When Microsoft bought GitHub four years ago, developers everywhere panicked that it was the end of privacy and open-source and the programming world as we knew it. While those fears weren't unfounded – remember Skype? – they were definitely blown out of proportion. Sure, alternatives like GitLab or Bitbucket exist for those who ever want out, but truth be told, GitHub has continued to serve the programming community well.

I, for one, have been pleasantly surprised by the numerous features that GitHub has released in the last few years. Soon after their acquisition, they began scanning repositories and notifying the owners about dependencies on outdated or vulnerable packages. They also improved their UI, e.g. adding the "update via rebase" option to their pull request pages. And most recently, they've added secrets scanning!

The feature, known as "push protection" (and not to be confused with "branch protection"), allows organizations to prevent individual developers from pushing secrets to a repository. This saves developers the time they would otherwise spend rotating compromised keys, cleaning buried secrets out of git history, and using precious code review time on a job that can be automated. GitHub can currently identify and protect against 69 kinds of secrets, including those issued by Amazon Web Services, Azure, and Google Cloud. And, even though the scanning technology is not perfect, GitHub offers the ability to override the block for false positives or for tokens that are meant to be committed to the repository.

GitHub's announcement couldn't have been more timely. I'm about to spend my weekend solving cybersecurity challenges for PlaidCTF, so security is on my mind. Stay safe!