[Code Security] August Release Roundup 🚀 #137658
ghostinhershell asked this question in Code Security
We're excited to announce a host of new code security products and features designed to help you protect your code and maintain a secure development environment. We're especially thrilled to announce powerful new enhancements to Secret Scanning, including things like expanded coverage and partnering with industry leaders, that make securing your codebase easier than ever before 🔍
We're holding true to our commitment to making security simple and accessible for every developer and team. Here’s a quick overview of what’s new for the month of August 🚀
🔍 What's New with Secret Scanning?
Secret scanning displays branch and file paths for push protection bypasses
Push protection bypass requests will now show file path and branch information for the secret. This improvement helps you more effectively triage any secrets for which you’ve requested push protection bypasses. Branch information is only available for pushes to single branches.
Secret scanning non-provider patterns inclusion in recommended security configuration
Now, secret scanning non-provider patterns are included in the GitHub-recommended security configuration. Non-provider patterns have also been automatically enabled for any repositories with the recommended configuration previously attached.
Secret scanning now deduplicates non-provider patterns
To help you triage and remediate secret leaks more effectively, GitHub secret scanning now deduplicates non-provider patterns (generic patterns) against provider patterns, so a secret matched by both pattern types no longer produces two alerts.
Secret scanning non-provider patterns are included in security configurations
You can now enable non-provider patterns (generic patterns) through security configurations at the organization level.
Non-provider patterns will also be included in the GitHub-recommended security configuration on August 23, 2024. At that time, non-provider patterns will be automatically enabled for any repositories with the recommended configuration attached.
Unkey is now a GitHub secret scanning partner
For Unkey users, GitHub secret scanning now scans for Unkey tokens to help secure your public repositories. Unkey’s Root API Key enables users to create and manage Unkey resources including APIs, API keys, global rate limiting, and access controls. GitHub will forward any exposed tokens found in public repositories to Unkey, who will then revoke the compromised tokens and notify the affected users.
Read more information about Unkey tokens here.
Anthropic is now a GitHub secret scanning partner
For Anthropic users, GitHub secret scanning now scans for Anthropic tokens to help secure your public repositories. GitHub Advanced Security customers can also scan for and block Anthropic tokens in their private repositories.
Secret scanning for non-code GitHub surfaces is now generally available
GitHub secret scanning now detects and alerts you on secrets found in GitHub issues, wikis, discussions, and pull requests.
To help protect you from leaked secrets anywhere within your GitHub perimeter, GitHub provides visibility across all major surfaces. We scan these surfaces for over 200 token formats and work with the relevant partners to help protect you from publicly leaked secrets. GitHub also supports generic patterns such as RSA private keys and Copilot-detected passwords.
Bypass list for secret scanning push protection can include the maintainer role
Starting in April 2024, GitHub Advanced Security customers using secret scanning have been able to specify which teams or roles have the ability to bypass push protection using a delegated bypass list.
Administrators can now add the maintainer role to this list.
Secret scanning push protection is supported for content upload REST API endpoints
Push protection is now supported for the following REST API endpoints:
There is also a new API endpoint to bypass push protection programmatically, Create a push protection bypass. You or your application can use the `placeholder_id` from your push protection block in your call to this endpoint.
Secret scanning backfilling existing secrets in GitHub wikis
Secret scanning is now performing a backfill to detect historically existing secrets in GitHub wikis. For repositories with secret scanning enabled, you may notice newly created alerts for these exposed secrets.
Metrics for push protection bypass requests are included in the secret scanning metrics page
The secret scanning metrics page within an organization’s “Security” tab now includes metrics for push protection bypass requests.
If an organization uses delegated bypass controls for push protection, the following data is shown:
Number of bypass requests, broken down by state
Mean time to review the requests
Secret scanning alerts for non-provider patterns and passwords are retrievable with the REST API
Secret scanning alerts for non-provider patterns and generic passwords can now be retrieved using the REST API.
Secret scanning fine-grained permissions for bypasses
You can now grant fine-grained permissions to review and manage push protection bypass requests within your organization.
Learn more about how to secure your repositories with secret scanning. Let us know what you think by participating in a GitHub community discussion or signing up for a 60 minute feedback session.
👩🏾💻 CodeQL Updates
CodeQL code scanning can analyze Java and C# codebases without needing a build (GA)
CodeQL code scanning can now analyze Java and C# code without having to observe a build. This makes it easier to roll out the security analysis on large numbers of repositories, especially when enabling and managing repositories with GHAS security configurations.
Learn more about GitHub code scanning. If you have any feedback about these new analysis mechanisms for Java and C#, please join the discussion here.
Prevention and autofix insights for CodeQL pull request alerts
You can now track prevention metrics for CodeQL pull request alerts with the new CodeQL pull request alerts report—available at both the organization and enterprise level. These insights empower you to proactively identify and mitigate security risks before they reach your default branch.
If you have any questions or feedback, please join the discussion here.
Copilot Autofix for CodeQL code scanning alerts is now generally available
We’ve announced the general availability of Copilot Autofix for CodeQL alerts in GitHub code scanning! Powered by GitHub Copilot, this feature brings automatic fixes for vulnerabilities found by CodeQL into the developer workflow.
For more information, see: About Copilot Autofix for CodeQL code scanning. If you have feedback for Copilot Autofix for code scanning, please join the discussion here.
🔐 Security Dashboard Updates
CSV exports for security alerts on the organization-level security overview dashboard
Enhance your security workflows by exporting security alert data for offline analysis, reporting, and archival purposes with our new CSV export functionality, available at the organization level.
Learn more about the security overview dashboard and send us your feedback here.
-----
Whether you’re a solo developer or part of a large team, these tools will help you secure your code and keep your projects safe. Stay tuned for more updates, and as always, happy coding! 🧑💻