GitHub has announced the general availability of a new security feature called push protection, which aims to prevent developers from accidentally leaking keys and other secrets in their code.
Microsoft’s cloud-based repository hosting platform, which began testing the feature a year ago, said it is also extending push protection to all public repositories at no additional cost.
The functionality is designed to work side-by-side with the existing secret scanning feature, which scans repositories for known secret formats to prevent fraudulent use and avoid potentially serious consequences.
“Push protection prevents secret leaks without compromising the developer experience by scanning highly identifiable secrets before they are committed,” GitHub said earlier this week.
“When a secret is detected in the code, developers are prompted directly in their IDE or command line interface with a fix wizard to ensure that the secret is never exposed.”
When push protection is bypassed by providing a reason (for example, testing, false positives, or acceptable risk), repository and organization administrators and security managers are notified of the incident via email.
To enable the option, users can go to Settings > select “Security and code analysis” > enable “Secret scanning” and “Push protection”.
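As an added illustration (not GitHub’s own code or detector list), the following models the check push protection performs: scan the lines a push adds for high-confidence secret formats, block the push when one is found, and allow a bypass only with a stated reason that is flagged for administrators. The two secret patterns and the sample diff are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed patterns for two well-known, highly identifiable secret formats
# (an assumption for this example; GitHub's real detector list is much larger).
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

@dataclass
class Finding:
    path: str
    line_no: int
    kind: str

def scan_added_lines(diff_text):
    """Return a Finding for every added ('+') line of a unified diff that matches a pattern."""
    findings, path, line_no = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):            # new-file header: remember the path
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):            # hunk header: reset the new-file line counter
            m = re.search(r"\+(\d+)", raw)
            line_no = int(m.group(1)) - 1 if m else 0
        elif raw.startswith("+"):             # added line: the only content a push introduces
            line_no += 1
            for kind, pat in SECRET_PATTERNS.items():
                if pat.search(raw[1:]):
                    findings.append(Finding(path, line_no, kind))
        elif not raw.startswith("-"):         # context line: advances the counter, never scanned
            line_no += 1
    return findings

def push_decision(diff_text, bypass_reason=None):
    """Block a push that adds a secret; a bypass with a reason is allowed but flagged for admins."""
    findings = scan_added_lines(diff_text)
    if not findings:
        return {"allowed": True, "findings": [], "notify_admins": False}
    if bypass_reason:
        return {"allowed": True, "findings": findings, "notify_admins": True, "reason": bypass_reason}
    return {"allowed": False, "findings": findings, "notify_admins": False}

# Constructed sample diff: a developer replaces an environment lookup with hard-coded credentials.
SAMPLE_DIFF = """diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,3 @@
 import os
-TOKEN = os.environ["GH_TOKEN"]
+TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
+AWS_KEY = "AKIAEXAMPLE000000000"
"""
```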
Push protection, which launched in beta in April 2022, is estimated to have prevented 17,000 accidental secret leaks, saving more than 95,000 hours that would otherwise have been spent revoking, rotating, and recovering compromised secrets, the company added.
The development comes nearly five months after GitHub made secret scanning free for all public repositories, allowing users to be notified of leaked secrets in their repositories.