On Thursday, GitHub announced that all pushes to public repositories will automatically be protected by secret scanning push protection.
You will have the option to remove a supported secret from your commits or, if you think it’s safe, to bypass the block, according to Eric Tooley and Courtney Claessens.
Push protection was introduced as an opt-in feature in August 2023, but it has been tested since April 2022. In May 2023, it became widely available.
In order to stop malicious actors from using over 200 different token types and patterns from more than 180 service providers, the secret scanning feature is designed to identify them.
The development comes almost five months after the Microsoft subsidiary expanded secret scanning to include verification checks for well-known services like Slack, Microsoft, Google, and Amazon Web Services ( AWS).
Additionally, it comes as a result of a recent “repo confusion” attack targeting Git Hub, which has flooded the source code hosting platform with thousands of repositories filled with obfuscated malware capable of stealing passwords and money from developer devices.
The attacks use phony Python packages hosted on cloned, trojanized repositories to deliver stealer malware called BlackCap Grabber, which was disclosed by Phylum and Trend Micro last year.
In a report this week, Apiiro claimed that “repo confusion attacks simply rely on humans to mistakenly pick the malicious version over the real one, sometimes using social engineering techniques as well.”