GitHub token scanning comes to Alibaba, AWS, Azure, Google and more - CSO


Microsoft-owned GitHub has expanded its token scanning service for identifying exposed developer credentials, bringing in a number of major cloud companies that provide access tokens.

GitHub’s new token scanning partners include Alibaba Cloud, AWS, Azure, Google Cloud, Mailgun, npm, Slack, Stripe, and Twilio.

GitHub already scans for its own OAuth tokens and personal access tokens, and if it finds exposed credentials, GitHub notifies cloud providers, which in turn alert the owner of the credential. The new partnerships mean GitHub’s token scanning includes access token formats from these companies.

Now if developers accidentally publish a token for products like Atlassian’s Jira or the chat app Discord, the provider gets notified about a potential match — within seconds, according to GitHub — allowing them to revoke the token before it’s used maliciously, explained GitHub’s Justin Hutchings.

The token scanning service attempts to solve a common problem that occurs when developers hard-code access keys and API keys for third-party services in apps or if they publish them in a publicly accessible repository, like on GitHub. In some cases, the keys can be used by an attacker to access sensitive data or systems that should normally be protected by those access keys.

