JFrog prevents massive Python supply chain attack with timely discovery

In a discovery that could have led to a devastating supply chain attack, researchers from JFrog have uncovered a leaked GitHub token granting

Stack Diary

A new setting to enable for Secret Scanning is “non-vendor patterns”.

This now covers some private keys, database connection strings and web auth headers, and will grow over time: it won’t offer push protection.

For public repos on #GitHub you can enable everything above 👆 for 🆓.

(For private repos on GitHub Enterprise you can buy Advanced Security for this security experience; with new AI enabled features coming soon, on top of what public repos get)

#AppSec #SecretScanning

@simontsui Unit42 buried a significant part:

“One of the largest obstacles…was how fast AWS reacted in applying the quarantine policy to prevent malicious operations. AWS applied [it] within two minutes of the AWS credentials being leaked on GitHub.”

That’s down to GitHub’s automated secret scanning and partner program.

I’d love to know how many keys slip past that, or where the AWS user removes the quarantine.

#SecretScanning #GitHub

I’ve released more GitHub Secret 🔑 Scanning 🔎 custom patterns, which you can use with Advanced Security.

Some are 🔥 (IMHO), some are for auditing only - e.g. my “common passwords” pattern, written to spot some of the most commonly leaked weak passwords - “P@55word123!” etc.

We have DataDog, Sentry, .Net configs, MS SQLServer user creation, and Bearer tokens.

https://aegilops.github.io/posts/new-github-secret-scanning-custom-patterns/

#GitHub #SecretScanning #AppSec #SDLC #regex

New Github Secret Scanning Custom Patterns

GitHub Secret Scanning gives loads of value off-the-shelf, with highly precise vendor secret detection, but sometimes a customer wants something that isn’t already covered by the built-in patterns. For that, our custom patterns for Advanced Security are perfect, and I’ve just released some that I’ve written for a couple of customers (and also on a whim). Here’s the list: .NET Configuration file, e.g. <add key="password" value="somesecret" /> .NET machineKey, e.g. <machineKey validationKey=".
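As an added example (not code from the post or the linked pattern set), here is a small Python scanner that applies a constructed ".NET configuration file" pattern and a constructed audit-only "common passwords" pattern to a sample web.config fragment, reporting each hit with the secret redacted. The regexes, key names and sample values are all assumptions made for illustration.

```python
import re

# Constructed regexes, not the patterns the post links to. The first is in the
# spirit of a ".NET Configuration file" custom pattern: an appSettings entry
# such as <add key="password" value="..." /> whose key name suggests a credential.
# It uses no backreferences, so the same shape can be expressed for Hyperscan
# (GitHub's engine), with the key/value context in the before/after-secret fields.
DOTNET_ADD_KEY = re.compile(
    r'<add\s+key="(?P<key>[^"]*(?:password|passwd|pwd|secret|apikey|token)[^"]*)"'
    r'\s+value="(?P<secret>[^"]{4,})"\s*/?>',
    re.IGNORECASE,
)
# Audit-only "common passwords" pattern: weak, frequently leaked values such as
# P@55word123!, allowing leetspeak substitutions and a trailing digit/symbol run.
COMMON_PASSWORD = re.compile(
    r'\b(?:p@?[a4]?[s5]{2}w[o0]rd|qwerty|letmein|welcome)[\w!@#$%]*', re.IGNORECASE
)
PATTERNS = {"dotnet-config": DOTNET_ADD_KEY, "common-password": COMMON_PASSWORD}

# Constructed web.config fragment; the values are placeholders, not real secrets.
SAMPLE_CONFIG = """<configuration>
  <appSettings>
    <add key="SiteName" value="Example Site" />
    <add key="DbPassword" value="P@55word123!" />
    <add key="ApiKey" value="xxxx-not-a-real-key-xxxx" />
  </appSettings>
</configuration>
"""

def find_secrets(text):
    """Run every pattern over each line and return findings with the secret
    redacted, so a report can be shared without re-leaking the value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                groups = m.groupdict()
                secret = groups.get("secret") or m.group(0)
                findings.append({
                    "line": lineno,
                    "pattern": name,
                    "key": groups.get("key"),
                    "redacted": secret[:2] + "*" * (len(secret) - 2),
                })
    return findings

if __name__ == "__main__":
    for finding in find_secrets(SAMPLE_CONFIG):
        print(finding)
```

The weak password on line 4 is reported twice, once by the config pattern and once by the audit pattern, which is the kind of overlap to expect when an audit-only pattern is enabled alongside a vendor-style one.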

I kicked off my blog with a post about writing regex for GitHub Secret Scanning's custom patterns (which you get if you pay for Advanced Security):

https://aegilops.github.io/posts/regex-for-secret-scanning/

#GitHub #SecretScanning #SecureCoding #DevSecOps #regex #HyperScan

Regex for GitHub Secret Scanning

Regular Expressions (regex) are the butt of many a joke - “now you have two problems”, but they’re a powerful tool for searching and matching text. As someone who’s been jokingly called “The King of Regex” 👑 before, I’ve got a little bit to say about them. They’re used in many places, including GitHub’s Secret Scanning, where as part of Advanced Security they give you the ability to match your own patterns to search for secrets or personal data (or anything you like!

Do you know if you have secrets in your own code or configuration files in your repository?

In part 7/12 of our video series, Patrick Steger and I will show you how to find secrets in your own code or configuration files using @github.

👉 https://youtu.be/k-uuPTLNXGM

Here you can find our comparison of GitLab vs. GitHub: https://www.romanoroth.com/post/gitlab-vs-github-devsecops

#github #devsecops #devops #secretscanning #vulnerability

GitHub: DevSecOps: Part 7/12: How to find secrets in your own code with Secret Scanning

YouTube

I have enabled GitHub's Secret scanning for 14k forked repositories from the Actions Marketplace. Here is what I have found (and why you should make sure you have this enabled)!

https://devopsjournal.io/blog/2023/01/22/Making-the-case-for-secret-scanning?utm_source=dlvr.it&utm_medium=mastodon

#DevSecOps #SecretScanning #GitHub

Making the case for GitHub's Secret scanning

This is excellent news! GitHub is now providing secrets scanning for free for everyone! #WootWoot #GitHub #SecretScanning #SecureCode https://thehackernews.com/2022/12/github-announces-free-secret-scanning.html
GitHub Announces Free Secret Scanning for All Public Repositories

GitHub on Thursday said it is making available its secret scanning service to all public repositories on the code hosting platform for free.

The Hacker News