GitHub Announces General Availability of Code View and Code Search and Secret Scanning’s Push Protection

GitHub, the world’s largest software development collaboration platform, announced that its new code view and code search are generally available to all users on GitHub.com. Reading and understanding code is a fundamental task for developers, which is why GitHub has been laying the foundation to improve code search over the past two years. Additionally, secret scanning’s push protection is now generally available for all private repositories with a GitHub Advanced Security (GHAS) licence as well as free for all public repositories.

GitHub’s goal with the new code search and code view is to enable developers to quickly search, navigate and understand their code, put critical information into context and, ultimately, make them more productive. To achieve that, GitHub has brought three powerful new capabilities to GitHub.com:

  • An entirely redesigned search interface, with suggestions, completions and the ability to slice and dice the results.
  • GitHub has built a new code search engine, completely from scratch. It is incredibly fast (about twice as fast as the old code search), far more capable (supporting substring queries, regular expressions, and symbol search) and understands code, putting the most relevant results first.
  • GitHub’s code view, which tightly integrates search, browsing and code navigation, has also been totally redesigned.

Expect More in the Future

This launch is just the beginning — GitHub is infusing intelligence into every aspect of software development. Learn more about code view and code search in this blog.

Additionally, push protection is now generally available for private repositories with a GitHub Advanced Security (GHAS) licence. To help developers and maintainers across open source proactively secure their code, GitHub is also making push protection free for all public repositories.

Push protection prevents secret leaks without compromising the developer experience by scanning for highly identifiable secrets before they are committed. GitHub partners closely with service providers to ensure tokens have a low false positive rate, ensuring developer trust in its alerts. When a secret is detected in code, developers are prompted directly in their IDE or command line interface with remediation guidance to ensure that the secret is never exposed.

Ger McMahon, Product Area Leader ALM Tools and Platforms at Fidelity Investments, explains: “Incorporating secret scanning with push protection directly into the development workflow reduces friction which enables developers to create secure and high-quality code.”

Developers need tools they can trust—GitHub designed push protection with this in mind. If developers push a commit containing a secret, a push protection prompt will appear with information on the secret type, its location and how to remediate the exposure. Once the developer has removed the secret from their commit history, they can push the commit again. Push protection only blocks secret types with low false positive rates, so when a commit is blocked, you know it is worth investigating.

Pushing Secret Codes

In certain instances, developers face an urgent situation in which they need to push code that contains a secret—for example, fixing an outage quickly and addressing the secret afterwards. Users can bypass push protection by providing a reason: for example, that the secret is used for testing, is a false positive, or is an acceptable risk that will be fixed later. Repository and organisation administrators and security managers receive an email alert for every bypass and can audit bypasses via their enterprise and organisation audit logs, the alert view UI, the REST API, or webhook events.
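The flow described in the two paragraphs above (block on a high-confidence match, allow a bypass only with a stated reason, and record every bypass for administrators) can be illustrated with a small gate. This is an added example, not GitHub's own implementation; the two token patterns are the well-known GitHub personal access token and AWS access key ID formats, the bypass reasons are assumed labels, and the sample file and key are constructed.

```python
"""Added illustration of a push-protection gate (not GitHub's code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Only low-false-positive token formats are blocked, mirroring the page's
# point that blocking is reserved for highly identifiable secrets.
HIGH_CONFIDENCE = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# Assumed labels for the bypass reasons the page lists.
BYPASS_REASONS = {"used_in_tests", "false_positive", "will_fix_later"}


@dataclass
class PushResult:
    allowed: bool
    findings: List[tuple] = field(default_factory=list)  # (type, path, line)
    audit: List[dict] = field(default_factory=list)      # bypass records


def scan(files: Dict[str, str]) -> List[tuple]:
    """Return (secret_type, path, line_no) for every high-confidence hit."""
    hits = []
    for path, text in files.items():
        for n, line in enumerate(text.splitlines(), 1):
            for kind, pat in HIGH_CONFIDENCE.items():
                if pat.search(line):
                    hits.append((kind, path, n))
    return hits


def push(files: Dict[str, str], actor: str,
         bypass_reason: Optional[str] = None) -> PushResult:
    """Block the push on a hit unless a recognised bypass reason is given;
    a bypass is allowed but produces one audit record per finding."""
    hits = scan(files)
    if not hits:
        return PushResult(True)
    if bypass_reason not in BYPASS_REASONS:
        return PushResult(False, hits)  # blocked; findings drive remediation
    audit = [{"actor": actor, "reason": bypass_reason,
              "secret_type": k, "path": p, "line": n} for k, p, n in hits]
    return PushResult(True, hits, audit)


# Constructed sample: a config file holding a fake AWS key ID (not a real key).
SAMPLE = {"config.py": "REGION = 'eu-west-1'\nAWS_KEY = 'AKIAABCDEFGHIJKLMNOP'\n"}
```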

According to Leo Stolyarov, Director and Cloud Practice Lead at KPMG, this approach ensures an improved security posture without compromising on velocity. “Secret scanning push protection is a frictionless feature that has brought better security awareness and protection from leaked secrets without compromising developer experience.”

Learn more about the GA of secret scanning’s push protection in this blog.
