#SecretScanning

aegilops :github::microsoft:aegilops@fosstodon.org
2023-11-18

A new setting to enable for :github: Secret Scanning is “non-vendor patterns”.

This now covers some private keys, database connection strings and web auth headers, and will grow over time: it won’t offer push protection.

For public repos on #GitHub you can enable everything above 👆 for 🆓.

(For private repos on GitHub Enterprise you can buy Advanced Security for this security experience; with new AI enabled features coming soon, on top of what public repos get)

#AppSec #SecretScanning

aegilops :github::microsoft:aegilops@fosstodon.org
2023-10-31

@simontsui Unit42 buried a significant part:

"One of the largest obstacles…was how fast AWS reacted in applying the quarantine policy to prevent malicious operations. AWS applied [it] within two minutes of the AWS credentials being leaked on GitHub."

That’s down to GitHub’s automated secret scanning and partner program.

I’d love to know how many keys slip past that, or where the AWS user removes the quarantine.

#SecretScanning #GitHub

aegilops :github::microsoft:aegilops@fosstodon.org
2023-07-13

I’ve released more GitHub :github: Secret 🔑 Scanning 🔎 custom patterns, which you can use with Advanced Security.

Some are 🔥 (IMHO), some are for auditing only - e.g. my “common passwords” pattern, written to spot some of the most commonly leaked weak passwords - “P@55word123!” etc.

We have DataDog, Sentry, .Net configs, MS SQLServer user creation, and Bearer tokens.

aegilops.github.io/posts/new-g

#GitHub #SecretScanning #AppSec #SDLC #regex

aegilops :github::microsoft:aegilops@fosstodon.org
2023-03-13

I kicked off my blog with a post about writing regex for GitHub Secret Scanning's custom patterns (which you get if you pay for Advanced Security):

aegilops.github.io/posts/regex

#GitHub #SecretScanning #SecureCoding #DevSecOps #regex #HyperScan

2023-02-14

Do you know if you have secrets in your own code or configuration files in your repository?

In part 7/12 of our video series, Patrick Steger and I will show you how to find secrets in your own code or configuration files using @github .

👉 youtu.be/k-uuPTLNXGM

Here you can find our comparison of GitLab vs. GitHub: romanoroth.com/post/gitlab-vs-

#github #devsecops #devops #secretscanning #vulnerability

2023-01-23

I have enabled GitHub's Secret scanning for 14k forked repositories from the Actions Marketplace. Here is what I have found (and why you should make sure you have this enabled)!

devopsjournal.io/blog/2023/01/

#DevSecOps #SecretScanning #GitHub

Geekmaster 👽:system76:Geekmaster@ioc.exchange
2022-12-17

This is excellent news! GitHub is now providing secrets scanning for free for everyone! #WootWoot #GitHub #SecretScanning #SecureCode thehackernews.com/2022/12/gith
