GitHub Token Scanning—one billion tokens identified and five new partners
Token scanning has reached a new milestone: one billion tokens identified. We’ve also added five new partners—Atlassian, Dropbox, Discord, Proctorio, and Pulumi.
![](https://github.blog/wp-content/uploads/2019/08/tokenscanning.png?resize=1200%2C630)
If you’ve ever accidentally shared a token or credentials in a GitHub repository, or read about someone who has, you know how damaging it can be if a malicious user finds and exploits it. About a year ago, we introduced token scanning to scan pushed commits and prevent fraudulent use of any credentials that are shared accidentally.
Since adding token scanning, we’ve sent our integration partners one billion tokens for validation.*
Five new token scanning partners
As part of GitHub’s commitment to protecting our customers from security threats, we’re happy to announce that we’ve partnered with Atlassian, Dropbox, Discord, Proctorio, and Pulumi to scan for their token formats. They’re in good company, joining other service providers including Alibaba Cloud, AWS, Azure, Google Cloud, Mailgun, npm, Slack, Stripe, and Twilio in protecting developers. Now if you accidentally check in a token for products like Jira or Discord, the provider gets notified about a potential match within seconds of check-in, allowing them to revoke the token before it’s used maliciously.
How does token scanning work?
On a typical day, we see almost nine million commits pushed to GitHub. Within seconds of those commits being pushed (or private repositories being made public), we scan the contents for a number of known token formats. When we detect a match, we’ll notify the appropriate service provider and they’ll respond accordingly—revoking the tokens and notifying the affected users.
Here’s an example of how one user was notified about a Discord token that was accidentally submitted to a public repository:
Service providers—help us prevent security breaches before they happen
If you’re a cloud or API service provider using tokens for authentication and authorization and would like to protect your users from these rare, but potentially devastating scenarios, we’d love to work with you.
It’s as simple as a bit of paperwork, defining the regular expression(s) that match your token format(s), and setting up an API endpoint that receives the potential matches we send.
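The two halves of the flow described above (GitHub matching pushed content against registered token formats, then the partner endpoint verifying and revoking) are easier to see end to end in code. The following is an added example and is not GitHub's or any partner's code: the regexes are illustrative approximations rather than the patterns partners actually register, the notification payload shape is an assumption, the `exk_live_` prefix is a hypothetical provider invented for the example, and the sample push and partner token store are constructed (the AWS key in it is AWS's documented placeholder, not a real credential). It also shows what a false positive looks like from the partner's side, which is the caveat the footnote below makes about the one-billion figure.

```python
import re
from dataclasses import dataclass

# Illustrative token formats. Assumption: these approximate real formats for
# demonstration only; they are not the regexes partners actually register.
TOKEN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
    # "exk_live_" is a hypothetical provider prefix invented for this example.
    "example_partner_key": re.compile(r"\bexk_live_[0-9a-f]{24}\b"),
}


@dataclass(frozen=True)
class Finding:
    provider: str
    token: str
    path: str
    line: int


def scan_commit(files):
    """Run every registered pattern over the content of a pushed commit.

    `files` maps path -> file content. Every match becomes a Finding; at this
    point there is no way to know whether the match is a live credential.
    """
    findings = []
    for path, content in files.items():
        for lineno, text in enumerate(content.splitlines(), start=1):
            for provider, pattern in TOKEN_PATTERNS.items():
                for match in pattern.finditer(text):
                    findings.append(Finding(provider, match.group(0), path, lineno))
    return findings


def build_notification(finding, repo_url, commit_sha):
    """Assumed payload shape (not GitHub's real partner API): the raw match
    plus a permalink so the provider can verify, revoke and notify its user."""
    return {
        "type": finding.provider,
        "token": finding.token,
        "url": f"{repo_url}/blob/{commit_sha}/{finding.path}#L{finding.line}",
    }


class ProviderEndpoint:
    """Partner-side handler for one provider: verify the token, revoke if live.

    A match the provider never issued is a false positive: it still counts as
    a token "sent for validation", but nothing is revoked.
    """

    def __init__(self, issued_tokens):
        self.issued = dict(issued_tokens)   # token -> owning user
        self.revoked = {}                   # token -> where it leaked

    def handle(self, payload):
        token = payload["token"]
        owner = self.issued.pop(token, None)
        if owner is None:
            return {"status": "false_positive"}
        self.revoked[token] = payload["url"]
        return {"status": "revoked", "notify_user": owner}


def make_endpoints():
    """Constructed partner state for the demo; nothing here was ever a real token."""
    return {
        # AKIAIOSFODNN7EXAMPLE is AWS's documented placeholder key, used as a stand-in.
        "aws_access_key_id": ProviderEndpoint({"AKIAIOSFODNN7EXAMPLE": "alice"}),
        "example_partner_key": ProviderEndpoint({}),   # has issued nothing
    }


def process_push(files, repo_url, commit_sha, endpoints):
    """Scanning side end to end: scan, then notify the matching partner."""
    results = []
    for finding in scan_commit(files):
        endpoint = endpoints.get(finding.provider)
        if endpoint is None:
            continue   # format is known but no partner has registered an endpoint
        reply = endpoint.handle(build_notification(finding, repo_url, commit_sha))
        results.append((finding.provider, finding.path, reply["status"]))
    return results


# Constructed sample push: one placeholder AWS key, and one string that merely
# looks like the hypothetical provider's key format.
SAMPLE_PUSH = {
    "config/settings.py": "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\nDEBUG = True\n",
    "README.md": "Try exk_live_0123456789abcdef01234567 against the sandbox\n",
}

if __name__ == "__main__":
    for provider, path, status in process_push(
        SAMPLE_PUSH, "https://github.com/example/app", "0123abcd", make_endpoints()
    ):
        print(f"{provider:22} {path:20} {status}")
```

Running the block reports the placeholder AWS key as revoked and the `exk_live_` string as a false positive: the scanner forwards both, because only the issuing provider can tell a real credential from a string that happens to fit the format. That is also why the partner endpoint, not the scanner, is the right place to decide on revocation and user notification.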
Learn more about becoming a GitHub token scanning partner
* “Tokens for validation” represents the number of tokens we’ve sent to our token scanning partners for potential matches and thus may include false positives. GitHub notifies the appropriate service provider to respond accordingly—revoking the tokens and notifying the affected users—but we do not receive data on the number of validated tokens from partners.