Secret Scanning: Securing API Tokens on GitHub (2022 APIsecure)
Presented by Jose Palafox (@josepalafox), Director of Business Development - Platform and App Security, GitHub
Where the world builds software (GitHub platform figures from the deck):
● 73M+ developers on the world's largest developer platform
● 3M+ organizations
● 1,000s of top open source communities
● 2.6B+ contributions per year
● 200M+ private and public repositories
Agenda
● What is secret scanning
● How do Service Providers Integrate
● Best practices for secrets
What is secret scanning?
● Service enabled by default on GitHub.com
● Scans code contributions for API tokens
● Notifies the provider when secrets are leaked
● Available through GitHub Advanced Security for private repositories
How do secrets get leaked?
● By accident
● Left in git commit history (deleting the file in a later commit does not remove it from the history)
● Intentionally leaked
Leaked secrets let malicious actors impersonate the owner, run up fraudulent usage on the owner's services, and more.
Secret scanning demo: commit a credential and run secret detection. (Slide visual: a timeline showing 17 attempts to use the credential in under an hour, with entries labelled aws.amazon.com, github.com and mail.google.com.)
(Slide chart: credential leaks seen on GitHub, +65% CAGR; source: GitHub data.) We're seeing more credential leaks than ever.
Your secrets are (probably) already leaked on GitHub. We can solve this problem together.
Join the secret scanning partner program
● Email us: secret-scanning@github.com
● Provide a regex to identify your token (a pattern specific enough to match your tokens and little else)
● Identify post-processing needs
● Build a receiving service
● Implement a remediation plan
● Get a free disclosure data stream from GitHub
Secret scanning receiving service
Sample payload: GitHub POSTs a JSON array of findings to the partner's endpoint. The receiver must verify GITHUB-PUBLIC-KEY-SIGNATURE over the raw request body with the public key named by GITHUB-PUBLIC-KEY-IDENTIFIER before acting on any token.
POST / HTTP/2
Host: HOST
Accept: */*
Content-Type: application/json
GITHUB-PUBLIC-KEY-IDENTIFIER: 90a421169f0a406205f1563a953312f0be898d3c7b6c06b681aa86a874555f4a
GITHUB-PUBLIC-KEY-SIGNATURE: MEQCIA6C6L8ZYvZnqgV0zwrrmRab10QmIFV396gsba/WYm9oAiAI6Q+/jNaWqkgG5YhaWshTXbRwIgqIK6Ru7LxVYDbV5Q==
Content-Length: 0123
[{"token":"NMIfyYncKcRALEXAMPLE","type":"mycompany_api_token","url":"https://github.com/octocat/Hello-World/blob/12345600b9cbe38a219f39a9941c9319b600c002/foo/bar.txt"}]
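A receiving service for the request above, as an added example in Go; this is not GitHub's code nor any partner's. It assumes the signature is ECDSA over SHA-256 of the exact raw body, DER-encoded and base64 (consistent with the MEQ... prefix of the sample header, which is a DER SEQUENCE), and that the key identifier header selects which trusted public key to use. A production receiver loads GitHub's current keys from its published key list; here NewDemoVerifier generates a local P-256 key pair as a stand-in and SignBody plays GitHub's role, so the whole exchange runs offline. The key id "demo-key-id" and the handler path are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
)

// SecretAlert is one element of the JSON array GitHub POSTs; field names follow the slide's sample.
type SecretAlert struct {
	Token string `json:"token"`
	Type  string `json:"type"`
	URL   string `json:"url"`
}

// Verifier maps GITHUB-PUBLIC-KEY-IDENTIFIER values to trusted P-256 public keys.
// A real receiver fills this from GitHub's key list; the demo uses a locally generated key (assumption).
type Verifier struct {
	Keys map[string]*ecdsa.PublicKey
}

// VerifyAndParse checks the ECDSA signature (P-256, SHA-256, ASN.1/DER, base64) over the
// exact raw body and only then decodes the JSON, so unsigned data never reaches remediation.
func (v *Verifier) VerifyAndParse(keyID, sigB64 string, body []byte) ([]SecretAlert, error) {
	pub, ok := v.Keys[keyID]
	if !ok {
		return nil, errors.New("unknown GITHUB-PUBLIC-KEY-IDENTIFIER")
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return nil, fmt.Errorf("bad signature encoding: %w", err)
	}
	digest := sha256.Sum256(body)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return nil, errors.New("signature does not match body")
	}
	var alerts []SecretAlert
	if err := json.Unmarshal(body, &alerts); err != nil {
		return nil, fmt.Errorf("malformed payload: %w", err)
	}
	return alerts, nil
}

// ServeHTTP is the endpoint GitHub would be configured to POST to.
func (v *Verifier) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // bound the body size
	if err != nil {
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	alerts, err := v.VerifyAndParse(
		r.Header.Get("GITHUB-PUBLIC-KEY-IDENTIFIER"),
		r.Header.Get("GITHUB-PUBLIC-KEY-SIGNATURE"), body)
	if err != nil {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	for _, a := range alerts {
		// Remediation hook: confirm the token is live, revoke it, notify the owner.
		// Log the type and location, never the token itself.
		fmt.Printf("leaked %s at %s\n", a.Type, a.URL)
	}
	w.WriteHeader(http.StatusOK)
}

// SignBody produces what GitHub's signer would put in GITHUB-PUBLIC-KEY-SIGNATURE.
// Only the demo uses it; a receiver never holds GitHub's private key.
func SignBody(priv *ecdsa.PrivateKey, body []byte) string {
	digest := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		panic(err)
	}
	return base64.StdEncoding.EncodeToString(sig)
}

// NewDemoVerifier generates a stand-in key pair and registers it under keyID.
func NewDemoVerifier(keyID string) (*Verifier, *ecdsa.PrivateKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Verifier{Keys: map[string]*ecdsa.PublicKey{keyID: &priv.PublicKey}}, priv
}

// Constructed sample payload, copied from the slide; the token is an example value.
const samplePayload = `[{"token":"NMIfyYncKcRALEXAMPLE","type":"mycompany_api_token","url":"https://github.com/octocat/Hello-World/blob/12345600b9cbe38a219f39a9941c9319b600c002/foo/bar.txt"}]`

func main() {
	v, priv := NewDemoVerifier("demo-key-id")
	body := []byte(samplePayload)
	alerts, err := v.VerifyAndParse("demo-key-id", SignBody(priv, body), body)
	fmt.Println(len(alerts), err)
	http.Handle("/", v) // ListenAndServe omitted so the demo exits
}
```

Two points matter in practice: verify over the bytes as received (re-serialising the JSON first would break the signature), and treat the payload as live secrets, so respond quickly, do not write tokens to logs, and drop any message whose key id you do not recognise rather than fetching keys on an attacker's prompt.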
Consider secret identification
● Too often secrets are just random strings; a bare random string looks like any other high-entropy blob, so a scanner cannot match it without a flood of false positives
● Our best practices: use a prefix, implement a checksum
Examples of better API tokens:
lin_api_neH3Dbir9oUTewyqldy8zvmnHcQAH3qnuY2aG0ok
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
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
tfp_Fbzs4w9UnM1nmVGKoQaBpq8NHxEhGoYCY5WXhG5UZdck_eoMLSNTXzmFH
● Defined prefixes ending in "_" so the token type is visible at a glance and easy to write a regex for
● 32-bit checksum, so a candidate token can be validated without hitting a database
● High-entropy random strings for the secret part
What's New? Push Protection
● Push Protection is a feature that blocks a push containing an API credential before it lands in the repository, so the secret never enters commit history
● Requires a highly identifiable pattern, because a false positive here blocks a developer's push
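An added example (mine, not GitHub's code) that ties together the token design guidance, the regex a partner hands to GitHub, and why push protection needs a highly identifiable pattern. It mints tokens as prefix + "_" + 30 random base62 characters + 6 base62 characters holding a CRC32 checksum, the 36-character split visible in the ghp_ and npm_ examples above; the exact checksum algorithm those vendors use is an assumption here. The prefix "acme" and the sample text are constructed for the demo. The scanner shows the two-stage check a scanner or push-protection hook can do offline: the regex finds candidates, and the checksum rejects look-alikes without any database lookup.

```python
import re
import secrets
import string
import zlib

ALPHABET = string.ascii_letters + string.digits  # base62
RANDOM_LEN = 30  # random (secret) part; assumption modeled on the 36-char ghp_/npm_ bodies
CHECK_LEN = 6    # base62 digits needed to hold a 32-bit CRC (62**6 > 2**32)


def base62(n: int, width: int) -> str:
    """Encode a non-negative integer in base62, zero-padded to width digits."""
    out = ""
    while n:
        n, r = divmod(n, 62)
        out = ALPHABET[r] + out
    return out.rjust(width, "0")


def checksum(random_part: str) -> str:
    """CRC32 of the random part, base62-encoded, fixed width."""
    return base62(zlib.crc32(random_part.encode()), CHECK_LEN)


def mint_token(prefix: str) -> str:
    """Issue a token: identifiable prefix, high-entropy body, appended checksum."""
    body = "".join(secrets.choice(ALPHABET) for _ in range(RANDOM_LEN))
    return f"{prefix}_{body}{checksum(body)}"


def is_well_formed(token: str, prefix: str) -> bool:
    """Offline check of structure and checksum only; says nothing about whether the token is live."""
    if not token.startswith(prefix + "_"):
        return False
    rest = token[len(prefix) + 1:]
    if len(rest) != RANDOM_LEN + CHECK_LEN or any(c not in ALPHABET for c in rest):
        return False
    body, check = rest[:RANDOM_LEN], rest[RANDOM_LEN:]
    return checksum(body) == check


def detection_pattern(prefix: str) -> "re.Pattern":
    """The regex a provider would give the partner program: prefix plus fixed-length base62 body."""
    return re.compile(rf"\b{re.escape(prefix)}_[A-Za-z0-9]{{{RANDOM_LEN + CHECK_LEN}}}\b")


def scan(text: str, prefix: str) -> list:
    """Stage 1: regex finds candidates. Stage 2: checksum drops look-alikes before any API call."""
    return [m.group(0) for m in detection_pattern(prefix).finditer(text)
            if is_well_formed(m.group(0), prefix)]


if __name__ == "__main__":
    good = mint_token("acme")
    # Constructed sample file contents: one real token and one string that only looks like one.
    sample = f'API_KEY = "{good}"\nEXAMPLE = "acme_{"x" * 36}"\n'
    print(scan(sample, "acme") == [good])
```

The checksum is not a security control (anyone can compute it); its value is that a scanner, a push-protection hook, or the service's own front door can discard malformed candidates cheaply, which is what makes a pattern "highly identifiable" with a low false-positive rate.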
Questions? Concerns? Comments?

2022 APIsecure_Securing API Tokens on Github