GitHub token scanning comes to Alibaba, AWS, Azure, Google and more


Microsoft-owned GitHub has expanded its token scanning service for identifying exposed developer credentials, bringing it to several major cloud firms that issue access tokens.

GitHub’s new token scanning partners include Alibaba Cloud, AWS, Azure, Google Cloud, Mailgun, npm, Slack, Stripe, and Twilio. 

GitHub already scans for its own OAuth tokens and personal access tokens; if it finds exposed credentials, GitHub notifies the cloud provider, which in turn alerts the owner of the credential. The new partnerships mean GitHub's token scanning now also covers the access token formats used by these firms.

Now if developers accidentally publish a token for a product such as Atlassian's Jira or the chat app Discord, the provider gets notified about a potential match -- within seconds, according to GitHub -- allowing it to revoke the token before it's used maliciously, explained GitHub's Justin Hutchings.

The token scanning service attempts to address a common problem: developers hard-code access keys and API keys for third-party services in apps, or publish them in a publicly accessible repository such as one hosted on GitHub. In some cases, an attacker can use those keys to access sensitive data or systems that the keys were meant to protect.

Slack or Discord tokens, for example, could give access to private chats between developers who may be working with sensitive customer data.   

GitHub's token scanning works by scanning the millions of commits pushed to public repositories hosted on GitHub. It looks for known token formats and, when a match is found, notifies the appropriate service provider, which should then revoke the token and notify affected users.
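To make the mechanism concrete, here is an added example (not GitHub's code, and not any provider's published matcher) of the kind of scanner described above: it walks the added lines of a commit diff, matches known token formats, falls back to an entropy check for generic "secret = ..." assignments, and groups findings by the provider that would be notified. The `AKIA` prefix plus 16 uppercase alphanumerics is the publicly documented shape of an AWS access key ID, and `AKIAIOSFODNN7EXAMPLE` is the placeholder key AWS uses in its own documentation; the `exc_` format, the provider name "ExampleCloud", and the whole sample diff are constructed for this example.

```python
import math
import re
from collections import Counter, defaultdict

# Known token formats, keyed by the provider that should be notified.
# "aws" follows the documented AKIA + 16 uppercase alphanumerics shape;
# "examplecloud" is a hypothetical provider with a constructed "exc_" format.
TOKEN_PATTERNS = {
    "aws": ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    "examplecloud": ("examplecloud_token", re.compile(r"\bexc_[A-Za-z0-9]{32}\b")),
}

# Fallback for credentials with no fixed format: a secret-looking assignment
# whose value is long enough to be a real key.
GENERIC_SECRET = re.compile(
    r"(?i)(secret|token|api[_-]?key|password)\s*[=:]\s*['\"]?([A-Za-z0-9+/=_\-]{20,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; filters out "aaaa..." placeholders


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; 0.0 for a single repeated character."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(token: str) -> str:
    """Keep only the ends so a finding can be reported without re-leaking it."""
    return token[:4] + "..." + token[-4:]


def scan_diff(diff_text: str) -> list:
    """Return findings for credentials on lines a commit *adds* (prefixed '+')."""
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        # Skip removed lines, context lines and the '+++ b/file' header.
        if not line.startswith("+") or line.startswith("+++"):
            continue
        content = line[1:]
        for provider, (kind, pattern) in TOKEN_PATTERNS.items():
            for m in pattern.finditer(content):
                findings.append({"line": lineno, "provider": provider,
                                 "kind": kind, "value": m.group(0)})
        for m in GENERIC_SECRET.finditer(content):
            value = m.group(2)
            already = any(f["value"] == value for f in findings)
            if not already and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append({"line": lineno, "provider": "unknown",
                                 "kind": "generic_high_entropy", "value": value})
    return findings


def findings_by_provider(findings: list) -> dict:
    """Group redacted findings by provider, i.e. who gets the notification."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["provider"]].append((f["line"], f["kind"], redact(f["value"])))
    return dict(grouped)


# Constructed sample commit diff: one real-looking AWS placeholder key, one
# hypothetical ExampleCloud token, one high-entropy password and one
# low-entropy placeholder that should NOT be reported.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,4 +1,6 @@
 import os
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+EXAMPLECLOUD_TOKEN = "exc_abcdefghijklmnopqrstuvwxyz012345"
+DB_PASSWORD = "Q7w3Zp9xL2mK8vB4nR6tY1uH5sJ0dF"
+TEST_PASSWORD = "aaaaaaaaaaaaaaaaaaaaaaaa"
"""

if __name__ == "__main__":
    for provider, items in findings_by_provider(scan_diff(SAMPLE_DIFF)).items():
        print(provider, items)
```

Scanning only the `+` lines is what lets a service like this run per push rather than re-reading whole repositories, and redacting before reporting avoids turning the alert channel into a second leak. The entropy fallback is a heuristic: it catches keys with no recognisable prefix but will also flag any random-looking string assigned to a `secret`-like name, so it is the part a real deployment tunes most.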

Discord did just this a few weeks ago after a developer posted a Discord token in a public repository on GitHub.

GitHub has been running a private beta of the token scanning service with several cloud providers since April last year. 

GitHub's Patrick Twoomey explained last year that the token problem arises from modern cloud-based development practices, which involve "composing cloud services", often with the help of access tokens.

“Composing cloud services like this is the norm going forward, but it comes with inherent security complexities,” wrote Twoomey. “Each cloud service a developer typically uses requires one or more credentials, often in the form of API tokens. 

“In the wrong hands, they can be used to access sensitive customer data—or vast computing resources for mining cryptocurrency, presenting significant risks to both users and cloud service providers.”  

GitHub has been scanning public repositories for GitHub OAuth tokens since 2015 and today said that since then it has flagged one billion tokens for validation by providers, which then decide whether to revoke the token.

Stories by Liam Tung