Security

Remediation made easy: Introducing new valid checks for GitHub Tokens

Secret scanning is a great way to minimize the risk of leaking credentials like API keys and passwords. If you find an exposed certificate, you’ll first check if it is still active and what kind of access it has. Validity checks for GitHub Tokens can help. Validity checks determine if a token has ever been […]

Security

Unlocking security for transitive dependencies using npm

Dependabot is a tool that helps developers protect their software by automating security updates. When a security advisory is released that affects a dependency of a project, Dependabot attempts to submit a pull request that updates that dependency to a safer version, if one is available. Of course, no rule says a security vulnerability will only […]

Security

For fun and charity, bypass OGNL sandboxes.

Object-Graph Navigation Language (OGNL) is a Java-based expression language used by popular frameworks and applications, like Apache Struts or Atlassian Confluence. In the past, OGNL-based injections were responsible for highly severe code injections (RCE), such as the Equifax hack. Over the years, mitigations and protection mechanisms against OGNL-based injections have improved and […]

Security

Action required for GitHub Desktop users and Atom users

GitHub discovered unauthorized access to a collection of repositories used for developing and planning GitHub Desktop and Atom. We have conducted a thorough investigation and concluded that there is no risk to GitHub.com. The certificates were password protected, and there is no evidence that they were used maliciously. As a precaution, we will revoke exposed certificates for the […]

Security

How to stay in the flow while mitigating OWASP vulnerabilities

Security vulnerabilities are increasing in number and severity, even though many teams have tried to secure their code for years. Why are vulnerabilities such a big problem? Development is slowed when teams implement security strategies and tools that do not optimize the developer’s experience. This leads to frustration, reduces the usability of software for […]

Security

Git security flaws announced.

The Git project has released versions that address two security vulnerabilities (CVE-2023-24290 and CVE-2023-23946), which affect versions 2.39.1 and older. They affect Git’s local optimization and git apply. CVE-2023-22490: When cloning, Git uses the transport mechanism appropriate to your clone’s URL scheme. When cloning local repositories, Git instead uses a different local optimization, copying the files directly from source to destination. A […]

Security

The code that wasn’t there: Reading memory on an Android device by accident

In this post, I’ll cover the details of CVE-2022-25664, a vulnerability in the Qualcomm Adreno GPU that I reported to Qualcomm in November 2021. The bug was a somewhat accidental find, and although it can only be used to leak information, it is nevertheless a mighty bug that can be used to spread large amounts of […]

Security

Three ways to comply with compliance requirements without compromising agility

Remember the basics. It’s easy to overlook the first step in meeting your compliance needs. There are quick ways to meet compliance requirements applicable in any industry, whether finance, government, tech, or automotive. Code review: code review is a critical component of writing clean code. A repeatable, traceable code review process is vital to any compliance program. […]

Security

All public repositories now have access to free secret scanning alerts.

We announced the public beta of free secret scanning alerts across all public repositories in December. Since its release, 70,000 public repositories have turned on secret scanning alerts, which helps users as they triage thousands of leaked secrets. As of today, GitHub’s secret scanning alerts are available to all public repositories, free of charge. Secret scanning […]

Security

GitHub Security Lab has audited DataHub. Here’s what the lab found

We are passionate about helping maintainers secure their code. This is the goal of the GitHub Security Lab. We love contributing to the community as users of open-source software (OSS) by improving the security postures of the OSS we use to build GitHub. The GitHub Security Lab audited DataHub, an open-source metadata platform that enables […]
