The shift-left movement made code hygiene and supply chain hygiene paramount. But what if the risk to your codebase comes from an intentional act—an external attacker using stolen credentials or an insider with harmful intent? If you can’t monitor who has access to what in your GitHub environment, you’re likely reacting too late. At Oleria, we help our clients secure their GitHub environments from the inside out. Our solution gives you centralized visibility into risks across your GitHub environment. Continuous risk monitoring surfaces anomalous activities, and Access Graphs make it quick and easy to investigate and respond—before insidious actions compromise your codebase. We’re veteran GitHub users like you—and we built Oleria Adaptive Security to allow developers to leverage GitHub’s flexibility, without limiting your security team’s visibility to untangle complex permissions. #GitHub #DataBreaches #IdentitySecurity #CloudSecurity
Oleria's activity
-
“GitHub emphasizes the importance of regular verification of GitHub.com commits outside of the platform, as well as vulnerability patching. Users conducting verifications, including those in GHES, are encouraged to import the new public key hosted by GitHub. Regularly pulling the public key is recommended to ensure the usage of the most current data from GitHub, facilitating seamless adoption of new keys in the future.
-
#NEWS #SHARE GitHub enables push protection by default to stop secrets #leak. GitHub has enabled push protection by default for all public repositories to prevent accidental exposure of secrets such as access #tokens and API keys when pushing new code. Today's announcement comes after the company introduced push protection in beta almost two years ago, in April 2022, as an easy way to prevent sensitive information leaks automatically. The feature became generally available for all public repos in May 2023. Push protection proactively prevents leaks by scanning for secrets before 'git #push' operations are accepted and blocking the commits when a secret is detected. https://lnkd.in/gAXF3g9a
GitHub enables push protection by default to stop secrets leak
bleepingcomputer.com
-
One of the hardest parts of securing your company's secrets sprawl is first understanding your total exposure. You might have your corporate sources covered, but what about the public space? GitGuardian has just released a free tool to help you get an instant audit of your GitHub attack surface, including:
- The number of developers committing publicly
- The number of secrets exposed
- How many of those secrets are still valid
You can run the audit yourself here: https://lnkd.in/ehyiBydH Try it out, and feel free to reach out directly if you want more info!
GitHub Security Audit | GitGuardian
gitguardian.com
-
1 in 10 authors exposed a secret in 2022 on #GitHub, making organizations & software prone to hacking. Check out this guide by Nitin Naidu to enable #SecretScanning in popular #Git platforms to avoid accidentally exposing crucial passwords: https://lnkd.in/gJjQENdW #itsecurity
How to Prevent Secret Leaks in Your Repositories
infracloud.io
-
Do you have a solution in place that continuously scans your repos for malicious code? Come talk to me about a solution!
Given that GitHub hosts over 100M developers building across over 420M repositories, this is very concerning! https://lnkd.in/ec7F4Euh
Millions of GitHub Repos Found Infected with Malicious Code
https://gbhackers.com
-
GitHub reconnaissance is an important aspect of attack surface management, particularly for organizations and individuals who rely heavily on software development and open-source code. You might find the GitHub dork list useful: https://lnkd.in/gbudptGZ
Importance of GitHub Reconnaissance in CASM & CART
firecompass.com
-
In a recent post of my predictions, I talked about poison attacks on AI services from competition to make competitors look bad. This scenario will do just that if undetected. This is not the end to this scenario.
GitHub Copilot vulnerability - “Invisible Ghost”. Imagine your Copilot secretly spreading malicious instructions throughout your codebase, jumping between files, while damaging the organization’s repository and the integrity of your projects - that’s exactly what the Apex Research Team found. By leveraging hidden instructions, we made GitHub Copilot receive, accept, and act according to malicious prompts, bypassing its internal defense mechanisms, yielding false/malicious suggestions. By exploiting “Invisible Ghost” we were able to manipulate Copilot behavior, leading to:
-> False suggestions and broken code outputs
-> Malicious or vulnerable suggestions
-> Deployment of an invisible backdoor (see our Bazinga example!)
-> Due to its stealthiness, the exploit can propagate between users and across repos!
Those can damage your code quality and security, disrupt your organization's development velocity and safety, ultimately leading to a complete GitHub Copilot DOS for the organization. Don’t let your org’s security be compromised by invisible threats; check out the full report - by Fufu Shpigelman, Omer Katz, and Oren Saban - for details and mitigation strategies: https://lnkd.in/dyP9Ukk8 #AISecurityRisks #GitHubCopilot P.S. GitHub's stance? “It’s the user’s responsibility.” What’s your view on this?
-
Couple of thoughts: first, please be careful who you share GitHub access tokens with. Powerful stuff. Second, let's not call a bug / flaw in your API an "attack" by default. I understand why you want to deflect blame, but owning your mistakes is the first step to rebuilding trust.
Mintlify says customer GitHub tokens exposed in data breach | TechCrunch
https://techcrunch.com
-
GitHub personal access tokens (PAT) are valuable loot. Use Gato-X to enumerate token permissions and identify potential lateral movement opportunities when you find a GitHub PAT. You might be surprised by the access you can gain within an organization. https://lnkd.in/dfyuXrWz
GitHub - AdnaneKhan/Gato-X: GitHub Attack Toolkit - Extreme Edition
github.com
-
The Legit research team recently published The State of GitHub Actions Security report. This report highlights our findings and conclusions after analyzing 2,500,000 GitHub Actions workflow files belonging to 553,000 organizations and personal users. Ultimately, we found the state of GitHub Actions security concerning. The lack of dependency pinning is especially alarming. Dependency pinning specifies which package or library an Action can rely on. A famous example of the danger of using third-party software without dependency pinning is the CodeCov breach where attackers were able to modify the CodeCov CI script to exfiltrate the CI runner environment variable. Get more details on our analysis in our blog post: https://hubs.ly/Q02JcRgw0 #GitHub #ASPM #ApplicationSecurity #LegitSecurity
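As an added illustration of the dependency-pinning point in the post above (this is example code, not the Legit report's own tooling), a small checker that walks a GitHub Actions workflow and flags every third-party `uses:` reference pinned to a mutable tag or branch rather than an immutable full commit SHA. The workflow text and the 40-hex SHA in it are constructed placeholders.

```python
import re

# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v3.8.2
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: npm test
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Captures the reference after `uses:` up to whitespace or a trailing comment.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")


def classify_ref(ref):
    """Classify how a `uses:` reference is pinned: sha, tag, branch, local or docker."""
    if ref.startswith("./"):
        return "local"   # same-repo action: it moves with the commit being built
    if ref.startswith("docker://"):
        return "docker"  # container image: pin by digest, checked separately
    _, _, version = ref.partition("@")
    if FULL_SHA.match(version):
        return "sha"     # immutable: the only form that survives a moved tag
    if version and re.match(r"^v?\d", version):  # v4, v3.8.2, 1.2 ...
        return "tag"     # mutable: the tag can be re-pointed by the action owner
    return "branch"      # mutable: tracks whatever the branch head becomes


def find_unpinned(workflow_text):
    """Return (ref, kind) for each third-party action not pinned to a full SHA."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_LINE.match(line)
        if m:
            kind = classify_ref(m.group(1))
            if kind in ("tag", "branch"):
                findings.append((m.group(1), kind))
    return findings


if __name__ == "__main__":
    for ref, kind in find_unpinned(SAMPLE_WORKFLOW):
        print(f"unpinned ({kind}): {ref}")
```

Run it over each file under `.github/workflows/` in CI to fail the build on any tag- or branch-pinned third-party action.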