Github Push Protection

Ok, age old problem: someone on your team takes a shortcut for testing something by adding a credentials.txt file to the project folder, goes to lunch, then forgets about the file and pushes a commit, containing passwords. Couple hours later, the internet is having a party on the system in question…

So far, so bad. Github’s new solution for the problem? GitHub Advanced Security secret scanning! You can now enable “Push Protection” in your settings which will scan commits for known patterns looking like passwords, API keys, and so on from service providers that have partnered up with GitHub on this.

That’s right, Microsoft basically put snake oil an anti virus scanner engine in the GitHub commit queue. In other words, we finally have the equivalent of “I’m running AV software, so I can click on that mail attachment” for programmers - Progress!

If anyone still thinks, that’s a good idea, then I’ll put forward the following argument: this scanner does not prevent password leaks. Credentials are already leaked the moment, the negligent developer sends the push request. The secrets may no longer go public, but they are now conveniently aggregated by a subsystem, which has a nice big target on its back.

The point I’m making here is that this is the wrong approach to system security. It just teaches developers that they can be careless because there is might be a failsafe, while project owners could think, simply rejecting the push saves them from having to go through the whole recovery mechanism (changing passwords, notifying users, ripping the dev in question a new one, …).