Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitHub / GitHub Checkout / 14 Sep 2022
GitHub / GitHub Checkout / 14 Sep 2022
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Learn how to dry run custom patterns for secret scanning

Description

GitHub Advanced Security customers can now dry run their secret scanning custom patterns on all repositories within an organization.

In this edition of GitHub Checkout, Secret Scanning Product Manager Mariam Sulakian shows us how to dry run custom patterns for your entire organization.

Presented by: Andrea Griffiths

A

Hi welcome to github checkout, I'm andrea and I have a very special guest with us today maryam would you join us hi miriam hi.

B

Thank you for having me, I am the product manager for github's secret scanning. So today I'm going to show you our dry run feature for secret scanning's custom patterns, which is now generally available to github advanced security customers. So let's hop right into it.

B

So in my organization and the organization of your choice, if you have github advanced security, enabled which I do here, I have secret scanning enabled I can go into my custom patterns and click new pattern. Again, I'm working at the org level, but I can do this at the repo enterprise level as well. Let's say I'm looking for a g private key there we go, I'm going to add in my pattern, string that I want to match and I have more options here too.

B

So if I want to add in something before my secret after or add additional requirements, I can do that. But, let's just say for time's sake, I'm just going to go into the sample test string and just to test things out, make sure they're working as they should now. I see I've had a match, I'm going to click, save and dryer. Now so I could select up to 10 repositories. I want to dry around this on.

B

Let's say this one here or I can just easily dry run on all repos in my organization, so I will click run here now, I'll just either wait for a dry run to be queued and wait for results to show up on screen or if I don't want to wait. Let's say you have a huge organization.

B

You could just wait for that email to pop up in your email inbox, which will let you know that the dry iron is complete. Let's say for now I just reload here you can see. I have a good number of findings within my organization, so I can give these a little test. I can go here see if it looks like a legitimate finding. I think that it does. I can easily do that through all the findings in my organization and if things look good and again, I just figured out yeah looks good to me.

B

I can just publish pattern and just like that. My pattern is published. So if I go in back to my code, security analysis, scroll down, I now see a gpg private key. That is a published pattern. So now, once you've published your pattern, what happens next? So let's say I go back to my organization.

B

I go to security secret scanning and there are all of my findings so now I can get the right people to go in and figure out what to do with this custom pattern.

A

Thank you so much for that demo, and can you explain to me a little bit about like why do we even build this to begin with? Why did we build.

B

That's a great question, so we launched custom patterns back in june of 2021 and almost immediately. We noticed that admins could write patterns, but they didn't want. They were sometimes afraid to just publish those patterns right off the bat, because custom patterns can be pretty noisy if you're scanning for generic type secrets, for example.

B

So we built custom patterns with dry runs so that admins could test their custom patterns before they actually publish the patterns and potentially spam their developers with thousands of alerts. So the idea is that, after a dry run, admins have the information they need to make a decision on whether or not they should publish that custom pattern or if they need to make a few tweaks before they hit that publish button.

A

That makes a lot of sense. No one likes a million notifications. Thank you. So, have you seen any experiences of customers where this actually has already helped them, and how do we know that.

B

Yeah, so custom patterns has helped unblock a lot of customers already using custom patterns, but maybe they were only using it at the repo level because they were a little iffy on taking a custom pattern and publishing it on the entire org. So we've seen a lot of especially large customers now using custom patterns at the org level.

B

A huge shift from just the repo to the org level and about 70 percent of customers, publish their patterns or 70 percent of patterns are published at the org level without being deleted or edited after publish this means that admins are creating patterns intentionally so that they don't need to go back in and change things once that pattern is live and once their organization is actually receiving those associated alerts.

B

It's a huge reduction in poorly defined patterns.

A

That's wonderful and miriam: how can we learn more about this.

B

Yeah, so we have a great blog post, explaining our feature: how we've brought it to be generally available for all of github advanced security. So you can check out that blog post.

A

That's awesome. Thank you for teaching us about dry runs today. Super excited for all of you to check it out. Try it out. Thank you miriam for being with us today. All of you folks, don't forget to subscribe to our channel for more kehalf check out.