In today's cybersecurity landscape, protecting sensitive information is crucial, especially for organizations working with the Centers for Medicare & Medicaid Services (CMS). GitHub Secret Scanning has emerged as a valuable tool in this effort, not only enhancing security but also aiding in meeting various requirements within the Zero Trust Applications Pillar and the Acceptable Risk Safeguards (ARS) controls.

What is GitHub Secret Scanning?

GitHub Secret Scanning is a security feature that automatically detects and verifies secret tokens, private keys, and other sensitive information in GitHub repositories. It helps prevent the accidental exposure of credentials that could lead to security breaches.

Why use GitHub Secret Scanning?

• High-Confidence Validation: GitHub can verify detected secrets with service providers, significantly reducing false positives. This allows security teams to focus on real, actionable threats.
• Native Integration: As a built-in GitHub feature, it seamlessly integrates with existing workflows, requiring no additional setup.
• Partner Program: GitHub collaborates with numerous service providers to enable automatic revocation of exposed secrets, offering an unparalleled level of protection.
• Push Protection: GitHub can block commits containing secrets, preventing sensitive information from being added to the repository.
• Custom Patterns: Organizations can define secret patterns specific to their internal tools and systems, extending protection beyond standard API keys and tokens.
• Retroactive Scanning: GitHub can scan entire Git histories, not just new commits, helping identify previously exposed secrets.

Real-world example: Secret Scanning in action

Let's walk through a realistic scenario that showcases how GitHub Secret Scanning's push protection feature works:

A developer is working on a project that requires AWS credentials to implement S3 uploading. They accidentally include an AWS access key in their code while setting up the new feature. Here's how GitHub Secret Scanning prevents this secret from being exposed:

1. Local commit: The developer commits the changes locally, including the file containing the AWS access key.

       $ git commit -m "Add S3 upload functionality"

2. Attempted push fails via Github's push protection: The developer attempts to push their commits to the remote GitHub repository. As part of the push process, GitHub Secret Scanning analyzes the contents of the push in real-time.  The scanning process identifies the AWS access key in the code being pushed. The developer receives a clear notification that the push was rejected due to the presence of a secret (in this case, an AWS access key). Along with the rejection notice, GitHub provides guidance on how to remove the secret from the code and store it securely (e.g., using environment variables or a secure secret management system).

        $ git push

        ...

        remote: error GH009: Secrets detected! This push failed.
        remote:
        remote: GITHUB PUSH PROTECTION
        remote: Resolve the following secrets before pushing again.
        remote:
        remote: (?) Learn how to resolve a blocked push
        remote: https://docs.github.com/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection
        ...   

3. Revision and retry: The developer removes the secret from their code, replaces it with a secure alternative, commits the changes, and attempts the push again.

       $ git commit --amend -u origin

4. Successful push: With the secret removed, the subsequent push is successful.

Supporting ARS controls

GitHub Secret Scanning supports several ARS controls:

• SI-4 (Information System Monitoring): Acts as a continuous monitoring tool, constantly scanning repositories for potential security risks.
• SI-7 (Software, Firmware, and Information Integrity): Helps maintain the integrity of software by detecting unauthorized changes that might include the addition of secrets.
• SI-12 (Information Management and Retention): Aids in proper handling of sensitive information throughout its lifecycle in the development process.
• AC-3 (Access Enforcement): Prevents unauthorized access by identifying exposed secrets that could lead to credential leaks.
• RA-5 (Vulnerability Scanning): While not a traditional vulnerability scanner, it identifies potential security weaknesses in code repositories.
• SC-28 (Protection of Information at Rest): Detects secrets in code repositories, helping protect sensitive information at rest.
• IR-4 (Incident Handling): Enables quick detection and response to potential security incidents involving exposed secrets.

How does GitHub Secret Scanning apply to the Zero Trust Application Pillar?

GitHub Secret Scanning aligns closely with the Zero Trust Applications and Workloads Pillar, as outlined in CISA's Zero Trust Maturity Model 2.0. It significantly contributes to maturing CMS Systems' application security practices, moving them from traditional approaches towards more advanced and optimal states. Let's explore how GitHub Secret Scanning advances key functions within this pillar:

1. Application Threat Protections: GitHub Secret Scanning integrates advanced threat protection directly into the application development workflow. By providing real-time detection of potential secrets in code, it offers immediate, application-specific protection against the critical threat of sensitive information exposure. This helps move CMS systems from traditional, minimally integrated protections towards optimal, real-time, content-aware protections tailored to applications.
2. Secure Application Development and Deployment Workflow: While not creating fully immutable workloads, GitHub Secret Scanning significantly enhances the security of the development and deployment process. By integrating secret detection at the push stage, it adds an automated security check before code reaches production environments, advancing CMS systems towards a more mature state of automated, secure deployment processes.
3. Application Security Testing: GitHub Secret Scanning automates a crucial aspect of application security testing by continuously scanning for secrets throughout the development process. This helps move CMS systems closer to the optimal state of integrating automated security testing throughout the entire software development lifecycle, including after deployment.
4. Visibility and Analytics Capability: By providing real-time alerts on detected secrets, GitHub Secret Scanning enhances visibility and analytics capabilities for application security. It offers continuous monitoring for secret exposure, advancing CMS systems towards more comprehensive, automated security monitoring.

By incorporating GitHub Secret Scanning, CMS Systems make significant strides in maturing their Zero Trust approach, particularly in the Applications and Workloads pillar. While it doesn't single-handedly bring systems to the optimal stage in all functions, it represents a substantial advancement from traditional or initial stages towards advanced or even optimal in several key areas. This tool embodies core Zero Trust principles by continuously verifying security at the application level, never trusting that code is secure just because it's within the development environment.

As CMS Systems continue to evolve their Zero Trust architecture, GitHub Secret Scanning serves as a cornerstone in ensuring that application security is integrated, automated, and continuously enforced throughout the development lifecycle.

Next Steps: CMS Hybrid Cloud Security Operations Team Guidance

The CMS Hybrid Cloud Security Operations (SecOps) team is developing further guidance and operational responses, including:

1. Configuring and optimizing GitHub Secret Scanning for https://github.com/CMS-Enterprise.
2. Best practices for integrating secret scanning into existing processes.
3. Strategies for responding to and managing detected secrets effectively.
4. Information on how this tool fits into our broader security and compliance strategy.

Stay tuned for announcements about upcoming sessions and resources.

Conclusion

GitHub Secret Scanning is a powerful ally in maintaining robust security practices, achieving ARS compliance, and supporting zero trust principles. By automatically detecting and alerting on exposed secrets, it addresses multiple ARS controls, reinforces zero trust security, and provides an extra layer of protection for sensitive information. While it's a valuable tool, it should be part of a comprehensive security strategy. With guidance from our SecOps team, we'll be well-equipped to maximize its benefits across our organization, further strengthening our approach to zero trust security.