How we use Github Token Scanning to check for API key exposure
As part of our on-going commitment to improve the security of our service and that of our customers we have implemented access token scanning across GitHub to check for API key exposure.
What does that mean for me?
During development, secrets such as API keys are necessary to connect through to services and authenticate. Managing these keys can be challenging – keeping them out of source code and keeping control over them often leads to turtles all the way down in storing these.
Using our partnership with Github for “Token Scanning”, we have added checks that mean if a GoCardless access token is checked into Github, we can take action to secure your account and protect you and your customers from fraud and data exposure.
We are really pleased to be an early adopter of this feature which is already delivering value.
What does GoCardless do?
When an access token is detected in Github, we utilise a webhook to trigger a workflow to validate the access token. When this happens, we automatically notify you to advise of a potential breach.
These checks provide an extra safety check to protect you and your customers from a potential security breach. It is one of the ways that we are applying privacy and security by design across our products. We already extensively use Dependabot (which was recently acquired by Github and started as a project at GoCardless) that we use to keep our third party dependencies up to date in our libraries and internal projects.
Our security team will investigate to understand why the access token ended up in GitHub and what else we can do to better support our integrators.
Visit our FAQs to find out more about how we approach security at GoCardless.