{"id":2360,"date":"2025-08-12T16:08:45","date_gmt":"2025-08-12T16:08:45","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2025\/08\/12\/hunting-living-secrets-secret-validity-checks-arrive-in-github-advanced-security-for-azure-devops\/"},"modified":"2025-08-12T16:08:45","modified_gmt":"2025-08-12T16:08:45","slug":"hunting-living-secrets-secret-validity-checks-arrive-in-github-advanced-security-for-azure-devops","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2025\/08\/12\/hunting-living-secrets-secret-validity-checks-arrive-in-github-advanced-security-for-azure-devops\/","title":{"rendered":"Hunting Living Secrets: Secret Validity Checks Arrive in GitHub Advanced Security for Azure DevOps"},"content":{"rendered":"

If you\u2019ve ever waded through a swamp of secret scanning alerts wondering, \u201cWhich of these are actually dangerous right now?\u201d \u2014 this enhancement is for you.<\/p>\n

Secret validity checks in GitHub Advanced Security for Azure DevOps<\/strong> (and the standalone Secret Protection<\/strong> experience) add a high\u2011signal field to each alert: Active (still usable), or Unknown (couldn\u2019t be verified).<\/p>\n

Instead of treating every alert like a five\u2011alarm fire, you can now fast\u2011path the truly risky stuff and spend less time chasing ghosts.<\/p>\n

TL;DR<\/h3>\n

Status
\nWhat it really means
\nFirst instinct<\/p>\n

Active
\nThe credential still works right now.
\nFix immediately.<\/p>\n

Unknown
\nCouldn\u2019t verify (no activity, unsupported, provider issue, throttling, network).
\nTreat as possibly active; retry or rotate if sensitive.<\/p>\n

Why This Matters<\/h3>\n

Traditional secret scanning:<\/p>\n

Found something \u2192 raise alert \u2192 you investigate \u2192 sometimes it was revoked months ago \u2192 wasted cycles.<\/p>\n

Secret scanning + validity checks:<\/p>\n

Found something \u2192 provider queried automatically \u2192 you know if it still opens doors.<\/p>\n

This feature doesn\u2019t revoke secrets for you\u2014it improves prioritization<\/strong>. You spend your time on \u201cliving\u201d (Active) secrets first, not archaeological specimens.<\/p>\n

How It Works<\/h3>\n

Secret scanning detects a string matching a supported partner\/provider pattern.
\nThe platform securely queries the provider to confirm whether the credential still works.
\nYou get a status: Active or Unknown.
\nYou trigger an on\u2011demand verification after remediation to confirm it is no longer active.<\/p>\n

Supported provider patterns are listed here <\/a>(bookmark it; it will evolve). If a pattern isn\u2019t supported, the alert may remain Unknown<\/strong>\u2014that\u2019s expected.<\/p>\n

Before You Start<\/h3>\n

Make sure:<\/p>\n

GitHub Advanced Security for Azure DevOps is enabled for the project\/repository (or Secret protection is enabled in the standalone experience).
\nSecret scanning is turned on (validity checks are an enhancement, not a standalone feature).<\/p>\n

Once those are true, validity checks just start for newly detected supported secret types. No extra toggle. No YAML fiddling.<\/p>\n\n

Typical Workflow<\/h3>\n

\n Filter for Active secrets<\/strong>\n <\/p>\n\n

\n I see list filters to only results that are Active <\/strong>\n <\/p>\n\n

\n Open an Active alert and see when it was last verified<\/strong>\n <\/p>\n\n

\n I then proceed with the recommended remediation, including rotation\/revocation and code removal.<\/strong>\n <\/p>\n

\n Run on\u2011demand verification by clicking \u201cVerify Secret\u201d<\/strong>\n <\/p>\n\n

\n Wait a couple of minutes, verification has updated<\/strong>\n <\/p>\n\n

\n Sweep Unknown secrets<\/strong>\n <\/p>\n

Strategy: Retry verification later, or treat as Active if it\u2019s high\u2011privilege or high\u2011impact.<\/p>\n

\n Close alerts<\/strong> according to your policy once remediation + verification (if applicable) are complete.\n <\/p>\n

Dealing with \u201cUnknown\u201d<\/h3>\n

Unknown \u2260 safe.<\/strong> Classify Unknown secrets with three quick questions:<\/p>\n

What is the potential blast radius? (Production infrastructure vs. internal sandbox.)
\nHow sensitive is the data it gates?
\nWhat\u2019s the rotation cost? (Cheap to rotate? Do it.)<\/p>\n

If 2+ factors lean \u201crisky,\u201d act as if Active and remediate.<\/p>\n

FAQ Quick Hits<\/h3>\n

Does this revoke secrets automatically?<\/strong>
\nNo. It informs prioritization; remediation is manual (or via your automation).<\/p>\n

Will all secret types support validation?<\/strong>
\nMore partners will onboard over time\u2014track the supported patterns list.<\/p>\n

Final Call to Action<\/h3>\n

Confirm secret scanning is enabled.
\nFilter for Active secrets today.
\nUse built-in Recommendations & Remediation.
\nRun on-demand verification to validate your fix.
\nTrack how quickly you neutralize live credentials, then improve from there.<\/p>\n

Fewer ghosts. More real wins.<\/p>\n

Happy hunting.<\/strong><\/p>\n

Appendix: Reference Link<\/h3>\n

Explore secret scanning in greater depth<\/a>
\nSupported provider patterns for validation<\/a>
\nConfigure GitHub Advanced Security for Azure DevOps features \u2013 Azure Repos | Microsoft Learn<\/a>
\nCurious what\u2019s new? Our release notes have the highlights<\/a><\/p>\n

The post Hunting Living Secrets: Secret Validity Checks Arrive in GitHub Advanced Security for Azure DevOps<\/a> appeared first on Azure DevOps Blog<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"

If you\u2019ve ever waded through a swamp of secret scanning alerts wondering, \u201cWhich of these are actually dangerous right now?\u201d […]<\/p>\n","protected":false},"author":0,"featured_media":2361,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2360","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/2360","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=2360"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/2360\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media\/2361"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=2360"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=2360"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=2360"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}