GitHub has made push protection, a feature that prevents developers from accidentally revealing secrets in their code, generally available. The feature was first announced in December 2022 as part of secret scanning to help developers and organizations identify any secrets exposed in their repositories.
GitHub later announced the general availability of secret scanning in March 2023, after offering it for free for public repositories. Push protection is now also generally available: it is free for all public repositories and can be used in private repositories with a GitHub Advanced Security license.
When push protection is enabled, developers are alerted as soon as they push a commit that contains a highly identifiable secret, and they are given guidance on how to remove that secret. Once the secret has been removed from the commit, the developer can re-push it.
Push protection only blocks secrets with low false positive rates, so when a commit is blocked, it is worth investigating. The platform is working with service providers to ensure a low false positive rate and is delivering exposure alerts directly to the developers’ IDEs or command line interfaces.
Push protection can be bypassed in urgent circumstances by providing a reason, such as “testing,” “false positive,” or “acceptable risk,” but whenever a bypass occurs, security managers and repository and organization administrators receive an email alert.
They can audit all bypasses via audit logs, REST API, alert view UI, and webhook events. Push protection can be enabled in the “Code security and analysis” settings in the “Secret scanning” section.
Clicking the “Enable all” button turns on both features, secret scanning and push protection, at once. GitHub customers with a GHAS license can also enable push protection for their custom secret patterns.