About push protection
Push protection is a secret scanning feature that is designed to prevent sensitive information, such as secrets or tokens, from being pushed to your repository in the first place. Unlike secret scanning, which detects secrets after they have been committed, push protection proactively scans your code for secrets during the push process and blocks the push if any are detected.
Push protection helps you avoid the risks associated with exposed secrets, like unauthorized access to resources or services. With this feature, developers get immediate feedback and can address potential issues before they become a security concern.
For information about the secrets and service providers supported by push protection, see Supported secret scanning patterns.
Push protection has some limitations. For more information, see Troubleshooting secret scanning.
How push protection works
Push protection blocks secrets detected in:
- Pushes from the command line. See Working with push protection from the command line.
- Commits made in the GitHub UI. See Working with push protection in the GitHub UI.
- File uploads to a repository on GitHub.
- Requests to the REST API. See Working with push protection from the REST API.
- Interactions with the GitHub MCP server (public repositories only). See Working with push protection and the GitHub MCP server.
Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push.
By default, anyone with write access to the repository can choose to bypass push protection by specifying one of the bypass reasons outlined in the table. If a contributor bypasses a push protection block for a secret, GitHub:
- Creates an alert in the Security tab of the repository.
- Adds the bypass event to the audit log.
- Sends an email alert to organization or personal account owners, security managers, and repository administrators who are watching the repository, with a link to the secret and the reason why it was allowed.
This table shows the alert behavior for each way a user can bypass a push protection block.
| Bypass reason | Alert behavior |
|---|---|
| It's used in tests | GitHub creates a closed alert, resolved as "used in tests" |
| It's a false positive | GitHub creates a closed alert, resolved as "false positive" |
| I'll fix it later | GitHub creates an open alert |
If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. For more information, see About delegated bypass for push protection.
You can also bypass push protection using the REST API. For more information, see REST API endpoints for secret scanning.
About the benefits of push protection
- Preventative security: Push protection acts as a frontline defense mechanism by scanning code for secrets at the time of the push. This preventative approach helps to catch potential issues before they are merged into your repository.
- Immediate feedback: Developers receive instant feedback if a potential secret is detected during a push attempt. This immediate notification allows for quick remediation, reducing the likelihood of sensitive information being exposed.
- Reduced risk of data leaks: By blocking commits that contain sensitive information, push protection significantly reduces the risk of accidental data leaks. This helps in safeguarding against unauthorized access to your infrastructure, services, and data.
- Efficient secret management: Instead of retrospectively dealing with exposed secrets, developers can address issues at the source. This makes secret management more efficient and less time-consuming.
- Ability to detect custom patterns: Organizations can define custom patterns for detecting secrets unique to their environment. This customization ensures that push protection can effectively identify and block even non-standard secrets.
- Delegated bypass for flexibility: For cases where false positives occur or when certain patterns are necessary, the delegated bypass feature allows designated users to approve specific pushes. This provides flexibility without compromising overall security.
Customizing push protection
Once push protection is enabled, you can customize it further:
Define custom patterns
Define custom patterns that push protection can use to identify secrets and block pushes containing these secrets. For more information, see Defining custom patterns for secret scanning.
Configure delegated bypass
Define contributors who can bypass push protection and add an approval process for other contributors. For more information, see About delegated bypass for push protection.
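The following Python is an added illustration, not GitHub's own push protection code (this page does not describe GitHub's detection internals). It models the behaviour described under "How push protection works" and "Customizing push protection": only the lines added by a push are scanned, built-in patterns are merged with organization-defined custom patterns, a match blocks the push with a message naming the file and line, and a bypass produces an alert in the state the table above gives for each reason. The diff, the `exmpl_` token format and the `acme-internal-` custom pattern are all constructed for the example and do not correspond to any real provider.

```python
"""Simplified model of a push-time secret scan (illustrative; not GitHub's implementation)."""
import re
from dataclasses import dataclass

# Constructed stand-in for a provider-supplied pattern; real provider formats are not shown here.
DEFAULT_PATTERNS = {
    "example_api_token": re.compile(r"\bexmpl_[A-Za-z0-9]{32}\b"),
}

# Hypothetical organization-defined custom pattern (see "Define custom patterns" above).
CUSTOM_PATTERNS = {
    "acme_internal_key": re.compile(r"\bacme-internal-[0-9a-f]{16}\b"),
}

# Bypass reasons from the table above, mapped to the alert state GitHub creates.
BYPASS_ALERT = {
    "used_in_tests": ("closed", "used in tests"),
    "false_positive": ("closed", "false positive"),
    "fix_later": ("open", None),
}

# Constructed unified diff standing in for the content of a push.
SAMPLE_DIFF = """diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,5 @@
 DEBUG = False
+API_TOKEN = "exmpl_ABCDEFGHIJKLMNOPQRSTUVWXYZ012345"
+INTERNAL_KEY = "acme-internal-0123456789abcdef"
 ALLOWED_HOSTS = ["localhost"]
+TIMEOUT = 30
"""


@dataclass
class Finding:
    path: str
    line_no: int
    pattern_name: str
    secret: str


def parse_added_lines(diff_text):
    """Yield (path, new_line_no, content) for every line a unified diff adds."""
    path, new_line = None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif line.startswith("@@"):
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@", line)
            if m is None:
                raise ValueError(f"malformed hunk header: {line!r}")
            new_line = int(m.group(1))
        elif line.startswith("+"):
            yield path, new_line, line[1:]
            new_line += 1
        elif not line.startswith("-") and not line.startswith("\\"):
            new_line += 1  # context line advances the new-file line counter


def scan_push(diff_text, custom_patterns=None):
    """Scan only the added lines of a push with built-in plus custom patterns."""
    patterns = {**DEFAULT_PATTERNS, **(custom_patterns or {})}
    findings = []
    for path, line_no, content in parse_added_lines(diff_text):
        for name, rx in patterns.items():
            for m in rx.finditer(content):
                findings.append(Finding(path, line_no, name, m.group(0)))
    return findings


def redact(secret):
    """Keep only the first and last four characters so the block message never echoes the secret."""
    if len(secret) <= 8:
        return "****"
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def push_decision(findings):
    """Return ('allowed', '') or ('blocked', message listing each finding)."""
    if not findings:
        return "allowed", ""
    lines = ["Push blocked: potential secret(s) detected"]
    for f in findings:
        lines.append(f"  {f.path}:{f.line_no}  {f.pattern_name}  {redact(f.secret)}")
    lines.append("Remove the sensitive data, amend the commit, and push again.")
    return "blocked", "\n".join(lines)


def bypass(findings, reason):
    """Model a bypass: one alert per finding in the state the table prescribes, plus an audit entry."""
    state, resolution = BYPASS_ALERT[reason]
    return [
        {"secret": redact(f.secret), "pattern": f.pattern_name,
         "state": state, "resolution": resolution, "audit_event": "push_protection_bypass"}
        for f in findings
    ]


if __name__ == "__main__":
    found = scan_push(SAMPLE_DIFF, CUSTOM_PATTERNS)
    verdict, message = push_decision(found)
    print(verdict)
    print(message)
```

Run as a script, the sample push is blocked with two findings, one from the built-in pattern and one from the custom pattern; scanning with the default patterns alone reports only the first, which is the gap custom patterns are meant to close.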