Secret Scanning Protection is a key feature of GitHub Advanced Security (GHAS) that helps prevent the accidental exposure of sensitive information such as API keys, credentials, and tokens in source code.
Purpose
Secret scanning proactively detects and alerts on secrets committed to repositories. It includes push protection, which blocks commits containing specific secrets before they reach the repository.
Enablement Process at the Organization Level
Benefits
Remediation
Team members with maintainers role do not have access to view secrets in security tab at repo level. Only admin and security manager role has access to view/remediate secret alerts.
After Enabling Secret Protection:
Excluding folders and files from secret scanning
You can customize secret scanning to automatically close alerts for secrets found in specific directories or files by configuring a secret_scanning.yml file in your repository.
Feature | Description |
Validity checks | Automatically verify if a secret is valid by sending it to the relevant partner. |
Non-provider patterns | Scan for non-provider patterns. Learn more about non-provider patterns. |
Scan for generic passwords | Copilot Secret Scanning detects passwords using AI. Learn more about generic password detection. |
Push protection | Block commits that contain supported secrets. |
Copilot Secret Scanning:
Below is an example of a commit detected by secret scan. GH would alert the user through email.
Example:
The default alerts list displays alerts that relate to supported patterns and specified custom patterns. This is the main view for alerts.
The generic alerts list displays alerts that relate to non-provider patterns (such as private keys), or generic secrets detected using AI (such as passwords). These types of alerts can have a higher rate of false positives or secrets used in tests. You can toggle to the generic alerts list from the default alerts list.
Push Protection: Block commits that contain supported secrets.
Service providers update the patterns used to generate tokens periodically and may support more than one version of a token. Push protection only supports the most recent token versions that secret scanning can identify with confidence. This avoids push protection blocking commits unnecessarily when a result may be a false positive, which is more likely to happen with legacy tokens.
In above screenshots, user is provided with a github link to browse as shown below
Select a suitable option above to bypass push protection.
When you allow a secret to be pushed, an alert is created in the Security tab. GitHub closes the alert and doesn't send a notification if you specify that the secret is a false positive or used only in tests. If you specify that the secret is real and that you will fix it later, GitHub keeps the security alert open and sends notifications to the author of the commit, as well as to repository administrators. For more information, see Managing alerts from secret scanning.
About secret scanning - GitHub Docs
Push protection blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block. Push protection can be applied at the repository, organization, and user account level.
Who can use this feature?
Push protection is available for the following repository types:
In this article
Push protection is a secret scanning feature that is designed to prevent sensitive information, such as secrets or tokens, from being pushed to your repository in the first place. Unlike secret scanning, which detects secrets after they have been committed, push protection proactively scans your code for secrets during the push process and blocks the push if any are detected.
Push protection helps you avoid the risks associated with exposed secrets, like unauthorized access to resources or services. With this feature, developers get immediate feedback and can address potential issues before they become a security concern.
You can enable push protection:
Push protection has some limitations. For more information, see Troubleshooting secret scanning.
Push protection works:
Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push.
By default, anyone with write access to the repository can choose to bypass push protection by specifying one of the bypass reasons outlined in the table. If a contributor bypasses a push protection block for a secret, GitHub:
This table shows the behavior of alerts for each way a user can bypass a push protection block.
Bypass reason | Alert behavior |
It's used in tests | GitHub creates a closed alert, resolved as "used in tests" |
It's a false positive | GitHub creates a closed alert, resolved as "false positive" |
I'll fix it later | GitHub creates an open alert |
If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. For more information, see About delegated bypass for push protection.
About the benefits of push protection
Every user across GitHub can also enable push protection for themselves within their individual settings. Enabling push protection for your user account means that your pushes are protected whenever you push to a public repository on GitHub, without relying on that repository to have push protection enabled. For more information, see Push protection for users.
Define custom patterns that push protection can use to identify secrets and block pushes containing these secrets. For more information, see Defining custom patterns for secret scanning.
From <https://docs.github.com/en/code-security/secret-scanning/introduction/about-push-protection>
Note
Push protection and validity checks are not supported for non-provider patterns.
Below link provides all supported secrets for push protection.
Review the Alert
While closing the alert, select appropriate action, add relevant comment and close the alert as shown below
More helpful articles listed below
Learn about the different types of secret scanning alerts.
Learn how to find and filter secret scanning alerts for users for your repository.
Learn about additional features that can help you evaluate alerts and prioritize their remediation, such as checking a secret's validity.
After reviewing the details of a secret scanning alert, you should fix and then close the alert.
Learn how and when GitHub will notify you about a secret scanning alert.