
Protecting pushes with secret scanning

You can use secret scanning to prevent supported secrets from being pushed into your organization or repository by enabling push protection.

Secret scanning is available for organization-owned repositories in GitHub Enterprise Server if your enterprise has a license for GitHub Advanced Security. For more information, see "About GitHub Advanced Security."

Note: Your site administrator must enable secret scanning for your GitHub Enterprise Server instance before you can use this feature. For more information, see "Configuring secret scanning for your appliance."

Note: Secret scanning as a push protection is currently in beta and subject to change. To request access to the beta, contact your account management team.

About push protection for secrets

Up to now, secret scanning checks for secrets after a push and alerts users to exposed secrets. When you enable push protection, secret scanning also checks pushes for high-confidence secrets (those identified with a low false positive rate). Secret scanning lists any secrets it detects so the author can review the secrets and remove them or, if needed, allow those secrets to be pushed.

If a contributor bypasses a push protection block for a secret, GitHub:

  • creates an alert in the "Security" tab of the repository in the state described in the table below.
  • adds the bypass event to the audit log.

This table shows the alert behavior for each way a user can bypass a push protection block.

Bypass reason          Alert behavior
It's used in tests     GitHub creates a closed alert, resolved as "used in tests"
It's a false positive  GitHub creates a closed alert, resolved as "false positive"
I'll fix it later      GitHub creates an open alert

For information on the secrets and service providers supported for push protection, see "Secret scanning patterns."

Enabling secret scanning as a push protection

For you to use secret scanning as a push protection, the organization or repository needs to have both GitHub Advanced Security and secret scanning enabled. For more information, see "Managing security and analysis settings for your organization," "Managing security and analysis settings for your repository," and "About GitHub Advanced Security."

Organization owners, security managers, and repository administrators can enable push protection for secret scanning via the UI and API. For more information, see "Repositories" and expand the "Properties of the security_and_analysis object" section in the REST API documentation.
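The REST API route mentioned above is the repository endpoint with its security_and_analysis object. The following is an added example (not GitHub's own code or documentation) that builds the PATCH request to turn push protection on or off, checks the prerequisites the previous paragraph names (Advanced Security and secret scanning enabled) from a repository object, and reads the current status back. The API base URL (HOSTNAME is a placeholder for your GitHub Enterprise Server host), the token variable and the helper names are assumptions made for this example.

```python
"""Enable or inspect secret scanning push protection through the REST API.

Added example; not GitHub's own client code. Assumes a GitHub Enterprise
Server instance reachable at HOSTNAME and a token with admin rights on the
repository.
"""
import json
import urllib.request

# Placeholder: replace HOSTNAME with your GitHub Enterprise Server host.
API_BASE = "https://HOSTNAME/api/v3"


def build_push_protection_request(owner, repo, enabled=True, api_base=API_BASE):
    """Return (method, url, body) for the PATCH that sets push protection.

    Only the secret_scanning_push_protection key of security_and_analysis is
    sent, so the Advanced Security and secret scanning settings themselves are
    left untouched.
    """
    status = "enabled" if enabled else "disabled"
    body = {
        "security_and_analysis": {
            "secret_scanning_push_protection": {"status": status}
        }
    }
    return "PATCH", f"{api_base}/repos/{owner}/{repo}", body


def prerequisites_met(repo_json):
    """True when both GitHub Advanced Security and secret scanning are enabled
    in a repository object as returned by GET /repos/{owner}/{repo}."""
    sa = repo_json.get("security_and_analysis") or {}
    return all(
        (sa.get(key) or {}).get("status") == "enabled"
        for key in ("advanced_security", "secret_scanning")
    )


def push_protection_status(repo_json):
    """Push protection status from a repository object, or None when the field
    is absent (for example, no Advanced Security license or the caller is not
    an administrator)."""
    sa = repo_json.get("security_and_analysis") or {}
    return (sa.get("secret_scanning_push_protection") or {}).get("status")


def send(method, url, body, token):
    """Perform the request; returns the decoded JSON response.

    Not exercised offline; shown so the whole flow is visible in one place.
    """
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode() if body is not None else None,
        method=method,
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    import os
    import sys

    owner, repo = sys.argv[1], sys.argv[2]
    token = os.environ["GITHUB_TOKEN"]  # assumption: token supplied via the environment
    current = send("GET", f"{API_BASE}/repos/{owner}/{repo}", None, token)
    if not prerequisites_met(current):
        sys.exit("Enable GitHub Advanced Security and secret scanning first")
    if push_protection_status(current) != "enabled":
        send(*build_push_protection_request(owner, repo, True), token)
    print("push protection:", push_protection_status(
        send("GET", f"{API_BASE}/repos/{owner}/{repo}", None, token)))
```

The prerequisite check runs before the PATCH because the request only succeeds when the repository already has Advanced Security and secret scanning enabled, as the previous paragraph states; sending the three keys together in one body would otherwise be tempting but hides which prerequisite was missing.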

Enabling secret scanning as a push protection for an organization

  1. On your GitHub Enterprise Server instance, navigate to the main page of the organization.

  2. Under your organization name, click Settings.

  3. In the "Security" section of the sidebar, click Code security and analysis.

  4. Under "Code security and analysis", find "GitHub Advanced Security."

  5. Under "Secret scanning", under "Push protection", click Enable all.

  6. Optionally, click "Automatically enable for repositories added to secret scanning."

Enabling secret scanning as a push protection for a repository

  1. On your GitHub Enterprise Server instance, navigate to the main page of the repository.

  2. Under your repository name, click Settings.

  3. In the "Security" section of the sidebar, click Code security and analysis.

  4. Under "Code security and analysis", find "GitHub Advanced Security."

  5. Under "Secret scanning", under "Push protection", click Enable.

Using secret scanning as a push protection from the command line

When you attempt to push a supported secret to a repository or organization with secret scanning as a push protection enabled, GitHub will block the push. You can remove the secret from your branch or follow the provided URL to allow the push.

Up to five detected secrets will be displayed at a time on the command line. If a particular secret has already been detected in the repository and an alert already exists, GitHub will not block that secret.


If you confirm a secret is real, you need to remove the secret from your branch and from every commit it appears in before pushing again. For more information about remediating blocked secrets, see "Pushing a branch blocked by push protection."

If you confirm a secret is real and that you intend to fix it later, you should aim to remediate the secret as soon as possible. For example, you might revoke the secret and remove the secret from the repository's commit history. Real secrets that have been exposed must be revoked to avoid unauthorized access. You might consider first rotating the secret before revoking it. For more information, see "Removing sensitive data from a repository."
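Because the block happens at the server, the secret has already been committed locally by the time you learn about it, and the remediation above then means rewriting the commits that carry it. A local pre-push hook that scans only the commits about to be pushed lets you catch the problem before that. The following is an added example, not GitHub's own code or its pattern set: the patterns are constructed, well-known token formats used here for illustration (the supported list lives under "Secret scanning patterns"), the hook mirrors the server's behaviour of reporting at most five findings, and it skips removed lines so that deleting a secret is never itself reported. The filename, function names and redaction style are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Local pre-push check for high-confidence secret patterns.

Added example; not GitHub's own hook or pattern list. Install as
.git/hooks/pre-push (assumed path) to scan only the commits being pushed.
"""
import re
import subprocess
import sys

# Constructed, illustrative patterns; GitHub's supported patterns are
# documented separately under "Secret scanning patterns".
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

MAX_SHOWN = 5  # the server shows up to five detected secrets at a time; do the same


def redact(value, keep=4):
    """Keep a short prefix so the finding is recognisable without echoing the secret."""
    return value[:keep] + "*" * (len(value) - keep)


def find_secrets(patch_text, patterns=PATTERNS):
    """Return [(kind, redacted_value), ...] for added lines of a unified diff.

    Removed ('-') and context lines are ignored: a commit that deletes a
    secret must not be blocked, and '+++' file headers are not content.
    """
    findings = []
    for line in patch_text.splitlines():
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for kind, rx in patterns.items():
            for match in rx.finditer(line):
                findings.append((kind, redact(match.group(0))))
    return findings


def pushed_range_patch(local_sha, remote_sha):
    """Unified diff of the commits the push would add to the remote ref.

    An all-zero remote sha means the branch does not exist remotely yet, so
    every commit reachable from the local sha is about to be pushed.
    """
    rev = local_sha if set(remote_sha) == {"0"} else f"{remote_sha}..{local_sha}"
    return subprocess.check_output(
        ["git", "log", "-p", "--format=%H", rev], text=True
    )


def main():
    # pre-push receives "<local ref> <local sha> <remote ref> <remote sha>" lines on stdin
    blocked = False
    for line in sys.stdin:
        local_ref, local_sha, remote_ref, remote_sha = line.split()
        if set(local_sha) == {"0"}:  # branch deletion: nothing new to scan
            continue
        findings = find_secrets(pushed_range_patch(local_sha, remote_sha))
        for kind, shown in findings[:MAX_SHOWN]:
            print(f"{remote_ref}: possible {kind}: {shown}", file=sys.stderr)
        if len(findings) > MAX_SHOWN:
            print(f"... and {len(findings) - MAX_SHOWN} more", file=sys.stderr)
        blocked = blocked or bool(findings)
    sys.exit(1 if blocked else 0)


if __name__ == "__main__":
    main()
```

The hook diffs the range remote_sha..local_sha rather than the working tree, which is the same set of commits the server inspects; a secret that was committed and then removed in a later commit still appears on an added line inside that range, so the hook blocks it, matching the page's point that the secret must be removed from every commit, not just the branch tip.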

Notes

  • If your git configuration supports pushing to multiple branches, and not only to the current branch, your push may be blocked because additional and unintended refs are being pushed. For more information, see the push.default option in the Git documentation.
  • If secret scanning times out on push, GitHub will still scan your commits for secrets after the push.

Tip: You can use secret scanning as a push protection from the web UI, as well as the command line, in GitHub Enterprise Server version 3.6 or later.

Allowing a blocked secret to be pushed

If GitHub blocks a secret that you believe is safe to push, you can allow the secret and specify the reason why it should be allowed.

When you allow a secret to be pushed, an alert is created in the "Security" tab. If you specify that the secret is a false positive or is used only in tests, GitHub closes the alert and does not send a notification. If you specify that the secret is real and that you will fix it later, GitHub keeps the security alert open and sends notifications to the author of the commit as well as to repository administrators. For more information, see "Managing alerts from secret scanning."

  1. Visit the URL returned by GitHub when your push was blocked.
  2. Choose the option that best describes why you should be able to push the secret.
    • If the secret is only used in tests and poses no threat, click "It's used in tests."
    • If the detected string is not a secret, click "It's a false positive."
    • If the secret is real but you intend to fix it later, click "I'll fix it later."
  3. Click Allow me to push this secret.
  4. Reattempt the push on the command line within three hours. If you have not pushed within three hours, you will need to repeat this process.