Protecting pushes with secret scanning

About push protection for secrets

Up to now, secret scanning checks for secrets after a push and alerts users to exposed secrets. 启用推送保护时，secret scanning 还会检查推送中是否存在高置信度机密（经识别误报率低的机密）。 Secret scanning 列出了它检测到的所有机密，便于作者进行查看和删除，或者根据需要允许推送这些机密。

If a contributor bypasses a push protection block for a secret, GitHub:

• creates an alert in the "Security" tab of the repository in the state described in the table below.
• adds the bypass event to the audit log.

此表显示了用户可以绕过推送保护块的每种方式的警报行为。

绕过原因	警报行为
它在测试中使用	GitHub 创建已关闭的警报，该警报解析为“在测试中使用”
这是假正	GitHub 创建已关闭的警报，该警报解析为“假正”
我稍后会修复它	GitHub 创建未结警报

For information on the secrets and service providers supported for push protection, see "Secret scanning patterns."

Enabling secret scanning as a push protection

For you to use secret scanning as a push protection, the organization or repository needs to have both GitHub Advanced Security and secret scanning enabled. For more information, see "Managing security and analysis settings for your organization," "Managing security and analysis settings for your repository," and "About GitHub Advanced Security."

Organization owners, security managers, and repository administrators can enable push protection for secret scanning via the UI and API. For more information, see "Repositories" and expand the "Properties of the security_and_analysis object" section in the REST API documentation.

Enabling secret scanning as a push protection for an organization

1. On your GitHub Enterprise Server instance, navigate to the main page of the organization.

2. 在组织名称下，单击“设置”。

3. In the "Security" section of the sidebar, click Code security and analysis.

4. 在“代码安全性和分析”下，查找“GitHub Advanced Security”。

5. Under "Secret scanning", under "Push protection", click Enable all.

6. Optionally, click "Automatically enable for repositories added to secret scanning."

Enabling secret scanning as a push protection for a repository

1. On your GitHub Enterprise Server instance, navigate to the main page of the repository.

2. 在存储库名称下，单击 “设置”。

3. In the "Security" section of the sidebar, click Code security and analysis.

4. 在“代码安全性和分析”下，查找“GitHub Advanced Security”。

5. 在“Secret scanning”下的“推送保护”下，单击“启用”。

Using secret scanning as a push protection from the command line

尝试在 secret scanning 作为推送保护启用的情况下将受支持的机密推送到存储库或组织时，GitHub 将组织推送。 可以从分支中删除该机密，或遵循提供的 URL 来允许推送。

Up to five detected secrets will be displayed at a time on the command line. If a particular secret has already been detected in the repository and an alert already exists, GitHub will not block that secret.

如果确认机密是真实的，则需要将机密从分支和出现机密的所有提交中删除，然后再次推送。 For more information about remediating blocked secrets, see "Pushing a branch blocked by push protection."

If you confirm a secret is real and that you intend to fix it later, you should aim to remediate the secret as soon as possible. For example, you might revoke the secret and remove the secret from the repository's commit history. Real secrets that have been exposed must be revoked to avoid unauthorized access. You might consider first rotating the secret before revoking it. For more information, see "Removing sensitive data from a repository."

Allowing a blocked secret to be pushed

If GitHub blocks a secret that you believe is safe to push, you can allow the secret and specify the reason why it should be allowed.

允许推送机密时，将在“安全”选项卡中创建警报。如果指定机密为误报或仅在测试中使用，则 GitHub 会关闭警报，且不会发送通知。 如果指定机密是真实的并且稍后将修复它，GitHub 会将安全警报保持打开状态，并向提交的作者以及存储库管理员发送通知。 有关详细信息，请参阅管理来自机密扫描的警报。

1. Visit the URL returned by GitHub when your push was blocked.
2. 选择最能描述为何应该能够推送机密的选项。
   • 如果机密仅在测试中使用，并且不会构成任何威胁，请单击“它在测试中使用”。
   • 如果检测到的字符串不是机密，请单击“它是误报”。
   • 如果机密是真实的，但你打算稍后修复它，请单击“稍后修复”。
3. Click Allow me to push this secret.
4. Reattempt the push on the command line within three hours. If you have not pushed within three hours, you will need to repeat this process.