Skip to main content

Pushing a branch blocked by push protection

The push protection feature of secret scanning proactively protects you against leaked secrets in your repositories. You can resolve blocked pushes and, once the detected secret is removed, you can push changes to your working branch from the command line or the web UI.

Secret scanning is available for organization-owned repositories in GitHub Enterprise Server if your enterprise has a license for GitHub Advanced Security. 有关详细信息,请参阅“关于 GitHub Advanced Security”。

About push protection for secret scanning

The push protection feature of secret scanning helps to prevent security leaks by scanning for secrets before you push changes to your repository. 启用推送保护时,secret scanning 还会检查推送中是否存在高置信度机密(经识别误报率低的机密)。 Secret scanning 列出了它检测到的所有机密,便于作者进行查看和删除,或者根据需要允许推送这些机密。 For information on the secrets and service providers supported for push protection, see "Secret scanning patterns."

如果确认机密是真实的,则需要将机密从分支和出现机密的所有提交中删除,然后再次推送。

Tip If GitHub blocks a secret that you believe is safe to push, you can allow the secret and specify the reason why it should be allowed. For more information about bypassing push protection for a secret, see "Allowing a blocked secret to be pushed" and "Bypassing push protection for a secret" for the command line and the web UI, respectively.

Resolving a blocked push on the command line

尝试在 secret scanning 作为推送保护启用的情况下将受支持的机密推送到存储库或组织时,GitHub 将组织推送。 可以从分支中删除该机密,或遵循提供的 URL 来允许推送。

注释

  • 如果 git 配置支持推送到多个分支,而不仅仅是推送到当前分支,则由于附加和意外的引用被推送,你的推送可能被阻止。 有关详细信息,请参阅 Git 文档中的 push.default 选项
  • 如果在推送超时后进行 secret scanning,GitHub 仍将在推送后扫描你的提交有无机密。

If the blocked secret was introduced by the latest commit on your branch, you can follow the guidance below.

  1. Remove the secret from your code.
  2. Commit the changes, by using git commit --amend.
  3. Push your changes with git push.

You can also remove the secret if the secret appears in an earlier commit in the Git history.

  1. Use git log to determine which commit surfaced in the push error came first in history.
  2. Start an interactive rebase with git rebase -i <commit-id>~1. is the id of the commit from step 1.
  3. Identify your commit to edit by changing pick to edit on the first line of the text that appears in the editor.
  4. Remove the secret from your code.
  5. Commit the change with git commit --amend.
  6. Run git rebase --continue to finish the rebase.

Resolving a blocked commit in the web UI

When you use the web UI to attempt to commit a supported secret to a repository or organization with secret scanning as a push protection enabled, GitHub will block the commit.

You will see a banner at the top of the page with information about the secret's location, and the secret will also be underlined in the file so you can easily find it.

Screenshot showing commit in web ui blocked because of secret scanning push protection

To resolve a blocked commit in the web UI, you need to remove the secret from the file, or use the Bypass protection dropdown to allow the secret. For more information about bypassing push protection from the web UI, see "Protecting pushes with secret scanning."

If you confirm a secret is real, you need to remove the secret from the file. Once you remove the secret, the banner at the top of the page will change and tell you that you can now commit your changes.