Skip to main content

Pushing a branch blocked by push protection

The push protection feature of secret scanning proactively protects you against leaked secrets in your repositories. You can resolve blocked pushes and, once the detected secret is removed, you can push changes to your working branch from the command line or the web UI.

Secret scanning is available for organization-owned repositories in GitHub Enterprise Server if your enterprise has a license for GitHub Advanced Security. 有关详细信息,请参阅“关于 GitHub Advanced Security”。

About push protection for secret scanning

The push protection feature of secret scanning helps to prevent security leaks by scanning for secrets before you push changes to your repository. 启用推送保护时,secret scanning 还会检查推送中是否存在高置信度机密(经识别误报率低的机密)。 Secret scanning 列出了它检测到的所有机密,便于作者进行查看和删除,或者根据需要允许推送这些机密。 For information on the secrets and service providers supported for push protection, see "Secret scanning patterns."

如果确认机密是真实的,则需要将机密从分支和出现机密的所有提交中删除,然后再次推送。

Tip If GitHub blocks a secret that you believe is safe to push, you can allow the secret and specify the reason why it should be allowed. For more information about bypassing push protection for a secret, see "Allowing a blocked secret to be pushed" and "Bypassing push protection for a secret" for the command line and the web UI, respectively.

Resolving a blocked push on the command line

尝试在 secret scanning 作为推送保护启用的情况下将受支持的机密推送到存储库或组织时,GitHub 将组织推送。 可以从分支中删除该机密,或遵循提供的 URL 来允许推送。

注释

  • 如果 git 配置支持推送到多个分支,而不仅仅是推送到当前分支,则由于附加和意外的引用被推送,你的推送可能被阻止。 有关详细信息,请参阅 Git 文档中的 push.default 选项
  • 如果在推送超时后进行 secret scanning,GitHub 仍将在推送后扫描你的提交有无机密。

If the blocked secret was introduced by the latest commit on your branch, you can follow the guidance below.

  1. Remove the secret from your code.
  2. Commit the changes, by using git commit --amend.
  3. Push your changes with git push.

You can also remove the secret if the secret appears in an earlier commit in the Git history.

  1. Use git log to determine which commit surfaced in the push error came first in history.
  2. Start an interactive rebase with git rebase -i <commit-id>~1. is the id of the commit from step 1.
  3. Identify your commit to edit by changing pick to edit on the first line of the text that appears in the editor.
  4. Remove the secret from your code.
  5. Commit the change with git commit --amend.
  6. Run git rebase --continue to finish the rebase.

Resolving a blocked commit in the web UI

使用 Web UI 尝试将受支持的机密提交到启用了机密扫描作为推送保护的存储库或组织时,GitHub 将阻止提交。

你将在页面顶部看到一个横幅,其中包含有关机密位置的信息,并且文件中的机密将带有下划线,以便你轻松找到它。

屏幕截图显示因机密扫描推送保护而阻止在 Web UI 中提交

To resolve a blocked commit in the web UI, you need to remove the secret from the file, or use the Bypass protection dropdown to allow the secret. For more information about bypassing push protection from the web UI, see "Protecting pushes with secret scanning."

If you confirm a secret is real, you need to remove the secret from the file. Once you remove the secret, the banner at the top of the page will change and tell you that you can now commit your changes.