Push protection for users

In this article

You can use secret scanning to block commits containing secrets in any public repository by enabling push protection for yourself.

Note: Push protection for users is currently in beta and subject to change.

About push protection for users

With push protection for users, you can enable push protection for yourself, so that no matter which public repository you push to, you will be protected. Additionally, if you are a repository administrator, or an organization owner, you can enable push protection for your repository or organization, respectively. For more information, see "Push protection for repositories and organizations."

If push protection is not enabled for the repository you are pushing to, but you have push protection for yourself enabled, no alerts will be created after you push a secret. However, if the bypassed secret is a GitHub token, the token will be revoked and you will be notified by email.

For information on the secrets and service providers supported for push protection, see "Secret scanning patterns."

Enabling push protection for yourself

You can enable push protection for yourself through your personal account settings.

  1. In the upper-right corner of any page, click your profile photo, then click Settings.

    Screenshot of GitHub's account menu showing options for users to view and edit their profile, content, and settings. The menu item "Settings" is outlined in dark orange.

  2. In the "Security" section of the sidebar, click Code security and analysis.

  3. Under "User", to the right of "Push protection for yourself", click Enable.

    Screenshot of the "User" section of the "Code security and analysis" settings page. A button labeled "Enable" is outlined in dark orange.