About delegated bypass for push protection
Note
Delegated bypass for push protection is currently in beta and subject to change.
Delegated bypass for push protection lets you define contributors who can bypass push protection and adds an approval process for other contributors.
When you enable push protection, by default, anyone with write access to the repository can choose to bypass the protection by specifying a reason for allowing the push containing a secret. With delegated bypass, only specific roles and teams can bypass push protection. All other contributors are instead obligated to make a request for "bypass privileges", which is sent to a designated group of reviewers who either approve or deny the request to bypass push protection.
If the request to bypass push protection is approved, the contributor can push the commit containing the secret. If the request is denied, the contributor must remove the secret from the commit (or commits) containing the secret before pushing again.
To configure delegated bypass, organization owners or repository administrators must change the "Who can bypass push protection for secret scanning" setting in the UI from Anyone with write access to Specific roles and teams.
Organization owners or repository administrators are then prompted to create a "bypass list". The bypass list comprises the specific roles and teams, such as the security team or repository administrators, who oversee requests from non-members to bypass push protection. For more information, see "Configuring delegated bypass for an organization" and "Configuring delegated bypass for a repository."
Alternatively, instead of creating a bypass list, you can grant specific organization members the ability to review and manage bypass requests using fine-grained permissions. For more information, see "Using fine-grained permissions to control who can review and manage bypass requests."
Members with permission to review (approve or deny) bypass requests can manage these requests through the "Push protection bypass" page in the Security tab of the repository. For more information, see "Managing requests to bypass push protection."
Members with permission to review and manage bypass requests are still protected from accidentally pushing secrets to a repository. If they attempt to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. The following types of people can bypass push protection without requesting bypass privileges:
- Organization owners
- Security managers
- Users in teams, default roles, or custom roles that have been added to the bypass list.
- Users who are assigned (either directly or via a team) a custom role with the "review and manage secret scanning bypass requests" fine-grained permission.
For information about enabling delegated bypass, see "Enabling delegated bypass for push protection."