Skip to main content

Pushing a branch blocked by push protection

The push protection feature of secret scanning proactively protects you against leaked secrets in your repositories. You can resolve blocked pushes and, once the detected secret is removed, you can push changes to your working branch from the command line or the web UI.

Secret scanning for advanced security is available for organization-owned repositories in GitHub Enterprise Cloud if your enterprise has a license for GitHub Advanced Security. Para obter mais informações, confira "Sobre o GitHub Advanced Security".

About push protection for secret scanning

The push protection feature of secret scanning helps to prevent security leaks by scanning for secrets before you push changes to your repository. Quando você habilita a proteção por push, a secret scanning também verifica os pushes em busca de segredos de alta confiança (aqueles identificados com uma baixa taxa de falsos positivos). A Secret scanning lista todos os segredos detectados para que o autor possa revisar os segredos e removê-los ou, se necessário, permitir que esses segredos sejam enviados por push. For information on the secrets and service providers supported for push protection, see "Secret scanning patterns."

Se você confirmar que um segredo é real, precisará remover o segredo do branch, de todos os commits em que ele aparece, antes de efetuar push novamente.

Tip If GitHub blocks a secret that you believe is safe to push, you can allow the secret and specify the reason why it should be allowed. For more information about bypassing push protection for a secret, see "Allowing a blocked secret to be pushed" and "Bypassing push protection for a secret" for the command line and the web UI, respectively.

Organization admins can provide a custom link that will be included in the message from GitHub Enterprise Cloud when your push is blocked. This custom link can contain resources and advice specific to your organization and its policies.

Note: The ability to add resource links to blocked push messages is currently in public beta and subject to change.

Resolving a blocked push on the command line

Quando você tentar efetuar push de um segredo compatível para um repositório ou uma organização com a secret scanning como uma proteção por push habilitada, o GitHub bloqueará o push. Você pode remover o segredo do branch ou seguir uma URL fornecida para permitir o push.

Observações:

  • Se a configuração do Git der suporte a pushes para vários branches e não apenas para o branch atual, o push poderá ser bloqueado devido a referências adicionais e não intencionais serem enviadas por push. Para obter mais informações, confira as opções push.default na documentação do Git.
  • Se secret scanning atingir o tempo limite após o push, GitHub ainda executará uma verificação dos seus commits para segredos após o push.

If the blocked secret was introduced by the latest commit on your branch, you can follow the guidance below.

  1. Remove the secret from your code.
  2. Commit the changes, by using git commit --amend.
  3. Push your changes with git push.

You can also remove the secret if the secret appears in an earlier commit in the Git history.

  1. Use git log to determine which commit surfaced in the push error came first in history.
  2. Start an interactive rebase with git rebase -i <commit-id>~1. is the id of the commit from step 1.
  3. Identify your commit to edit by changing pick to edit on the first line of the text that appears in the editor.
  4. Remove the secret from your code.
  5. Commit the change with git commit --amend.
  6. Run git rebase --continue to finish the rebase.

Resolving a blocked commit in the web UI

When you use the web UI to attempt to commit a supported secret to a repository or organization with secret scanning as a push protection enabled, GitHub will block the commit.

You will see a banner at the top of the page with information about the secret's location, and the secret will also be underlined in the file so you can easily find it.

Screenshot showing commit in web ui blocked because of secret scanning push protection

To resolve a blocked commit in the web UI, you need to remove the secret from the file, or use the Bypass protection dropdown to allow the secret. For more information about bypassing push protection from the web UI, see "Protecting pushes with secret scanning."

If you confirm a secret is real, you need to remove the secret from the file. Once you remove the secret, the banner at the top of the page will change and tell you that you can now commit your changes.