Managing requests to bypass push protection

As a member of the bypass list for an organization or repository, you can review bypass requests from other members of the organization or repository.

Who can use this feature?

  • Organization owners
  • Security managers
  • Users who belong to a team, default role, or custom role that has been added to the bypass list.
  • Users assigned a custom role that has the "View and manage secret scanning bypass requests" fine-grained permission.

Managing requests to bypass push protection

When enabling delegated bypass for push protection, organization owners or repository administrators decide which individuals, roles or teams can review (approve or deny) requests to bypass push protection.

Note

You can also use GitHub Apps with fine-grained permissions to programmatically review and approve push protection bypass requests. This enables your organization to streamline security request reviews and enforce policies, or integrate with external security tools, ensuring that all reviews meet established standards. For GitHub Enterprise Server, the use of GitHub Apps to review bypass requests is available from version 3.19. For more information about permissions, see Organization permissions for "Organization bypass requests for secret scanning".

When a contributor requests bypass privileges to push a commit containing a secret, this designated group of reviewers:

  • Receives an email notification containing a link to the request.
  • Reviews the request in the "Bypass requests" page of the repository, or in the organization's security overview.
  • Has 7 days to either approve or deny the request before the request expires.

To help reviewers efficiently triage secrets for which there is a bypass request, GitHub displays the following information in the request:

  • Name of the user who attempted the push.
  • Repository where the push was attempted.
  • Commit hash of the push.
  • Timestamp of the push.
  • File path and branch information. The branch information is only available for pushes to single branches.

The contributor is notified of the decision by email and must take the required action:

  • If the request is approved, the contributor can push the commit containing the secret to the repository.
  • If the request is denied, the contributor must remove the secret from the commit in order to successfully push the commit to the repository.

Managing requests for a repository

  1. On GitHub, navigate to the main page of the repository.
  2. Under your repository name, click Security. If you cannot see the "Security" tab, select the dropdown menu, then click Security.
  3. In the left sidebar, under "Requests", click Push protection bypass.
  4. Select the All statuses dropdown menu, then click Open to view requests that are awaiting review, and those that have been approved but for which the commits haven't been pushed to the repository yet.
  5. Click the request that you want to review.
  6. Review the details of the request.
  7. Optionally, add a review comment. The comment is added to the review request timeline and to the secret scanning alert timeline. For example, you may want to record why you approved or denied the request, for audit and reporting purposes, and suggest next steps for the contributor.
  8. To allow the contributor to push the commit containing the secret, click Approve bypass request. Or, to require the contributor to remove the secret from the commit, click Deny bypass request.

Managing requests for an organization

Organization owners, security managers and organization members with the relevant fine-grained permission (via a custom role) can review and manage bypass requests for all repositories in the organization using security overview. See Reviewing requests to bypass push protection.

Filtering requests

You can filter requests by:

  • Approver (member of the bypass list)
  • Requester (contributor making the request)
  • Timeframe
  • Status

Filtering by status

The following statuses are assigned to a request:

Status       Description
Cancelled    The request has been canceled by the contributor.
Completed    The request has been approved and the commit(s) have been pushed to the repository.
Denied       The request has been reviewed and denied.
Expired      The request has expired. Requests are valid for 7 days.
Open         The request has either not yet been reviewed, or has been approved but the commit(s) have not yet been pushed to the repository.
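The note above says a GitHub App can review bypass requests programmatically, and this section lists the filters and statuses a reviewer works with. The following script, added here as an example and not code from GitHub, ties the two together: it applies the same filters (status, requester, approver, timeframe), computes the 7-day expiry, and routes each open request under a hypothetical policy that never auto-approves, auto-denies pushes to protected branches, and flags requests close to expiry for urgent human review. The sample records, their field names, the branch list and the `review_call` endpoint path and body shape are all assumptions for illustration; check them against the GitHub REST API reference before pointing this at live data.

```python
"""Triage secret scanning push protection bypass requests under a written policy.

Added example, not GitHub's own code. Record layout, policy and endpoint are
assumptions; map them to the real REST API objects before using this live.
"""
from datetime import datetime, timedelta, timezone

# The page states that a request expires 7 days after it is opened.
REQUEST_TTL = timedelta(days=7)
# Hypothetical policy knobs (assumed, not GitHub defaults).
URGENT_WINDOW = timedelta(hours=24)
PROTECTED_BRANCHES = {"main", "release"}
# Fixed "now" so the run is reproducible (assumed timestamp).
NOW = datetime(2025, 1, 10, 18, tzinfo=timezone.utc)

# Constructed sample records, not real data; the field names are a simplified
# stand-in for the fields a bypass request object exposes.
SAMPLE_REQUESTS = [
    {"number": 1, "requester": "alice", "repository": "acme/payments",
     "commit": "a1b2c3d", "path": "config/test.env", "branch": "feature/x",
     "status": "open", "created_at": "2025-01-10T12:00:00Z", "reviewer": None},
    {"number": 2, "requester": "bob", "repository": "acme/payments",
     "commit": "d4e5f67", "path": "src/keys.py", "branch": "feature/y",
     "status": "open", "created_at": "2025-01-01T08:00:00Z", "reviewer": None},
    {"number": 3, "requester": "carol", "repository": "acme/web",
     "commit": "0987fed", "path": "README.md", "branch": "docs",
     "status": "denied", "created_at": "2025-01-09T09:00:00Z", "reviewer": "dave"},
    {"number": 4, "requester": "bob", "repository": "acme/web",
     "commit": "1357bdf", "path": "deploy/prod.yaml", "branch": "main",
     "status": "open", "created_at": "2025-01-04T10:00:00Z", "reviewer": None},
    {"number": 5, "requester": "erin", "repository": "acme/web",
     "commit": "2468ace", "path": "scripts/seed.sh", "branch": None,
     "status": "open", "created_at": "2025-01-04T00:00:00Z", "reviewer": None},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def expires_at(req):
    """Expiry is creation time plus the 7-day validity window."""
    return parse_ts(req["created_at"]) + REQUEST_TTL


def filter_requests(reqs, status=None, requester=None, reviewer=None, since=None, until=None):
    """Apply the filters the UI offers: status, requester, approver, timeframe."""
    out = []
    for r in reqs:
        created = parse_ts(r["created_at"])
        if status and r["status"] != status:
            continue
        if requester and r["requester"] != requester:
            continue
        if reviewer and r["reviewer"] != reviewer:
            continue
        if since and created < since:
            continue
        if until and created > until:
            continue
        out.append(r)
    return out


def decide(req, now):
    """Return (action, comment) for one request under the hypothetical policy.

    Denial is the only automatic decision; everything else goes to a human,
    with requests that are about to expire flagged as urgent.
    """
    if req["status"] != "open":
        return "skip", "not awaiting review (status: %s)" % req["status"]
    if now >= expires_at(req):
        return "skip", "request expired; the contributor must open a new one"
    if req["branch"] in PROTECTED_BRANCHES:
        return "deny", ("secrets may not be pushed to protected branch %s; "
                        "remove the secret from the commit" % req["branch"])
    remaining = expires_at(req) - now
    # Branch info is only reported for single-branch pushes (stated on the page).
    note = "" if req["branch"] else " (multi-branch push: check every target branch)"
    if remaining <= URGENT_WINDOW:
        return "urgent_review", "expires in %dh%s" % (remaining.total_seconds() // 3600, note)
    return "review", "awaiting human review" + note


def triage(reqs, now):
    """Map request number -> (action, comment) for every request."""
    return {r["number"]: decide(r, now) for r in reqs}


def review_call(req, action, comment):
    """Build the REST call a GitHub App would make to record an approve/deny.

    ASSUMPTION: the path and body shape follow the REST API reference for
    secret scanning bypass requests; confirm them there before sending.
    """
    if action not in ("approve", "deny"):
        raise ValueError("only approve/deny decisions are sent to GitHub")
    path = "/repos/%s/bypass-requests/secret-scanning/%d" % (req["repository"], req["number"])
    return "PATCH", path, {"status": action, "message": comment}


if __name__ == "__main__":
    for number, (action, comment) in triage(SAMPLE_REQUESTS, NOW).items():
        print(number, action, comment)
```

The script deliberately never auto-approves: approving a bypass lets a real secret land in history, so that decision stays with a human reviewer, while the automatic denial and the expiry flag only reduce the queue the reviewer has to look at.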

Further reading