About push protection
Push protection is a secret scanning feature that is designed to prevent sensitive information, such as secrets or tokens, from being pushed to your repository in the first place. Unlike secret scanning, which detects secrets after they have been committed, push protection proactively scans your code for secrets during the push process and blocks the push if any are detected.
Push protection helps you avoid the risks associated with exposed secrets, like unauthorized access to resources or services. With this feature, developers get immediate feedback and can address potential issues before they become a security concern.
You can enable push protection:
- At repository/organization level, if you are a repository administrator or an organization owner. You will see alerts in the Security tab of your repository when a contributor to the repository bypasses push protection.
- For your account on GitHub, as a user. This type of push protection is referred to as "push protection for users." It protects you from pushing secrets to any public repository on GitHub, but no alerts are generated.
Tip
Regardless of the enablement status of push protection, organizations on GitHub Team and GitHub Enterprise can run a free report to scan the code in the organization for leaked secrets. The report also tells you how many secret leaks in your organization could have been prevented by push protection. See About secret security with GitHub.
For information about the secrets and service providers supported by push protection, see Supported secret scanning patterns.
Push protection has some limitations. For more information, see Troubleshooting secret scanning.
How push protection works
Push protection blocks secrets detected in:
- Pushes from the command line. See Working with push protection from the command line.
- Commits made in the GitHub UI. See Working with push protection in the GitHub UI.
- File uploads to a repository on GitHub.
- Requests to the REST API. See Working with push protection from the REST API.
- Interactions with the GitHub MCP server (public repositories only). See Working with push protection and the GitHub MCP server.
Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push.
By default, anyone with write access to the repository can choose to bypass push protection by specifying one of the bypass reasons outlined in the table. When a contributor bypasses a push protection block for a secret, GitHub:
- Creates an alert in the Security tab of the repository.
- Adds the bypass event to the audit log.
- Sends an email alert to organization or personal account owners, security managers, and repository administrators who are watching the repository, with a link to the secret and the reason given for allowing it.
This table shows the alert behavior for each way a user can bypass a push protection block.
| Bypass reason | Alert behavior |
|---|---|
| Used in tests | GitHub creates a closed alert, resolved as "used in tests". |
| False positive | GitHub creates a closed alert, resolved as "false positive". |
| Fix it later | GitHub creates an open alert. |
If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. For more information, see About delegated bypass for push protection.
You can also bypass push protection using the REST API. For more information, see REST API endpoints for secret scanning.
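To make the push-time scan concrete, the following is an added illustration, not GitHub's scanner or any code from the GitHub documentation. It models what push protection does at a high level: it inspects only the lines a push would add, matches them against a set of secret patterns (here two constructed patterns, one imitating a provider token format and one standing in for a custom pattern an organization might define), and returns a block decision with the file path and line number for each finding, which is the information a developer needs to remove the secret and reattempt the push. The pattern names, the diff contents and the token values are all constructed for this example.

```python
"""Simplified model of push-time secret scanning over a unified diff.

Added example for illustration; it is not GitHub's push protection
implementation and the patterns below are constructed stand-ins.
"""
import re
from dataclasses import dataclass

# Constructed patterns (not GitHub's real detection patterns):
#  - a provider-style token with a fixed prefix and 32 alphanumeric chars
#  - a custom pattern of the kind an organization could define itself
PATTERNS = {
    "example-provider-token": re.compile(r"\bexmpl_[A-Za-z0-9]{32}\b"),
    "custom-internal-api-key": re.compile(r"\bACME_API_KEY=[A-Za-z0-9]{20,}"),
}


@dataclass
class Finding:
    pattern: str   # which pattern matched
    path: str      # file on the "new" side of the diff
    line_no: int   # line number in the new file


def scan_diff(diff_text):
    """Return findings for secrets in lines the push would add.

    Only '+' lines inside hunks are scanned: removed lines are not new
    exposure, and context lines were already in the repository.
    """
    findings = []
    path = None
    line_no = 0
    in_hunk = False
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git"):
            in_hunk = False          # new file header follows
            continue
        if raw.startswith("+++ "):
            path = raw[4:]
            if path.startswith("b/"):
                path = path[2:]
            continue
        if raw.startswith("--- "):
            continue
        m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
        if m:
            # the next '+' or context line is the hunk's starting line
            line_no = int(m.group(1)) - 1
            in_hunk = True
            continue
        if not in_hunk or raw.startswith("-"):
            continue
        line_no += 1                 # context and added lines both advance
        if raw.startswith("+"):
            for name, rx in PATTERNS.items():
                if rx.search(raw[1:]):
                    findings.append(Finding(name, path, line_no))
    return findings


def push_decision(diff_text):
    """Return ('blocked', findings) when a secret is detected, else ('accepted', [])."""
    findings = scan_diff(diff_text)
    return ("blocked" if findings else "accepted", findings)


# Constructed sample diff: one provider-style token and one custom-pattern hit.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,4 @@
 DEBUG = False
-TOKEN = None
+TOKEN = "exmpl_0123456789abcdef0123456789abcdef"
+ACME_API_KEY=AbCdEfGhIjKlMnOpQrStUvWxYz
 TIMEOUT = 30
"""

if __name__ == "__main__":
    verdict, hits = push_decision(SAMPLE_DIFF)
    print(verdict)
    for hit in hits:
        # this is the kind of detail a block message needs to be actionable
        print(f"  {hit.path}:{hit.line_no}  matched {hit.pattern}")
```

The scanner counts both context and added lines so the reported line numbers refer to the file as it would exist after the push, which is what a developer needs to locate and remove the secret; a removed line that contained a secret is deliberately ignored, because the exposure it represents is already in history and is the job of the after-the-fact secret scanning alerts, not of push protection.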
About the benefits of push protection
- Preventative security: Push protection acts as a frontline defense mechanism by scanning code for secrets at the time of the push. This preventative approach helps to catch potential issues before they are merged into your repository.
- Immediate feedback: Developers receive instant feedback if a potential secret is detected during a push attempt. This immediate notification allows for quick remediation, reducing the likelihood of sensitive information being exposed.
- Reduced risk of data leaks: By blocking commits that contain sensitive information, push protection significantly reduces the risk of accidental data leaks. This helps in safeguarding against unauthorized access to your infrastructure, services, and data.
- Efficient secret management: Instead of retrospectively dealing with exposed secrets, developers can address issues at the source. This makes secret management more efficient and less time-consuming.
- Ability to detect custom patterns: Organizations can define custom patterns for detecting secrets unique to their environment. This customization ensures that push protection can effectively identify and block even non-standard secrets.
- Delegated bypass for flexibility: For cases where false positives occur or when certain patterns are necessary, the delegated bypass feature allows designated users to approve specific pushes. This provides flexibility without compromising overall security.
Every user across GitHub can also enable push protection for themselves within their individual settings. Enabling push protection for your user account means that your pushes are protected whenever you push to a public repository on GitHub, without relying on that repository to have push protection enabled. For more information, see Push protection for users.
Customizing push protection
Once push protection is enabled, you can customize it further:
Configure push protected patterns
Customize which secret patterns are included in push protection at the enterprise or organization level. See Configuring additional secret scanning settings for your enterprise and Configuring global security settings for your organization.
Define custom patterns
Define custom patterns that push protection can use to identify secrets and block pushes containing these secrets. For more information, see Defining custom patterns for secret scanning.
Configure delegated bypass
Define contributors who can bypass push protection and add an approval process for other contributors. For more information, see About delegated bypass for push protection.