GitHub Secret-Blocking Feature Now Generally Available

GitHub today announced the general availability of push protection, a feature designed to prevent developers from unknowingly exposing secrets in their code.

Push protection was initially announced in December 2022 as part of secret scanning, a new feature meant to help developers and organizations identify any secrets exposed in their repositories.

In March 2023, the Microsoft-owned code hosting platform announced the general availability of secret scanning, after previously making it available for free for public repositories.

Now, the push protection feature is also generally available and is free for all public repositories. It can also be used for private repositories with a GitHub Advanced Security (GHAS) license.

With push protection enabled, developers are warned as soon as they push a commit containing a highly identifiable secret, and are also provided with guidance on how to remove that secret. As soon as the exposure has been eliminated, the developer can re-push the commit.

“Push protection only blocks secrets with low false positive rates, so when a commit is blocked, you know it’s worth investigating,” GitHub says.

The platform is working with service providers to ensure a low false positive rate and is delivering exposure alerts directly in the developers’ IDEs or command line interfaces.

Push protection, GitHub explains, can be bypassed in urgent circumstances, by providing a reason, such as ‘testing’, ‘false positive’, or ‘acceptable risk’.

Whenever a bypass occurs, security managers and repository and organization administrators receive an email alert. They can audit all bypasses via audit logs, REST API, alert view UI, and webhook events.

Push protection can be enabled in the ‘Code security and analysis’ settings, in the ‘Secret scanning’ section. By clicking on the ‘Enable all’ button, both features will be enabled at once.

“You can automatically enable push protection or provide a custom resource link that will appear in a push protection message via the checkboxes under the ‘Push Protection’ section. This will ensure push protection is applied to any new repository created in your enterprise or organization,” GitHub explains.

GitHub customers with a GHAS license can also enable push protection on their custom secret patterns.

Related: GitHub Announces New Security Improvements

Related: GitHub Rotates Publicly Exposed RSA SSH Private Key

Related: Attackers Can Abuse GitHub Codespaces for Malware Delivery