GitHub rolls out push protection on public repos

By Paul Krill

GitHub has begun rolling out push protection to all of its users. The secret scanning feature checks pushes for supported secrets and, when it finds one, gives the developer the choice of removing the secret from the commit or bypassing the block.

The change, announced February 29, 2024, covers supported secrets. It may take one to two weeks to reach a given account; developers can check their status and opt in early under the code security and analysis settings. GitHub secret scanning covers more than 200 token types and patterns from more than 180 service providers.

When push protection blocks a push, secret scanning lists the secrets it detected and lets the developer either remove them or bypass the block and push the secrets anyway; a block can always be bypassed, even with push protection enabled. Secret scanning can also check pushes for custom patterns. Push protection is on by default for users but can be disabled in user security settings. GitHub recommends leaving it on and granting bypasses on an as-needed basis.
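The mechanism described above, that is, scanning what is about to be pushed for secret-shaped strings, reporting them, and requiring an explicit bypass to proceed, can be reproduced locally as a git pre-push hook. The following is an added example written for this article, not GitHub's implementation: the three regular expressions are approximate token shapes chosen to illustrate the idea (the `custom_internal_token` pattern is hypothetical and stands in for an organisation-defined custom pattern), the `SECRET_PUSH_BYPASS` environment variable is an assumed bypass convention, and the sample diff is constructed, not a real leak.

```python
"""Client-side stand-in for push protection: a git pre-push hook that scans the
commits about to leave the machine for secret-shaped strings, reports them with
the value redacted, and blocks unless the pusher supplies an explicit bypass.
Added example; this is not GitHub's implementation."""
import os
import re
import subprocess
import sys
from typing import Iterator, List, Optional, Tuple

# Approximate token shapes, written for this example. GitHub's real pattern set
# covers 200+ token types; these three only illustrate the mechanism.
# "custom_internal_token" stands in for an organisation-defined custom pattern.
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),               # classic PAT shape
    "aws_access_key_id": re.compile(r"\bAKIA[A-Z0-9]{16}\b"),           # AWS access key id shape
    "custom_internal_token": re.compile(r"\bACME-INT-[A-F0-9]{32}\b"),  # hypothetical
}

# Constructed sample diff (not a real leak): an old PAT being removed, a new PAT
# and an AWS key being added, and a comment that merely mentions the prefix.
FAKE_PAT_OLD = "ghp_" + "A" * 36
FAKE_PAT_NEW = "ghp_" + "B" * 36
FAKE_AWS_KEY = "AKIAIOSFODNN7EXAMPLE"  # AWS's documented example key id
SAMPLE_DIFF = "\n".join([
    "diff --git a/config.py b/config.py",
    "--- a/config.py",
    "+++ b/config.py",
    "@@ -1,2 +1,4 @@",
    f'-GITHUB_TOKEN = "{FAKE_PAT_OLD}"',
    f'+GITHUB_TOKEN = "{FAKE_PAT_NEW}"',
    f'+AWS_KEY = "{FAKE_AWS_KEY}"',
    "+# tokens start with ghp_ and are normally read from the environment",
    " import os",
])

Finding = Tuple[str, int, str]  # (pattern name, diff line number, redacted token)


def redact(token: str) -> str:
    """Keep only a short prefix so the hook's own output does not leak the secret."""
    return token[:8] + "*" * (len(token) - 8)


def added_lines(diff_text: str) -> Iterator[Tuple[int, str]]:
    """Yield (diff line number, content) for lines the push would add.
    '+++' is a file header, and '-' lines are removals: deleting a secret
    must not block the push that removes it."""
    for n, line in enumerate(diff_text.splitlines(), 1):
        if line.startswith("+") and not line.startswith("+++"):
            yield n, line[1:]


def scan_diff(diff_text: str) -> List[Finding]:
    """Run every pattern over every added line and collect redacted findings."""
    findings: List[Finding] = []
    for n, content in added_lines(diff_text):
        for name, rx in PATTERNS.items():
            for m in rx.finditer(content):
                findings.append((name, n, redact(m.group(0))))
    return findings


def decide(findings: List[Finding], bypass_reason: Optional[str]) -> Tuple[bool, str]:
    """Mirror the two choices push protection offers: remove the secret, or
    bypass the block with a recorded reason. Returns (allow, message)."""
    if not findings:
        return True, "no secrets detected"
    report = "\n".join(f"  {name} at diff line {n}: {tok}" for name, n, tok in findings)
    if bypass_reason:
        return True, f"push ALLOWED by bypass ({bypass_reason}); secrets were:\n{report}"
    return False, ("push BLOCKED; remove these secrets or re-run with "
                   f"SECRET_PUSH_BYPASS=<reason>:\n{report}")


def main() -> int:
    """pre-push entry point. git feeds '<local ref> <local sha> <remote ref> <remote sha>'
    per ref on stdin; a non-zero exit aborts the push."""
    zero_sha = "0" * 40
    # Hash of the empty tree, so a brand-new branch is diffed against nothing.
    empty_tree = subprocess.check_output(
        ["git", "hash-object", "-t", "tree", "/dev/null"], text=True).strip()
    allow_all = True
    for line in sys.stdin:
        parts = line.split()
        if len(parts) != 4:
            continue
        _local_ref, local_sha, _remote_ref, remote_sha = parts
        if local_sha == zero_sha:  # branch deletion: nothing is pushed
            continue
        base = empty_tree if remote_sha == zero_sha else remote_sha
        diff = subprocess.check_output(["git", "diff", base, local_sha], text=True)
        allow, msg = decide(scan_diff(diff), os.environ.get("SECRET_PUSH_BYPASS"))
        print(msg, file=sys.stderr)
        allow_all = allow_all and allow
    return 0 if allow_all else 1


if __name__ == "__main__":
    sys.exit(main())
```

Copy the script to `.git/hooks/pre-push` and make it executable; a push that adds a matching string then fails with the redacted report, and `SECRET_PUSH_BYPASS="reason" git push` records the bypass and lets it through, the same remove-or-bypass choice the server-side feature offers. Only added lines are scanned, so a commit that deletes a leaked token is not blocked, and the report never prints the full token. A local hook is a convenience, not a control: anyone can skip it with `--no-verify` or simply not install it, which is why the server-side check remains the one that matters.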

GitHub said it detected more than 1 million leaked secrets on public repositories in the first eight weeks of 2024. Organizations on the GitHub Enterprise plan can add GitHub Advanced Security to keep secrets out of private repositories as well.

© InfoWorld