From e35c958dadf2a529e28ddcf0f0283b1da0db3ce6 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 5 Jul 2024 17:41:01 +0200 Subject: [PATCH 01/22] move content across articles --- ...tion-for-repositories-and-organizations.md | 75 ------------------- ...ng-delegated-bypass-for-push-protection.md | 51 +++++++++++-- ...ging-requests-to-bypass-push-protection.md | 32 +++++++- 3 files changed, 73 insertions(+), 85 deletions(-) diff --git a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md index 94b9ca4ddd..6424e4b38d 100644 --- a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md +++ b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md 
@@ -122,81 +122,6 @@ You can use the organization settings page for "Code security and analysis" to e {% data reusables.repositories.navigate-to-ghas-settings %} {% data reusables.advanced-security.secret-scanning-push-protection-repo %} -{% ifversion push-protection-delegated-bypass %} - -## Enabling delegated bypass for push protection - -{% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} - -Delegated bypass for push protection lets you control who can bypass push protection and which blocked pushes should be allowed. - -When you enable push protection, by default, anyone with write access to the repository can choose to bypass the protection by specifying a reason for allowing the push containing a secret. With delegated bypass, contributors to a repository are instead obligated to request "bypass privileges." The request is sent to a designated group of reviewers, who either approve or deny the request to bypass push protection. - -If the request to bypass push protection is approved, the contributor can push the commit containing the secret. If the request is denied, the contributor must remove the secret from the commit (or commits) containing the secret before pushing again. - -To configure delegated bypass, organization owners or repository administrators first create a "bypass list". The bypass list comprises specific roles and teams, such as the security team or repository administrators, who oversee requests from non-members to bypass push protection. For more information, see "[Configuring delegated bypass for an organization](#configuring-delegated-bypass-for-an-organization)" and "[Configuring delegated bypass for a repository](#configuring-delegated-bypass-for-a-repository)." - -Members of the bypass list view and manage requests through the "Push protection bypass" page in the **Security** tab of the repository. 
For more information, see "[Managing requests to bypass push protection](#managing-requests-to-bypass-push-protection)." - -Members of the bypass list are still protected from accidentally pushing secrets to a repository. When a member of the bypass list attempts to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. Members of the bypass list do not have to request bypass privileges from other members in order to override the block. - -### Configuring delegated bypass for an organization - -{% data reusables.organizations.navigate-to-org %} -{% data reusables.organizations.org_settings %} -{% data reusables.organizations.security-and-analysis %} -{% ifversion security-configurations %} - {% data reusables.security-configurations.changed-org-settings-global-settings-callout %} -{% endif %} -{% data reusables.repositories.navigate-to-ghas-settings %} -1. Under "Push protection", to the right of "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}", select the dropdown menu, then click **Specific roles or teams**. -1. Under "Bypass list", click **Add role or team**. - >[!NOTE] You can't add secret teams to the bypass list. -1. In the dialog box, select the roles and teams that you want to add to the bypass list, then click **Add selected**. - -### Configuring delegated bypass for a repository - ->[!NOTE] If an organization owner configures delegated bypass at the organization-level, the repository-level settings are disabled. - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-settings %} -{% data reusables.repositories.navigate-to-code-security-and-analysis %} -{% data reusables.repositories.navigate-to-ghas-settings %} -1. 
Under "Push protection", to the right of "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}", select the dropdown menu, then click **Specific roles or teams**. -1. Under "Bypass list", click **Add role or team**. - >[!NOTE] You can't add secret teams to the bypass list. -1. In the dialog box, select the roles and teams that you want to add to the bypass list, then click **Add selected**. - -## Managing requests to bypass push protection - -You can view and manage all requests for bypass privileges on the "Push protection bypass" page, located under the **Security** tab of the repository. - -You can filter requests by approver (member of the bypass list), requester (contributor making the request), timeframe, and status. The following statuses are assigned to a request: - -|Status|Description| -|---------|-----------| -|`Cancelled`| The request has been cancelled by the contributor.| -|`Completed`|The request has been approved and the commit(s) have been pushed to the repository.| -|`Denied`|The request has been reviewed and denied.| -|`Expired`| The request has expired. Requests are valid for 7 days. | -|`Open`| The request has either not yet been reviewed, or has been approved but the commit(s) have not been pushed to the repository. | - -When a contributor requests bypass privileges to push a commit containing a secret, members of the bypass list all receive an email notification containing a link to the request. Members of the bypass list then have 7 days to review and either approve or deny the request before the request expires. - -The contributor is notified of the decision by email and must take the required action. If the request is approved, the contributor can push the commit containing the secret to the repository. If the request is denied, the contributor must remove the secret from the commit in order to successfully push the commit to the repository. 
- -### Managing requests to bypass push protection at the repository-level - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-security %} -{% data reusables.repositories.bypass-requests-settings %} -1. Select the **All statuses** dropdown menu, then click **Open** to view requests that are awaiting review. -1. Click the request that you want to review. -1. Review the details of the request. -1. To allow the contributor to push the commit containing the secret, click **Approve bypass request**. Or, to require the contributor to remove the secret from the commit, click **Deny bypass request**. - -{% endif %} - ## Further reading * "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection)" diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md index 89a0c70e2d..360c49ea79 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md 
@@ -3,16 +3,55 @@ title: Enabling delegated bypass for push protection intro: 'TODO' product: '{% data reusables.gated-features.push-protection-for-repos %}' versions: - fpt: '*' - ghes: '*' - ghec: '*' -type: overview + feature: push-protection-delegated-bypass +type: how_to topics: - Secret scanning - Advanced Security - Alerts - Repositories -shortTitle: Delegated bypass +shortTitle: Enable delegated bypass --- -TODO +## Enabling delegated bypass for push protection + +{% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} + +Delegated bypass for push protection lets you control who can bypass push protection and which blocked pushes should be allowed. + +When you enable push protection, by default, anyone with write access to the repository can choose to bypass the protection by specifying a reason for allowing the push containing a secret. With delegated bypass, contributors to a repository are instead obligated to request "bypass privileges." The request is sent to a designated group of reviewers, who either approve or deny the request to bypass push protection. + +If the request to bypass push protection is approved, the contributor can push the commit containing the secret. If the request is denied, the contributor must remove the secret from the commit (or commits) containing the secret before pushing again. + +To configure delegated bypass, organization owners or repository administrators first create a "bypass list". The bypass list comprises specific roles and teams, such as the security team or repository administrators, who oversee requests from non-members to bypass push protection. For more information, see "[Configuring delegated bypass for an organization](#configuring-delegated-bypass-for-an-organization)" and "[Configuring delegated bypass for a repository](#configuring-delegated-bypass-for-a-repository)." 
+ +Members of the bypass list view and manage requests through the "Push protection bypass" page in the **Security** tab of the repository. For more information, see "[Managing requests to bypass push protection](#managing-requests-to-bypass-push-protection)." + +Members of the bypass list are still protected from accidentally pushing secrets to a repository. When a member of the bypass list attempts to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. Members of the bypass list do not have to request bypass privileges from other members in order to override the block. + +### Configuring delegated bypass for an organization + +{% data reusables.organizations.navigate-to-org %} +{% data reusables.organizations.org_settings %} +{% data reusables.organizations.security-and-analysis %} +{% ifversion security-configurations %} + {% data reusables.security-configurations.changed-org-settings-global-settings-callout %} +{% endif %} +{% data reusables.repositories.navigate-to-ghas-settings %} +1. Under "Push protection", to the right of "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}", select the dropdown menu, then click **Specific roles or teams**. +1. Under "Bypass list", click **Add role or team**. + >[!NOTE] You can't add secret teams to the bypass list. +1. In the dialog box, select the roles and teams that you want to add to the bypass list, then click **Add selected**. + +### Configuring delegated bypass for a repository + +>[!NOTE] If an organization owner configures delegated bypass at the organization-level, the repository-level settings are disabled. + +{% data reusables.repositories.navigate-to-repo %} +{% data reusables.repositories.sidebar-settings %} +{% data reusables.repositories.navigate-to-code-security-and-analysis %} +{% data reusables.repositories.navigate-to-ghas-settings %} +1. 
Under "Push protection", to the right of "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}", select the dropdown menu, then click **Specific roles or teams**. +1. Under "Bypass list", click **Add role or team**. + >[!NOTE] You can't add secret teams to the bypass list. +1. In the dialog box, select the roles and teams that you want to add to the bypass list, then click **Add selected**. diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md index f79f795998..2d59321711 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md @@ -3,9 +3,7 @@ title: Managing requests to bypass push protection intro: 'TODO' product: '{% data reusables.gated-features.push-protection-for-repos %}' versions: - fpt: '*' - ghes: '*' - ghec: '*' + feature: push-protection-delegated-bypass type: how_to topics: - Secret scanning 
@@ -15,4 +13,30 @@ topics: shortTitle: Manage bypass requests --- -TODO +## Managing requests to bypass push protection + +You can view and manage all requests for bypass privileges on the "Push protection bypass" page, located under the **Security** tab of the repository. + +You can filter requests by approver (member of the bypass list), requester (contributor making the request), timeframe, and status. The following statuses are assigned to a request: + +|Status|Description| +|---------|-----------| +|`Cancelled`| The request has been cancelled by the contributor.| +|`Completed`|The request has been approved and the commit(s) have been pushed to the repository.| +|`Denied`|The request has been reviewed and denied.| +|`Expired`| The request has expired. Requests are valid for 7 days. | +|`Open`| The request has either not yet been reviewed, or has been approved but the commit(s) have not been pushed to the repository. | + +When a contributor requests bypass privileges to push a commit containing a secret, members of the bypass list all receive an email notification containing a link to the request. Members of the bypass list then have 7 days to review and either approve or deny the request before the request expires. + +The contributor is notified of the decision by email and must take the required action. If the request is approved, the contributor can push the commit containing the secret to the repository. If the request is denied, the contributor must remove the secret from the commit in order to successfully push the commit to the repository. + +### Managing requests to bypass push protection at the repository-level + +{% data reusables.repositories.navigate-to-repo %} +{% data reusables.repositories.sidebar-security %} +{% data reusables.repositories.bypass-requests-settings %} +1. Select the **All statuses** dropdown menu, then click **Open** to view requests that are awaiting review. +1. Click the request that you want to review. +1. 
Review the details of the request. +1. To allow the contributor to push the commit containing the secret, click **Approve bypass request**. Or, to require the contributor to remove the secret from the commit, click **Deny bypass request**. From df3e6572f5844cf89ea263d838bfc6489678fa5c Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 8 Jul 2024 14:13:25 +0200 Subject: [PATCH 02/22] work --- .../push-protection-for-repositories-and-organizations.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md index 6424e4b38d..8679f7522a 100644 --- a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md +++ b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md @@ -122,6 +122,8 @@ You can use the organization settings page for "Code security and analysis" to e {% data reusables.repositories.navigate-to-ghas-settings %} {% data reusables.advanced-security.secret-scanning-push-protection-repo %} +TODO: add sentence about delegated bypass and link to new articles. + ## Further reading * "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection)" From fc0ea3da3ef8814d07a70a42e9ba7b79d0f356f2 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 8 Jul 2024 14:51:39 +0200 Subject: [PATCH 03/22] more work on delegated bypass --- .../about-delegated-bypass-for-push-protection.md | 10 ++++++---- .../enabling-delegated-bypass-for-push-protection.md | 8 +++++--- 2 files changed, 11 insertions(+), 7 deletions(-) 
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md index 7c65ea9807..be950951ed 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md @@ -3,9 +3,7 @@ title: About delegated bypass for push protection intro: 'TODO' product: '{% data reusables.gated-features.push-protection-for-repos %}' versions: - fpt: '*' - ghes: '*' - ghec: '*' + feature: push-protection-delegated-bypass type: overview topics: - Secret scanning @@ -15,4 +13,8 @@ topics: shortTitle: Delegated bypass --- -TODO +TODO: + +## About delegated bypass for push protection + +{% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md index 360c49ea79..b97a77b340 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md 
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md @@ -1,6 +1,6 @@ --- title: Enabling delegated bypass for push protection -intro: 'TODO' +intro: 'You can enable ' product: '{% data reusables.gated-features.push-protection-for-repos %}' versions: feature: push-protection-delegated-bypass @@ -17,7 +17,7 @@ shortTitle: Enable delegated bypass {% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} -Delegated bypass for push protection lets you control who can bypass push protection and which blocked pushes should be allowed. +Delegated bypass for push protection lets you control who can bypass push protection and which blocked pushes should be allowed. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)." When you enable push protection, by default, anyone with write access to the repository can choose to bypass the protection by specifying a reason for allowing the push containing a secret. With delegated bypass, contributors to a repository are instead obligated to request "bypass privileges." The request is sent to a designated group of reviewers, who either approve or deny the request to bypass push protection. 
@@ -25,7 +25,7 @@ If the request to bypass push protection is approved, the contributor can push t To configure delegated bypass, organization owners or repository administrators first create a "bypass list". The bypass list comprises specific roles and teams, such as the security team or repository administrators, who oversee requests from non-members to bypass push protection. For more information, see "[Configuring delegated bypass for an organization](#configuring-delegated-bypass-for-an-organization)" and "[Configuring delegated bypass for a repository](#configuring-delegated-bypass-for-a-repository)." -Members of the bypass list view and manage requests through the "Push protection bypass" page in the **Security** tab of the repository. For more information, see "[Managing requests to bypass push protection](#managing-requests-to-bypass-push-protection)." +Members of the bypass list view and manage requests through the "Push protection bypass" page in the **Security** tab of the repository. For more information, see "[Managing requests to bypass push protection](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection)." Members of the bypass list are still protected from accidentally pushing secrets to a repository. When a member of the bypass list attempts to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. Members of the bypass list do not have to request bypass privileges from other members in order to override the block. 
@@ -53,5 +53,7 @@ Members of the bypass list are still protected from accidentally pushing secrets {% data reusables.repositories.navigate-to-ghas-settings %} 1. Under "Push protection", to the right of "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}", select the dropdown menu, then click **Specific roles or teams**. 1. Under "Bypass list", click **Add role or team**. + >[!NOTE] You can't add secret teams to the bypass list. + 1. In the dialog box, select the roles and teams that you want to add to the bypass list, then click **Add selected**. From 8d34e2de8b912b8e87540ab5665e2fbc764c51ae Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 8 Jul 2024 20:53:14 +0200 Subject: [PATCH 04/22] more work on delegated bypass --- .../about-delegated-bypass-for-push-protection.md | 8 ++++++-- ...abling-delegated-bypass-for-push-protection.md | 15 ++++----------- ...managing-requests-to-bypass-push-protection.md | 11 +++++++++-- .../push-protection-delegated-bypass-intro.md | 1 + .../push-protection-delegated-bypass-overview.md | 9 +++++++++ 5 files changed, 29 insertions(+), 15 deletions(-) create mode 100644 data/reusables/secret-scanning/push-protection-delegated-bypass-intro.md create mode 100644 data/reusables/secret-scanning/push-protection-delegated-bypass-overview.md diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md index be950951ed..eb091f9bc4 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md 
+++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md @@ -13,8 +13,12 @@ topics: shortTitle: Delegated bypass --- -TODO: - ## About delegated bypass for push protection {% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} + +{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %} + +{% data reusables.secret-scanning.push-protection-delegated-bypass-overview %} + +For information about enabling delegated bypass, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)." diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md index b97a77b340..e4e51cc1dc 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md 
@@ -1,7 +1,8 @@ --- title: Enabling delegated bypass for push protection -intro: 'You can enable ' +intro: 'You can enable delegated bypass for your organization or repositotory so that you have full control over who can bypass blocks, and which blocks are allowed.' product: '{% data reusables.gated-features.push-protection-for-repos %}' +permissions: 'Organization owners and repository administrators can enable delegated bypass for push protection for their organization and repository, respectively.' versions: feature: push-protection-delegated-bypass type: how_to 
@@ -17,17 +18,9 @@ shortTitle: Enable delegated bypass {% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} -Delegated bypass for push protection lets you control who can bypass push protection and which blocked pushes should be allowed. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)." +{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)." -When you enable push protection, by default, anyone with write access to the repository can choose to bypass the protection by specifying a reason for allowing the push containing a secret. With delegated bypass, contributors to a repository are instead obligated to request "bypass privileges." The request is sent to a designated group of reviewers, who either approve or deny the request to bypass push protection. - -If the request to bypass push protection is approved, the contributor can push the commit containing the secret. If the request is denied, the contributor must remove the secret from the commit (or commits) containing the secret before pushing again. - -To configure delegated bypass, organization owners or repository administrators first create a "bypass list". The bypass list comprises specific roles and teams, such as the security team or repository administrators, who oversee requests from non-members to bypass push protection. For more information, see "[Configuring delegated bypass for an organization](#configuring-delegated-bypass-for-an-organization)" and "[Configuring delegated bypass for a repository](#configuring-delegated-bypass-for-a-repository)." 
- -Members of the bypass list view and manage requests through the "Push protection bypass" page in the **Security** tab of the repository. For more information, see "[Managing requests to bypass push protection](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection)." - -Members of the bypass list are still protected from accidentally pushing secrets to a repository. When a member of the bypass list attempts to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. Members of the bypass list do not have to request bypass privileges from other members in order to override the block. +To enable this feature, you first need to create a bypass list to add roles and teams who will manage request to bypass push protection. This step is included in the sections below. ### Configuring delegated bypass for an organization diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md index 2d59321711..063eb8f663 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md 
@@ -1,7 +1,8 @@ --- title: Managing requests to bypass push protection -intro: 'TODO' +intro: 'As a member of the bypass list for an organization or repository, you can process bypass requests from other members of the organization or repository.' product: '{% data reusables.gated-features.push-protection-for-repos %}' +permissions: 'Members of the bypass listcan process requests from non-members to bypass push protection.' versions: feature: push-protection-delegated-bypass type: how_to @@ -15,7 +16,13 @@ shortTitle: Manage bypass requests ## Managing requests to bypass push protection -You can view and manage all requests for bypass privileges on the "Push protection bypass" page, located under the **Security** tab of the repository. +{% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} + +{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)." + +Members of the bypass list can view and manage all requests for bypass privileges on the "Push protection bypass" page, located under the **Security** tab of the repository. + +> [!NOTE] Members of the bypass list are still protected from accidentally pushing secrets to a repository. When a member of the bypass list attempts to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. Members of the bypass list do not have to request bypass privileges from other members in order to override the block. You can filter requests by approver (member of the bypass list), requester (contributor making the request), timeframe, and status. The following statuses are assigned to a request: 
diff --git a/data/reusables/secret-scanning/push-protection-delegated-bypass-intro.md b/data/reusables/secret-scanning/push-protection-delegated-bypass-intro.md new file mode 100644 index 0000000000..812d54293d --- /dev/null +++ b/data/reusables/secret-scanning/push-protection-delegated-bypass-intro.md @@ -0,0 +1 @@ +Delegated bypass for push protection lets you control who can bypass push protection and which blocked pushes should be allowed. diff --git a/data/reusables/secret-scanning/push-protection-delegated-bypass-overview.md b/data/reusables/secret-scanning/push-protection-delegated-bypass-overview.md new file mode 100644 index 0000000000..274a575f4d --- /dev/null +++ b/data/reusables/secret-scanning/push-protection-delegated-bypass-overview.md 
@@ -0,0 +1,9 @@ +When you enable push protection, by default, anyone with write access to the repository can choose to bypass the protection by specifying a reason for allowing the push containing a secret. With delegated bypass, contributors to a repository are instead obligated to request "bypass privileges." The request is sent to a designated group of reviewers, who either approve or deny the request to bypass push protection. + +If the request to bypass push protection is approved, the contributor can push the commit containing the secret. If the request is denied, the contributor must remove the secret from the commit (or commits) containing the secret before pushing again. + +To configure delegated bypass, organization owners or repository administrators need to first create a "bypass list". The bypass list comprises specific roles and teams, such as the security team or repository administrators, who oversee requests from non-members to bypass push protection. For more information, see "[Configuring delegated bypass for an organization](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection#configuring-delegated-bypass-for-an-organization)" and "[Configuring delegated bypass for a repository](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection#configuring-delegated-bypass-for-a-repository)." + +Members of the bypass list view and manage requests through the "Push protection bypass" page in the **Security** tab of the repository. For more information, see "[Managing requests to bypass push protection](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection)." 
+ +Members of the bypass list are still protected from accidentally pushing secrets to a repository. When a member of the bypass list attempts to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. Members of the bypass list do not have to request bypass privileges from other members in order to override the block. From 1cdfcc872024f298e440adfd0b06ec3fa8731d99 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 8 Jul 2024 20:57:16 +0200 Subject: [PATCH 05/22] fix TODO --- .../about-delegated-bypass-for-push-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md index eb091f9bc4..3674812d5a 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md @@ -1,6 +1,6 @@ --- title: About delegated bypass for push protection -intro: 'TODO' +intro: 'With delegated bypass, you can control which teams or roles have the ability to bypass push protection in your organization or repository.' product: '{% data reusables.gated-features.push-protection-for-repos %}' versions: feature: push-protection-delegated-bypass From dde39a721d7146cd0914e140a3ad895ea722a2e8 Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 8 Jul 2024 21:09:54 +0200 Subject: [PATCH 06/22] fix typo --- .../enabling-delegated-bypass-for-push-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md index e4e51cc1dc..667edff41d 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md @@ -1,6 +1,6 @@ --- title: Enabling delegated bypass for push protection -intro: 'You can enable delegated bypass for your organization or repositotory so that you have full control over who can bypass blocks, and which blocks are allowed.' +intro: 'You can enable delegated bypass for your organization or repository so that you have full control over who can bypass blocks, and which blocks are allowed.' product: '{% data reusables.gated-features.push-protection-for-repos %}' permissions: 'Organization owners and repository administrators can enable delegated bypass for push protection for their organization and repository, respectively.' versions: From 08aa48d234fe62ee5c9111dcac4cb17ce5be861c Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 8 Jul 2024 21:20:39 +0200 Subject: [PATCH 07/22] fix failing test hopefully --- .../push-protection-for-repositories-and-organizations.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md index 8679f7522a..f96fba9437 100644 --- a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md +++ b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md 
@@ -30,7 +30,7 @@ shortTitle: Push protection for repositories {% ifversion push-protection-delegated-bypass %} -By default, anyone with write access to the repository can choose to bypass push protection by specifying one of the bypass reasons outlined in the table. If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. For more information, see "[Enabling delegated bypass for push protection](#enabling-delegated-bypass-for-push-protection)." +By default, anyone with write access to the repository can choose to bypass push protection by specifying one of the bypass reasons outlined in the table. If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. For more information, see "[Enabling delegated bypass for push protection](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)." {% endif %} @@ -122,8 +122,6 @@ You can use the organization settings page for "Code security and analysis" to e {% data reusables.repositories.navigate-to-ghas-settings %} {% data reusables.advanced-security.secret-scanning-push-protection-repo %} -TODO: add sentence about delegated bypass and link to new articles. - ## Further reading * "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection)" 
From 1ec9ea0366e3f2b88a66882421e7fce100b64736 Mon Sep 17 00:00:00 2001 From: Felicity Chapman Date: Tue, 9 Jul 2024 13:27:05 +0100 Subject: [PATCH 08/22] Update index.md to add missing quote --- .../delegated-bypass-for-push-protection/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md index c22caaba11..6546c4d8f3 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/index.md @@ -2,7 +2,7 @@ title: Delegated bypass for push protection shortTitle: Delegated bypass allowTitleToDifferFromFilename: true -intro: 'You can control the ability to bypass push protection by setting up a reviewers group to assess requests. When a contributor proposes bypassing protections, any member of the bypass list can approve or block the request. +intro: 'You can control the ability to bypass push protection by setting up a reviewers group to assess requests. When a contributor proposes bypassing protections, any member of the bypass list can approve or block the request.' product: '{% data reusables.gated-features.secret-scanning %}' versions: fpt: '*' From d601e9ebd7b2543958401ded39412d3868c5e779 Mon Sep 17 00:00:00 2001 
From: mc <42146119+mchammer01@users.noreply.github.com> Date: Tue, 9 Jul 2024 15:15:50 +0200 Subject: [PATCH 09/22] Update content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md Co-authored-by: Felicity Chapman --- .../about-delegated-bypass-for-push-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md index 3674812d5a..95e974880a 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md @@ -1,6 +1,6 @@ --- title: About delegated bypass for push protection -intro: 'With delegated bypass, you can control which teams or roles have the ability to bypass push protection in your organization or repository.' +intro: 'You can control which teams or roles have the ability to bypass push protection in your organization or repository.' product: '{% data reusables.gated-features.push-protection-for-repos %}' versions: feature: push-protection-delegated-bypass From be948a1adaa47e0e77c36c8b2ca2fb7dbd3d2f64 Mon Sep 17 00:00:00 2001 
From: mc <42146119+mchammer01@users.noreply.github.com> Date: Tue, 9 Jul 2024 15:16:13 +0200 Subject: [PATCH 10/22] Update data/reusables/secret-scanning/push-protection-delegated-bypass-intro.md Co-authored-by: Felicity Chapman --- .../secret-scanning/push-protection-delegated-bypass-intro.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/reusables/secret-scanning/push-protection-delegated-bypass-intro.md b/data/reusables/secret-scanning/push-protection-delegated-bypass-intro.md index 812d54293d..cffdc83e63 100644 --- a/data/reusables/secret-scanning/push-protection-delegated-bypass-intro.md +++ b/data/reusables/secret-scanning/push-protection-delegated-bypass-intro.md @@ -1 +1 @@ -Delegated bypass for push protection lets you control who can bypass push protection and which blocked pushes should be allowed. +Delegated bypass for push protection lets you define contributors who can bypass push protection and adds an approval process for other contributors. From a590917fcae6acd538a5f9ca582971a7a26bf625 Mon Sep 17 00:00:00 2001 From: mc <42146119+mchammer01@users.noreply.github.com> Date: Tue, 9 Jul 2024 15:22:14 +0200 Subject: [PATCH 11/22] Update content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md Co-authored-by: Felicity Chapman --- .../enabling-delegated-bypass-for-push-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md index 667edff41d..12fe1b2947 100644 
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md @@ -1,6 +1,6 @@ --- title: Enabling delegated bypass for push protection -intro: 'You can enable delegated bypass for your organization or repository so that you have full control over who can bypass blocks, and which blocks are allowed.' +intro: 'You can use delegated bypass for your organization or repository to control who can push commits that contain secrets identified by {% data variables.product.prodname_secret_scanning %}.' product: '{% data reusables.gated-features.push-protection-for-repos %}' permissions: 'Organization owners and repository administrators can enable delegated bypass for push protection for their organization and repository, respectively.' versions: From 212ea5c72445f78ed540441b7a99ff237064d3c9 Mon Sep 17 00:00:00 2001 From: mc <42146119+mchammer01@users.noreply.github.com> Date: Thu, 18 Jul 2024 15:03:25 +0100 Subject: [PATCH 12/22] Update content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md Co-authored-by: Felicity Chapman --- .../managing-requests-to-bypass-push-protection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md index 063eb8f663..4ed5edcad5 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md 
@@ -18,9 +18,9 @@ shortTitle: Manage bypass requests {% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %} -{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)." +{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %} -Members of the bypass list can view and manage all requests for bypass privileges on the "Push protection bypass" page, located under the **Security** tab of the repository. +An organization owner or repository administrator defines which roles and teams are included in a bypass list. Members of the bypass list can view and manage all requests for bypass privileges on the "Push protection bypass" page, located under the **Security** tab of the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection." > [!NOTE] Members of the bypass list are still protected from accidentally pushing secrets to a repository. When a member of the bypass list attempts to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. Members of the bypass list do not have to request bypass privileges from other members in order to override the block. From 261cf0b8262dfed801681d162baab95031837492 Mon Sep 17 00:00:00 2001 
From: mc <42146119+mchammer01@users.noreply.github.com> Date: Thu, 18 Jul 2024 15:05:44 +0100 Subject: [PATCH 13/22] Update content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md Co-authored-by: Felicity Chapman --- .../managing-requests-to-bypass-push-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md index 4ed5edcad5..ae4724e610 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md @@ -1,6 +1,6 @@ --- title: Managing requests to bypass push protection -intro: 'As a member of the bypass list for an organization or repository, you can process bypass requests from other members of the organization or repository.' +intro: 'As a member of the bypass list for an organization or repository, you can review bypass requests from other members of the organization or repository.' product: '{% data reusables.gated-features.push-protection-for-repos %}' permissions: 'Members of the bypass listcan process requests from non-members to bypass push protection.' versions: From 452df4db810709f847fc32dd12427fdea51c4572 Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 18 Jul 2024 15:31:26 +0100 Subject: [PATCH 14/22] add Felicitys suggestion --- .../enabling-delegated-bypass-for-push-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md index 12fe1b2947..6d6d6e0316 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md @@ -20,7 +20,7 @@ shortTitle: Enable delegated bypass {% data reusables.secret-scanning.push-protection-delegated-bypass-intro %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)." -To enable this feature, you first need to create a bypass list to add roles and teams who will manage request to bypass push protection. This step is included in the sections below. +When you enable this feature, you will create a bypass list of roles and teams who can manage requests to bypass push protection. If you don't already have appropriate teams or roles to use, you should create additional teams before you start. ### Configuring delegated bypass for an organization From 332ad21934c74c38d8b863af5692400ad59ee68d Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 18 Jul 2024 15:33:16 +0100 Subject: [PATCH 15/22] moved note as suggested --- .../enabling-delegated-bypass-for-push-protection.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md index 6d6d6e0316..20c95220e0 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md @@ -22,6 +22,8 @@ shortTitle: Enable delegated bypass When you enable this feature, you will create a bypass list of roles and teams who can manage requests to bypass push protection. If you don't already have appropriate teams or roles to use, you should create additional teams before you start. +>[!NOTE] You can't add secret teams to the bypass list. + ### Configuring delegated bypass for an organization {% data reusables.organizations.navigate-to-org %} 
@@ -33,7 +35,6 @@ When you enable this feature, you will create a bypass list of roles and teams w {% data reusables.repositories.navigate-to-ghas-settings %} 1. Under "Push protection", to the right of "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}", select the dropdown menu, then click **Specific roles or teams**. 1. Under "Bypass list", click **Add role or team**. - >[!NOTE] You can't add secret teams to the bypass list. 1. In the dialog box, select the roles and teams that you want to add to the bypass list, then click **Add selected**. ### Configuring delegated bypass for a repository From 43e02c7d9ef173345d5fd501abf63d75c5e0d8b5 Mon Sep 17 00:00:00 2001 From: mc <42146119+mchammer01@users.noreply.github.com> Date: Thu, 18 Jul 2024 15:33:58 +0100 Subject: [PATCH 16/22] Update content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md Co-authored-by: Felicity Chapman --- .../managing-requests-to-bypass-push-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md index ae4724e610..3a3437f5c0 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md 
@@ -2,7 +2,7 @@ title: Managing requests to bypass push protection intro: 'As a member of the bypass list for an organization or repository, you can review bypass requests from other members of the organization or repository.' product: '{% data reusables.gated-features.push-protection-for-repos %}' -permissions: 'Members of the bypass listcan process requests from non-members to bypass push protection.' +permissions: 'Members of the bypass list can process requests from non-members to bypass push protection.' versions: feature: push-protection-delegated-bypass type: how_to From 170eddcacf1723dad028fee324cff197a9884094 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 18 Jul 2024 15:39:12 +0100 Subject: [PATCH 17/22] addressed more comments add added missing parenthesis --- .../push-protection-for-repositories-and-organizations.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md index f96fba9437..6fad831be8 100644 --- a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md +++ b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md @@ -126,3 +126,4 @@ You can use the organization settings page for "Code security and analysis" to e * "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection)" * "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)" +* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)" From 6300de58ca0210bfb297ca36f8a4d90de67a39ea Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 18 Jul 2024 15:41:23 +0100 Subject: [PATCH 18/22] addressed more comments --- ...ging-requests-to-bypass-push-protection.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md index 3a3437f5c0..87d5907ec1 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md 
@@ -20,10 +20,20 @@ shortTitle: Manage bypass requests {% data reusables.secret-scanning.push-protection-delegated-bypass-intro %} -An organization owner or repository administrator defines which roles and teams are included in a bypass list. Members of the bypass list can view and manage all requests for bypass privileges on the "Push protection bypass" page, located under the **Security** tab of the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection." +An organization owner or repository administrator defines which roles and teams are included in a bypass list. Members of the bypass list can view and manage all requests for bypass privileges on the "Push protection bypass" page, located under the **Security** tab of the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)." > [!NOTE] Members of the bypass list are still protected from accidentally pushing secrets to a repository. When a member of the bypass list attempts to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. Members of the bypass list do not have to request bypass privileges from other members in order to override the block. +### Managing requests to bypass push protection at the repository-level + +{% data reusables.repositories.navigate-to-repo %} +{% data reusables.repositories.sidebar-security %} +{% data reusables.repositories.bypass-requests-settings %} +1. Select the **All statuses** dropdown menu, then click **Open** to view requests that are awaiting review. +1. Click the request that you want to review. +1. Review the details of the request. +1. 
To allow the contributor to push the commit containing the secret, click **Approve bypass request**. Or, to require the contributor to remove the secret from the commit, click **Deny bypass request**. + You can filter requests by approver (member of the bypass list), requester (contributor making the request), timeframe, and status. The following statuses are assigned to a request: |Status|Description| @@ -37,13 +47,3 @@ You can filter requests by approver (member of the bypass list), requester (cont When a contributor requests bypass privileges to push a commit containing a secret, members of the bypass list all receive an email notification containing a link to the request. Members of the bypass list then have 7 days to review and either approve or deny the request before the request expires. The contributor is notified of the decision by email and must take the required action. If the request is approved, the contributor can push the commit containing the secret to the repository. If the request is denied, the contributor must remove the secret from the commit in order to successfully push the commit to the repository. - -### Managing requests to bypass push protection at the repository-level - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-security %} -{% data reusables.repositories.bypass-requests-settings %} -1. Select the **All statuses** dropdown menu, then click **Open** to view requests that are awaiting review. -1. Click the request that you want to review. -1. Review the details of the request. -1. To allow the contributor to push the commit containing the secret, click **Approve bypass request**. Or, to require the contributor to remove the secret from the commit, click **Deny bypass request**. From 329a2d27ac4c6e6a310757cb3b8693788a46210e Mon Sep 17 00:00:00 2001 
From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 18 Jul 2024 15:42:18 +0100 Subject: [PATCH 19/22] add heading --- .../managing-requests-to-bypass-push-protection.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md index 87d5907ec1..65ee3f08cf 100644 --- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md @@ -34,6 +34,8 @@ An organization owner or repository administrator defines which roles and teams 1. Review the details of the request. 1. To allow the contributor to push the commit containing the secret, click **Approve bypass request**. Or, to require the contributor to remove the secret from the commit, click **Deny bypass request**. +### Filtering by request status + You can filter requests by approver (member of the bypass list), requester (contributor making the request), timeframe, and status. The following statuses are assigned to a request: |Status|Description| From ed4809755a1d5adb87f66b2a46db188ae0579a40 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Thu, 18 Jul 2024 16:01:07 +0100 Subject: [PATCH 20/22] add versioning to fix test failure --- .../push-protection-for-repositories-and-organizations.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md index 6fad831be8..8685f584d0 100644 --- a/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md +++ b/content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md @@ -125,5 +125,5 @@ You can use the organization settings page for "Code security and analysis" to e ## Further reading * "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection)" -* "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)" -* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)" +* "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)"{% ifversion push-protection-delegated-bypass %} +* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)"{% endif %} From 6de98b640f2c5bb5370159f00c309907f38811df Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 19 Jul 2024 08:34:27 +0100 Subject: [PATCH 21/22] address another comment --- .../managing-requests-to-bypass-push-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md index 65ee3f08cf..2308595dd8 100644 
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md @@ -29,7 +29,7 @@ An organization owner or repository administrator defines which roles and teams {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-security %} {% data reusables.repositories.bypass-requests-settings %} -1. Select the **All statuses** dropdown menu, then click **Open** to view requests that are awaiting review. +1. Select the **All statuses** dropdown menu, then click **Open** to view requests that are awaiting review, or that have been approved but for which the commits haven't been pushed yet. 1. Click the request that you want to review. 1. Review the details of the request. 1. To allow the contributor to push the commit containing the secret, click **Approve bypass request**. Or, to require the contributor to remove the secret from the commit, click **Deny bypass request**. From 394780335694c7195bcd4530a7619fa9c91b7c0a Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Fri, 19 Jul 2024 08:40:15 +0100 Subject: [PATCH 22/22] improve --- .../managing-requests-to-bypass-push-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md index 2308595dd8..8dbb251678 100644 
--- a/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md +++ b/content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md @@ -29,7 +29,7 @@ An organization owner or repository administrator defines which roles and teams {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-security %} {% data reusables.repositories.bypass-requests-settings %} -1. Select the **All statuses** dropdown menu, then click **Open** to view requests that are awaiting review, or that have been approved but for which the commits haven't been pushed yet. +1. Select the **All statuses** dropdown menu, then click **Open** to view requests that are awaiting review, or that have been approved but for which the commits haven't been pushed to the repository yet. 1. Click the request that you want to review. 1. Review the details of the request. 1. To allow the contributor to push the commit containing the secret, click **Approve bypass request**. Or, to require the contributor to remove the secret from the commit, click **Deny bypass request**.
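Review bot: In [PATCH 01/22], hunk @@ -20,10 +20,20 of managing-requests-to-bypass-push-protection.md, step 3 of the moved procedure ("Review the details of the request.") gives an approver nothing to check before step 4 allows the contributor to push the commit containing the secret. Suggest naming what the request shows and what should lead to a denial, or linking to where that is described. Minor: the new heading ends "at the repository-level"; used as a noun phrase it should be "at the repository level".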
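Review bot: In [PATCH 19/22], the added heading "### Filtering by request status" is narrower than the paragraph it introduces, which says requests can be filtered by approver, requester, timeframe, and status. Suggest a heading such as "### Filtering requests", or keep this heading for the status table only and move the sentence listing the other filters above it.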
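Review bot: In [PATCH 20/22], the {% ifversion push-protection-delegated-bypass %} tag opens at the end of the working-with-push-protection bullet rather than next to the bullet it guards, so a later edit that appends or reorders "Further reading" items can change what is versioned without anyone noticing. If the trailing placement is needed to keep the rendered list free of blank lines, say so in the commit message, which currently says only "fix test failure" without naming the test; otherwise consider a whitespace-controlled tag on its own line before the guarded bullet.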
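Review bot: In [PATCH 21/22] and [PATCH 22/22], the reworded step 1 makes **Open** cover both requests awaiting review and requests already approved but not yet pushed, while steps 2 to 4 still read as if every listed request needs a decision. Suggest telling the approver how to tell the two kinds apart in the list, and stating whether an approved request that is never pushed stays open indefinitely, since the page gives the 7-day window only for requests that have not been reviewed. The sentence would also read more easily as "requests that are awaiting review, or that have been approved but not yet pushed to the repository".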