jprdonnelly/docs
1
0
Fork 0
mirror of synced 2025-12-20 10:28:40 -05:00
Code Issues Projects Releases Wiki Activity

try to fix merge conflicts again

Browse Source
This commit is contained in:
mchammer01
2024-07-19 11:21:22 +01:00
parent 5bcf1cfeed b3990f3ab6
commit 42a22b7f3e
6 changed files with 104 additions and 105 deletions
Download Patch File Download Diff File Expand all files Collapse all files

91
content/code-security/secret-scanning/push-protection-for-repositories-and-organizations.md
View File

@@ -30,7 +30,7 @@ shortTitle: Push protection for repositories
{% ifversion push-protection-delegated-bypass %} {% ifversion push-protection-delegated-bypass %}
By default, anyone with write access to the repository can choose to bypass push protection by specifying one of the bypass reasons outlined in the table. If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. For more information, see "[Enabling delegated bypass for push protection](#enabling-delegated-bypass-for-push-protection)." By default, anyone with write access to the repository can choose to bypass push protection by specifying one of the bypass reasons outlined in the table. If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. For more information, see "[Enabling delegated bypass for push protection](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)."
{% endif %} {% endif %}
@@ -122,93 +122,8 @@ You can use the organization settings page for "Code security and analysis" to e
{% data reusables.repositories.navigate-to-ghas-settings %} {% data reusables.repositories.navigate-to-ghas-settings %}
{% data reusables.advanced-security.secret-scanning-push-protection-repo %} {% data reusables.advanced-security.secret-scanning-push-protection-repo %}
{% ifversion push-protection-delegated-bypass %}
## Enabling delegated bypass for push protection
{% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %}
Delegated bypass for push protection lets you control who can bypass push protection and which blocked pushes should be allowed.
When you enable push protection, by default, anyone with write access to the repository can choose to bypass the protection by specifying a reason for allowing the push containing a secret. With delegated bypass, contributors to a repository are instead obligated to request "bypass privileges." The request is sent to a designated group of reviewers, who either approve or deny the request to bypass push protection.
If the request to bypass push protection is approved, the contributor can push the commit containing the secret. If the request is denied, the contributor must remove the secret from the commit (or commits) containing the secret before pushing again.
To configure delegated bypass, organization owners or repository administrators first create a "bypass list". The bypass list comprises specific roles and teams, such as the security team or repository administrators, who oversee requests from non-members to bypass push protection. For more information, see "[Configuring delegated bypass for an organization](#configuring-delegated-bypass-for-an-organization)" and "[Configuring delegated bypass for a repository](#configuring-delegated-bypass-for-a-repository)."
Members of the bypass list view and manage requests through the "Push protection bypass" page in the **Security** tab of the repository. For more information, see "[Managing requests to bypass push protection](#managing-requests-to-bypass-push-protection)."
Members of the bypass list are still protected from accidentally pushing secrets to a repository. When a member of the bypass list attempts to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. Members of the bypass list do not have to request bypass privileges from other members in order to override the block.
### Configuring delegated bypass for an organization
{% data reusables.organizations.navigate-to-org %}
{% data reusables.organizations.org_settings %}
{% ifversion security-configurations-beta-and-pre-beta %}
{% data reusables.organizations.security-and-analysis %}
{% else %}
1. In the "Security" section of the sidebar, click **{% octicon "codescan" aria-hidden="true" %} Code security** then **Global settings**.
{% endif %}
{% ifversion security-configurations-beta-only %}
{% data reusables.security-configurations.changed-org-settings-global-settings-callout %}
{% endif %}
{% ifversion security-configurations-beta-and-pre-beta %}
{% data reusables.repositories.navigate-to-ghas-settings %}
{% else %}
1. Find "{% data variables.product.prodname_GH_advanced_security %}."
{% endif %}
1. Under "Push protection", to the right of "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}", select the dropdown menu, then click **Specific roles or teams**.
1. Under "Bypass list", click **Add role or team**.
>[!NOTE] You can't add secret teams to the bypass list.
1. In the dialog box, select the roles and teams that you want to add to the bypass list, then click **Add selected**.
### Configuring delegated bypass for a repository
>[!NOTE] If an organization owner configures delegated bypass at the organization-level, the repository-level settings are disabled.
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.repositories.navigate-to-code-security-and-analysis %}
{% data reusables.repositories.navigate-to-ghas-settings %}
1. Under "Push protection", to the right of "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}", select the dropdown menu, then click **Specific roles or teams**.
1. Under "Bypass list", click **Add role or team**.
>[!NOTE] You can't add secret teams to the bypass list.
1. In the dialog box, select the roles and teams that you want to add to the bypass list, then click **Add selected**.
## Managing requests to bypass push protection
You can view and manage all requests for bypass privileges on the "Push protection bypass" page, located under the **Security** tab of the repository.
You can filter requests by approver (member of the bypass list), requester (contributor making the request), timeframe, and status. The following statuses are assigned to a request:
|Status|Description|
|---------|-----------|
|`Cancelled`| The request has been cancelled by the contributor.|
|`Completed`|The request has been approved and the commit(s) have been pushed to the repository.|
|`Denied`|The request has been reviewed and denied.|
|`Expired`| The request has expired. Requests are valid for 7 days. |
|`Open`| The request has either not yet been reviewed, or has been approved but the commit(s) have not been pushed to the repository. |
When a contributor requests bypass privileges to push a commit containing a secret, members of the bypass list all receive an email notification containing a link to the request. Members of the bypass list then have 7 days to review and either approve or deny the request before the request expires.
The contributor is notified of the decision by email and must take the required action. If the request is approved, the contributor can push the commit containing the secret to the repository. If the request is denied, the contributor must remove the secret from the commit in order to successfully push the commit to the repository.
### Managing requests to bypass push protection at the repository-level
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
{% data reusables.repositories.bypass-requests-settings %}
1. Select the **All statuses** dropdown menu, then click **Open** to view requests that are awaiting review.
1. Click the request that you want to review.
1. Review the details of the request.
1. To allow the contributor to push the commit containing the secret, click **Approve bypass request**. Or, to require the contributor to remove the secret from the commit, click **Deny bypass request**.
{% endif %}
## Further reading ## Further reading
* "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection)" * "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection)"
* "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)" * "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)"{% ifversion push-protection-delegated-bypass %}
* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)"{% endif %}

16
content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md
View File

@@ -1,11 +1,9 @@
--- ---
title: About delegated bypass for push protection title: About delegated bypass for push protection
intro: 'TODO' intro: 'You can control which teams or roles have the ability to bypass push protection in your organization or repository.'
product: '{% data reusables.gated-features.push-protection-for-repos %}' product: '{% data reusables.gated-features.push-protection-for-repos %}'
versions: versions:
fpt: '*' feature: push-protection-delegated-bypass
ghes: '*'
ghec: '*'
type: overview type: overview
topics: topics:
- Secret scanning - Secret scanning
@@ -15,4 +13,12 @@ topics:
shortTitle: Delegated bypass shortTitle: Delegated bypass
--- ---
TODO ## About delegated bypass for push protection
{% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %}
{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %}
{% data reusables.secret-scanning.push-protection-delegated-bypass-overview %}
For information about enabling delegated bypass, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)."

49
content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md
View File

@@ -1,18 +1,53 @@
--- ---
title: Enabling delegated bypass for push protection title: Enabling delegated bypass for push protection
intro: 'TODO' intro: 'You can use delegated bypass for your organization or repository to control who can push commits that contain secrets identified by {% data variables.product.prodname_secret_scanning %}.'
product: '{% data reusables.gated-features.push-protection-for-repos %}' product: '{% data reusables.gated-features.push-protection-for-repos %}'
permissions: 'Organization owners and repository administrators can enable delegated bypass for push protection for their organization and repository, respectively.'
versions: versions:
fpt: '*' feature: push-protection-delegated-bypass
ghes: '*' type: how_to
ghec: '*'
type: overview
topics: topics:
- Secret scanning - Secret scanning
- Advanced Security - Advanced Security
- Alerts - Alerts
- Repositories - Repositories
shortTitle: Delegated bypass shortTitle: Enable delegated bypass
--- ---
TODO ## Enabling delegated bypass for push protection
{% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %}
{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %} For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)."
When you enable this feature, you will create a bypass list of roles and teams who can manage requests to bypass push protection. If you don't already have appropriate teams or roles to use, you should create additional teams before you start.
>[!NOTE] You can't add secret teams to the bypass list.
### Configuring delegated bypass for an organization
{% data reusables.organizations.navigate-to-org %}
{% data reusables.organizations.org_settings %}
{% data reusables.organizations.security-and-analysis %}
{% ifversion security-configurations %}
{% data reusables.security-configurations.changed-org-settings-global-settings-callout %}
{% endif %}
{% data reusables.repositories.navigate-to-ghas-settings %}
1. Under "Push protection", to the right of "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}", select the dropdown menu, then click **Specific roles or teams**.
1. Under "Bypass list", click **Add role or team**.
1. In the dialog box, select the roles and teams that you want to add to the bypass list, then click **Add selected**.
### Configuring delegated bypass for a repository
>[!NOTE] If an organization owner configures delegated bypass at the organization-level, the repository-level settings are disabled.
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.repositories.navigate-to-code-security-and-analysis %}
{% data reusables.repositories.navigate-to-ghas-settings %}
1. Under "Push protection", to the right of "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}", select the dropdown menu, then click **Specific roles or teams**.
1. Under "Bypass list", click **Add role or team**.
>[!NOTE] You can't add secret teams to the bypass list.
1. In the dialog box, select the roles and teams that you want to add to the bypass list, then click **Add selected**.

43
content/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection.md
View File

@@ -1,11 +1,10 @@
--- ---
title: Managing requests to bypass push protection title: Managing requests to bypass push protection
intro: 'TODO' intro: 'As a member of the bypass list for an organization or repository, you can review bypass requests from other members of the organization or repository.'
product: '{% data reusables.gated-features.push-protection-for-repos %}' product: '{% data reusables.gated-features.push-protection-for-repos %}'
permissions: 'Members of the bypass list can process requests from non-members to bypass push protection.'
versions: versions:
fpt: '*' feature: push-protection-delegated-bypass
ghes: '*'
ghec: '*'
type: how_to type: how_to
topics: topics:
- Secret scanning - Secret scanning
@@ -15,4 +14,38 @@ topics:
shortTitle: Manage bypass requests shortTitle: Manage bypass requests
--- ---
TODO ## Managing requests to bypass push protection
{% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %}
{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %}
An organization owner or repository administrator defines which roles and teams are included in a bypass list. Members of the bypass list can view and manage all requests for bypass privileges on the "Push protection bypass" page, located under the **Security** tab of the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)."
> [!NOTE] Members of the bypass list are still protected from accidentally pushing secrets to a repository. When a member of the bypass list attempts to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. Members of the bypass list do not have to request bypass privileges from other members in order to override the block.
### Managing requests to bypass push protection at the repository-level
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
{% data reusables.repositories.bypass-requests-settings %}
1. Select the **All statuses** dropdown menu, then click **Open** to view requests that are awaiting review, or that have been approved but for which the commits haven't been pushed to the repository yet.
1. Click the request that you want to review.
1. Review the details of the request.
1. To allow the contributor to push the commit containing the secret, click **Approve bypass request**. Or, to require the contributor to remove the secret from the commit, click **Deny bypass request**.
### Filtering by request status
You can filter requests by approver (member of the bypass list), requester (contributor making the request), timeframe, and status. The following statuses are assigned to a request:
|Status|Description|
|---------|-----------|
|`Cancelled`| The request has been cancelled by the contributor.|
|`Completed`|The request has been approved and the commit(s) have been pushed to the repository.|
|`Denied`|The request has been reviewed and denied.|
|`Expired`| The request has expired. Requests are valid for 7 days. |
|`Open`| The request has either not yet been reviewed, or has been approved but the commit(s) have not been pushed to the repository. |
When a contributor requests bypass privileges to push a commit containing a secret, members of the bypass list all receive an email notification containing a link to the request. Members of the bypass list then have 7 days to review and either approve or deny the request before the request expires.
The contributor is notified of the decision by email and must take the required action. If the request is approved, the contributor can push the commit containing the secret to the repository. If the request is denied, the contributor must remove the secret from the commit in order to successfully push the commit to the repository.

1
data/reusables/secret-scanning/push-protection-delegated-bypass-intro.md Normal file
View File

@@ -0,0 +1 @@
Delegated bypass for push protection lets you define contributors who can bypass push protection and adds an approval process for other contributors.

9
data/reusables/secret-scanning/push-protection-delegated-bypass-overview.md Normal file
View File

@@ -0,0 +1,9 @@
When you enable push protection, by default, anyone with write access to the repository can choose to bypass the protection by specifying a reason for allowing the push containing a secret. With delegated bypass, contributors to a repository are instead obligated to request "bypass privileges." The request is sent to a designated group of reviewers, who either approve or deny the request to bypass push protection.
If the request to bypass push protection is approved, the contributor can push the commit containing the secret. If the request is denied, the contributor must remove the secret from the commit (or commits) containing the secret before pushing again.
To configure delegated bypass, organization owners or repository administrators need to first create a "bypass list". The bypass list comprises specific roles and teams, such as the security team or repository administrators, who oversee requests from non-members to bypass push protection. For more information, see "[Configuring delegated bypass for an organization](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection#configuring-delegated-bypass-for-an-organization)" and "[Configuring delegated bypass for a repository](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection#configuring-delegated-bypass-for-a-repository)."
Members of the bypass list view and manage requests through the "Push protection bypass" page in the **Security** tab of the repository. For more information, see "[Managing requests to bypass push protection](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection)."
Members of the bypass list are still protected from accidentally pushing secrets to a repository. When a member of the bypass list attempts to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. Members of the bypass list do not have to request bypass privileges from other members in order to override the block.