mirror of synced 2025-12-19 18:10:59 -05:00

Secret scanning push protection delegated bypass [Public Beta] #10362 (#49642)

Co-authored-by: github-actions <github-actions@github.com>
Co-authored-by: Courtney Claessens <courtneycl@github.com>
Anne-Marie
2024-04-30 20:17:46 +02:00
committed by GitHub
parent 5b14b2c247
commit 469e15394c
14 changed files with 203 additions and 44 deletions

@@ -27,6 +27,7 @@ children:
- /enabling-ai-powered-generic-secret-detection - /enabling-ai-powered-generic-secret-detection
- /push-protection-for-repositories-and-organizations - /push-protection-for-repositories-and-organizations
- /push-protection-for-users - /push-protection-for-users
- /working-with-push-protection
- /pushing-a-branch-blocked-by-push-protection - /pushing-a-branch-blocked-by-push-protection
- /troubleshooting-secret-scanning - /troubleshooting-secret-scanning
--- ---

@@ -26,19 +26,25 @@ shortTitle: Push protection for repositories
{% data reusables.secret-scanning.bypass-reasons-and-alerts %} {% data reusables.secret-scanning.bypass-reasons-and-alerts %}
{% ifversion push-protection-delegated-bypass %}
By default, anyone with write access to the repository can choose to bypass push protection by specifying one of the bypass reasons outlined in the table. If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. For more information, see "[Enabling delegated bypass for push protection](#enabling-delegated-bypass-for-push-protection)."
{% endif %}
{% ifversion secret-scanning-bypass-filter %} {% ifversion secret-scanning-bypass-filter %}
On the {% data variables.product.prodname_secret_scanning %} alerts page for a repository or organization, you can apply the `bypassed:true` filter to easily see which alerts are the result of a user bypassing push protection. On the {% data variables.product.prodname_secret_scanning %} alerts page for a repository or organization, you can apply the `bypassed:true` filter to easily see which alerts are the result of a user bypassing push protection. For more information on viewing these alerts, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)."
{% endif %} {% endif %}
You can monitor security alerts to discover when users are bypassing push protections and creating alerts. For more information, see "[AUTOTITLE](/code-security/getting-started/auditing-security-alerts)." You can monitor security alerts to discover when users are bypassing push protections and creating alerts. For more information, see "[AUTOTITLE](/code-security/getting-started/auditing-security-alerts)."
{% ifversion security-overview-push-protection-metrics-page %} {% ifversion security-overview-push-protection-metrics-page %}
If you are an organization owner or security manager, you can view metrics on how push protection is performing across your organization. For more information, see "[AUTOTITLE](/code-security/security-overview/viewing-metrics-for-secret-scanning-push-protection-in-your-organization)."
{% endif %}
For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." If you are an organization owner or security manager, you can view metrics on how push protection is performing across your organization. For more information, see "[AUTOTITLE](/code-security/security-overview/viewing-metrics-for-secret-scanning-push-protection-in-your-organization)."
{% endif %}
{% ifversion ghec or fpt %} {% ifversion ghec or fpt %}
{% note %} {% note %}
@@ -48,11 +54,7 @@ For information on the secrets and service providers supported for push protecti
{% endnote %} {% endnote %}
{% endif %} {% endif %}
{% ifversion secret-scanning-push-protection-for-users %} For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."
{% data reusables.secret-scanning.push-protection-for-users %}
{% endif %}
## Enabling {% data variables.product.prodname_secret_scanning %} as a push protection ## Enabling {% data variables.product.prodname_secret_scanning %} as a push protection
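Review bot: Removing `{% data reusables.secret-scanning.push-protection-for-users %}` together with its `ifversion` wrapper leaves this article, as far as the diff shows, with no pointer to push protection for users; the new "Further reading" list at the end of the file links only to the blocked-branch and working-with-push-protection articles. If the reusable was dropped on purpose, consider adding `/code-security/secret-scanning/push-protection-for-users` to "Further reading" under the same `secret-scanning-push-protection-for-users` version check.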
@@ -60,6 +62,8 @@ For you to use {% data variables.product.prodname_secret_scanning %} as a push p
Organization owners, security managers, and repository administrators can also enable push protection for {% data variables.product.prodname_secret_scanning %} via the API. For more information, see "[AUTOTITLE](/rest/repos#update-a-repository)" and expand the "Properties of the `security_and_analysis` object" section. Organization owners, security managers, and repository administrators can also enable push protection for {% data variables.product.prodname_secret_scanning %} via the API. For more information, see "[AUTOTITLE](/rest/repos#update-a-repository)" and expand the "Properties of the `security_and_analysis` object" section.
Organization owners can provide a custom link that will be displayed when a push is blocked. This custom link can contain organization-specific resources and advice, such as directions on using a recommended secrets vault or who to contact for questions relating to the blocked secret.
{% ifversion secret-scanning-enable-by-default-for-public-repos %} {% ifversion secret-scanning-enable-by-default-for-public-repos %}
You can also enable push protection for all of your existing {% ifversion ghec %}user-owned {% endif %} public repositories through your personal account settings. For any new public repositories you create, push protection will be enabled by default. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-secret-scanning-alerts-for-users-for-all-your-public-repositories)." You can also enable push protection for all of your existing {% ifversion ghec %}user-owned {% endif %} public repositories through your personal account settings. For any new public repositories you create, push protection will be enabled by default. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-secret-scanning-alerts-for-users-for-all-your-public-repositories)."
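Review bot: The custom-link paragraph added here ("Organization owners can provide a custom link that will be displayed when a push is blocked.") now exists in two wordings: this one, and the longer README-file version in the web UI section of the new working-with-push-protection article. Move it into a reusable so the two cannot drift, and decide whether the command-line section of the new article should still carry it, since the paragraph sat in the command-line section of this file before the move.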
@@ -186,57 +190,80 @@ Before enabling push protection for a custom pattern at repository level, you mu
{% endif %} {% endif %}
## Using secret scanning as a push protection from the command line {% ifversion push-protection-delegated-bypass %}
{% data reusables.secret-scanning.push-protection-command-line-choice %} ## Enabling delegated bypass for push protection
Up to five detected secrets will be displayed at a time on the command line. If a particular secret has already been detected in the repository and an alert already exists, {% data variables.product.prodname_dotcom %} will not block that secret. {% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %}
Organization owners can provide a custom link that will be displayed when a push is blocked. This custom link can contain organization-specific resources and advice, such as directions on using a recommended secrets vault or who to contact for questions relating to the blocked secret. Delegated bypass for push protection lets you control who can bypass push protection and which blocked pushes should be allowed.
{% data reusables.secret-scanning.push-protection-remove-secret %} For more information about remediating blocked secrets, see "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection#resolving-a-blocked-push-on-the-command-line)." When you enable push protection, by default, anyone with write access to the repository can choose to bypass the protection by specifying a reason for allowing the push containing a secret. With delegated bypass, contributors to a repository are instead obligated to request "bypass privileges." The request is sent to a designated group of reviewers, who either approve or deny the request to bypass push protection.
If you confirm a secret is real and that you intend to fix it later, you should aim to remediate the secret as soon as possible. For example, you might revoke the secret and remove the secret from the repository's commit history. Real secrets that have been exposed must be revoked to avoid unauthorized access. You might consider first rotating the secret before revoking it. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository)." If the request to bypass push protection is approved, the contributor can push the commit containing the secret. If the request is denied, the contributor must remove the secret from the commit (or commits) containing the secret before pushing again.
{% data reusables.secret-scanning.push-protection-multiple-branch-note %} To configure delegated bypass, organization owners or repository administrators first create a "bypass list". The bypass list comprises specific roles and teams, such as the security team or repository administrators, who oversee requests from non-members to bypass push protection. For more information, see "[Configuring delegated bypass for an organization](#configuring-delegated-bypass-for-an-organization)" and "[Configuring delegated bypass for a repository](#configuring-delegated-bypass-for-a-repository)."
### Allowing a blocked secret to be pushed Members of the bypass list view and manage requests through the "Push protection bypass" page in the **Security** tab of the repository. For more information, see "[Managing requests to bypass push protection](#managing-requests-to-bypass-push-protection)."
If {% data variables.product.prodname_dotcom %} blocks a secret that you believe is safe to push, you can allow the secret and specify the reason why it should be allowed. Members of the bypass list are still protected from accidentally pushing secrets to a repository. When a member of the bypass list attempts to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. Members of the bypass list do not have to request bypass privileges from other members in order to override the block.
{% data reusables.secret-scanning.push-protection-allow-secrets-alerts %} ### Configuring delegated bypass for an organization
{% data reusables.secret-scanning.push-protection-allow-email %} {% data reusables.organizations.navigate-to-org %}
{% data reusables.organizations.org_settings %}
{% data reusables.organizations.security-and-analysis %}
{% ifversion security-configurations %}
{% data reusables.security-configurations.changed-org-settings-global-settings-callout %}
{% endif %}
{% data reusables.repositories.navigate-to-ghas-settings %}
1. Under "Push protection", to the right of "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}", select the dropdown menu, then click **Specific roles or teams**.
1. Under "Bypass list", click **Add role or team**.
1. In the dialog box, select the roles and teams that you want to add to the bypass list, then click **Add selected**.
1. Visit the URL returned by {% data variables.product.prodname_dotcom %} when your push was blocked. ### Configuring delegated bypass for a repository
{% data reusables.secret-scanning.push-protection-choose-allow-secret-options %}
{% data reusables.secret-scanning.push-protection-public-repos-bypass %}
1. Click **Allow me to push this secret**.
1. Reattempt the push on the command line within three hours. If you have not pushed within three hours, you will need to repeat this process.
## Using secret scanning as a push protection from the web UI >[!NOTE] If an organization owner configures delegated bypass at the organization-level, the repository-level settings are disabled.
{% data reusables.secret-scanning.push-protection-web-ui-choice %} {% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.repositories.navigate-to-code-security-and-analysis %}
{% data reusables.repositories.navigate-to-ghas-settings %}
1. Under "Push protection", to the right of "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}", select the dropdown menu, then click **Specific roles or teams**.
1. Under "Bypass list", click **Add role or team**.
1. In the dialog box, select the roles and teams that you want to add to the bypass list, then click **Add selected**.
{% data variables.product.prodname_dotcom %} will only display one detected secret at a time in the web UI. If a particular secret has already been detected in the repository and an alert already exists, {% data variables.product.prodname_dotcom %} will not block that secret. ## Managing requests to bypass push protection
Organization owners can provide a custom link that will be displayed when a push is blocked. This custom link can contain resources and advice specific to your organization. For example, the custom link can point to a README file with information about the organization's secret vault, which teams and individuals to escalate questions to, or the organization's approved policy for working with secrets and rewriting commit history. You can view and manage all requests for bypass privileges on the "Push protection bypass" page, located under the **Security** tab of the repository.
You can remove the secret from the file using the web UI. Once you remove the secret, you will be able to commit your changes. You can filter requests by approver (member of the bypass list), requester (contributor making the request), timeframe, and status. The following statuses are assigned to a request:
### Bypassing push protection for a secret |Status|Description|
|---------|-----------|
|`Cancelled`| The request has been cancelled by the contributor.|
|`Completed`|The request has been approved and the commit(s) have been pushed to the repository.|
|`Denied`|The request has been reviewed and denied.|
|`Expired`| The request has expired. Requests are valid for 7 days. |
|`Open`| The request has either not yet been reviewed, or has been approved but the commit(s) have not been pushed to the repository. |
{% data reusables.secret-scanning.push-protection-remove-secret %} For more information about remediating blocked secrets, see "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection#resolving-a-blocked-push-in-the-web-ui)." When a contributor requests bypass privileges to push a commit containing a secret, members of the bypass list all receive an email notification containing a link to the request. Members of the bypass list then have 7 days to review and either approve or deny the request before the request expires.
If you confirm a secret is real and that you intend to fix it later, you should aim to remediate the secret as soon as possible. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository)." The contributor is notified of the decision by email and must take the required action. If the request is approved, the contributor can push the commit containing the secret to the repository. If the request is denied, the contributor must remove the secret from the commit in order to successfully push the commit to the repository.
If {% data variables.product.prodname_dotcom %} blocks a secret that you believe is safe to push, you can allow the secret and specify the reason why it should be allowed. ### Managing requests to bypass push protection at the repository-level
{% data reusables.secret-scanning.push-protection-allow-secrets-alerts %} {% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
{% data reusables.repositories.bypass-requests-settings %}
1. Select the **All statuses** dropdown menu, then click **Open** to view requests that are awaiting review.
1. Click the request that you want to review.
1. Review the details of the request.
1. To allow the contributor to push the commit containing the secret, click **Approve bypass request**. Or, to require the contributor to remove the secret from the commit, click **Deny bypass request**.
{% data reusables.secret-scanning.push-protection-allow-email %} {% endif %}
1. In dialog box that appeared when {% data variables.product.prodname_dotcom %} blocked your commit, review the name and location of the secret. ## Further reading
{% data reusables.secret-scanning.push-protection-choose-allow-secret-options %}
{% data reusables.secret-scanning.push-protection-public-repos-bypass %} - "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection)"
1. Click **Allow secret**. - "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)"
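Review bot: The `Open` row of the status table conflicts with step 1 of "Managing requests to bypass push protection at the repository-level": the table says `Open` also covers requests that have been approved but not yet pushed, while the step tells reviewers to filter by **Open** "to view requests that are awaiting review". Reviewers following the procedure will find already-approved requests in that list, so either say how to tell the two apart on the page or reword the step to state that the filter shows unreviewed requests and approved requests still waiting for the push. Two smaller points in the same section: "requests from non-members" in the bypass list paragraph should say non-members of the bypass list, since it can be read as non-members of the organization, and "organization-level" and "repository-level" should not be hyphenated when used as nouns ("at the organization level").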

@@ -19,7 +19,7 @@ Push protection helps to prevent security leaks by scanning for secrets before y
When you try to push a secret to a repository secured by push protection, {% data variables.product.prodname_dotcom %} blocks the push. You must remove the secret from your branch before pushing again. For more information on how to resolve a blocked push, see "[Resolving a blocked push on the command line](#resolving-a-blocked-push-on-the-command-line)" and "[Resolving a blocked commit in the web UI](#resolving-a-blocked-commit-in-the-web-ui)" in this article. When you try to push a secret to a repository secured by push protection, {% data variables.product.prodname_dotcom %} blocks the push. You must remove the secret from your branch before pushing again. For more information on how to resolve a blocked push, see "[Resolving a blocked push on the command line](#resolving-a-blocked-push-on-the-command-line)" and "[Resolving a blocked commit in the web UI](#resolving-a-blocked-commit-in-the-web-ui)" in this article.
If you believe it's safe to allow the secret, you have the option to bypass the protection. For more information, see "[Allowing a blocked secret to be pushed](/code-security/secret-scanning/push-protection-for-repositories-and-organizations#allowing-a-blocked-secret-to-be-pushed)" and "[Bypassing push protection for a secret](/code-security/secret-scanning/push-protection-for-repositories-and-organizations#bypassing-push-protection-for-a-secret)." If you believe it's safe to allow the secret, you {% ifversion push-protection-delegated-bypass %}may {% endif %}have the option to bypass the protection. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)."
For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)." For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."
@@ -106,9 +106,10 @@ You can also remove the secret if the secret appears in an earlier commit in the
To resolve a blocked commit in the web UI, you need to remove the secret from the file. Once you remove the secret, you will be able to commit your changes. To resolve a blocked commit in the web UI, you need to remove the secret from the file. Once you remove the secret, you will be able to commit your changes.
Alternatively, if you determine that it's safe to allow the secret, use the options displayed in the dialog box to bypass push protection. For more information about bypassing push protection from the web UI, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning#bypassing-push-protection-for-a-secret)." Alternatively, if you determine that it's safe to allow the secret, use the options displayed in the dialog box to bypass push protection. For more information about bypassing push protection from the web UI, see "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection#bypassing-push-protection-when-working-with-the-web-ui)."
# Further reading # Further reading
- "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)"
- "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)"{% ifversion secret-scanning-push-protection-for-users %} - "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)"{% ifversion secret-scanning-push-protection-for-users %}
- "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-users)"{% endif %} - "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-users)"{% endif %}
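Review bot: The "Further reading" heading directly above the added list entry is a level-one heading (`# Further reading`), while the new working-with-push-protection article uses `## Further reading`. Since this hunk already touches the list, change the heading to `##` so heading levels are consistent across the articles.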

@@ -0,0 +1,119 @@
---
title: Working with push protection
intro: 'Push protection proactively secures you against leaked secrets in your repositories by blocking pushes containing secrets. To push a commit containing a secret, you must specify a reason for bypassing the block{% ifversion push-protection-delegated-bypass %}, or, if required, request bypass privileges to bypass the block{% endif %}.'
product: '{% data reusables.gated-features.push-protection-for-repos %}'
versions:
feature: secret-scanning-push-protection
type: how_to
topics:
- Secret scanning
- Advanced Security
- Alerts
- Repositories
shortTitle: Work with push protection
---
## About working with push protection
Push protection prevents you from accidentally committing secrets to a repository by blocking pushes containing supported secrets.
You can work with push protection from the command line or from the web UI.
For more information on working with push protection, including how to bypass the block if necessary, see "[Using push protection from the command line](#using-push-protection-from-the-command-line)" and "[Using push protection from the web UI](#using-push-protection-from-the-web-ui)" in this article.
## Using push protection from the command line
{% data reusables.secret-scanning.push-protection-command-line-choice %}
Up to five detected secrets will be displayed at a time on the command line. If a particular secret has already been detected in the repository and an alert already exists, {% data variables.product.prodname_dotcom %} will not block that secret.
{% data reusables.secret-scanning.push-protection-remove-secret %} For more information about remediating blocked secrets, see "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection#resolving-a-blocked-push-on-the-command-line)."
If you confirm a secret is real and that you intend to fix it later, you should aim to remediate the secret as soon as possible. For example, you might revoke the secret and remove the secret from the repository's commit history. Real secrets that have been exposed must be revoked to avoid unauthorized access. You might consider first rotating the secret before revoking it. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository)."
{% data reusables.secret-scanning.push-protection-multiple-branch-note %}
In some cases, you may need to bypass the block on a secret. {% ifversion push-protection-delegated-bypass %} Whether or not you are able to bypass the block depends on the permissions that have been set for you by your repository adminstrator or organization owner.
You may be able to bypass the block by specifying a reason for allowing the push. {% endif %} For more information on how to bypass push protection and push a blocked secret, see "[Bypassing push protection when working with the command line](#bypassing-push-protection-when-working-with-the-command-line)."
{% ifversion push-protection-delegated-bypass %} Alternatively, you may be required to submit a request for "bypass privileges" in order to push the secret. For information on how to request permission to bypass push protection and push the blocked secret, see "[Requesting bypass privileges when working with the command line](#requesting-bypass-privileges-when-working-with-the-command-line)."
{% endif %}
### Bypassing push protection when working with the command line
If {% data variables.product.prodname_dotcom %} blocks a secret that you believe is safe to push, you {% ifversion push-protection-delegated-bypass %}may be able to {% else %}can {% endif %}bypass the block by specifying a reason for allowing the secret to be pushed.
{% data reusables.secret-scanning.push-protection-allow-secrets-alerts %}
{% data reusables.secret-scanning.push-protection-allow-email %}
{% ifversion push-protection-delegated-bypass %}
If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to push the blocked secret. For more information, see "[Requesting bypass privileges when working with the command line](#requesting-bypass-privileges-when-working-with-the-command-line)."
{% endif %}
{% data reusables.secret-scanning.push-protection-visit-URL %}
{% data reusables.secret-scanning.push-protection-choose-allow-secret-options %}
{% data reusables.secret-scanning.push-protection-public-repos-bypass %}
1. Click **Allow me to push this secret**.
1. Reattempt the push on the command line within three hours. If you have not pushed within three hours, you will need to repeat this process.
{% ifversion push-protection-delegated-bypass %}
### Requesting bypass privileges when working with the command line
{% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %}
If your push has been blocked by push protection and you believe the secret is safe to push, you can request permission to bypass the block. Your request is sent to a designated group of reviewers, who will either approve or deny the request.
Requests expire after 7 days.
{% data reusables.secret-scanning.push-protection-visit-URL %}
{% data reusables.secret-scanning.push-protection-bypass-request-add-comment %}
{% data reusables.secret-scanning.push-protection-submit-bypass-request %}
{% data reusables.secret-scanning.push-protection-bypass-request-check-email %}
{% data reusables.secret-scanning.push-protection-bypass-request-decision-email %}
If your request is approved, you can push the commit (or commits) containing the secret to the repository, as well as any future commits that contain the same secret.
If your request is denied, you will need to remove the secret from all commits containing the secret before pushing again. For information on how to remove a blocked secret, see "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection#resolving-a-blocked-push-on-the-command-line)."
{% endif %}
## Using push protection from the web UI
{% data reusables.secret-scanning.push-protection-web-ui-choice %}
{% data variables.product.prodname_dotcom %} will only display one detected secret at a time in the web UI. If a particular secret has already been detected in the repository and an alert already exists, {% data variables.product.prodname_dotcom %} will not block that secret.
Organization owners can provide a custom link that will be displayed when a push is blocked. This custom link can contain resources and advice specific to your organization. For example, the custom link can point to a README file with information about the organization's secret vault, which teams and individuals to escalate questions to, or the organization's approved policy for working with secrets and rewriting commit history.
For a blocked commit, you can remove the secret from the file using the web UI. Once you remove the secret, you will be able to commit your changes.
You can bypass the block by specifying a reason for allowing the secret. For more information on how to bypass push protection and commit the blocked secret, see "[Bypassing push protection when working with the web UI](#bypassing-push-protection-when-working-with-the-web-ui)."
### Bypassing push protection when working with the web UI
{% data reusables.secret-scanning.push-protection-remove-secret %} For more information about remediating blocked secrets, see "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection#resolving-a-blocked-push-in-the-web-ui)."
If you confirm a secret is real and that you intend to fix it later, you should aim to remediate the secret as soon as possible. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository)."
If {% data variables.product.prodname_dotcom %} blocks a secret that you believe is safe to commit, you {% ifversion push-protection-delegated-bypass %}may be able to {% else %}can {% endif %}bypass the block by specifying a reason for allowing the secret.
{% data reusables.secret-scanning.push-protection-allow-secrets-alerts %}
{% data reusables.secret-scanning.push-protection-allow-email %}
1. In dialog box that appeared when {% data variables.product.prodname_dotcom %} blocked your commit, review the name and location of the secret.
{% data reusables.secret-scanning.push-protection-choose-allow-secret-options %}
{% data reusables.secret-scanning.push-protection-public-repos-bypass %}
1. Click **Allow secret**.
## Further reading
- "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection)"
- "[AUTOTITLE](/code-security/secret-scanning/push-protection-for-repositories-and-organizations)"
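Review bot: In "Requesting bypass privileges when working with the command line", the statement that an approved request lets the contributor push "any future commits that contain the same secret" describes an approval scoped to the secret rather than to one push, but the approver-facing text in "Managing requests to bypass push protection" only speaks of "the commit containing the secret". State the scope in both places so reviewers know what they are approving. Also in this file: "adminstrator" should be "administrator" in the command-line section; "In dialog box that appeared" needs "the"; and the web UI section says "You can bypass the block" unconditionally while the subsection below it says "may be able to" under `push-protection-delegated-bypass`, with no web UI counterpart to the request procedure, so it is unclear what a contributor who is not on the bypass list should do from the web UI.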

@@ -0,0 +1,4 @@
# Issue 10362 - Push protection delegated bypass
versions:
ghec: '*'
ghes: '>=3.14'

@@ -0,0 +1 @@
1. In the left sidebar, under "Requests," click **Push protection bypass**.
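Review bot: The comma sits inside the quoted UI label (`under "Requests,"`), whereas the other steps in this change keep punctuation outside the label (`Under "Bypass list", click` and `Under "Or request bypass privileges", add`). Write `under "Requests", click` so the quoted label matches what the user sees.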

@@ -0,0 +1 @@
1. Under "Or request bypass privileges", add a comment. For example, you might explain why you believe the secret is safe to push, or provide context about the request to bypass the block.

@@ -0,0 +1 @@
1. Check your email notifications for a response to your request.

@@ -0,0 +1 @@
Once your request has been reviewed, you will receive an email notifying you of the decision.

@@ -1 +1 @@
When you attempt to push a supported secret to a repository secured by push protection, {% data variables.product.prodname_dotcom %} will block the push. You can remove the secret from your branch or follow a provided URL to allow the push. When you attempt to push a supported secret to a repository secured by push protection, {% data variables.product.prodname_dotcom %} will block the push. You can remove the secret from your branch or follow a provided URL {% ifversion push-protection-delegated-bypass %}to see what options are available to you{% endif %} to allow the push.
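Review bot: With `push-protection-delegated-bypass` enabled, the last sentence renders as "follow a provided URL to see what options are available to you to allow the push", which stacks two "to" clauses and is hard to parse. Put the whole tail inside the conditional, for example "follow a provided URL to see what options are available for allowing the push" in the versioned branch and "follow a provided URL to allow the push" in an `else` branch.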

@@ -0,0 +1 @@
>[!NOTE] Delegated bypass for push protection is currently in beta and subject to change.

@@ -1 +1 @@
When you enable push protection for your organization or repository, {% data variables.product.prodname_secret_scanning %} also checks pushes for supported secrets. {% data variables.product.prodname_secret_scanning_caps %} lists any secrets it detects so the author can review the secrets and remove them or, if needed, allow those secrets to be pushed. When you enable push protection for your organization or repository, {% data variables.product.prodname_secret_scanning %} also checks pushes for supported secrets. {% data variables.product.prodname_secret_scanning_caps %} lists any secrets it detects so the author can review the secrets and remove them or, if {% ifversion push-protection-delegated-bypass %} permitted{%else%}needed{% endif %}, allow those secrets to be pushed.
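Review bot: The conditional `if {% ifversion push-protection-delegated-bypass %} permitted{%else%}needed{% endif %}` has a leading space inside the tag, so the delegated-bypass branch renders with two spaces ("if  permitted"), and `{%else%}` lacks the inner spaces used elsewhere in this change (`{% else %}`). Write `if {% ifversion push-protection-delegated-bypass %}permitted{% else %}needed{% endif %},` instead.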

@@ -0,0 +1 @@
1. Click **Submit request**.

@@ -0,0 +1 @@
1. Visit the URL returned by {% data variables.product.prodname_dotcom %} when your push was blocked.