Octomerger Bot
Binary file not shown.
|
Before Width: | Height: | Size: 27 KiB After Width: | Height: | Size: 18 KiB |
Binary file not shown.
|
Before Width: | Height: | Size: 208 KiB After Width: | Height: | Size: 36 KiB |
@@ -28,6 +28,8 @@ includeGuides:
|
||||
- /code-security/secret-scanning/configuring-secret-scanning-for-your-repositories
|
||||
- /code-security/secret-scanning/defining-custom-patterns-for-secret-scanning
|
||||
- /code-security/secret-scanning/managing-alerts-from-secret-scanning
|
||||
- /code-security/secret-scanning/protecting-pushes-with-secret-scanning
|
||||
- /code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection
|
||||
- /code-security/secret-scanning/secret-scanning-patterns
|
||||
- /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/tracking-code-scanning-alerts-in-issues-using-task-lists
|
||||
- /code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning
|
||||
|
||||
@@ -21,5 +21,6 @@ children:
|
||||
- /managing-alerts-from-secret-scanning
|
||||
- /secret-scanning-patterns
|
||||
- /protecting-pushes-with-secret-scanning
|
||||
- /pushing-a-branch-blocked-by-push-protection
|
||||
---
|
||||
|
||||
|
||||
@@ -13,7 +13,7 @@ topics:
|
||||
- Advanced Security
|
||||
- Alerts
|
||||
- Repositories
|
||||
shortTitle: Push protection
|
||||
shortTitle: Enable push protection
|
||||
---
|
||||
|
||||
{% data reusables.secret-scanning.beta %}
|
||||
@@ -30,11 +30,7 @@ If a contributor bypasses a push protection block for a secret, {% data variable
|
||||
- adds the bypass event to the audit log.{% ifversion secret-scanning-push-protection-email %}
|
||||
- sends an email alert to organization owners, security managers, and repository administrators, with a link to the related secret and the reason why it was allowed.{% endif %}
|
||||
|
||||
{% data variables.product.prodname_secret_scanning_caps %} as a push protection currently scans repositories for secrets issued by the following service providers.
|
||||
|
||||
{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %}
|
||||
|
||||
{% data reusables.secret-scanning.secret-list-private-push-protection %}
|
||||
For information on the secrets and service providers supported for push protection, see "[{% data variables.product.prodname_secret_scanning_caps %} patterns](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets-for-push-protection)."
|
||||
|
||||
## Enabling {% data variables.product.prodname_secret_scanning %} as a push protection
|
||||
|
||||
@@ -58,32 +54,24 @@ Organization owners, security managers, and repository administrators can enable
|
||||
{% data reusables.repositories.navigate-to-ghas-settings %}
|
||||
{% data reusables.advanced-security.secret-scanning-push-protection-repo %}
|
||||
|
||||
## Using secret scanning as a push protection from the command line
|
||||
|
||||
## Using {% data variables.product.prodname_secret_scanning %} as a push protection from the command line
|
||||
|
||||
When you attempt to push a supported secret to a repository or organization with {% data variables.product.prodname_secret_scanning %} as a push protection enabled, {% data variables.product.prodname_dotcom %} will block the push. You can remove the secret from your commit or follow a provided URL to allow the push.
|
||||
{% data reusables.secret-scanning.push-protection-command-line-choice %}
|
||||
|
||||
Up to five detected secrets will be displayed at a time on the command line. If a particular secret has already been detected in the repository and an alert already exists, {% data variables.product.prodname_dotcom %} will not block that secret.
|
||||
|
||||
|
||||
|
||||
If you need to remove the secret from your latest commit (that is, `HEAD`) on the branch being pushed and any earlier commits that contain the secret, you can remove the secret from `HEAD`, then squash the commits between when the commit was introduced and the first version of `HEAD` for which the secret has been removed.
|
||||
{% data reusables.secret-scanning.push-protection-remove-secret %} For more information about remediating blocked secrets, see "[Pushing a branch blocked by push protection](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection#resolving-a-blocked-push-on-the-command-line)."
|
||||
|
||||
{% note %}
|
||||
If you confirm a secret is real and that you intend to fix it later, you should aim to remediate the secret as soon as possible. For example, you might revoke the secret and remove the secret from the repository's commit history. Real secrets that have been exposed must be revoked to avoid unauthorized access. You might consider first rotating the secret before revoking it. For more information, see "[Removing sensitive data from a repository](/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository)."
|
||||
|
||||
**Notes**:
|
||||
|
||||
* If your git configuration supports pushes to multiple branches, and not only to the default branch, your push may be blocked due to additional and unintended refs being pushed. For more information, see the [`push.default` options](https://git-scm.com/docs/git-config#Documentation/git-config.txt-pushdefault) in the Git Docs.
|
||||
* If {% data variables.product.prodname_secret_scanning %} upon a push times out, {% data variables.product.prodname_dotcom %} will still run a scan after the push.
|
||||
|
||||
{% endnote %}
|
||||
{% data reusables.secret-scanning.push-protection-multiple-branch-note %}
|
||||
|
||||
### Allowing a blocked secret to be pushed
|
||||
|
||||
If {% data variables.product.prodname_dotcom %} blocks a secret that you believe is safe to push, you can allow the secret and specify the reason why it should be allowed.
|
||||
|
||||
If you confirm a secret is real and that you intend to fix it later, you should aim to remediate the secret as soon as possible. For example, you might revoke the secret and remove the secret from the repository's commit history. For more information, see "[Removing sensitive data from a repository](/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository)."
|
||||
|
||||
{% data reusables.secret-scanning.push-protection-allow-secrets-alerts %}
|
||||
|
||||
{% data reusables.secret-scanning.push-protection-allow-email %}
|
||||
@@ -97,9 +85,7 @@ If you confirm a secret is real and that you intend to fix it later, you should
|
||||
{% ifversion secret-scanning-push-protection-web-ui %}
|
||||
## Using secret scanning as a push protection from the web UI
|
||||
|
||||
When you use the web UI to attempt to commit a supported secret to a repository or organization with secret scanning as a push protection enabled, {% data variables.product.prodname_dotcom %} will block the commit. You will see a banner at the top of the page with information about the secret's location, and the secret will also be underlined in the file so you can easily find it.
|
||||
|
||||
|
||||
{% data reusables.secret-scanning.push-protection-web-ui-choice %}
|
||||
|
||||
{% data variables.product.prodname_dotcom %} will only display one detected secret at a time in the web UI. If a particular secret has already been detected in the repository and an alert already exists, {% data variables.product.prodname_dotcom %} will not block that secret.
|
||||
|
||||
@@ -109,7 +95,11 @@ You can remove the secret from the file using the web UI. Once you remove the se
|
||||
|
||||
### Bypassing push protection for a secret
|
||||
|
||||
If {% data variables.product.prodname_dotcom %} blocks a secret that you believe is safe to push, you can allow the secret and specify the reason why it should be allowed. If you confirm a secret is real and that you intend to fix it later, you should aim to remediate the secret as soon as possible.
|
||||
{% data reusables.secret-scanning.push-protection-remove-secret %} For more information about remediating blocked secrets, see "[Pushing a branch blocked by push protection](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection#resolving-a-blocked-push-in-the-web-ui)."
|
||||
|
||||
If you confirm a secret is real and that you intend to fix it later, you should aim to remediate the secret as soon as possible. For more information, see "[Removing sensitive data from a repository](/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository)."
|
||||
|
||||
If {% data variables.product.prodname_dotcom %} blocks a secret that you believe is safe to push, you can allow the secret and specify the reason why it should be allowed.
|
||||
|
||||
{% data reusables.secret-scanning.push-protection-allow-secrets-alerts %}
|
||||
|
||||
@@ -124,4 +114,4 @@ If you confirm a secret is real and that you intend to fix it later, you should
|
||||
|
||||
1. Click **Allow secret**.
|
||||
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
@@ -0,0 +1,57 @@
|
||||
---
|
||||
title: Pushing a branch blocked by push protection
|
||||
intro: 'The push protection feature of {% data variables.product.prodname_secret_scanning %} proactively protects you against leaked secrets in your repositories. You can resolve blocked pushes and, once the detected secret is removed, you can push changes to your working branch from the command line or the web UI.'
|
||||
product: '{% data reusables.gated-features.secret-scanning %}'
|
||||
miniTocMaxHeadingLevel: 3
|
||||
versions:
|
||||
feature: secret-scanning-push-protection
|
||||
type: how_to
|
||||
topics:
|
||||
- Secret scanning
|
||||
- Advanced Security
|
||||
- Alerts
|
||||
- Repositories
|
||||
shortTitle: Push a blocked branch
|
||||
---
|
||||
|
||||
## About push protection for {% data variables.product.prodname_secret_scanning %}
|
||||
|
||||
The push protection feature of {% data variables.product.prodname_secret_scanning %} helps to prevent security leaks by scanning for secrets before you push changes to your repository. {% data reusables.secret-scanning.push-protection-overview %} For information on the secrets and service providers supported for push protection, see "[{% data variables.product.prodname_secret_scanning_caps %} patterns](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets-for-push-protection)."
|
||||
|
||||
{% data reusables.secret-scanning.push-protection-remove-secret %}
|
||||
|
||||
{% tip %}
|
||||
|
||||
**Tip**
|
||||
If {% data variables.product.prodname_dotcom %} blocks a secret that you believe is safe to push, you can allow the secret and specify the reason why it should be allowed. For more information about bypassing push protection for a secret, see "[Allowing a blocked secret to be pushed](/code-security/secret-scanning/protecting-pushes-with-secret-scanning#allowing-a-blocked-secret-to-be-pushed)" and "[Bypassing push protection for a secret](/code-security/secret-scanning/protecting-pushes-with-secret-scanning#bypassing-push-protection-for-a-secret)" for the command line and the web UI, respectively.
|
||||
|
||||
{% endtip %}
|
||||
|
||||
## Resolving a blocked push on the command line
|
||||
|
||||
{% data reusables.secret-scanning.push-protection-command-line-choice %}
|
||||
|
||||
{% data reusables.secret-scanning.push-protection-multiple-branch-note %}
|
||||
|
||||
If the blocked secret was introduced by the latest commit on your branch, you can follow the guidance below.
|
||||
|
||||
1. Remove the secret from your code.
|
||||
1. Commit the changes, by using `git commit --amend`.
|
||||
1. Push your changes with `git push`.
|
||||
|
||||
You can also remove the secret if the secret appears in an earlier commit in the Git history.
|
||||
|
||||
1. Use `git log` to determine which commit surfaced in the push error came first in history.
|
||||
1. Start an interactive rebase with `git rebase -i <commit-id>~1`. <commit-id> is the id of the commit from step 1.
|
||||
1. Identify your commit to edit by changing `pick` to `edit` on the first line of the text that appears in the editor.
|
||||
1. Remove the secret from your code.
|
||||
1. Commit the change with `git commit --amend`.
|
||||
1. Run `git rebase --continue` to finish the rebase.
|
||||
|
||||
## Resolving a blocked commit in the web UI
|
||||
|
||||
{% data reusables.secret-scanning.push-protection-web-ui-choice %}
|
||||
|
||||
To resolve a blocked commit in the web UI, you need to remove the secret from the file, or use the **Bypass protection** dropdown to allow the secret. For more information about bypassing push protection from the web UI, see "[Protecting pushes with secret scanning](/code-security/secret-scanning/protecting-pushes-with-secret-scanning#bypassing-push-protection-for-a-secret)."
|
||||
|
||||
If you confirm a secret is real, you need to remove the secret from the file. Once you remove the secret, the banner at the top of the page will change and tell you that you can now commit your changes.
|
||||
@@ -21,10 +21,11 @@ redirect_from:
|
||||
{% ifversion fpt or ghec %}
|
||||
## About {% data variables.product.prodname_secret_scanning %} patterns
|
||||
|
||||
{% data variables.product.product_name %} maintains two different sets of {% data variables.product.prodname_secret_scanning %} patterns:
|
||||
{% data variables.product.product_name %} maintains these different sets of {% data variables.product.prodname_secret_scanning %} patterns:
|
||||
|
||||
1. **Partner patterns.** Used to detect potential secrets in all public repositories. For details, see "[Supported secrets for partner patterns](#supported-secrets-for-partner-patterns)."
|
||||
2. **Advanced security patterns.** Used to detect potential secrets in repositories with {% data variables.product.prodname_secret_scanning %} enabled. {% ifversion ghec %} For details, see "[Supported secrets for advanced security](#supported-secrets-for-advanced-security)."{% endif %}
|
||||
2. **Advanced security patterns.** Used to detect potential secrets in repositories with {% data variables.product.prodname_secret_scanning %} enabled. {% ifversion ghec %} For details, see "[Supported secrets for advanced security](#supported-secrets-for-advanced-security)."{% endif %}{% ifversion secret-scanning-push-protection %}
|
||||
3. **Push protection patterns.** Used to detect potential secrets in repositories with {% data variables.product.prodname_secret_scanning %} as a push protection enabled. For details, see "[Supported secrets for push protection](#supported-secrets-for-push-protection)."{% endif %}
|
||||
|
||||
{% ifversion fpt %}
|
||||
Organizations using {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_GH_advanced_security %} can enable {% data variables.product.prodname_secret_scanning_GHAS %} on their repositories. For details of these patterns, see the [{% data variables.product.prodname_ghe_cloud %} documentation](/enterprise-cloud@latest/code-security/secret-scanning/secret-scanning-patterns#supported-secrets-for-advanced-security).
|
||||
@@ -59,6 +60,16 @@ If you use the REST API for secret scanning, you can use the `Secret type` to re
|
||||
{% data reusables.secret-scanning.partner-secret-list-private-repo %}
|
||||
{% endif %}
|
||||
|
||||
{% ifversion secret-scanning-push-protection %}
|
||||
## Supported secrets for push protection
|
||||
|
||||
{% data variables.product.prodname_secret_scanning_caps %} as a push protection currently scans repositories for secrets issued by the following service providers.
|
||||
|
||||
{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %}
|
||||
|
||||
{% data reusables.secret-scanning.secret-list-private-push-protection %}
|
||||
|
||||
{% endif %}
|
||||
## Further reading
|
||||
|
||||
- "[Securing your repository](/code-security/getting-started/securing-your-repository)"
|
||||
|
||||
@@ -64,6 +64,8 @@ secret_scanning:
|
||||
- '{% ifversion not fpt %}/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning{% endif %}'
|
||||
- '{% ifversion not fpt %}/code-security/secret-scanning/managing-alerts-from-secret-scanning{% endif %}'
|
||||
- '{% ifversion not fpt %}/code-security/secret-scanning/secret-scanning-patterns{% endif %}'
|
||||
- '{% ifversion secret-scanning-push-protection %}/code-security/secret-scanning/protecting-pushes-with-secret-scanning{% endif %}'
|
||||
- '{% ifversion secret-scanning-push-protection %}/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection{% endif %}'
|
||||
|
||||
# Security overview feature available in GHEC and GHES 3.2+, so other articles hidden to hide the learning path in other versions
|
||||
security_alerts:
|
||||
|
||||
@@ -0,0 +1 @@
|
||||
When you attempt to push a supported secret to a repository or organization with {% data variables.product.prodname_secret_scanning %} as a push protection enabled, {% data variables.product.prodname_dotcom %} will block the push. You can remove the secret from your branch or follow a provided URL to allow the push.
|
||||
@@ -0,0 +1,8 @@
|
||||
{% note %}
|
||||
|
||||
**Notes**:
|
||||
|
||||
* If your git configuration supports pushes to multiple branches, and not only to the current branch, your push may be blocked due to additional and unintended refs being pushed. For more information, see the [`push.default` options](https://git-scm.com/docs/git-config#Documentation/git-config.txt-pushdefault) in the Git documentation.
|
||||
* If {% data variables.product.prodname_secret_scanning %} upon a push times out, {% data variables.product.prodname_dotcom %} will still scan your commits for secrets after the push.
|
||||
|
||||
{% endnote %}
|
||||
@@ -0,0 +1 @@
|
||||
If you confirm a secret is real, you need to remove the secret from your branch, _from all the commits it appears in_, before pushing again.
|
||||
@@ -0,0 +1,6 @@
|
||||
When you use the web UI to attempt to commit a supported secret to a repository or organization with secret scanning as a push protection enabled, {% data variables.product.prodname_dotcom %} will block the commit.
|
||||
|
||||
You will see a banner at the top of the page with information about the secret's location, and the secret will also be underlined in the file so you can easily find it.
|
||||
|
||||
|
||||
|
||||
Reference in New Issue
Block a user