
Configuration for push protected patterns in secret scanning [Public Preview] (#55891)

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Courtney Claessens <courtneycl@github.com>
Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com>
This commit is contained in:
mc
2025-07-07 17:07:54 +01:00
committed by GitHub
parent ae8c7fe543
commit ba3c74fe01
7 changed files with 75 additions and 4 deletions

View File

@@ -16,7 +16,8 @@ topics:
There are some additional {% data variables.product.prodname_secret_scanning %} settings that cannot be applied to repositories using {% data variables.product.prodname_security_configurations %}, so you must configure these settings separately:
* [Configuring a resource link for push protection](#configuring-a-resource-link-for-push-protection)
* [Controlling features for new repositories created in a user namespace](#controlling-features-for-new-repositories-created-in-a-user-namespace)
* [Controlling features for new repositories created in a user namespace](#controlling-features-for-new-repositories-created-in-a-user-namespace){% ifversion push-protected-pattern-configuration %}
* [Specifying patterns to include in push protection for your enterprise](#specifying-patterns-to-include-in-push-protection-for-your-enterprise){% endif %}
These additional settings apply only to repositories with {% data variables.product.prodname_secret_scanning %} and {% data variables.product.prodname_GHAS %} both enabled{% ifversion ghas-products %}, or with {% data variables.product.prodname_GH_secret_protection %} enabled{% endif %}.
@@ -31,7 +32,7 @@ These additional settings apply only to repositories with {% data variables.prod
To provide context for developers when {% data variables.product.prodname_secret_scanning %} blocks a commit, you can display a link with more information on why the commit was blocked.
1. Under "Additional settings", to the right of "Resource link for push protection", click **{% octicon "pencil" aria-hidden="true" aria-label="pencil" %}**.
1. Under "Additional settings", in the "{% data variables.product.UI_secret_protection_scanning %}" section and to the right of "Resource link for push protection", click **{% octicon "pencil" aria-hidden="true" aria-label="pencil" %}**.
1. In the text box, type the link to the desired resource, then click **{% octicon "check" aria-label="Save" %}**.
### Controlling features for new repositories created in a user namespace
@@ -39,3 +40,17 @@ To provide context for developers when {% data variables.product.prodname_secret
To ensure that any repositories created by users outside of an organization are protected by the same security features as repositories created within an organization, you can enable or disable {% data variables.product.prodname_secret_scanning %} features for new repositories created in a user namespace.
Under "Additional settings", use the options in the "User namespace repositories" section to enable or disable features for new repositories.
{% ifversion push-protected-pattern-configuration %}
### Specifying patterns to include in push protection for your enterprise
{% data reusables.secret-scanning.push-protected-pattern-configuration-org-enterprise-preview %}
You can customize which secret patterns are included in push protection, giving security teams greater control over what types of secrets are blocked in the repositories in your enterprise.
1. Under "Additional settings", in the "{% data variables.product.UI_secret_protection_scanning %}" section, click anywhere inside the "Pattern configurations for push protection" row.
1. In the page that gets displayed, make the desired changes in the "Enterprise setting" column.
{% data reusables.secret-scanning.pattern-enablement-org-enterprise %}
{% endif %}
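Review bot: the enterprise step ("click anywhere inside the 'Pattern configurations for push protection' row") and the organization step added in the same commit ("to the right of 'Pattern configurations', click the gear") describe what reads like the same control with a different row label and a different gesture; confirm both against the UI and align the wording. This section also names the settings section with `{% data variables.product.UI_secret_protection_scanning %}` while the organization section uses `{% data variables.product.prodname_secret_scanning_caps %}`, so one of the two is likely stale. Minor: "In the page that gets displayed" reads better as "On the page that opens".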

View File

@@ -94,6 +94,14 @@ See [AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protectio
Push protection can be enabled at the organization, repository, and user account level. See [AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository).
{% ifversion push-protected-pattern-configuration %}
{% data reusables.secret-scanning.push-protected-pattern-configuration-org-enterprise-preview %}
To align secret detection with internal security policies and more effectively prevent unauthorized exposure of sensitive information in your repositories, you can customize which secret patterns are included in push protection at the enterprise or organization level. See [AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/configuring-additional-secret-scanning-settings-for-your-enterprise#specifying-patterns-to-include-in-push-protection-for-your-enterprise) and [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#specifying-patterns-to-include-in-push-protection).
{% endif %}
{% ifversion push-protection-delegated-bypass %}
## Setting up an approval process for sensitive actions

View File

@@ -88,6 +88,14 @@ Every user across {% data variables.product.prodname_dotcom %} can also enable p
Once push protection is enabled, you can customize it further:
{% ifversion push-protected-pattern-configuration %}
### Configure push protected patterns
Customize which secret patterns are included in push protection at the enterprise or organization level. See [AUTOTITLE](/admin/managing-code-security/securing-your-enterprise/configuring-additional-secret-scanning-settings-for-your-enterprise#specifying-patterns-to-include-in-push-protection-for-your-enterprise) and [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#specifying-patterns-to-include-in-push-protection).
{% endif %}
### Define custom patterns
Define custom patterns that push protection can use to identify secrets and block pushes containing these secrets. For more information, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning).
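Review bot: "push protected patterns" in the new heading should be hyphenated as "push-protected patterns" (compound modifier), and the sibling sections added in this commit call the same setting "Specifying patterns to include in push protection"; pick one term and use it throughout. The sentence carrying the two AUTOTITLE links is repeated verbatim from the about-push-protection change in this commit, so it is a candidate for a reusable.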

View File

@@ -78,7 +78,7 @@ You can customize several {% data variables.product.prodname_global_settings %}
* [Enabling {% data variables.copilot.copilot_autofix_short %} for {% data variables.product.prodname_codeql %}](#enabling-copilot-autofix-for-codeql)
* [Enabling {% data variables.copilot.copilot_autofix_short %} for third-party {% data variables.product.prodname_code_scanning %} tools](#enabling-copilot-autofix-for-third-party-code-scanning-tools) {% endif %}
* [Recommending the extended query suite for default setup](#recommending-the-extended-query-suite-for-default-setup){% ifversion ghes < 3.17 %}
* [Setting a failure threshold for {% data variables.product.prodname_code_scanning %} checks in pull requests](#setting-a-failure-threshold-for-code-scanning-checks-in-pull-requests){% endif %}
* [Setting a failure threshold for {% data variables.product.prodname_code_scanning %} checks in pull requests](#setting-a-failure-threshold-for-code-scanning-checks-in-pull-requests)
{% endif %}
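Review bot: the failure-threshold bullet loses its inline `{% endif %}`, so the `{% ifversion ghes < 3.17 %}` opened at the end of the preceding bullet is now closed by the standalone `{% endif %}` that follows, and whatever conditional that standalone tag closed before must now be closed elsewhere (the secret scanning list in this same file gains a `{% endif %}` on the "Defining custom patterns" bullet). Please verify the `{% ifversion %}`/`{% endif %}` pairing across the whole file, since the effect of this move is not visible within the hunk.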
@@ -116,7 +116,8 @@ You can choose the severity levels at which {% data variables.product.prodname_c
You can customize several {% data variables.product.prodname_global_settings %} for {% data variables.product.prodname_secret_scanning %}:
* [Adding a resource link for blocked commits](#adding-a-resource-link-for-blocked-commits)
* [Defining custom patterns](#defining-custom-patterns)
* [Defining custom patterns](#defining-custom-patterns){% endif %}{% ifversion push-protected-pattern-configuration %}
* [Specifying patterns to include in push protection](#specifying-patterns-to-include-in-push-protection){% endif %}
### Adding a resource link for blocked commits
@@ -126,6 +127,20 @@ To provide context for developers when {% data variables.product.prodname_secret
You can define custom patterns for {% data variables.product.prodname_secret_scanning %} with regular expressions. Custom patterns can identify secrets that are not detected by the default patterns supported by {% data variables.product.prodname_secret_scanning %}. To create a custom pattern, click **New pattern**, then enter the details for your pattern and click **Save and dry run**. For more information on custom patterns, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning).
{% ifversion push-protected-pattern-configuration %}
### Specifying patterns to include in push protection
{% data reusables.secret-scanning.push-protected-pattern-configuration-org-enterprise-preview %}
You can customize which secret patterns are included in push protection, giving security teams greater control over what types of secrets are blocked in the repositories in your organization.
1. Under "Additional settings", in the "{% data variables.product.prodname_secret_scanning_caps %}" section and to the right of "Pattern configurations", click **{% octicon "gear" aria-label="The Gear icon" %}**.
1. In the page that gets displayed, make the desired changes in the "Organization setting" column.
{% data reusables.secret-scanning.pattern-enablement-org-enterprise %}
{% endif %}
## Creating security managers for your organization
The security manager role grants members of your organization the ability to manage security settings and alerts across your organization. Security managers can view data for all repositories in your organization through security overview.
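Review bot: the `{% endif %}` that now precedes `{% ifversion push-protected-pattern-configuration %}` on the "Defining custom patterns" bullet closes a conditional opened outside this hunk; confirm it pairs with the intended opening tag and that the code scanning list above, which dropped an inline `{% endif %}` in the same commit, still balances. The step "to the right of 'Pattern configurations', click the gear" differs from the enterprise procedure in this commit ("click anywhere inside the 'Pattern configurations for push protection' row"); align the labels after checking the UI. Minor: "In the page that gets displayed" reads better as "On the page that opens".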

View File

@@ -0,0 +1,6 @@
# Issue 16897
# Configuration for push protected patterns in secret scanning [Public Preview]
versions:
fpt: '*'
ghec: '*'
ghes: '>3.18'
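Review bot: `ghes: '>3.18'` includes 3.19 and later but excludes 3.18 itself; if the feature is intended to ship in GHES 3.18, the range should be `'>3.17'` (or the `>=` form if the versioner accepts it). Confirm the intended first GHES release before merging, since the wrong bound silently hides the section from that version's docs.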

View File

@@ -0,0 +1,17 @@
You can enable or disable push protection for individual patterns by using the toggle in the relevant column: "Enterprise setting" at the enterprise level, and "Organization setting" at the organization level.
The data is limited to the scope, therefore the alert volume, false positives, bypass rate, or availability of custom patterns is reflective of user / alert activity within the _enterprise_ or _organization_.
The {% data variables.product.github %} default may change over time as we increase precision and promote patterns.
> [!NOTE] Organization administrators and security teams can override settings configured at the enterprise level.
| Column | Description |
|---------------------------------------------|----------------------------------------------|
| Name | Name of the pattern or secret |
| Alert total | Total number of alerts for the pattern (percentage and absolute numbers) |
| False positives | Percentage of false positives for the pattern |
| Bypass rate | Percentage of bypasses for the pattern |
| {% data variables.product.github %} default | Default behavior for push protection, as recommended by {% data variables.product.github %} |
| Enterprise setting | **Uneditable at organization level**</br>Current enablement status for push protection</br>Can be `Enabled`, `Disabled`, and `Default`.</br>At enterprise level, `Default` is the default value. |
| Organization setting | **Only valid at organization level**</br>Current enablement status for push protection</br>Can be `Enabled`, `Disabled`, and `Enterprise` (inherited from the enterprise).</br>`Enterprise` is the default value. |
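Review bot: `</br>` in the "Enterprise setting" and "Organization setting" cells is not a valid line-break tag; use `<br>` (or `<br/>`) so the cells render as intended. The `> [!NOTE]` callout puts its text on the same line as the marker, unlike the preview reusable in this commit, which places the marker alone on its line followed by a `>` continuation line; use the latter form so the alert renders. The sentence "The data is limited to the scope, therefore the alert volume, false positives, bypass rate, or availability of custom patterns is reflective of user / alert activity within the _enterprise_ or _organization_." is hard to parse; suggest "These metrics are scoped: alert totals, false positive and bypass rates, and custom pattern availability reflect activity within the enterprise or organization only." Also "Can be `Enabled`, `Disabled`, and `Default`" should read "or" rather than "and" in both rows.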

View File

@@ -0,0 +1,2 @@
> [!NOTE]
> The configuration of patterns for push protection at enterprise and organization level is currently in {% data variables.release-phases.public_preview %} and subject to change.