Merge pull request #51580 from github/mchammer01/intro1
Secret scanning reorg: about push protection conceptual article
@@ -17,10 +17,7 @@ topics:
children:
- /introduction
- /enabling-secret-scanning-features
- /about-secret-scanning
- /managing-alerts-from-secret-scanning
- /secret-scanning-patterns
- /push-protection-for-repositories-and-organizations
- /working-with-secret-scanning-and-push-protection
- /using-advanced-secret-scanning-and-push-protection-features
- /troubleshooting-secret-scanning-and-push-protection
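Review bot: the `children` list still carries `- /push-protection-for-repositories-and-organizations` alongside the new `- /introduction` entry, while this same PR deletes that article and adds its path to the new about-push-protection article's `redirect_from`. The rendered view has lost the +/- markers, so confirm that entry is on the removed side; a child that resolves only to a redirect path breaks the nav build. The same check applies to `- /about-secret-scanning` and `- /secret-scanning-patterns`, which are also moved under `/introduction` in this PR.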
@@ -0,0 +1,104 @@
---
title: About push protection
intro: 'Push protection blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block.{% ifversion secret-scanning-push-protection-for-users %} Push protection can be applied at the repository, organization, and user account level{% else %} You can apply push protection at repository or organization level{% endif %}.'
product: '{% data reusables.gated-features.push-protection-for-repos %}'
versions:
fpt: '*'
ghes: '*'
ghec: '*'
redirect_from:
- /early-access/code-security/secret-scanning/protecting-pushes-with-secret-scanning
- /code-security/secret-scanning/protecting-pushes-with-secret-scanning
- /code-security/secret-scanning/push-protection-for-repositories-and-organizations
type: overview
topics:
- Secret scanning
- Advanced Security
- Alerts
- Repositories
shortTitle: Push protection
---
## About push protection
Push protection is a {% data variables.product.prodname_secret_scanning %} feature that is designed to prevent sensitive information, such as secrets or tokens, from being pushed to your repository in the first place. Unlike {% data variables.product.prodname_secret_scanning %}, which detects secrets after they have been committed, push protection proactively scans your code for secrets during the push process and blocks the push if any are detected.
Push protection helps you avoid the risks associated with exposed secrets, like unauthorized access to resources or services. With this feature, developers get immediate feedback and can address potential issues before they become a security concern.
{% ifversion secret-scanning-push-protection-for-users %}
You can enable push protection:
* At repository/organization level, if you are a repository administrator or an organization owner. You will see alerts in the **Security** tab of your repository when a contributor to the repository bypasses push protection.
* For your account on {% data variables.product.prodname_dotcom %}, as a user. This type of push protection is referred to as "push protection for users". It protects you from pushing secrets to _any_ public repository on {% data variables.product.prodname_dotcom %}, but no alerts are generated.
{% endif %}
For information about the secrets and service providers supported by push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
## How push protection works
Once enabled, if push protection detects a potential secret during a push attempt, it will block the push and provide a detailed message explaining the reason for the block. You will need to review the code in question, remove any sensitive information, and reattempt the push.
By default, anyone with write access to the repository can choose to bypass push protection by specifying one of the bypass reasons outlined in the table. {% data reusables.secret-scanning.push-protection-bypass %}
{% data reusables.secret-scanning.bypass-reasons-and-alerts %}
{% ifversion push-protection-delegated-bypass %} If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. For more information, see "TODO: link to delegated bypass."{% endif %}
## About the benefits of push protection
* **Preventative security**: Push protection acts as a frontline defense mechanism by scanning code for secrets at the time of the push. This preventative approach helps to catch potential issues before they are merged into your repository.
* **Immediate feedback**: Developers receive instant feedback if a potential secret is detected during a push attempt. This immediate notification allows for quick remediation, reducing the likelihood of sensitive information being exposed.
* **Reduced risk of data leaks**: By blocking commits that contain sensitive information, push protection significantly reduces the risk of accidental data leaks. This helps in safeguarding against unauthorized access to your infrastructure, services, and data.
* **Efficient secret management**: Instead of retrospectively dealing with exposed secrets, developers can address issues at the source. This makes secret management more efficient and less time-consuming.
* **Integration with CI/CD pipelines**: Push Protection can be integrated into your Continuous Integration/Continuous Deployment (CI/CD) pipelines, ensuring that every push is scanned for secrets before it gets deployed. This adds an extra layer of security to your DevOps practices.
{% ifversion secret-scanning-push-protection-custom-patterns %}* **Ability to detect custom patterns**: Organizations can define custom patterns for detecting secrets unique to their environment. This customization ensures that push Protection can effectively identify and block even non-standard secrets.{% endif %}
{% ifversion push-protection-delegated-bypass %}* **Delegated bypass for flexibility**: For cases where false positives occur or when certain patterns are necessary, the delegated bypass feature allows designated users to approve specific pushes. This provides flexibility without compromising overall security.{% endif %}
{% ifversion secret-scanning-push-protection-for-users %}
Every user across {% data variables.product.prodname_dotcom %} can also enable push protection for themselves within their individual settings. Enabling push protection for your user account means that your pushes are protected whenever you push to a public repository on {% data variables.product.prodname_dotcom %}, without relying on that repository to have push protection enabled. For more information, see "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/push-protection-for-users)."
{% endif %}
## Customizing push protection
Once push protection is enabled, you can customize it further:
### Integration with CI/CD pipelines
Integrate push protection with your Continuous Integration/Continuous Deployment (CI/CD) pipelines to ensure that it runs scans during automated processes. This typically involves adding steps in your pipeline configuration file to call GitHub's APIs or using {% data variables.product.prodname_actions %}. For more information, see "TODO - add link to something here?"
### Handling false positives
If push protection occasionally flags non-sensitive information, you can configure the system to recognize these as false positives. For more information, see "TODO - not sure what to link to here?"
{% ifversion secret-scanning-push-protection-custom-patterns %}
### Defining custom patterns
Define custom patterns that push protection can use to identify secrets and block pushes containing these secrets. For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."
{% endif %}
{% ifversion push-protection-delegated-bypass %}
### Using delegated bypass
Define contributors who can bypass push protection and add an approval process for other contributors. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)."
{% endif %}
## Further reading
* TODO: add link to enabling push protection article
* "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)"{% ifversion secret-scanning-push-protection-custom-patterns %}
* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning)"{% endif %}{% ifversion push-protection-delegated-bypass %}
* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection)"{% endif %}
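Review bot: four unresolved placeholders ship as literal text in this new article: `see "TODO: link to delegated bypass."` in the delegated-bypass paragraph under "How push protection works", `"TODO - add link to something here?"` under "Integration with CI/CD pipelines", `"TODO - not sure what to link to here?"` under "Handling false positives", and `* TODO: add link to enabling push protection article` in Further reading. The delegated-bypass target already appears further down (`.../delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection`), so reuse it. The CI/CD and false-positive subsections describe configuration ("adding steps in your pipeline configuration file to call GitHub's APIs", "configure the system to recognize these as false positives") that nothing on the page documents; either cut them or tie them to a real article before merge. Minor: "Push Protection" and "push Protection" in the benefits list should be "push protection".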
@@ -0,0 +1,33 @@
---
title: About secret scanning for partners
intro: '{% data variables.product.prodname_secret_scanning_caps %} sends alerts directly to partners when any of the partner''s secrets are found in repositories on {% data variables.product.prodname_dotcom %}. This allows partners to promptly take action to secure their systems.'
versions:
fpt: '*'
ghec: '*'
type: overview
topics:
- Secret scanning
- Advanced Security
shortTitle: Secret scanning for partners
---
## About {% data variables.secret-scanning.partner_alerts %}
{% data variables.product.product_name %} scans public repositories and public npm packages for secrets issued by specific service providers who joined our partnership program, and alerts the relevant service provider whenever a secret is detected in a commit. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. {% data reusables.secret-scanning.partner-program-link %}
> [!NOTE]You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories.
The reason partner alerts are directly sent to the secret providers whenever a secret leak is reported for one of their secrets is because this helps ensure that secrets are not inadvertently exposed in public or private repositories. The notification for regular alerts is different. Regular alerts are displayed on the repository's **Security** tab on {% data variables.product.prodname_dotcom %}.
{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %}
## What are the supported secrets
For information about the secrets and service providers supported by push protection, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
## Further reading
* "[AUTOTITLE](/code-security/secret-scanning/introduction/about-secret-scanning)"
* "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns)"
* "[AUTOTITLE](/code-security/secret-scanning/working-with-secret-scanning-and-push-protection)"
* TODO: add link to "About alerts" article
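Review bot: the alert line `> [!NOTE]You cannot change the configuration ...` needs the text on its own quoted line (`> [!NOTE]` followed by `> You cannot change ...`), otherwise the callout will not render. Two content problems as well: the paragraph explaining why partner alerts go straight to the provider says this keeps secrets from being exposed "in public or private repositories", but the section above states that partner scanning covers public repositories and public npm packages only; and "What are the supported secrets" says "supported by push protection", which in this article should refer to secret scanning partner patterns. The Further reading `TODO: add link to "About alerts" article` is still open.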
@@ -8,6 +8,7 @@ redirect_from:
- /articles/about-token-scanning-for-private-repositories
- /github/administering-a-repository/about-secret-scanning
- /code-security/secret-security/about-secret-scanning
- /code-security/secret-scanning/about-secret-scanning
versions:
fpt: '*'
ghes: '*'
@@ -16,22 +17,112 @@ type: overview
topics:
- Secret scanning
- Advanced Security
shortTitle: Secret scanning
---
{% data reusables.secret-scanning.enterprise-enable-secret-scanning %}
## What is {% data variables.product.prodname_secret_scanning %}
<a name="about-secret-scanning"></a>
If your project communicates with an external service, you might use a token or private key for authentication. Tokens and private keys are examples of secrets that a service provider can issue. If you check a secret into a repository, anyone who has read access to the repository can use the secret to access the external service with your privileges. We recommend that you store secrets in a dedicated, secure location outside of the repository for your project.
{% data variables.product.prodname_secret_scanning_caps %} is a security feature that helps detect and prevent the accidental inclusion of sensitive information such as API keys, passwords, tokens, and other secrets in your repository. When enabled, {% data variables.product.prodname_secret_scanning %} scans commits in public repositories for known types of secrets and alerts repository administrators upon detection.
{% data variables.product.prodname_secret_scanning_caps %} will scan your entire Git history on all branches present in your {% data variables.product.prodname_dotcom %} repository for secrets{% ifversion ghec or ghes %}, even if the repository is archived{% endif %}.{% ifversion ghes < 3.11 %} {% data variables.product.prodname_secret_scanning_caps %} does not scan issues.{% endif %}
{% data reusables.secret-scanning.what-is-scanned %}
For private repositories, {% data variables.product.prodname_secret_scanning %} is available if you have a {% data variables.product.prodname_GH_advanced_security %} (GHAS) license, providing additional scanning capabilities and custom patterns for detection.
Below is a typical workflow that explains how {% data variables.product.prodname_secret_scanning %} works:
* Detection of secrets: {% data variables.product.prodname_secret_scanning_caps %} automatically scans your repository's contents for sensitive data, such as API keys, passwords, tokens, and other secrets. It looks for patterns and heuristics that match known types of secrets.
* Alerts and notifications: When a potential secret is detected, {% data variables.product.prodname_dotcom %} generates an alert and notifies the relevant repository administrators and users. This notification includes details about the detected secret, such as its location in the repository. For more information about alert types and alert details, see TODO: - link to "About alerts" article.
* Review Alerts: When a secret is detected, you'll need to review the alert details provided.
* *Remediation: You then need take appropriate actions to remediate the exposure. This might include:
* Rotating the affected credential to ensure it is no longer usable.
* Removing the secret from the repository's history (using tools like BFG Repo-Cleaner or {% data variables.product.prodname_dotcom %}'s built-in features).
* Audit and monitor: It's good practice to regularly audit and monitor your repositories to ensure no other secrets are exposed.
{% ifversion fpt or ghec %}
* Integration with partners: {% data variables.product.prodname_dotcom %} works with various service providers to validate secrets. When a partner secret is detected, {% data variables.product.prodname_dotcom %} notifies the provider so they can take appropriate action, such as revoking the credential. For more information about the partnership program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)."
{% endif %}
## What are the benefits of {% data variables.product.prodname_secret_scanning %}
* **Enhanced security**—{% data variables.product.prodname_secret_scanning_caps %} scans your repositories for sensitive information like API keys, passwords, tokens, and other secrets. By detecting these early, you can mitigate potential security risks before they are exploited by malicious actors.
* **Automated detection**—The feature automatically scans your codebase, including commits, issues, and pull requests, ensuring continuous protection without requiring manual intervention. This automation helps in maintaining security even as your repository evolves.
* **Real-time alerts**—When a secret is detected, {% data variables.product.prodname_secret_scanning %} provides real-time alerts to repository administrators and contributors. This immediate feedback allows for swift remediation actions.
* **Historical scanning**—{% data variables.product.prodname_secret_scanning_caps %} can be configured to scan the entire commit history of your repository. This retrospective analysis helps in identifying and mitigating risks from previously committed secrets that may have gone unnoticed.
{% ifversion fpt or ghec %}
* **Integration with service providers**—{% data variables.product.prodname_dotcom %} partners with various service providers to validate detected secrets. When a secret is identified, {% data variables.product.prodname_dotcom %} notifies the corresponding service provider to take appropriate actions, such as revoking the exposed credential. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)."
{% endif %}
{% ifversion ghec or ghes %}
* **Custom patterns**—Organizations can define custom patterns to detect proprietary or unique types of secrets that may not be covered by default patterns. This flexibility allows for tailored security measures specific to your environment.
{% endif %}
* **Educational value**—Developers receive notifications when secrets are detected, which serves as a learning opportunity. This ongoing education helps in fostering a culture of security awareness within the development team.
* **Remediation guidance**—Along with alerts, we provide remediation guidance, helping teams understand how to safely remove the sensitive information from their codebase and rotate the compromised credentials.
## Enabling {% data variables.product.prodname_secret_scanning %}
{% data variables.product.prodname_secret_scanning_caps %} is automatically enabled for all public repositories on {% data variables.product.prodname_dotcom %}.
For private repositories, {% data variables.product.prodname_secret_scanning %} can be enabled as part of {% data variables.product.prodname_GH_advanced_security %}.
For more information, see TODO: - link to enabling article.
## What are the supported secrets
For information about the secrets and service providers supported by {% data variables.product.prodname_secret_scanning %}, see "[AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns#supported-secrets)."
## Customizing {% data variables.product.prodname_secret_scanning %}
Once {% data variables.product.prodname_secret_scanning %} is enabled, you can customize it further, if needed:
{% ifversion secret-scanning-non-provider-patterns %}
### Detection of non-provider patterns
{% endif %}
{% ifversion secret-scanning-ai-generic-secret-detection %}
### Generic secret detection
{% endif %}
### Performing validity checks
{% ifversion ghec or ghes %}
### Defining custom patterns
You can define advanced users, GitHub allows custom patterns to be added to Secret Scanning. This is useful if you have unique types of secrets that don’t match default patterns. Benefits are:
* Tailored Security Detect secrets unique to your applications, APIs, or internal tools.
* Increased Coverage Capture additional types of sensitive data that default patterns might miss.
* Prevent Data Leaks Proactively identify and mitigate risks associated with exposed proprietary secrets.
{% endif %}
OLD
{% ifversion fpt or ghec %}
{% data variables.product.prodname_secret_scanning_caps %} is available on {% data variables.product.prodname_dotcom_the_website %} in two forms:
1. **{% data variables.secret-scanning.partner_alerts_caps %}.** Runs automatically on all public repositories and public npm packages. Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning, hence the term "partners." {% data reusables.secret-scanning.partner-program-link %} Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner. For more information, see the "[About {% data variables.secret-scanning.partner_alerts %}](#about-secret-scanning-alerts-for-partners)" section below.
1. **{% data variables.secret-scanning.partner_alerts_caps %}.** Runs automatically on all public repositories and public npm packages. Service providers can partner with {% data variables.product.company_short %} to provide their secret formats for scanning, hence the term "partners." {% data reusables.secret-scanning.partner-program-link %} Any strings that match patterns that were provided by secret scanning partners are reported directly to the relevant partner. For more information, see TODO:
1. **{% data variables.secret-scanning.user_alerts_caps %}.** These alerts are reported on {% data variables.product.prodname_dotcom_the_website %}{% ifversion secret-scanning-non-provider-patterns %} and can be high confidence alerts or non-provider alerts (such as private keys){% endif %}.
{% ifversion fpt %}The following users can enable and configure additional scanning:
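Review bot: the `OLD` marker and everything below it (the "available in two forms" list with its duplicated partner-alerts item, one of which ends in a bare `TODO:`, and the dangling `{% ifversion fpt %}The following users can enable and configure additional scanning:` fragment) are still in the file and would render; delete them. Further points in this hunk: `* *Remediation: You then need take appropriate actions` has a stray asterisk and is missing "to"; the "Defining custom patterns" paragraph opens with the garbled "You can define advanced users, GitHub allows custom patterns to be added", and its three bullets have no separator between label and description ("Tailored Security Detect secrets unique to..."); the "Detection of non-provider patterns", "Generic secret detection" and "Performing validity checks" headings have no body at all; and `TODO: - link to "About alerts" article` plus `TODO: - link to enabling article` are unresolved. Two consistency issues worth a look: the "Automated detection" benefit says issues are scanned while the earlier paragraph says GHES < 3.11 does not scan issues, and "Historical scanning ... can be configured to scan the entire commit history" contradicts "will scan your entire Git history on all branches" above.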
@@ -45,33 +136,11 @@ If your project communicates with an external service, you might use a token or
{% data reusables.secret-scanning.push-protection-high-level %} To proceed, contributors must either remove the secret(s) from the push or, if needed, bypass the protection. {% ifversion push-protection-custom-link-orgs %}Admins can also specify a custom link that is displayed to the contributor when a push is blocked; the link can contain resources specific to the organization to aid contributors. {% endif %}For more information, see "[AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning)."
{% ifversion secret-scanning-push-protection-for-users %}
{% data reusables.secret-scanning.push-protection-for-users %}
{% endif %}
{% note %}
**Note:** When you fork a repository with {% data variables.product.prodname_secret_scanning %} or push protection enabled, these features are not enabled by default on the fork. You can enable {% data variables.product.prodname_secret_scanning %} or push protection on the fork the same way you enable them on a standalone repository.
{% endnote %}
{% ifversion fpt or ghec %}
## About {% data variables.secret-scanning.partner_alerts %}
When you make a repository public, or push changes to a public repository, {% data variables.product.product_name %} always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If {% data variables.product.prodname_secret_scanning %} detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them. For more information, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."
You cannot change the configuration of {% data variables.product.prodname_secret_scanning %} for partner patterns on public repositories.
{% endif %}
## About {% data variables.secret-scanning.user_alerts %}{% ifversion ghes %} on {% data variables.product.product_name %}{% endif %}
{% data variables.secret-scanning.user_alerts_caps %} is available {% ifversion secret-scanning-user-owned-repos %}{% ifversion ghes %}on all repositories with a license for {% data variables.product.prodname_GH_advanced_security %}{% else %}for free on all public repositories, and for private and internal repositories that are owned by organizations using {% data variables.product.prodname_ghe_cloud %} with a license for {% data variables.product.prodname_GH_advanced_security %}{% endif %}{% elsif fpt %}for free on all public repositories that you own{% else %}on all organization-owned repositories with a license for {% data variables.product.prodname_GH_advanced_security %}. The feature is not available on user-owned repositories{% endif %}. {% data reusables.secret-scanning.secret-scanning-user-owned-repos-beta %}
When you enable {% data variables.product.prodname_secret_scanning %} for a repository, {% data variables.product.prodname_dotcom %} scans the code for patterns that match secrets used by many service providers. {% ifversion secret-scanning-backfill-email %}When the scan is completed, {% data variables.product.prodname_dotcom %} sends an email alert to the enterprise and organization owners, even if no secrets were found.{% endif %} For more information about the repository content that is scanned, see the [beginning of this article](#about-secret-scanning).
When you enable {% data variables.product.prodname_secret_scanning %} for a repository, {% data variables.product.prodname_dotcom %} scans the code for patterns that match secrets used by many service providers. {% ifversion secret-scanning-backfill-email %}When the scan is completed, {% data variables.product.prodname_dotcom %} sends an email alert to the enterprise and organization owners, even if no secrets were found.{% endif %}
When a supported secret is leaked, {% data variables.product.product_name %} generates a {% data variables.product.prodname_secret_scanning %} alert. {% ifversion secret-scanning-backfills %}{% data variables.product.prodname_dotcom %} will also periodically run a full git history scan of existing content in {% ifversion fpt %}public{% else %}{% data variables.product.prodname_GH_advanced_security %}{% endif %} repositories where {% data variables.product.prodname_secret_scanning %} is enabled, and send alert notifications following the {% data variables.product.prodname_secret_scanning %} alert notification settings.{% endif %}{% ifversion secret-scanning-non-provider-patterns %} User alerts can be of two types: high confidence alerts, or non-provider alerts.{% endif %} For more information, see "{% ifversion fpt or ghec %}[About user alerts](/code-security/secret-scanning/secret-scanning-patterns#about-user--alerts){% else %}[{% data variables.product.prodname_secret_scanning_caps %} patterns](/code-security/secret-scanning/secret-scanning-patterns#about-user-secret-scanning-alerts){% endif %}."
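Review bot: the retained push-protection paragraph still links to `/code-security/secret-scanning/protecting-pushes-with-secret-scanning`, which this PR lists only as a `redirect_from` of the new about-push-protection article; point it at `/code-security/secret-scanning/introduction/about-push-protection` instead. The two adjacent "When you enable secret scanning for a repository..." paragraphs differ only in the trailing "see the [beginning of this article](#about-secret-scanning)" sentence; with the +/- markers lost it is unclear which one survives, so confirm only one remains, and keep the `<a name="about-secret-scanning"></a>` anchor only if that cross-reference is kept. The user-alerts link anchor `#about-user--alerts` has a doubled hyphen. This section also still uses `{% note %}` ... `{% endnote %}` while the new articles in this PR use `> [!NOTE]`.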
@@ -84,22 +153,6 @@ You can also define custom {% data variables.product.prodname_secret_scanning %}
{% ifversion secret-scanning-store-tokens %}
{% data variables.product.company_short %} stores detected secrets using symmetric encryption, both in transit and at rest.{% endif %}{% ifversion ghes %} To rotate the encryption keys used for storing the detected secrets, you can contact us by visiting {% data variables.contact.contact_ent_support %}.{% endif %}
### Accessing {% data variables.secret-scanning.alerts %}
{% data reusables.secret-scanning.secret-scanning-about-alerts %}
* {% data variables.product.prodname_dotcom %} sends an email alert to the repository administrators and organization owners. You'll receive an alert if you are watching the repository{% ifversion secret-scanning-notification-settings %}, {% else %}, and {% endif %}if you have enabled notifications either for security alerts or for all the activity on the repository{% ifversion secret-scanning-notification-settings %}, and if, in your notification settings, you have selected to receive email notifications for the repositories that you are watching.{% else %}.{% endif %}
* If the person who introduced the secret isn't ignoring the repository, {% data variables.product.prodname_dotcom %} will also send them an email alert. The email contains a link to the related {% data variables.product.prodname_secret_scanning %} alert. The person who introduced the secret can then view the alert in the repository, and resolve the alert.
* {% data reusables.secret-scanning.repository-alert-location %}
For more information about viewing and resolving {% data variables.secret-scanning.alerts %}, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)."
{% ifversion secret-scanning-notification-settings %}
For more information on how to configure notifications for {% data variables.secret-scanning.alerts %}, see "[Configuring notifications for secret scanning alerts](/code-security/secret-scanning/managing-alerts-from-secret-scanning#configuring-notifications-for-secret-scanning-alerts)."
{% endif %}
Repository administrators and organization owners can grant users and teams access to {% data variables.secret-scanning.alerts %}. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts)."
{% ifversion ghec or ghes %}
You can use security overview to see an organization-level view of which repositories have enabled {% data variables.product.prodname_secret_scanning %} and the alerts found. For more information, see "[AUTOTITLE](/code-security/security-overview/about-security-overview)."
{% endif %}
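Review bot: this hunk drops the "Accessing secret scanning alerts" material (who receives the email alert and under which watch/notification settings, the alert sent to the person who introduced the secret, the notification-settings link, the access-granting link and the security overview pointer), while the new workflow bullet earlier in the file replaces it with an unresolved `TODO: - link to "About alerts" article`. Make sure that content lands in the alerts article within this PR, or keep it here until it does, so the notification conditions are not lost from the docs.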
@@ -1,6 +1,6 @@
---
title: Introduction to secret scanning
shortTitle: Secret scanning
shortTitle: Introduction
allowTitleToDifferFromFilename: true
intro: 'Learn about {% data variables.product.prodname_secret_scanning_caps %} can keep your repositories secure by scanning them for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally.'
product: '{% data reusables.gated-features.secret-scanning %}'
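Review bot: the `intro` string is ungrammatical: `'Learn about {% data variables.product.prodname_secret_scanning_caps %} can keep your repositories secure ...'`. Suggest `'Learn how {% data variables.product.prodname_secret_scanning %} can keep your repositories secure by scanning them for known types of secrets, to prevent fraudulent use of secrets that were committed accidentally.'`, using the lower-case variable mid-sentence. Also confirm `shortTitle` ends up as `Introduction` rather than `Secret scanning`, since the about-secret-scanning article in this same PR already uses `shortTitle: Secret scanning`.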
@@ -12,4 +12,9 @@ type: overview
topics:
- Secret scanning
- Advanced Security
children:
- /about-secret-scanning
- /about-push-protection
- /about-secret-scanning-for-partners
- /supported-secret-scanning-patterns
---
@@ -1,5 +1,5 @@
---
title: Secret scanning patterns
title: Supported secret scanning patterns
intro: 'Lists of supported secrets and the partners that {% data variables.product.company_short %} works with to prevent fraudulent use of secrets that were committed accidentally.'
product: '{% data reusables.gated-features.secret-scanning %}'
versions:
@@ -12,7 +12,9 @@ topics:
- Advanced Security
redirect_from:
- /code-security/secret-scanning/secret-scanning-partners
- /code-security/secret-scanning/secret-scanning-patterns
layout: inline
shortTitle: Supported patterns
---
{% data reusables.secret-scanning.enterprise-enable-secret-scanning %}
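Review bot: the renamed patterns article gains a `redirect_from` entry for its old path (`- /code-security/secret-scanning/secret-scanning-patterns`), but nothing in this diff shows an equivalent redirect for the about-secret-scanning article, whose old `/code-security/secret-scanning/about-secret-scanning` path is dropped from the guides list later in this patch; confirm that article's frontmatter carries a matching `redirect_from` entry, otherwise existing inbound links to it break.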
@@ -1,129 +0,0 @@
---
title: Push protection for repositories and organizations
intro: 'With push protection for repositories and organizations, {% data variables.product.prodname_secret_scanning %} blocks contributors from pushing secrets to a repository and generates an alert whenever a contributor bypasses the block.'
product: '{% data reusables.gated-features.push-protection-for-repos %}'
versions:
fpt: '*'
ghes: '*'
ghec: '*'
redirect_from:
- /early-access/code-security/secret-scanning/protecting-pushes-with-secret-scanning
- /code-security/secret-scanning/protecting-pushes-with-secret-scanning
type: how_to
topics:
- Secret scanning
- Advanced Security
- Alerts
- Repositories
shortTitle: Push protection for repositories
---
{% data reusables.secret-scanning.enterprise-enable-secret-scanning %}
## About push protection for repositories and organizations
{% data reusables.secret-scanning.pre-push-protection %} {% data reusables.secret-scanning.push-protection-overview %} {% data reusables.secret-scanning.push-protection-custom-pattern %} {% ifversion secret-scanning-push-protection-custom-patterns %}For more information, see "[AUTOTITLE](/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning)."{% endif %}
{% data reusables.secret-scanning.push-protection-bypass %}
{% data reusables.secret-scanning.bypass-reasons-and-alerts %}
{% ifversion push-protection-delegated-bypass %}
By default, anyone with write access to the repository can choose to bypass push protection by specifying one of the bypass reasons outlined in the table. If you want greater control over which contributors can bypass push protection and which pushes containing secrets should be allowed, you can enable delegated bypass for push protection. Delegated bypass lets you configure a designated group of reviewers to oversee and manage requests to bypass push protection from contributors pushing to the repository. For more information, see "[Enabling delegated bypass for push protection](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)."
{% endif %}
{% ifversion secret-scanning-bypass-filter %}
On the {% data variables.product.prodname_secret_scanning %} alerts page for a repository or organization, you can apply the `bypassed:true` filter to easily see which alerts are the result of a user bypassing push protection. For more information on viewing these alerts, see "[AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning)."
{% endif %}
You can monitor security alerts to discover when users are bypassing push protections and creating alerts. For more information, see "[AUTOTITLE](/code-security/getting-started/auditing-security-alerts)."
{% ifversion security-overview-push-protection-metrics-page %}
If you are an organization owner or security manager, you can view metrics on how push protection is performing across your organization. For more information, see "[AUTOTITLE](/code-security/security-overview/viewing-metrics-for-secret-scanning-push-protection)."
{% endif %}
{% ifversion ghec or fpt %}
{% note %}
**Note:** The github.dev web-based editor doesn't support push protection. For more information about the editor, see "[AUTOTITLE](/codespaces/the-githubdev-web-based-editor)."
{% endnote %}
{% endif %}
For information on the secrets and service providers supported for push protection, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)."
## Enabling {% data variables.product.prodname_secret_scanning %} as a push protection
For you to use {% data variables.product.prodname_secret_scanning %} as a push protection in public repositories, the {% ifversion secret-scanning-enterprise-level %}enterprise,{% endif %} organization{% ifversion secret-scanning-enterprise-level %},{% endif %} or repository needs to have {% data variables.product.prodname_secret_scanning %} enabled.{% ifversion secret-scanning-push-protection-private-internal %} To use {% data variables.product.prodname_secret_scanning %} as a push protection in private or internal repositories,{% ifversion secret-scanning-user-owned-repos %} or in user-owned repositories{% ifversion ghec %} for {% data variables.product.prodname_emus %}{% endif %},{% endif %} the enterprise or organization also needs to have {% data variables.product.prodname_GH_advanced_security %} enabled.{% endif %} For more information, see {% ifversion secret-scanning-enterprise-level %}"[AUTOTITLE](/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise),"{% endif %} "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization)," "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)," and "[AUTOTITLE](/get-started/learning-about-github/about-github-advanced-security)."
Organization owners, security managers, and repository administrators can also enable push protection for {% data variables.product.prodname_secret_scanning %} via the API. For more information, see "[AUTOTITLE](/rest/repos#update-a-repository)" and expand the "Properties of the `security_and_analysis` object" section.
Organization owners can provide a custom link that will be displayed when a push is blocked. This custom link can contain organization-specific resources and advice, such as directions on using a recommended secrets vault or who to contact for questions relating to the blocked secret.
{% ifversion secret-scanning-enable-by-default-for-public-repos %}
You can also enable push protection for all of your existing {% ifversion ghec %}user-owned {% endif %} public repositories through your personal account settings. For any new public repositories you create, push protection will be enabled by default. For more information, see "[AUTOTITLE](/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-secret-scanning-alerts-for-users-for-all-your-public-repositories)."
{% endif %}
{% ifversion secret-scanning-enterprise-level-api %}
Enterprise administrators can also enable or disable {% data variables.product.prodname_secret_scanning %} as a push protection for the enterprise via the API. For more information, see "[AUTOTITLE](/rest/enterprise-admin/code-security-and-analysis)."{% endif %}
{% note %}
**Note:** When you fork a repository with {% data variables.product.prodname_secret_scanning %} as a push protection enabled, this is not enabled by default on the fork. You can enable it on the fork the same way you enable it on a standalone repository.
{% endnote %}
{% ifversion secret-scanning-enterprise-level %}
### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection for your enterprise
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.settings-tab %}
1. In the left sidebar, click **Code security and analysis**.
{% data reusables.advanced-security.secret-scanning-push-protection-enterprise %}
{% endif %}
### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection for an organization
{% ifversion security-configurations-ga %}
You can find a set of repositories and enable or disable {% data variables.product.prodname_secret_scanning %} as a push protection for them all at the same time. For more information, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)."
{% elsif security-configurations-beta-and-pre-beta %}
You can use the organization settings page for "Code security and analysis" to enable or disable {% data variables.product.prodname_secret_scanning %} as a push protection for all existing repositories in an organization.
{% data reusables.organizations.navigate-to-org %}
{% data reusables.organizations.org_settings %}
{% data reusables.organizations.security-and-analysis %}
{% ifversion security-configurations-beta-only %}
{% data reusables.security-configurations.changed-org-settings-security-configurations-callout %} For next steps on enabling push protection and other security features at scale with {% data variables.product.prodname_security_configurations %}, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization)."
{% endif %}
{% data reusables.repositories.navigate-to-ghas-settings %}
{% data reusables.advanced-security.secret-scanning-push-protection-org %}
{% data reusables.security.note-securing-your-org %}
{% endif %}
### Enabling {% data variables.product.prodname_secret_scanning %} as a push protection for a repository
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.repositories.navigate-to-code-security-and-analysis %}
{% data reusables.repositories.navigate-to-ghas-settings %}
{% data reusables.advanced-security.secret-scanning-push-protection-repo %}
## Further reading
* "[AUTOTITLE](/code-security/secret-scanning/pushing-a-branch-blocked-by-push-protection)"
* "[AUTOTITLE](/code-security/secret-scanning/working-with-push-protection)"{% ifversion push-protection-delegated-bypass %}
* "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)"{% endif %}
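Review bot: this hunk deletes a `type: how_to` article whose enterprise-, organization- and repository-level procedures (the three "Enabling ... as a push protection for ..." sections, plus the custom-link paragraph and the forked-repository note) are not visibly recreated anywhere in this patch; the only enabling article the rest of the diff references is `enabling-push-protection-for-your-repository`. Confirm the enterprise and organization steps have a home in the new structure before the file is removed, and that the old path redirects to a page that still tells the reader how to turn the feature on.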
@@ -2,7 +2,7 @@
title: Using advanced secret scanning and push protection features
shortTitle: Advanced features
allowTitleToDifferFromFilename: true
intro: 'Learn how you can customize {% data variables.secret-scanning.partner_alerts %} to meet the needs of your company..'
intro: 'Learn how you can customize {% data variables.secret-scanning.partner_alerts %} to meet the needs of your company.'
product: '{% data reusables.gated-features.secret-scanning %}'
versions:
fpt: '*'
@@ -112,6 +112,7 @@ secret_scanning:
Set up secret scanning to guard against accidental check-ins of tokens,
passwords, and other secrets to your repository.
guides:
- /code-security/secret-scanning/introduction/about-secret-scanning
- /code-security/secret-scanning/about-secret-scanning
- /code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository
- /code-security/secret-scanning/enabling-secret-scanning-features/enabling-push-protection-for-your-repository
@@ -123,10 +124,10 @@ secret_scanning:
%}/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/custom-patterns/defining-custom-patterns-for-secret-scanning{%
endif %}
- /code-security/secret-scanning/managing-alerts-from-secret-scanning
- /code-security/secret-scanning/secret-scanning-patterns
- /code-security/secret-scanning/introduction/supported-secret-scanning-patterns
- >-
{% ifversion secret-scanning-push-protection
%}/code-security/secret-scanning/push-protection-for-repositories-and-organizations{%
%}/code-security/secret-scanning/introduction/about-push-protection{%
endif %}
- >-
{% ifversion secret-scanning-push-protection-for-users
@@ -1,5 +1,5 @@
{% ifversion fpt or ghec %}
To find out about our partner program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partner-program)."
To find out about our partner program, see "[AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)."
{% else %}
To find out about our partner program, see "[AUTOTITLE](/enterprise-cloud@latest/code-security/secret-scanning/secret-scanning-partner-program)" in the {% data variables.product.prodname_ghe_cloud %} documentation.
To find out about our partner program, see "[AUTOTITLE](/enterprise-cloud@latest/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)" in the {% data variables.product.prodname_ghe_cloud %} documentation.
{% endif %}
@@ -1 +1 @@
When you enable push protection for your organization or repository, {% data variables.product.prodname_secret_scanning %} also checks pushes for supported secrets. {% data variables.product.prodname_secret_scanning_caps %} lists any secrets it detects so the author can review the secrets and remove them or, if {% ifversion push-protection-delegated-bypass %} permitted{%else%}needed{% endif %}, allow those secrets to be pushed.
When you enable push protection for your organization or repository, {% data variables.product.prodname_secret_scanning %} also checks pushes for supported secrets. {% data variables.product.prodname_secret_scanning_caps %} lists any secrets it detects so the author can review the secrets and remove them or, if {% ifversion push-protection-delegated-bypass %} permitted{% else %}needed{% endif %}, allow those secrets to be pushed.