Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com> Co-authored-by: mchammer01 <42146119+mchammer01@users.noreply.github.com> Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com> Co-authored-by: Hector Alfaro <hectorsector@github.com> Co-authored-by: Vanessa <vgrl@github.com> Co-authored-by: Erin Havens <erinhav@github.com> Co-authored-by: Aaron Waggener <73763104+aaronwaggener@users.noreply.github.com> Co-authored-by: Sam Browning <106113886+sabrowning1@users.noreply.github.com> Co-authored-by: Sarah Schneider <sarahs@users.noreply.github.com> Co-authored-by: Sarita Iyer <66540150+saritai@users.noreply.github.com> Co-authored-by: Sarah Schneider <sarahs@github.com>
| title | intro | permissions | versions | type | topics | shortTitle |
|---|---|---|---|---|---|---|
| Enabling delegated bypass for push protection | You can use delegated bypass for your organization or repository to control who can push commits that contain secrets identified by {% data variables.product.prodname_secret_scanning %}. | {% data reusables.permissions.delegated-bypass %} | | how_to | | Enable delegated bypass |
About enabling delegated bypass for push protection
{% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %}
{% data reusables.secret-scanning.push-protection-delegated-bypass-intro %}
For more information, see AUTOTITLE.
When you enable this feature, you will create a bypass list of roles and teams who can manage requests to bypass push protection. If you don't already have appropriate teams or roles to use, you should create additional teams before you start.
{% ifversion push-protection-bypass-fine-grained-permissions %}Alternatively, you can grant specific organization members the ability to review and manage bypass requests using fine-grained permissions, which give you more refined control over which individuals and teams can approve and deny bypass requests. For more information, see Using fine-grained permissions to control who can review and manage bypass requests.{% endif %}
Configuring delegated bypass for a repository
[!NOTE] If an organization owner configures delegated bypass at the organization level, the repository-level settings are disabled.
{% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-settings %} {% data reusables.repositories.navigate-to-code-security-and-analysis %}{% ifversion ghas-products %}
- Under "{% data variables.product.prodname_secret_protection %}", ensure that push protection is enabled for the repository.{% else %} {% data reusables.repositories.navigate-to-ghas-settings %}{% endif %}
- Under "Push protection", to the right of "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}", select the dropdown menu, then click Specific roles or teams.
- Under "Bypass list", click Add role or team.

  [!NOTE] When you add roles or teams to the "bypass list", these users will be granted the ability to bypass push protection, and they can also review and manage the requests from all other contributors to bypass push protection.
  You can't add secret teams to the bypass list.

- In the dialog box, select the roles and teams that you want to add to the bypass list, then click Add selected.
Configuring delegated bypass for an organization
{% ifversion push-protection-delegated-bypass-configurations %}
You must configure delegated bypass for your organization using a custom security configuration. You can then apply the security configuration to all (or selected) repositories in your organization.
- Create a new custom security configuration, or edit an existing one. See AUTOTITLE.
- When defining the custom security configuration, under "{% data variables.product.prodname_secret_scanning_caps %}", ensure that {% ifversion ghas-products %}"Push protection" is set to Enabled{% else %}the dropdown menus for "Alerts" and "Push protection" are set to Enabled{% endif %}.
- Under "Push protection", to the right of "Bypass privileges", select the dropdown menu, then click Specific actors.

  [!NOTE] When you assign bypass privileges to selected actors, these organization members are granted the ability to bypass push protection, and they also review and manage the requests from all other contributors to bypass push protection.
  You can't add secret teams to the bypass list.

- Click the "Select actors" dropdown menu, then select the roles and teams you want to assign bypass privileges to.

  [!TIP] In addition to assigning bypass privileges to roles and teams, you can also grant individual organization members the ability to review and manage bypass requests using fine-grained permissions. See Using fine-grained permissions to control who can review and manage bypass requests.

- Click Save configuration.
- Apply the security configuration to all (or selected) repositories in your organization. See AUTOTITLE.
To learn more about security configurations, see AUTOTITLE.
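One way to verify the outcome of the steps above across an organization's security configurations, as an added example that is not part of the original page or GitHub's own code. It assumes the field names of the code security configuration objects returned by the REST API (`GET /orgs/{org}/code-security/configurations`); the sample data is constructed and the function name `audit_delegated_bypass` is hypothetical.

```python
import json

# Constructed sample in the shape of code security configuration objects
# (assumed REST API field names; ids, names and values are made up).
SAMPLE_CONFIGS = json.loads("""
[
  {"id": 1, "name": "baseline",
   "secret_scanning_push_protection": "enabled",
   "secret_scanning_delegated_bypass": "enabled",
   "secret_scanning_delegated_bypass_options": {
     "reviewers": [{"reviewer_id": 4242, "reviewer_type": "TEAM"}]}},
  {"id": 2, "name": "legacy",
   "secret_scanning_push_protection": "enabled",
   "secret_scanning_delegated_bypass": "disabled"},
  {"id": 3, "name": "empty-list",
   "secret_scanning_push_protection": "enabled",
   "secret_scanning_delegated_bypass": "enabled",
   "secret_scanning_delegated_bypass_options": {"reviewers": []}},
  {"id": 4, "name": "no-push-protection",
   "secret_scanning_push_protection": "disabled",
   "secret_scanning_delegated_bypass": "not_set"}
]
""")

def audit_delegated_bypass(configs):
    """Return {configuration name: [findings]} for configurations needing review."""
    report = {}
    for cfg in configs:
        findings = []
        if cfg.get("secret_scanning_push_protection") != "enabled":
            # Delegated bypass only has meaning when push protection is on.
            findings.append("push protection is not enabled")
        elif cfg.get("secret_scanning_delegated_bypass") != "enabled":
            findings.append("delegated bypass is not enabled")
        else:
            opts = cfg.get("secret_scanning_delegated_bypass_options") or {}
            reviewers = opts.get("reviewers") or []
            if not reviewers:
                findings.append("bypass list has no reviewers")
            for r in reviewers:
                if r.get("reviewer_type") not in ("TEAM", "ROLE"):
                    findings.append(f"unexpected reviewer type: {r.get('reviewer_type')}")
        if findings:
            report[cfg["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit_delegated_bypass(SAMPLE_CONFIGS).items():
        print(f"{name}: {'; '.join(findings)}")
```

To run it against a real organization, replace `SAMPLE_CONFIGS` with the parsed JSON response from the configurations endpoint.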
{% else %}
{% data reusables.organizations.navigate-to-org %} {% data reusables.organizations.org_settings %} {% ifversion security-configurations %}
- In the "Security" section of the sidebar, select the {% data variables.product.UI_advanced_security %} dropdown menu, then click {% data variables.product.prodname_global_settings_caps %}. {% else %} {% data reusables.organizations.security-and-analysis %} {% data reusables.repositories.navigate-to-ghas-settings %} {% endif %}
- Under "Push protection", to the right of "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}", select the dropdown menu, then click Specific roles or teams.
- Under "Bypass list", click Add role or team.
- In the dialog box, select the roles and teams that you want to add to the bypass list, then click Add selected.
{% endif %}
{% ifversion push-protection-bypass-fine-grained-permissions %}
Using fine-grained permissions to control who can review and manage bypass requests
You can grant specific individuals or teams in your organization the ability to review and manage bypass requests using fine-grained permissions.
- Ensure that delegated bypass is enabled for the organization. For more information, follow steps 1-3 in Configuring delegated bypass for your organization and ensure you have saved and applied the security configuration to your selected repositories.
- Create (or edit) a custom organization role. For information on creating and editing custom roles, see AUTOTITLE.
- When choosing which permissions to add to the custom role, select the "Review and manage {% data variables.product.prodname_secret_scanning %} bypass requests" permission.
- Assign the custom role to individual members or teams in your organization. For more information on assigning custom roles, see AUTOTITLE.
{% endif %}