To help prevent developers from inadvertently exposing credentials and other secrets, GitHub is enabling a new security feature called push protection that will alert developers when they’re attempting to push a commit containing a secret.
The new feature is now enabled for free on all public repositories and is available for all private repositories. Push protection is designed to work hand-in-hand with the existing secret scanning feature, which, as the name implies, scans code for sensitive information. Both features are meant to help developers avoid costly errors that could expose credentials, keys, tokens, or other sensitive data.
When push protection detects a potential secret in a commit, it displays an alert directly in the developer’s command line interface or IDE and includes guidance on remediating the issue.
“If you are pushing a commit containing a secret, a push protection prompt will appear with information on the secret type, location, and how to remediate the exposure. Once you have removed the secret from your commit history, you can re-push your commit. Push protection only blocks secrets with low false positive rates, so when a commit is blocked, you know it’s worth investigating,” Mariam Sulakian and Zain Malik of GitHub said.
“In certain instances, you have an urgent circumstance to push code that has a secret in it, for example, fixing an outage with speed and addressing the secrets after. You can bypass push protection by providing a reason, for example, it’s used for testing, is a false positive, or is an acceptable risk that will be fixed later.”
Any time a developer bypasses the new push protection feature, the administrators of the repository and the organization, along with security managers, will receive emails informing them of the bypass. Repository administrators can enable the new feature in the code security and analysis section of the GitHub settings.
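The workflow described above (scan pushed changes with high-confidence detectors, block and prompt with location and remediation guidance, allow a bypass only with a stated reason, and notify administrators of every bypass) can be modelled in a few dozen lines. The following is an added illustration written for this article, not GitHub's own implementation: the secret patterns are approximations of common token formats chosen for their fixed prefixes and lengths, the bypass reasons and the administrator address are assumptions, and the unified diff and the tokens inside it are constructed sample input, not real credentials.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# High-confidence patterns only. Each has a fixed prefix and a fixed length, so
# random strings rarely match; this is how a scanner keeps its false positive
# rate low. These regexes are illustrative approximations for this example,
# not the detector definitions any vendor actually uses.
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "slack_bot_token": re.compile(r"\bxoxb-[0-9]{10,13}-[0-9]{10,13}-[A-Za-z0-9]{24}\b"),
}

# Assumed set of reasons a pusher may give when bypassing the block.
ALLOWED_BYPASS_REASONS = {"used_in_tests", "false_positive", "will_fix_later"}

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass
class Finding:
    secret_type: str
    path: Optional[str]
    line: int
    redacted: str  # the prompt never echoes the full secret back


@dataclass
class PushDecision:
    blocked: bool
    findings: List[Finding]
    bypass_reason: Optional[str] = None
    notifications: List[str] = field(default_factory=list)


def redact(token: str) -> str:
    """Keep the prefix and last four characters so the pusher can locate it."""
    return token[:4] + "*" * (len(token) - 8) + token[-4:]


def scan_diff(diff_text: str) -> List[Finding]:
    """Scan only added lines of a unified diff, tracking file and line number."""
    findings: List[Finding] = []
    path: Optional[str] = None
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("--- "):
            continue
        hunk = HUNK_RE.match(raw)
        if hunk:
            new_line = int(hunk.group(1))  # start line in the new file
            continue
        if raw.startswith("+"):
            content = raw[1:]
            for name, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(content):
                    findings.append(Finding(name, path, new_line, redact(m.group(0))))
            new_line += 1
        elif raw.startswith("-"):
            continue  # removed lines do not occupy a line in the new file
        else:
            new_line += 1  # context line
    return findings


def evaluate_push(diff_text: str, bypass_reason: Optional[str] = None,
                  admins=("repo-admin@example.test",)) -> PushDecision:
    """Block on any finding unless a recognised bypass reason is supplied;
    a bypass is allowed but produces one notification per admin and finding."""
    findings = scan_diff(diff_text)
    if not findings:
        return PushDecision(blocked=False, findings=[])
    if bypass_reason is None:
        return PushDecision(blocked=True, findings=findings)
    if bypass_reason not in ALLOWED_BYPASS_REASONS:
        raise ValueError(f"unrecognised bypass reason: {bypass_reason}")
    notes = [f"to {admin}: push protection bypassed ({bypass_reason}) for "
             f"{f.secret_type} at {f.path}:{f.line}"
             for admin in admins for f in findings]
    return PushDecision(False, findings, bypass_reason, notes)


def format_prompt(decision: PushDecision) -> str:
    """The message a blocked pusher would see: type, location, remediation."""
    lines = ["Push blocked: possible secrets detected."]
    for f in decision.findings:
        lines.append(f"  {f.secret_type} in {f.path} line {f.line}: {f.redacted}")
    lines.append("Remove the secret from the commit history (amend or rebase), "
                 "rotate it if it was ever real, then push again.")
    return "\n".join(lines)


# Constructed sample diff; the tokens match the pattern shapes but are not real.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,5 @@
 DEBUG = False
+GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLE123456789"
 ALLOWED_HOSTS = ["localhost"]
-OLD_SETTING = 1
"""

if __name__ == "__main__":
    print(format_prompt(evaluate_push(SAMPLE_DIFF)))
```

Note that `scan_diff` looks only at added lines, which is the same trade-off push protection makes: a secret already in history is not re-flagged by a push that leaves it untouched, so secret scanning of the full repository remains necessary alongside the push-time check.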