With just one click, admins in GitHub Advanced Security organizations can protect their custom patterns on push.
The most successful application security initiatives help developers work more efficiently. You need to know when vulnerabilities exist in code so that you can fix them. But what if you could prevent those vulnerabilities in the first place?
With GitHub Advanced Security, organizations use push protection to prevent secret leaks and save hundreds of hours in downstream remediation time. Push protection has already prevented more than 8,000 secret leaks across 100 secret types since its initial release in April.
Now, organizations that have defined custom patterns can enable push protection for those patterns. Push protection for custom patterns can be configured on a pattern-by-pattern basis. So, just like how you can already choose which patterns to publish (and which to first refine in draft mode), you can decide which patterns to push protect based on false positives.
If I attempt to push a secret, I immediately know it. GitHub’s secret scanning push protection stops me before a secret is pushed into the code base, saving me tons of time. If, instead, I rely solely on external scanning tools to scan the repository after the secret’s already been exposed, I’ll need to quickly revoke the secret and refactor my code. The integration of GitHub’s secret scanning and push protection directly in a developer’s flow saves time and helps educate developers on best practices.
You can define custom patterns at the repository, organization, and enterprise levels. And now, you can also enable push protection for custom patterns at the organization or repository level. With push protection enabled, GitHub will enforce blocks when contributors try to push code that contains matches to the defined pattern.
To define a custom pattern, navigate to your organization’s code security settings page. Once you have GitHub Advanced Security and secret scanning enabled, you can create a new custom pattern through the UI. We allow you to dry run any custom pattern—before you publish.
Once you publish your pattern, and feel confident that the pattern creates alerts with low false positives, you can click “Enable” besides “Push protection” in your custom pattern’s page. GitHub recommends regularly checking your custom pattern’s alerts to make sure that you’re keeping false positive noise as low as possible for your developers. This strategic use of push protection can help you build trust between your contributors and their security alerts, so that alerts are properly actioned when needed.
Secret scanning alerts are available for free for all public repositories. We provide push protection as well as coverage for private repositories as part of GitHub Advanced Security, which also includes code scanning and supply chain security insights. To try GitHub Advanced Security in your organization or see a demo, please reach out to your GitHub sales partner.
If you’re a service provider and interested in protecting our shared users from leaking secrets, we encourage you to join the secret scanning partner program. We currently support 200+ patterns and 100+ partners. To get started, please email secret-scanning@github.com.
The GitHub Security Lab examined the most popular open source software running on our home labs, with the aim of enhancing its security. Here's what we found and what you can do to better protect your own smart home.
Improve your GitHub Action’s security posture by securing your source repository, protecting your maintainers, and making it easy to report security incidents.
The GitHub Awards recognizes and celebrates the outstanding contributions and achievements in the developer community, honoring individuals, projects, and organizations for their impactful work, innovation, thought leadership, and creating an outsized positive impact on the community.
Mariam Sulakian 
Zain Malik 
