GitHub Advanced Security customers can now push protect their custom patterns

With just one click, admins in GitHub Advanced Security organizations can protect their custom patterns on push.

Security in the Enterprise
| 3 minutes

The most successful application security initiatives help developers work more efficiently. You need to know when vulnerabilities exist in code so that you can fix them. But what if you could prevent those vulnerabilities in the first place?

With GitHub Advanced Security, organizations use push protection to prevent secret leaks and save hundreds of hours in downstream remediation time. Push protection has already prevented more than 8,000 secret leaks across 100 secret types since its initial release in April.

Now, organizations that have defined custom patterns can enable push protection for those patterns. Push protection for custom patterns can be configured on a pattern-by-pattern basis. So, just like how you can already choose which patterns to publish (and which to first refine in draft mode), you can decide which patterns to push protect based on false positives.

If I attempt to push a secret, I immediately know it. GitHub’s secret scanning push protection stops me before a secret is pushed into the code base, saving me tons of time. If, instead, I rely solely on external scanning tools to scan the repository after the secret’s already been exposed, I’ll need to quickly revoke the secret and refactor my code. The integration of GitHub’s secret scanning and push protection directly in a developer’s flow saves time and helps educate developers on best practices.

- David Florey, Software Engineering Director, Intel

Enabling push protection

You can define custom patterns at the repository, organization, and enterprise levels. And now, you can also enable push protection for custom patterns at the organization or repository level. With push protection enabled, GitHub will enforce blocks when contributors try to push code that contains matches to the defined pattern.

To define a custom pattern, navigate to your organization’s code security settings page. Once you have GitHub Advanced Security and secret scanning enabled, you can create a new custom pattern through the UI. We allow you to dry run any custom pattern—before you publish.

Once you publish your pattern, and feel confident that the pattern creates alerts with low false positives, you can click “Enable” besides “Push protection” in your custom pattern’s page. GitHub recommends regularly checking your custom pattern’s alerts to make sure that you’re keeping false positive noise as low as possible for your developers. This strategic use of push protection can help you build trust between your contributors and their security alerts, so that alerts are properly actioned when needed.


Gif demonstrating how to set up custom pattern push protection based on the user's private key.

Learn more about secret scanning

Secret scanning alerts are available for free for all public repositories. We provide push protection as well as coverage for private repositories as part of GitHub Advanced Security, which also includes code scanning and supply chain security insights. To try GitHub Advanced Security in your organization or see a demo, please reach out to your GitHub sales partner.

Become a GitHub secret scanning partner

If you’re a service provider and interested in protecting our shared users from leaking secrets, we encourage you to join the secret scanning partner program. We currently support 200+ patterns and 100+ partners. To get started, please email secret-scanning@github.com.

Related posts