Bypass list for secret scanning push protection can include the maintainer role

Starting in April 2024, GitHub Advanced Security customers using secret scanning have been able to specify which teams or roles have the ability to bypass push protection using a delegated bypass list.

Administrators can now add the maintainer role to this list.

Today, we’ve announced the general availability of Copilot Autofix for CodeQL alerts in GitHub code scanning! Powered by GitHub Copilot, this feature brings automatic fixes for vulnerabilities found by CodeQL into the developer workflow.

Through a deep integration in GitHub pull requests, autofixes help developers to fix vulnerabilities quickly and early in the development process, thereby preventing new vulnerabilities from entering your codebase. Data from our beta programme shows that vulnerabilities with a fix suggestion are fixed 3x faster across all vulnerability types, and even faster for complicated vulnerability types like cross-site scripting (7x faster) and SQL injection (12x faster). For security debt that already exists in your codebases, Copilot Autofix can help you with on-demand autofixes for historical alerts. Copilot Autofix for CodeQL code scanning was previously called “code scanning autofix”, and is now generally available for all GitHub Advanced Security customers on GitHub.com.

As developers start using autofixes, security teams can see an overview of how their organisation adopts autofixes generated by Copilot on their security overview dashboard. This includes detailed information about remediation rates.

For more information, see: About Copilot Autofix for CodeQL code scanning. If you have feedback for Copilot Autofix for code scanning, please join the discussion here.

Example of Copilot Autofix operating on a CodeQL alert in a pull request


Push protection blocks you from pushing secrets to a repository and generates an alert whenever you bypass the block.

Push protection is now supported for the following REST API endpoints:
* Create a blob
* Create or update file contents

If the content of a PUT request to these endpoints includes a secret, the API will respond with a 409 error and provide a link for bypassing push protection, along with a placeholder_id.

There is also a new API endpoint to bypass push protection programmatically: Create a push protection bypass. You or your application can use the placeholder_id from your push protection block in your call to this endpoint.

You need to be the individual or application that initially got blocked to be able to bypass the block successfully.
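The following is an added example, not code from GitHub: it shows how a client could tell a push protection block apart from an ordinary 409 conflict and prepare the bypass call only with an explicit, reviewer-supplied reason. The JSON layout of the 409 body, the bypass path, the reason values and all sample values are assumptions to check against the current REST API documentation.

```python
import json

# Reason values assumed for the "Create a push protection bypass" endpoint.
BYPASS_REASONS = {"false_positive", "used_in_tests", "will_fix_later"}

# Constructed sample of a blocked response; the body layout is an assumption.
SAMPLE_BLOCKED = json.dumps({
    "message": "Secret detected in content",
    "metadata": {"secret_scanning": {"bypass_placeholders": [
        {"placeholder_id": "PLACEHOLDER_ID_1", "token_type": "example_token"}
    ]}},
})
# Constructed sample of an unrelated 409 (for example a stale file sha).
SAMPLE_CONFLICT = json.dumps({"message": "file does not match expected sha"})


def blocked_placeholders(status, body):
    """Return the placeholder_ids of a push protection block, or [] otherwise."""
    if status != 409:
        return []
    try:
        node = json.loads(body)
    except (TypeError, ValueError):
        return []  # not JSON, so not a response we can act on
    # Walk metadata -> secret_scanning -> bypass_placeholders defensively.
    for key in ("metadata", "secret_scanning", "bypass_placeholders"):
        node = node.get(key) if isinstance(node, dict) else None
    if not isinstance(node, list):
        return []  # a 409 without secret scanning metadata is a normal conflict
    return [p["placeholder_id"] for p in node
            if isinstance(p, dict) and p.get("placeholder_id")]


def bypass_request(owner, repo, placeholder_id, reason):
    """Build (not send) the bypass call; the reason must come from a reviewer."""
    if reason not in BYPASS_REASONS:
        raise ValueError(f"unsupported bypass reason: {reason!r}")
    return {
        "method": "POST",
        # Path assumed from the endpoint name; confirm it in the REST API docs.
        "path": f"/repos/{owner}/{repo}/secret-scanning/push-protection-bypasses",
        "json": {"reason": reason, "placeholder_id": placeholder_id},
    }
```

Keeping the request builder separate from the sender lets a pipeline log every block and require a recorded reason before any bypass is attempted.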
