Configuring which secret scanning patterns are included in push protection is in public preview
Security teams can now choose which secret scanning patterns are included in push protection. Previously, push protection only covered a subset of patterns that met strict criteria. With this update, you can customize push protection to better meet your organization’s security policies and prevent a wider range of secrets from being committed to your repositories.
You can configure push protected patterns at the Enterprise level (Settings -> Advanced Security -> Additional Settings) or the Organization level (Settings -> Advanced Security -> Global settings). Settings from the Enterprise level are automatically inherited by the Organization level; however, any changes made at the Organization level take precedence. Pattern configurations are applied globally and cannot be applied to individual repositories or sets of repositories at this time. Push protection configuration for custom patterns has moved to a secondary tab within the Pattern configuration pages.
The configuration table shows data derived from your Enterprise or Organization on alert volume, false positive resolution rates, and bypass rates. You can use this information to determine whether you should include a pattern in push protection. By default, all patterns are set to their GitHub-recommended setting.
Configuration for push protected patterns is available with a Secret Protection license.
Learn more about securing your repositories with secret scanning and push protection.