GitHub Advanced Security customers can now push protect their custom patterns
With just one click, admins in GitHub Advanced Security organizations can protect their custom patterns on push.
The most successful application security initiatives help developers work more efficiently. You need to know when vulnerabilities exist in code so that you can fix them. But what if you could prevent those vulnerabilities in the first place?
With GitHub Advanced Security, organizations use push protection to prevent secret leaks and save hundreds of hours in downstream remediation time. Push protection has already prevented more than 8,000 secret leaks across 100 secret types since its initial release in April.
Now, organizations that have defined custom patterns can enable push protection for those patterns. Push protection for custom patterns can be configured on a pattern-by-pattern basis. So, just like how you can already choose which patterns to publish (and which to first refine in draft mode), you can decide which patterns to push protect based on false positives.
If I attempt to push a secret, I immediately know it. GitHub’s secret scanning push protection stops me before a secret is pushed into the code base, saving me tons of time. If, instead, I rely solely on external scanning tools to scan the repository after the secret’s already been exposed, I’ll need to quickly revoke the secret and refactor my code. The integration of GitHub’s secret scanning and push protection directly in a developer’s flow saves time and helps educate developers on best practices.
Enabling push protection
You can define custom patterns at the repository, organization, and enterprise levels. And now, you can also enable push protection for custom patterns at the organization or repository level. With push protection enabled, GitHub will enforce blocks when contributors try to push code that contains matches to the defined pattern.
To define a custom pattern, navigate to your organization’s code security settings page. Once you have GitHub Advanced Security and secret scanning enabled, you can create a new custom pattern through the UI. We allow you to dry run any custom pattern—before you publish.
Once you publish your pattern, and feel confident that the pattern creates alerts with low false positives, you can click “Enable” besides “Push protection” in your custom pattern’s page. GitHub recommends regularly checking your custom pattern’s alerts to make sure that you’re keeping false positive noise as low as possible for your developers. This strategic use of push protection can help you build trust between your contributors and their security alerts, so that alerts are properly actioned when needed.
Learn more about secret scanning
Secret scanning alerts are available for free for all public repositories. We provide push protection as well as coverage for private repositories as part of GitHub Advanced Security, which also includes code scanning and supply chain security insights. To try GitHub Advanced Security in your organization or see a demo, please reach out to your GitHub sales partner.
Become a GitHub secret scanning partner
If you’re a service provider and interested in protecting our shared users from leaking secrets, we encourage you to join the secret scanning partner program. We currently support 200+ patterns and 100+ partners. To get started, please email secret-scanning@github.com.
Tags:
Related posts
GitHub Availability Report: January 2025
In January, we experienced two incidents that resulted in degraded performance across GitHub services.
GitHub Copilot: The agent awakens
Introducing agent mode for GitHub Copilot in VS Code, announcing the general availability of Copilot Edits, and providing a first look at our SWE agent.
That’s a wrap: GitHub Innovation Graph in 2024
Discover the latest trends and insights on public software development activity on GitHub with the release of Q2 & Q3 2024 data for the Innovation Graph.