Secret scanning's delegated bypass controls for push protection (public beta) - feedback #121816
-
We've deployed this internally and it's working great. I have a couple of requests though!
Thanks!
-
Hi, @courtneycl! The delegated bypass feature is one we're planning to rely on as a key control to keep provider secrets out of our GitHub environment, so we're very excited about it. That said, our testing has uncovered some problems. Using the CLI, I was able to use a non-privileged account (i.e. a non-org-owner, non-security-managers account) to bypass push protection and commit a GitHub PAT to a repo in one of our orgs that has the delegated bypass turned on. Then, two of my colleagues were able to use the web UI to push an Azure AD application key (push protection itself didn't even work on this one) and a HashiCorp key (where delegated bypass didn't work). Have others reported similar concerns? Happy to get on a call with your team sometime to demo what we're seeing. Thank you!
-
GitHub Advanced Security customers using secret scanning can now specify which teams or roles have the ability to bypass push protection. This is intended to help reduce bypass rates within organizations that see high levels of live secrets being bypassed and committed into repositories.
This is managed through a new bypass list, where organizations can select which teams or roles are authorized to bypass push protection and act as reviewers for bypass requests. If an individual not included in this list needs to push a commit that is initially blocked, they must submit a bypass request. This request is then reviewed by an authorized individual who can either approve or deny it, determining whether the commit can proceed into the repository.
🗣️ We're looking for your feedback as we're in beta, both from the reviewer side and from the requestor side.
Things like:
Thank you very much -- we appreciate you ❤️
Learn more about secret scanning | Learn more about push protection
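As an added illustration (not GitHub's code), the bypass-list workflow described above modelled as a small policy engine: a detected secret is accepted outright only for actors on the org's bypass list, everyone else gets a pending request that only a bypass-list member can approve or deny, and every client (web UI, git CLI, API) is routed through the same check, which is the property the report above is testing. The pattern, team and role names, and the sample token are constructed assumptions.

```python
import re
from dataclasses import dataclass
from enum import Enum

# Constructed, simplified detector; not GitHub's real secret-scanning patterns.
SECRET_PATTERNS = {"github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b")}
SAMPLE_PAT = "ghp_" + "A" * 36  # constructed placeholder, not a real token

def find_secrets(text: str) -> list:
    """Return the names of secret patterns found in a commit's content."""
    return [name for name, rx in SECRET_PATTERNS.items() if rx.search(text)]

class Outcome(Enum):
    PUSHED = "accepted, no secret found"
    BYPASSED = "accepted, actor or approved request on bypass list"
    REQUEST_PENDING = "blocked, bypass request submitted"
    BLOCKED = "blocked, bypass request denied"

@dataclass(frozen=True)
class Actor:
    login: str
    teams: frozenset = frozenset()
    roles: frozenset = frozenset()

@dataclass(frozen=True)
class BypassPolicy:
    """Org-level bypass list: teams and roles that may bypass and may review."""
    teams: frozenset
    roles: frozenset
    def authorises(self, actor: Actor) -> bool:
        return bool(actor.teams & self.teams or actor.roles & self.roles)

class PushProtection:
    def __init__(self, policy: BypassPolicy):
        self.policy = policy
        self.requests = {}  # commit id -> (requester login, status)

    def push(self, actor: Actor, commit_id: str, content: str) -> Outcome:
        # Single enforcement path: every client must land here, never a UI-only check.
        if not find_secrets(content):
            return Outcome.PUSHED
        if self.policy.authorises(actor):
            return Outcome.BYPASSED
        status = self.requests.get(commit_id, (None, None))[1]
        if status == "approved":
            return Outcome.BYPASSED
        if status == "denied":
            return Outcome.BLOCKED
        self.requests[commit_id] = (actor.login, "pending")
        return Outcome.REQUEST_PENDING

    def review(self, reviewer: Actor, commit_id: str, approve: bool) -> str:
        # Only bypass-list members may act as reviewers; the requester never is one.
        if not self.policy.authorises(reviewer):
            raise PermissionError(f"{reviewer.login} is not on the bypass list")
        requester, _ = self.requests[commit_id]
        status = "approved" if approve else "denied"
        self.requests[commit_id] = (requester, status)
        return status
```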