GitHub has moved push protection into general availability and made it free for all public repositories. Push protection scans pushed commits for secrets and blocks a push that contains one before it lands in the repository. As part of the GA release, push protection is also available to all private repositories with a GitHub Advanced Security (GHAS) license.
If code is pushed that contains a secret, push protection will trigger a prompt indicating the secret type, location, and steps to remediate. These prompts occur inline with the developer experience, either in the IDE or CLI. According to Zain Malik, senior product marketing manager at GitHub, and Mariam Sulakian, product manager at GitHub, "push protection only blocks secrets with low false positive rates." A full list of secrets supported by push protection is available within the GitHub docs.
Push protection can be bypassed if needed by providing a reason. The options presented include marking the secret as needed for a test, marking it as a false positive, and marking it to be fixed later. Bypassing push protection will automatically trigger an email alert to repository and organization administrators as well as defined security managers. All bypasses can be reviewed via audit logs, the alert view UI, the REST API, or via webhook events. If marked as "fix later", an open security alert is created. In all other cases, a closed and resolved security alert is created.
Push protection can be enabled via the Code security and analysis settings. It is possible to have push protection enabled automatically for all new public and GHAS-enabled private repositories. A custom resource link can also be specified that will appear in the CLI and web UI when push protection blocks a commit.
Custom patterns, specified as regular expressions, can be defined for push protection to scan for and block. It is recommended to test a custom pattern with the built-in dry-run feature before publishing and enabling it, so that an over-broad expression does not start blocking legitimate pushes.
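The point of the dry run is to measure a pattern's false-positive rate before it can block anyone. The following is an added example, not GitHub's code and not a reproduction of the custom-pattern UI or its regex fields: it simulates a dry run in plain Python by running a loose and a tightened version of a hypothetical token pattern over constructed diff lines that are hand-labelled as secret or not. The "acme_" token format, the sample lines and the labels are all assumptions made up for this illustration.

```python
import re

# Hypothetical token format, constructed for this example: the prefix "acme_"
# followed by exactly 32 lowercase hex characters. It is not a real vendor's
# token format and not one of GitHub's built-in patterns.
LOOSE_PATTERN = re.compile(r"acme_[0-9a-f]+")
STRICT_PATTERN = re.compile(r"\bacme_[0-9a-f]{32}\b")

# Constructed lines standing in for the added ("+") lines of a pushed diff,
# each labelled with whether a reviewer would consider it a real secret.
LABELLED_DIFF = [
    ('+API_TOKEN = "acme_0123456789abcdef0123456789abcdef"', True),
    ('+# placeholder, replaced at deploy time: acme_abc', False),
    ('+legacy_customer_id = "acme_1234"', False),
    ('+docs = "https://example.com/acme_deadbeef"', False),
    ('+key=acme_ffffffffffffffffffffffffffffffff', True),
]


def scan(pattern, lines):
    """Return (line_number, matched_text) for every hit, as a dry run would report."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in pattern.finditer(line):
            hits.append((n, m.group(0)))
    return hits


def evaluate(pattern, labelled):
    """Count true positives, false positives and misses against the labels."""
    tp = fp = fn = 0
    for line, is_secret in labelled:
        matched = pattern.search(line) is not None
        if matched and is_secret:
            tp += 1
        elif matched and not is_secret:
            fp += 1
        elif not matched and is_secret:
            fn += 1
    return {"true_positives": tp, "false_positives": fp, "missed": fn}


if __name__ == "__main__":
    lines = [line for line, _ in LABELLED_DIFF]
    for name, pattern in (("loose", LOOSE_PATTERN), ("strict", STRICT_PATTERN)):
        print(name, scan(pattern, lines))
        print(name, evaluate(pattern, LABELLED_DIFF))
```

The loose pattern flags every one of the five lines, three of them placeholders or identifiers that merely share the prefix; the strict pattern pins the exact length and word boundaries and flags only the two real tokens with no misses. That is the kind of result to look for in a dry run before enabling a pattern, since every false positive later becomes either a blocked developer or a bypass that administrators have to review.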
User greysteil noted on Hacker News that they worked on this feature while at GitHub. They shared that:
This release is a repo-level setting, which is nice, but it will be even more useful when the team releases a user-level setting in June/July. That will allow you to configure GitHub to (softly) prevent you from pushing any easily identifiable secrets to any public repo. The plan is for it to be on by default.
They continued by sharing that approximately 200 new GitHub personal access tokens (PAT) are exposed in public repositories daily. User darthbanane raised a concern that if the scanner detects a secret then that implies that the secret has already left the user's machine and has traversed the internet. User awesome_dude replied that:
The scanner has seen the credentials, yes, and it's then up to the individual to decide if that credential should be considered "compromised" or not (seeing as the GitHub scanner has seen that credential).
In response to a query about how GitHub is performing the scan, greysteil noted that "it’s a bespoke scanning setup designed to deal with GitHub’s scale, minimise false positives, and scan fast enough to be in the `git push` request/response cycle." They continued by sharing that it is leveraging Intel's Hyperscan as the regex engine.
GitHub push protection is available free of charge to all public repositories. It is available for use in private repositories as part of GitHub Advanced Security.