About delegated bypass for push protection

You can control which teams or roles have the ability to bypass push protection in your organization or repository.

Who can use this feature?

Push protection is available for free on user-owned public repositories. Organizations using GitHub Enterprise Cloud with a license for GitHub Advanced Security can also enable push protection on their private and internal repositories.

About delegated bypass for push protection

Note

Delegated bypass for push protection is currently in beta and subject to change.

Delegated bypass for push protection lets you define contributors who can bypass push protection and adds an approval process for other contributors.

When push protection is enabled, by default anyone with write access to the repository can bypass a block by giving a reason for allowing the push that contains the secret. With delegated bypass, only the roles and teams you specify can bypass push protection directly. All other contributors must instead request "bypass privileges"; the request is sent to a designated group of reviewers, who approve or deny it.

If the request is approved, the contributor can push the commit containing the secret. If the request is denied, the contributor must remove the secret from every affected commit before pushing again.

To configure delegated bypass, organization owners or repository administrators must change the "Who can bypass push protection for secret scanning" setting in the UI from Anyone with write access to Specific roles and teams.

Organization owners or repository administrators are then prompted to create a "bypass list". The bypass list comprises the specific roles and teams, such as the security team or repository administrators, who can bypass push protection themselves and who review bypass requests from contributors who are not on the list. For more information, see "Configuring delegated bypass for an organization" and "Configuring delegated bypass for a repository."

Alternatively, instead of creating a bypass list, you can grant specific organization members the ability to review and manage bypass requests using fine-grained permissions. For more information, see "Using fine-grained permissions to control who can review and manage bypass requests."

Members with permission to review (approve or deny) bypass requests can manage these requests through the "Push protection bypass" page in the Security tab of the repository. For more information, see "Managing requests to bypass push protection."

Members with permission to review and manage bypass requests are still protected from accidentally pushing secrets to a repository. If they attempt to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. Members with permission to review and manage bypass requests do not have to request bypass privileges from other members in order to override the block.

For information about enabling delegated bypass, see "Enabling delegated bypass for push protection."