Enabling delegated bypass for push protection

You can use delegated bypass for your organization or repository to control who can push commits that contain secrets identified by secret scanning.

Who can use this feature?

Organization owners and repository administrators can enable delegated bypass for push protection for their organization and repository, respectively.

Push protection for repositories and organizations is available for user-owned public repositories for free. Organizations using GitHub Enterprise Cloud with a license for GitHub Advanced Security can also enable push protection on their private and internal repositories.

About enabling delegated bypass for push protection

Note

Delegated bypass for push protection is currently in beta and subject to change.

Delegated bypass for push protection lets you define contributors who can bypass push protection and adds an approval process for other contributors. For more information, see "About delegated bypass for push protection."

When you enable this feature, you will create a bypass list of roles and teams who can manage requests to bypass push protection. If you don't already have appropriate teams or roles to use, you should create additional teams before you start.

Note

You can't add secret teams to the bypass list.

Alternatively, you can grant specific organization members the ability to review and manage bypass requests using fine-grained permissions, which give you more refined control over which individuals and teams can approve and deny bypass requests. For more information, see "Using fine-grained permissions to control who can review and manage bypass requests."

Configuring delegated bypass for an organization

  1. On GitHub, navigate to the main page of the organization.

  2. Under your organization name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

  3. In the "Security" section of the sidebar, click Code security and analysis.

    Note

    If your organization is enrolled in the security configurations and global settings public beta, instead of "Code security and analysis", you will see a "Code security" dropdown menu. Select Code security, then click Global settings.

  4. Under "Code security and analysis", find "GitHub Advanced Security."

  5. Under "Push protection", to the right of "Who can bypass push protection for secret scanning", select the dropdown menu, then click Specific roles or teams.

  6. Under "Bypass list", click Add role or team.

  7. In the dialog box, select the roles and teams that you want to add to the bypass list, then click Add selected.

Configuring delegated bypass for a repository

Note

If an organization owner configures delegated bypass at the organization level, the repository-level settings are disabled.

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

  3. In the "Security" section of the sidebar, click Code security and analysis.

  4. Under "Code security and analysis", find "GitHub Advanced Security."

  5. Under "Push protection", to the right of "Who can bypass push protection for secret scanning", select the dropdown menu, then click Specific roles or teams.

  6. Under "Bypass list", click Add role or team.

    Note

    You can't add secret teams to the bypass list.

  7. In the dialog box, select the roles and teams that you want to add to the bypass list, then click Add selected.

Using fine-grained permissions to control who can review and manage bypass requests

You can grant specific individuals or teams the ability to review and manage bypass requests using fine-grained permissions.

  1. Ensure that delegated bypass is enabled for the organization. To enable it, follow steps 1-5 in "Configuring delegated bypass for an organization."
  2. Create (or edit) a custom organization role. For information on creating and editing custom roles, see "Managing custom organization roles."
  3. When choosing which permissions to add to the custom role, select the "Review and manage secret scanning bypass requests" permission.
  4. Assign the custom role to individual members or teams in your organization. For more information on assigning custom roles, see "Using organization roles."