Managing requests to bypass push protection

As a member of the bypass list for an organization or repository, you can review bypass requests from other members of the organization or repository.

Who can use this feature?

Members of the bypass list can process requests from non-members to bypass push protection.

Push protection is available for organization-owned repositories in GitHub Enterprise Server if your enterprise has a license for GitHub Advanced Security.

Managing requests to bypass push protection

Note

Delegated bypass for push protection is currently in beta and subject to change.

Delegated bypass for push protection lets you define contributors who can bypass push protection and adds an approval process for other contributors.

An organization owner or repository administrator defines which roles and teams are included in a bypass list. Members of the bypass list can view and manage all requests for bypass privileges on the "Push protection bypass" page, located under the Security tab of the repository. For more information, see "Enabling delegated bypass for push protection."

Members of the bypass list are still protected from accidentally pushing secrets to a repository. If they attempt to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. Members of the bypass list do not have to request bypass privileges from other members in order to override the block.

To help you effectively triage secrets for which there is a bypass request, GitHub displays the following information in the request:

  • Name of the user who attempted the push.
  • Repository where the push was attempted.
  • Commit hash of the push.
  • Timestamp of the push.

Managing requests to bypass push protection at the repository level

  1. On GitHub, navigate to the main page of the repository.
  2. Under the repository name, click Security. If you cannot see the "Security" tab, select the dropdown menu, and then click Security.
  3. In the left sidebar, under "Requests," click Push protection bypass.
  4. Select the All statuses dropdown menu, then click Open to view requests that are awaiting review, or that have been approved but for which the commits haven't been pushed to the repository yet.
  5. Click the request that you want to review.
  6. Review the details of the request.
  7. To allow the contributor to push the commit containing the secret, click Approve bypass request. Or, to require the contributor to remove the secret from the commit, click Deny bypass request.

Filtering by request status

You can filter requests by approver (member of the bypass list), requester (contributor making the request), timeframe, and status. The following statuses are assigned to a request:

| Status | Description |
|---|---|
| Cancelled | The request has been cancelled by the contributor. |
| Completed | The request has been approved and the commit(s) have been pushed to the repository. |
| Denied | The request has been reviewed and denied. |
| Expired | The request has expired. Requests are valid for 7 days. |
| Open | The request has either not yet been reviewed, or has been approved but the commit(s) have not been pushed to the repository. |

When a contributor requests bypass privileges to push a commit containing a secret, members of the bypass list all receive an email notification containing a link to the request. Members of the bypass list then have 7 days to review and either approve or deny the request before the request expires.

The contributor is notified of the decision by email and must take the required action. If the request is approved, the contributor can push the commit containing the secret to the repository. If the request is denied, the contributor must remove the secret from the commit in order to successfully push the commit to the repository.
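The following is an added example, not GitHub's code or an export format GitHub defines: a reviewer-side triage pass that splits "Open" requests into the two cases the status covers and orders the unreviewed ones by time left in the 7-day window. The record field names, the sample data, the 2-day warning threshold, and the assumption that the 7 days run from the time of the request are all assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

VALIDITY = timedelta(days=7)  # the page: "Requests are valid for 7 days"

# Constructed sample records. Field names are assumptions, not a GitHub export format.
REQUESTS = [
    {"requester": "alice", "repository": "org/api", "commit": "1a2b3c4",
     "requested_at": "2024-05-01T09:00:00+00:00", "status": "Open", "approver": None},
    {"requester": "bob", "repository": "org/web", "commit": "5d6e7f8",
     "requested_at": "2024-05-06T15:00:00+00:00", "status": "Open", "approver": None},
    {"requester": "carol", "repository": "org/api", "commit": "9a8b7c6",
     "requested_at": "2024-05-04T10:00:00+00:00", "status": "Open", "approver": "dave"},
    {"requester": "erin", "repository": "org/web", "commit": "0f1e2d3",
     "requested_at": "2024-04-20T08:00:00+00:00", "status": "Expired", "approver": None},
    {"requester": "frank", "repository": "org/api", "commit": "4c5b6a7",
     "requested_at": "2024-05-05T11:00:00+00:00", "status": "Denied", "approver": "dave"},
]

def triage(requests, now, warn_within=timedelta(days=2)):
    """Split Open requests into the two cases the status covers.

    awaiting_review: (record, time_left, urgent) tuples, soonest expiry first.
    approved_unpushed: records already approved whose commit has not been pushed.
    """
    awaiting, approved = [], []
    for req in requests:
        if req["status"] != "Open":
            continue  # Cancelled, Completed, Denied, Expired need no reviewer action
        if req["approver"] is not None:
            approved.append(req)
            continue
        # Assumption: the 7-day validity window starts when the request was made.
        left = datetime.fromisoformat(req["requested_at"]) + VALIDITY - now
        if left > timedelta(0):
            awaiting.append((req, left, left <= warn_within))
    awaiting.sort(key=lambda item: item[1])
    return {"awaiting_review": awaiting, "approved_unpushed": approved}

if __name__ == "__main__":
    now = datetime(2024, 5, 7, 12, 0, tzinfo=timezone.utc)  # fixed for a repeatable run
    result = triage(REQUESTS, now)
    for req, left, urgent in result["awaiting_review"]:
        flag = "URGENT" if urgent else "ok"
        print(f"{flag:6} {req['repository']} {req['commit']} by {req['requester']}: {left} left")
    for req in result["approved_unpushed"]:
        print(f"approved by {req['approver']}, not yet pushed: {req['repository']} {req['commit']}")
```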