
Working with push protection in the GitHub UI

Learn your options for unblocking your commit when secret scanning detects a secret in your changes.

Who can use this feature?

Users with write access

About push protection in the GitHub UI

When you upload, create, or edit files from the GitHub UI, push protection prevents you from accidentally committing secrets to a repository by blocking commits containing supported secrets.

GitHub will also block the commit if you attempt to upload files containing supported secrets.

Note

Push protection for file uploads in the web UI is currently in public preview and subject to change.

You should either:

GitHub will only display one detected secret at a time in the web UI. If a particular secret has already been detected in the repository and an alert already exists, GitHub will not block that secret.

Organization owners can provide a custom link that will be displayed when a push is blocked. This custom link can contain resources and advice specific to your organization. For example, the custom link can point to a README file with information about the organization's secret vault, which teams and individuals to escalate questions to, or the organization's approved policy for working with secrets and rewriting commit history.

Resolving a blocked commit

When you try to commit a supported secret to a repository protected by push protection using the web UI, GitHub blocks the commit.

You will see a dialog box with information about the location of the secret, as well as options for allowing the secret to be pushed. The secret is also underlined in the file so that you can find it easily.

To resolve a blocked commit in the web UI, you need to remove the secret from the file. Once you remove the secret, you will be able to commit your changes.
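To make the behaviour described above concrete, here is an added Python example. It is not GitHub's code and not the real secret scanning engine; it scans a constructed set of files for an illustrative token pattern, reports the file, line and column of each hit and underlines it the way the block dialog does, and then shows that once the secret is removed the same check passes. The `ghp_` prefix followed by 36 alphanumeric characters is the real GitHub personal access token format; the `exk_` pattern is a constructed stand-in for another provider's token format, and the file contents are constructed sample data.

```python
import re
from typing import Dict, List, NamedTuple, Tuple


class Finding(NamedTuple):
    path: str
    line: int      # 1-based line number
    start: int     # 0-based column where the secret starts
    end: int       # 0-based column just past the secret
    kind: str      # which pattern matched


# Illustrative patterns only. "ghp_" + 36 alphanumerics is the real GitHub PAT
# format; "exk_" + 24 alphanumerics is a constructed placeholder standing in for
# any other provider's format. GitHub's own list of supported secrets is far larger.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "example_provider_key": re.compile(r"\bexk_[A-Za-z0-9]{24}\b"),
}


def scan_text(path: str, text: str) -> List[Finding]:
    """Scan one file's contents and return every secret-like match with its location."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(path, lineno, match.start(), match.end(), kind))
    return findings


def check_commit(files: Dict[str, str]) -> Tuple[bool, List[Finding]]:
    """Return (blocked, findings) for a proposed commit given as {path: contents}."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return (len(findings) > 0, findings)


def underline(files: Dict[str, str], finding: Finding) -> str:
    """Render the offending line with the secret underlined, like the block dialog."""
    line = files[finding.path].splitlines()[finding.line - 1]
    marker = " " * finding.start + "^" * (finding.end - finding.start)
    return f"{finding.path}:{finding.line}:{finding.start + 1} [{finding.kind}]\n{line}\n{marker}"


def remove_secrets(files: Dict[str, str]) -> Dict[str, str]:
    """Replace each matched secret with a placeholder so the commit can proceed.

    In a real fix you would read the value from a secret store or an environment
    variable instead of leaving any literal in the file."""
    cleaned: Dict[str, str] = {}
    for path, text in files.items():
        for kind, pattern in PATTERNS.items():
            text = pattern.sub(f"<REMOVED:{kind}>", text)
        cleaned[path] = text
    return cleaned


# Constructed sample commit: one file carries a token-shaped string (not a real credential).
SAMPLE_FILES: Dict[str, str] = {
    "config.py": (
        "# constructed example file\n"
        "API_URL = 'https://example.invalid'\n"
        "TOKEN = 'ghp_0123456789abcdef0123456789abcdef0123'\n"
    ),
    "README.md": "No secrets here.\n",
}


if __name__ == "__main__":
    blocked, findings = check_commit(SAMPLE_FILES)
    if blocked:
        print("Commit blocked: supported secret detected")
        for f in findings:
            print(underline(SAMPLE_FILES, f))
    fixed = remove_secrets(SAMPLE_FILES)
    print("After removal, blocked =", check_commit(fixed)[0])
```

The check mirrors the web UI flow: the commit is blocked while any match remains, the location is reported so you can find it, and once the literal is removed from the file the same commit goes through.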

Note

To learn how to resolve a blocked push on the command line, see Working with push protection from the command line.

Bypassing push protection

If GitHub blocks a secret that you believe is safe to commit, you may be able to bypass the block by specifying a reason for allowing the secret.

When you allow a secret to be pushed, an alert is created in the Security tab. If you specify that the secret is a false positive or is only used in tests, GitHub closes the alert and does not send notifications. If you specify that the secret is real and you will fix it later, GitHub keeps the security alert open and sends notifications to the author of the commit and to repository administrators. For more information, see "Managing alerts from secret scanning".

When a contributor bypasses a push protection block for a secret, GitHub also sends an email alert to organization owners, security managers, and repository administrators who have opted in to email notifications.

  1. In the dialog box that appeared when GitHub blocked your commit, review the name and location of the secret.

  2. Choose the option that best describes why you should be able to push the secret.

    • If the secret is only used in tests and poses no threat, click It's used in tests.

    • If the detected string is not a secret, click It's a false positive.

    • If the secret is real but you intend to fix it later, click I'll fix it later.

    Note

    If the repository has secret scanning enabled, you need to specify a reason for bypassing push protection.

    When pushing to a _public_ repository that does not have secret scanning enabled, _push protection for users_ (enabled by default for user accounts) still prevents you from accidentally pushing secrets.

    With push protection for users, GitHub automatically blocks pushes to public repositories that contain supported secrets, but you do not need to specify a reason for allowing the secret, and GitHub does not generate an alert. For more information, see "Push protection for users".

  3. Click Allow secret.

If you don't see the option to bypass the block, the repository administrator or organization owner has configured tighter controls around push protection. Instead, you should remove the secret from the commit, or submit a request for "bypass privileges" in order to push the blocked secret. For more information, see Requesting bypass privileges.

Requesting bypass privileges

If your commit has been blocked by push protection, you can request permission to bypass the block. The request is sent to a designated group of reviewers, who will either approve or deny the request.

Requests expire after 7 days.

  1. In the dialog box that appeared when GitHub blocked your commit, review the name and location of the secret.
  2. Click Start request. The request will open in a new tab.
  3. Under "Or request bypass privileges", add a comment. For example, you can explain why you think the secret is safe to push, or provide context about your request to bypass the block.
  4. Click Submit request.
  5. Check your email notifications for a response to the request.

Once your request has been reviewed, you will receive an email notifying you of the decision.

If your request is approved, you can commit the changes containing the secret to the file. You can also commit any future changes that contain the same secret.

If your request is denied, you will need to remove the secret from the file before you can commit your changes.

Further reading