Exempting trusted actors from push protection

Reduce friction for trusted automation by granting exemptions from push protection.

Who can use this feature?

Repository owners, organization owners, security managers, and users with the admin role

In this article

Warning

Push protection exemptions are designed for trusted automation that needs to push many commits with minimal friction. Exemptions may lead to leaked secrets, and should be granted with caution.

Granting exemptions for your repository

Note

If an organization or enterprise owner configures delegated bypass at the organization or enterprise level, the repository-level settings are disabled.

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    Screenshot of a repository header showing the tabs. The "Settings" tab is highlighted by a dark orange outline.

  3. In the "Security" section of the sidebar, click Advanced Security.

  4. Under "Secret Protection," ensure that push protection is enabled for the repository.

  5. Under "Push protection," to the right of "Who can bypass push protection for secret scanning," select the dropdown menu, then click Specific roles or teams.

  6. Under "Bypass list," click Add role or team.

  7. In the dialog box, select the roles and teams that you want to add to the bypass list, then click Add selected.

    Note

    You can't add secret teams to the bypass list.

  8. To fully exempt the actors from push protection, to the right of the actors' details, select , then click Exempt.

Granting exemptions for your organization

  1. On GitHub, navigate to the main page of the organization.

  2. Under your organization name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    Screenshot of the tabs in an organization's profile. The "Settings" tab is outlined in dark orange.

  3. In the "Security" section of the sidebar, select the Advanced Security dropdown menu, then click Configurations.

  4. Create a new custom security configuration, or edit an existing one. See Creating a custom security configuration.

  5. When defining the custom security configuration, under "Secret scanning," ensure that "Push protection" is set to Enabled.

  6. Under "Push protection," to the right of "Bypass privileges," select the dropdown menu, then click Specific actors.

  7. Select the Select actors dropdown menu, then choose the actors you want to add to the bypass list.

    Note

    • You can't add secret teams to the bypass list.

  8. To fully exempt the actors from push protection, to the right of the actors' details, select , then click Exempt.

  9. Click Save configuration.

  10. Apply the security configuration to repositories in your organization. See Applying a custom security configuration.

Granting exemptions for your enterprise

  1. Navigate to your enterprise. For example, from the Enterprises page on GitHub.com.

  2. At the top of the page, click Settings.

  3. In the left sidebar, click Advanced Security.

  4. In the "Security" section of the sidebar, select the Advanced Security dropdown menu, then click Configurations.

  5. Create a new custom security configuration, or edit an existing one. See Creating a custom security configuration for your enterprise.

  6. Under Secret scanning, ensure Push protection is enabled.

  7. Under "Push protection," to the right of "Bypass privileges," select the dropdown menu, then click Specific actors.

    Note

    You can't add secret teams to the bypass list.

  8. Select the Select actors dropdown menu, then choose the actors you want to add to the bypass list.

  9. To fully exempt the actors from push protection, to the right of the actors' details, select , then click Exempt.

  10. Click Save configuration.

  11. Apply the security configuration to organizations and repositories in your enterprise. See Applying a custom security configuration to your enterprise.