
Working with push protection from the command line

Learn your options for unblocking your push from the command line to GitHub if secret scanning detects a secret in your changes.

Who can use this feature?

Users with write access

Resolving a blocked push

To resolve a blocked push, you must remove the secret from every commit it appears in. Removing it only from the latest commit is not enough: the earlier commits still carry it, and the push stays blocked. Rewriting history keeps the secret out of the repository, but if it was a live credential, treat it as exposed.

Removing a secret introduced by the latest commit on your branch

  1. Remove the secret from your code.
  2. To commit the changes, run git commit --amend --all. This stages every modified tracked file and rewrites the commit that introduced the secret, instead of adding a new commit on top of it (a new commit would leave the secret in the previous one, and the push would still be blocked).
  3. Push your changes with git push.

Removing a secret introduced by an earlier commit on your branch

  1. Examine the error message that displayed when you tried to push your branch, which lists all of the commits that contain the secret.

    remote:   —— GitHub Personal Access Token ——————————————————————
    remote:    locations:
    remote:      - commit: 8728dbe67
    remote:        path: README.md:4
    remote:      - commit: 03d69e5d3
    remote:        path: README.md:4
    remote:      - commit: 8053f7b27
    remote:        path: README.md:4
    
  2. Next, run git log to see a full history of all the commits on your branch, along with their corresponding timestamps.

    test-repo (test-branch)]$ git log
    commit 8053f7b27 (HEAD -> main)
    Author: Octocat <1000+octocat@users.noreply.github.com>
    Date:   Tue Jan 30 13:03:37 2024 +0100
    
      my fourth commit message
    
    commit 03d69e5d3
    Author: Octocat <1000+octocat@users.noreply.github.com>
    Date:   Tue Jan 30 13:02:59 2024 +0100
    
      my third commit message
    
    commit 8728dbe67
    Author: Octocat <1000+octocat@users.noreply.github.com>
    Date:   Tue Jan 30 13:01:36 2024 +0100
    
      my second commit message
    
    commit 6057cbe51
    Author: Octocat <1000+octocat@users.noreply.github.com>
    Date:   Tue Jan 30 12:58:24 2024 +0100
    
      my first commit message
    
    
  3. Focusing only on the commits that the error message lists, use the output of git log to identify which of them comes earliest in your Git history. git log prints newest first, so the earliest flagged commit is the one that appears lowest in the output.

    • In the example, commit 8728dbe67 was the first commit to contain the secret; 6057cbe51 is older but is not in the error message, so it is left alone.
  4. Start an interactive rebase with git rebase -i <COMMIT-ID>~1.

    • For <COMMIT-ID>, use the commit identified in step 3. For example, git rebase -i 8728dbe67~1.
  5. In the editor, choose to edit the commit identified in step 3 by changing pick to edit on the first line of the text.

    edit 8728dbe67 my second commit message
    pick 03d69e5d3 my third commit message
    pick 8053f7b27 my fourth commit message
    
  6. Save and close the editor to start the interactive rebase.

  7. Remove the secret from your code.

  8. Add your changes to the staging area using git add ..

    Note

    The full command is git add . :

    • There is a space between add and the period.
    • The period following the space is part of the command; it stages every change in the current directory.
  9. Commit your changes using git commit --amend. Add --no-edit if you want to keep the original commit message.

  10. Run git rebase --continue to finish the rebase.

  11. Push your changes with git push. The commits that contained the secret were rejected by the remote and never stored there, so a normal push succeeds; git push --force-with-lease is needed only if you rewrote commits that had already been pushed.
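Both procedures above (amending the tip commit, and the interactive rebase for a secret introduced earlier) can be scripted end to end. The following is an added example written for this page, not GitHub's tooling: it builds a throwaway repository in a temporary directory, uses a constructed placeholder string SECRET in place of a real token, mimics the error message's "locations" list locally with git grep, picks the earliest flagged commit automatically (step 3), and drives the rebase without an interactive editor by letting GIT_SEQUENCE_EDITOR rewrite the todo list (steps 4 through 10). The commit messages and file layout are assumptions chosen to mirror the page's scenario; the final git push (step 11) is omitted because the example has no remote.

```shell
#!/bin/sh
# Added example (not GitHub's code): scrub a secret from local history the way
# the procedure above does by hand. Everything is constructed: a throwaway repo
# in a temp dir, a placeholder SECRET standing in for a leaked token, and
# commit messages that mirror the page's scenario.
set -e
export GIT_EDITOR=true          # never open an interactive editor

SECRET='PLACEHOLDER_SECRET_not_a_real_token_1234'   # constructed stand-in

# Build a repo with four commits. Commit 2 adds the secret at README.md:4 and
# commits 3 and 4 keep it in the tree (they touch other files), so a server
# scanning each commit would flag three commits, as in the error message above.
make_repo() {
  dir=$(mktemp -d)
  git init -q "$dir"
  git -C "$dir" symbolic-ref HEAD refs/heads/main
  git -C "$dir" config user.email 'octocat@example.com'
  git -C "$dir" config user.name 'Octocat'
  printf '# test-repo\n' > "$dir/README.md"
  git -C "$dir" add . && git -C "$dir" commit -q -m 'my first commit message'
  printf '# test-repo\n\n\nTOKEN=%s\n' "$SECRET" > "$dir/README.md"
  git -C "$dir" commit -q -am 'my second commit message'
  printf 'debug=false\n' > "$dir/app.cfg"
  git -C "$dir" add . && git -C "$dir" commit -q -m 'my third commit message'
  printf 'notes\n' > "$dir/NOTES.md"
  git -C "$dir" add . && git -C "$dir" commit -q -m 'my fourth commit message'
  printf '%s\n' "$dir"
}

# Local stand-in for the "locations" list in the push error: every commit on
# the branch whose tree still contains the secret, newest first (like git log).
commits_with_secret() {
  for c in $(git -C "$1" rev-list HEAD); do
    if git -C "$1" grep -q -F -e "$SECRET" "$c"; then
      git -C "$1" rev-parse --short "$c"
    fi
  done
}

# Step 3 automated: of the flagged commits, return the one earliest in history.
# rev-list --reverse walks from the root commit towards HEAD, so the first
# flagged commit it meets is the oldest one (the lowest entry in git log).
earliest_commit() {
  dir=$1; shift
  for c in $(git -C "$dir" rev-list --reverse HEAD); do
    for s in "$@"; do
      case "$c" in "$s"*) printf '%s\n' "$s"; return 0 ;; esac
    done
  done
  return 1
}

# Steps 4-10 without the interactive editor. GIT_SEQUENCE_EDITOR edits the
# rebase todo list; the sed script flips the first "pick" to "edit", which is
# what step 5 does by hand. Rebase then stops at that commit for amending.
scrub_history() {
  dir=$1; first=$2
  GIT_SEQUENCE_EDITOR='sed -i.bak "1s/^pick/edit/"' \
    git -C "$dir" rebase -i "${first}~1"
  sed -i.bak "/$SECRET/d" "$dir/README.md" && rm "$dir/README.md.bak"  # step 7
  git -C "$dir" add .                                                   # step 8
  git -C "$dir" commit -q --amend --no-edit                             # step 9
  git -C "$dir" rebase --continue                                       # step 10
}

# Stand-alone demo of the whole flow; step 11 (git push) has no remote here.
repo=$(make_repo)
flagged=$(commits_with_secret "$repo")
first=$(earliest_commit "$repo" $flagged)
scrub_history "$repo" "$first" >/dev/null 2>&1
printf 'commits still containing the secret: %s\n' "$(commits_with_secret "$repo" | wc -l)"
```

Two points worth checking after running it: git rev-list --count HEAD still reports four commits (the rebase rewrote them rather than dropping any), and git grep for the placeholder across every commit comes back empty. The single-commit case from the first procedure is the degenerate form of scrub_history where the flagged commit is HEAD: git commit --amend --all on the tip does the same rewrite with no rebase at all.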

Bypassing push protection

Note

If you don't see the option to bypass a block, you must either remove the secret from the commit or submit a request for "bypass privileges" in order to push the blocked secret. See Requesting bypass privileges.

  1. As the same user who performed the push, visit the URL that GitHub returned when the push was blocked. If another user tries to visit this URL, they will receive a 404 error.

  2. Choose the option that best describes why you should be able to push the secret.

    • If the secret is only used in tests and poses no threat, click It's used in tests.

    • If the detected string is not a secret, click It's a false positive.

    • If the secret is real but you intend to fix it later, click I'll fix it later.

    Note

    If the repository has secret scanning enabled, you must specify a reason for bypassing push protection.

    When pushing to a _public_ repository that does not have secret scanning enabled, push protection for users (enabled by default for user accounts) can still prevent you from accidentally pushing secrets.

    With push protection for users, GitHub automatically blocks pushes to public repositories that contain supported secrets, but you do not have to specify a reason for allowing the secret, and GitHub does not generate an alert. For more information, see "Managing push protection for users".

  3. Click Allow me to push this secret.

  4. Reattempt the push on the command line within three hours. If you have not pushed within three hours, you will need to repeat this process.

Requesting bypass privileges

  1. As the same user who performed the push, visit the URL that GitHub returned when the push was blocked. If another user tries to visit this URL, they will receive a 404 error.

  2. Under "Or request bypass privileges", add a comment. For example, you can explain why you believe pushing the secret is safe, or provide context for your request to bypass the block.

  3. Click Submit request.

  4. Check your email notifications for a response to your request. Once your request has been reviewed, you will receive an email informing you of the decision.

    • If your request is approved, you can push the commit (or commits) containing the secret to the repository, as well as any future commits that contain the same secret.
    • If your request is denied, you need to remove the secret from all commits before pushing again. For information on how to remove a blocked secret, see Resolving a blocked push.

Further reading