Skip to content
Latchkey

How to Enable GitHub Push Protection and Secret Scanning

GitHub native secret scanning detects known provider tokens; push protection rejects a push that introduces one.

Enable secret scanning and push protection in repository (or org) settings. Push protection blocks a push containing a recognized token unless the author explicitly bypasses it with a reason.

Steps

  • Open Settings to Code security and analysis.
  • Enable Secret scanning, then enable Push protection.
  • For many repos, set an org-level default so new repos inherit it.

Terminal

Terminal
# enable at scale with the GitHub CLI (org-level)
gh api -X PATCH /orgs/ORG \
  -f secret_scanning_push_protection_enabled_for_new_repositories=true

Gotchas

  • Native scanning covers partnered provider patterns; add a tool like Gitleaks for custom or generic secrets.
  • A bypassed push still exposes the secret: rotate it, do not rely on the bypass reason as a fix.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →