How to Enable GitHub Push Protection and Secret Scanning
GitHub native secret scanning detects known provider tokens; push protection rejects a push that introduces one.
Enable secret scanning and push protection in repository (or org) settings. Push protection blocks a push containing a recognized token unless the author explicitly bypasses it with a reason.
Steps
- Open Settings to Code security and analysis.
- Enable Secret scanning, then enable Push protection.
- For many repos, set an org-level default so new repos inherit it.
Terminal
Terminal
# enable at scale with the GitHub CLI (org-level)
gh api -X PATCH /orgs/ORG \
-f secret_scanning_push_protection_enabled_for_new_repositories=trueGotchas
- Native scanning covers partnered provider patterns; add a tool like Gitleaks for custom or generic secrets.
- A bypassed push still exposes the secret: rotate it, do not rely on the bypass reason as a fix.
Related guides
How to Roll Out Org-Wide Secret Scanning PolicyApply secret scanning consistently across an organization with a reusable workflow and org defaults, so every…
How to Upload Secret Scan Results as SARIF to Code ScanningPublish secret scanner findings to the GitHub Security tab by writing SARIF and uploading it with github/code…