Enterprise governance and policy improvements for secret scanning

Published: December 16, 2025 at 03:46 PM EST

Source: GitHub Changelog

At GitHub, we care deeply about ensuring enterprise‑readiness of our products. From recent improvements including enterprise‑level delegated bypass controls for push protection, to support for the new Enterprise Security Manager role, secret scanning is no exception.

Today, we’re announcing additional recent improvements to alert‑level and enterprise‑level permissions for secret scanning. With these improvements, we’re unlocking more ways to scale governance and policy across GitHub, making it easier for enterprises to manage secret scanning alerts, custom patterns, and push protection bypasses.

Permissions for secret scanning alert assignees

We’ve expanded permissions for secret scanning alert assignees to make alerts more actionable.

  • Assignment for anyone with alert write permissions: Added the ability to modify assignees for anyone who can modify or resolve secret scanning alerts. Anyone who can dismiss or reopen a secret scanning alert can now add or remove the alert assignment.
  • Assignees and alert write permissions: Added the ability for alert assignees to modify alerts, including resolving the alert and removing themselves as an assignee.

Enterprise owners and enterprise security managers with custom patterns

Custom pattern management at the enterprise level is now more permissive; previously, only a pattern’s creator could edit it.

  • Custom pattern management: Enterprise owners and enterprise security managers can now edit any custom pattern, regardless of who created it. This resolves the common pain point of orphaned custom patterns at the enterprise level.

Enterprise teams, roles, and apps with push protection bypasses

Support for Enterprise teams, organization roles, and GitHub Apps has been expanded to provide more flexible and secure policy management.

  • Delegated push protection bypasses: You can now delegate push protection bypass permissions to Enterprise Teams, roles, and apps, streamlining the process for handling bypass requests across the enterprise.
  • Removed 1‑actor requirement for bypass lists: Later this month we’ll remove the need to add at least one actor to the “push protection bypass list” in security configurations. Customers will be able to use custom roles with the push protection bypass fine‑grained permission without needing to provide access to a team or default role.

Learn more about delegated bypasses for push protection, custom patterns, and getting started with secret scanning.
