How does secrets scanning push protection really work

[BAStos525]

Select Topic Area

Question: system flow under secrets scanning push protection mechanism

Body

Hello! We have some common information about how secrets scanning process is organized and what flows are under its hood. But there is not an informative page how secrets scanning push protection works. Is its flow the same as for secrets scanning that are already were committed to a repository and is it sends like pre-commit to GitHub remote regex searching endpoint before a "real" push in advance? It could be great to get some more information how does secrets scanning push protection is reliable. Thank you.

[BAStos525]

On which side push protection feature scans a changes in commit before they will be pushed? On GitHub endpoints side? So, roughly speaking, does GitHub still send every time the code changes in the commit to scan to a some remote endpoint, before actually pushing the commit to the repository?

[BAStos525]

I guess when we are talking about client-side check, git hooks are there. Since most likely that GitHub secrets scanning push protection feature based on git hooks, these checks are server-side, right?

[BAStos525]

Right. But it's still not transparent how much secrets scanning are reliable and protected on GitHub side, among those secrets scanning and sharing for partners.

[BAStos525]

Sure. Actually about GitHub security practices for secrets scanning was my question initially. But I see now that most likely this information could not be exposed.

[queenofcorgis]

These topics were hidden as a result of our Generative AI policy. We want to ensure the integrity of content published on the community and ensure members use Generative AI in good faith.