Resolving GitHub security alerts
We have controls on our Defra GitHub organisation that require approval to:
- bypass GitHub push protection
- dismiss GitHub security alerts
This guide covers how these processes work and how to request approval.
Push protection
All of our public repositories have GitHub secret scanning enabled, with push protection enforced.
This means that you will not be able to push code up to a public repository if GitHub detects a secret in your code.
Secret scanning has a low false-positive rate, but it does occasionally flag something that is not a secret. Before requesting a bypass, check what was flagged. If it is a real credential, do not bypass: remove it from the commit(s) that introduced it (for example by amending or rebasing) and rotate the credential, as anything pushed to a public repository should be treated as compromised. If it genuinely is a false positive, you can bypass the push protection through the GitHub UI by providing a reason for the bypass.
Doing so creates a request that requires approval, and the push stays blocked until it is approved. Post a message in the #github-support channel on the defra-digital Slack to have your request actioned.
You should provide:
- a link to the bypass request
- a brief explanation of why the protection should be bypassed
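The quickest way to avoid a blocked push is to catch the secret locally before it is committed. The following is an added example, not Defra tooling and not GitHub's own scanner: a small pre-push style check that scans the added lines of a unified diff for a few well-known secret formats (GitHub classic PAT prefix, AWS access key ID, PEM private key header) and reports obvious placeholders separately, so a real credential gets removed and rotated rather than bypassed. The patterns, placeholder markers and the sample diff are constructed for illustration and are not a complete pattern set.

```python
"""Local check for well-known secret formats in a git diff (added example)."""
import re
from dataclasses import dataclass

# Assumed patterns for a few well-known token formats. These are illustrative
# and much narrower than GitHub's secret scanning pattern set.
PATTERNS = {
    "github_pat": re.compile(r"ghp_[A-Za-z0-9]{36}"),
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}

# Markers that usually indicate a documented placeholder rather than a live value.
PLACEHOLDER_MARKERS = ("EXAMPLE", "PLACEHOLDER", "CHANGEME", "XXXX")

HUNK_RE = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass
class Finding:
    path: str
    line: int        # line number in the new version of the file
    kind: str
    text: str
    placeholder: bool


def looks_like_placeholder(token: str) -> bool:
    upper = token.upper()
    return any(marker in upper for marker in PLACEHOLDER_MARKERS)


def scan_diff(diff_text: str) -> list[Finding]:
    """Return findings for secrets on *added* lines of a unified diff."""
    findings: list[Finding] = []
    path = None
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith(("diff --git", "--- ", "index ", "\\")):
            continue
        if raw.startswith("+++ "):
            # "+++ b/path" names the post-change file
            path = raw[4:].removeprefix("b/")
            continue
        hunk = HUNK_RE.match(raw)
        if hunk:
            new_line = int(hunk.group(1))
            continue
        if raw.startswith("-"):
            # Removed lines introduce nothing new; only added lines are checked.
            continue
        if raw.startswith("+"):
            content = raw[1:]
            for kind, pattern in PATTERNS.items():
                for hit in pattern.finditer(content):
                    token = hit.group(0)
                    findings.append(Finding(path, new_line, kind, token,
                                            looks_like_placeholder(token)))
        # Context and added lines both advance the new-file line counter.
        new_line += 1
    return findings


def blocking_findings(diff_text: str) -> list[Finding]:
    """Findings that should stop the push: real-looking, not placeholders."""
    return [f for f in scan_diff(diff_text) if not f.placeholder]


# Constructed sample diff: the token values are made up for this example and
# are not live credentials. The PAT body is 36 characters, as the pattern expects.
FAKE_PAT = "ghp_" + "A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"
SAMPLE_DIFF = "\n".join([
    "diff --git a/config/settings.py b/config/settings.py",
    "--- a/config/settings.py",
    "+++ b/config/settings.py",
    "@@ -1,3 +1,5 @@",
    " DEBUG = False",
    '-OLD_KEY = "' + "AKIA" + "Z" * 16 + '"',
    "+# constructed token for this example, not a live credential",
    '+GITHUB_TOKEN = "' + FAKE_PAT + '"',
    '+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    " ALLOWED_HOSTS = []",
    "diff --git a/deploy/id_rsa b/deploy/id_rsa",
    "--- /dev/null",
    "+++ b/deploy/id_rsa",
    "@@ -0,0 +1,3 @@",
    "+-----BEGIN OPENSSH PRIVATE KEY-----",
    "+b3BlbnNzaC1rZXktdjEAAAAAQ29uc3RydWN0ZWQ=",
    "+-----END OPENSSH PRIVATE KEY-----",
])

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        status = "placeholder" if f.placeholder else "BLOCK"
        print(f"{status:11} {f.path}:{f.line} {f.kind}: {f.text}")
```

Only added lines are checked because a secret on a removed line was already in history and needs rotation regardless of this push. The placeholder heuristic is deliberately simple; anything it reports as blocking should be removed from the commit and rotated, not carried into a bypass request.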
Code security alerts
In addition to secret scanning, GitHub can raise other security alerts on your code, such as Dependabot alerts for vulnerable dependencies and code scanning alerts. These can be seen under the Security tab in your repository.
We expect repository owners to review these alerts regularly and action them, either by fixing the issue or by dismissing the alert with a reason.
Dismissing an alert creates a request that requires approval, and the alert stays open until it is approved. Post a message in the #github-support channel on the defra-digital Slack to have your request actioned.
You should provide:
- a link to the alert dismissal request
- a brief explanation of why the alert can be dismissed
Approval
You'll receive a response on the Slack channel as soon as possible.
Where we can, we will approve the request and let you know; otherwise we may ask for further information. Either way, communication will be via the Slack channel.