Guide for configuring and managing GitHub secret scanning, push protection, custom patterns, and secret alert remediation. For pre-commit secret scanning in AI coding agents via the GitHub MCP Server, this skill references the Advanced Security plugin (`advanced-security@copilot-plugins`). Use this skill when enabling secret scanning, setting up push protection, defining custom patterns, triaging alerts, resolving blocked pushes, or when an agent needs to scan code for secrets before committing.
github · 30,320 stars · 24.03.2026
Profession
Categories
Git Workflows
Skill Content
This skill provides procedural guidance for configuring GitHub secret scanning — detecting leaked credentials, preventing secret pushes, defining custom patterns, and managing alerts.
When to Use This Skill
Use this skill when the request involves:
Enabling or configuring secret scanning for a repository or organization
Setting up push protection to block secrets before they reach the repository
Defining custom secret patterns with regular expressions
Resolving a blocked push from the command line
Triaging, dismissing, or remediating secret scanning alerts
Configuring delegated bypass for push protection
Excluding directories from secret scanning via secret_scanning.yml
Enabling validity checks or extended metadata checks
Scanning local code changes for secrets before committing (via MCP / AI coding agent) — see the Pre-Commit Scanning via AI Coding Agents section below for the recommended plugin
Validity checks: GitHub periodically tests detected credentials against provider APIs
Status shown in alert: active, inactive, or unknown
Extended metadata checks — additional context about who owns a secret:
Requires validity checks to be enabled first
Helps prioritize remediation and identify responsible teams
Core Workflow — Resolve Blocked Pushes
When push protection blocks a push from the command line:
Option A: Remove the Secret
If the secret is in the latest commit:
# Remove the secret from the file
# Then amend the commit
git commit --amend --all
git push
If the secret is in an earlier commit:
# Find the earliest commit containing the secret
git log
# Start interactive rebase before that commit
git rebase -i <COMMIT-ID>~1
# Change 'pick' to 'edit' for the offending commit
# Remove the secret, then:
git add .
git commit --amend
git rebase --continue
git push
Option B: Bypass Push Protection
Visit the URL returned in the push error message (as the same user)
Select a bypass reason:
It's used in tests — alert created and auto-closed
It's a false positive — alert created and auto-closed
I'll fix it later — open alert created
Click Allow me to push this secret
Re-push within 3 hours
Option C: Request Bypass Privileges
If delegated bypass is enabled and you lack bypass privileges:
Visit the URL from the push error
Add a comment explaining why the secret is safe
Click Submit request
Wait for email notification of approval/denial
If approved, push the commit; if denied, remove the secret
For detailed bypass and delegated bypass workflows, search references/push-protection.md.
Custom Patterns
Define organization-specific secret patterns using regular expressions.
Quick Setup
Settings → Advanced Security → Custom patterns → New pattern
Enter pattern name and regex for secret format
Add a sample test string
Click Save and dry run to test (up to 1,000 results)
Review results for false positives
Click Publish pattern
Optionally enable push protection for the pattern
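The dry run in step 4 is where false positives surface, and the usual fix is the pattern's "Additional match requirements" rather than a looser secret format. The following is an added example, not GitHub's code: it mirrors the custom pattern form (secret format, before/after secret, must-match and must-not-match requirements) in Python so the dry run can be reasoned about offline. GitHub matches with Hyperscan, so Python's `re` is only an approximation; the `acme_live_` token format, the `ACME_KEY` pattern and `SAMPLE_FILES` are all constructed for illustration.

```python
"""Simulated "Save and dry run" for a GitHub secret scanning custom pattern.

Added example, not GitHub's code. The ACME token format and the sample files
are constructed; Python `re` stands in for GitHub's Hyperscan matcher.
"""
import re
from dataclasses import dataclass, field


@dataclass
class CustomPattern:
    name: str
    secret_format: str
    # Python forms of GitHub's defaults \A|[^0-9A-Za-z] and \z|[^0-9A-Za-z]:
    # the secret must not be glued to an alphanumeric character on either side.
    before_secret: str = r"(?<![0-9A-Za-z])"
    after_secret: str = r"(?![0-9A-Za-z])"
    # "Additional match requirements": each regex is checked against the
    # matched secret only, not against the whole line.
    must_match: list = field(default_factory=list)
    must_not_match: list = field(default_factory=list)

    def __post_init__(self):
        self._regex = re.compile(
            f"{self.before_secret}(?P<secret>{self.secret_format}){self.after_secret}"
        )
        self._must = [re.compile(p) for p in self.must_match]
        self._must_not = [re.compile(p) for p in self.must_not_match]

    def find(self, text):
        """Return every secret in `text` that satisfies all requirements."""
        hits = []
        for m in self._regex.finditer(text):
            secret = m.group("secret")
            if all(r.search(secret) for r in self._must) and not any(
                r.search(secret) for r in self._must_not
            ):
                hits.append(secret)
        return hits


def dry_run(pattern, files, limit=1000):
    """Scan {path: content} and return (path, line_no, secret) tuples,
    capped like the UI's dry run at 1,000 results."""
    results = []
    for path, content in files.items():
        for line_no, line in enumerate(content.splitlines(), start=1):
            for secret in pattern.find(line):
                results.append((path, line_no, secret))
                if len(results) >= limit:
                    return results
    return results


# Constructed: a hypothetical "acme_live_" key with a 32-character body.
# The must-not-match rules drop documentation placeholders and zeroed test
# fixtures, which is exactly what a reviewer would otherwise flag by hand.
ACME_KEY = CustomPattern(
    name="ACME live API key (constructed)",
    secret_format=r"acme_live_[A-Za-z0-9]{32}",
    must_not_match=[r"(?i)example", r"0{16}"],
)

# Constructed repository contents for the dry run.
SAMPLE_FILES = {
    "app/config.py": 'ACME_KEY = "acme_live_Qx7mRt2LpV9sWb4NcJ8fHg3KdY6zTa1E"\n',
    "README.md": "Export ACME_KEY=acme_live_EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAM before running.\n",
    "tests/fixtures.py": 'FAKE_KEY = "acme_live_00000000000000000000000000000000"\n',
    "notes.txt": "legacyacme_live_Qx7mRt2LpV9sWb4NcJ8fHg3KdY6zTa1E has no token boundary\n",
}

if __name__ == "__main__":
    for path, line_no, secret in dry_run(ACME_KEY, SAMPLE_FILES):
        print(f"{path}:{line_no}: {secret}")
```

Only `app/config.py` survives the run: the README placeholder and the zeroed fixture are removed by the must-not-match rules, and the `notes.txt` string fails the before-secret boundary because the token is glued to `legacy`. Tightening the pattern this way keeps the real hit while leaving nothing to dismiss after publishing.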
Scopes
Custom patterns can be defined at:
Repository level — applies to that repo only
Organization level — applies to all repos with secret scanning enabled
Enterprise level — applies across all organizations
Copilot-Assisted Pattern Generation
Use Copilot secret scanning to generate regex from a text description of the secret type, including optional example strings.
For detailed custom pattern configuration, search references/custom-patterns.md.
Alert Management
Alert Types
Type | Description | Visibility
User alerts | Secrets found in repository | Security tab
Push protection alerts | Secrets pushed via bypass | Security tab (filter: bypassed: true)
Partner alerts | Secrets reported to provider | Not shown in repo (provider-only)
Alert Lists
Default alerts — supported provider patterns and custom patterns
Generic alerts — non-provider patterns and AI-detected secrets (limited to 5,000 per repo)
Remediation Priority
Rotate the credential immediately — this is the critical action
Review the alert for context (location, commit, author)
Check validity status: active (urgent), inactive (lower priority), unknown
Remove from Git history if needed (time-intensive, often unnecessary after rotation)
Dismissing Alerts
Dismiss with a documented reason:
False positive — detected string is not a real secret
Revoked — credential has already been revoked
Used in tests — secret is only in test code
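The priority and dismissal rules above are easy to apply to one alert and easy to get wrong across a backlog. The following is an added example, not GitHub's code: it orders open alerts by validity (active first, unknown treated as possibly live, inactive last) and, within the same validity, puts bypassed pushes ahead of ordinary finds, and it refuses any dismissal reason not on the documented list. The `Alert` field names follow the secret scanning alerts REST API as assumed here (`number`, `secret_type`, `validity`, `push_protection_bypassed`, `state`, `resolution`), and the `SAMPLE_ALERTS` are constructed.

```python
"""Triage queue for secret scanning alerts.

Added example, not GitHub's code. Field names are assumed to follow the
secret scanning alerts REST API; the sample alerts are constructed.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Alert:
    number: int
    secret_type: str
    validity: str                   # "active", "inactive" or "unknown"
    push_protection_bypassed: bool  # secret entered the repo via a bypass
    state: str = "open"             # "open" or "resolved"
    resolution: Optional[str] = None


# Remediation priority: active is urgent, inactive can wait, and unknown sits
# in between because the credential may still work.
VALIDITY_RANK = {"active": 0, "unknown": 1, "inactive": 2}

# The three documented dismissal reasons, as resolution values (assumed API spelling).
DISMISS_REASONS = {"false_positive", "revoked", "used_in_tests"}


def priority(alert):
    """Sort key, lower first. A bypassed push outranks an ordinary find with the
    same validity because someone chose to push it anyway."""
    return (
        VALIDITY_RANK.get(alert.validity, VALIDITY_RANK["unknown"]),
        0 if alert.push_protection_bypassed else 1,
        alert.number,
    )


def triage(alerts):
    """Open alerts in the order they should be worked; resolved ones drop out."""
    return sorted((a for a in alerts if a.state == "open"), key=priority)


def dismiss(alert, reason):
    """Close an alert with a documented reason; anything else is refused."""
    if reason not in DISMISS_REASONS:
        raise ValueError(f"undocumented dismissal reason: {reason!r}")
    return replace(alert, state="resolved", resolution=reason)


def next_action(alert):
    """First step for an alert: rotation comes before any history rewriting."""
    if alert.validity == "active":
        return "rotate now: credential is live"
    if alert.validity == "unknown":
        return "rotate: validity could not be checked, assume live"
    return "confirm revoked at provider, then resolve as revoked"


# Constructed alerts as they might come back from the API.
SAMPLE_ALERTS = [
    Alert(101, "example_provider_token", "inactive", False),
    Alert(102, "example_provider_token", "active", False),
    Alert(103, "custom_acme_key", "unknown", True),
    Alert(104, "custom_acme_key", "active", True),
    Alert(105, "example_provider_token", "active", False, "resolved", "revoked"),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS):
        flag = "bypassed" if a.push_protection_bypassed else "found"
        print(a.number, a.validity, flag, next_action(a))
```

Running it yields the queue 104, 102, 103, 101: the active bypassed key first, the active provider token next, the unknown one before the inactive one, and alert 105 absent because it is already resolved.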
For detailed alert types, validity checks, and REST API, search references/alerts-and-remediation.md.
Pre-Commit Scanning via AI Coding Agents
For scanning code changes for secrets inside an AI coding agent before committing, install the Advanced Security plugin, which provides the run_secret_scanning MCP tool and a dedicated scanning skill.
GitHub Copilot CLI:
/plugin install advanced-security@copilot-plugins
Visual Studio Code:
In Copilot Chat, open Chat: Plugins (or use @agentPlugins) and install the advanced-security plugin
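What such a pre-commit check has to do is scan only the lines a commit would add, so that a secret the commit removes is not reported as a new leak. The following is an added example, not the Advanced Security plugin or its run_secret_scanning tool: it parses a unified diff, keeps the `+` lines with their new-file line numbers, and runs two constructed detection rules (a hypothetical `acme_live_` key and a private key header) over them. `SAMPLE_DIFF` is constructed; the only real command involved is `git diff --cached`, invoked from `main` when the script is given its own `--staged` argument.

```python
"""Scan the lines a commit would add for secret-shaped strings.

Added example, not the Advanced Security plugin. The patterns and the sample
diff are constructed; `git diff --cached` is only run from the main block.
"""
import re
import subprocess
import sys

# Constructed detection rules (a real deployment would use the provider and
# custom patterns the repository's secret scanning configuration knows about).
PATTERNS = {
    "acme-live-key (constructed)": re.compile(
        r"(?<![0-9A-Za-z])acme_live_[A-Za-z0-9]{32}(?![0-9A-Za-z])"
    ),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def added_lines(diff_text):
    """Yield (path, new_line_no, text) for every '+' line in a unified diff.
    Removed lines are skipped: a secret the commit deletes is not a new leak."""
    path, line_no = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path  # strip git's b/ prefix
        elif raw.startswith("--- "):
            continue  # old-file header, not a removed line
        elif (m := HUNK_HEADER.match(raw)):
            line_no = int(m.group(1))  # new-file start line of this hunk
        elif raw.startswith("+"):
            yield path, line_no, raw[1:]
            line_no += 1
        elif raw.startswith(" "):
            line_no += 1  # context line advances the new-file numbering
        # '-' lines, 'diff --git', 'index' and mode lines do not advance it


def scan_diff(diff_text):
    """Return (rule, path, line_no) for every added line that matches a rule."""
    findings = []
    for path, line_no, text in added_lines(diff_text):
        for rule, regex in PATTERNS.items():
            if regex.search(text):
                findings.append((rule, path, line_no))
    return findings


def staged_diff():
    """Unified diff of what `git commit` would include (needs git on PATH)."""
    result = subprocess.run(
        ["git", "diff", "--cached", "--no-color"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


# Constructed diff: one file gains a hard-coded key (and loses the env lookup),
# a second file adds a private key block.
SAMPLE_DIFF = """\
diff --git a/app/settings.py b/app/settings.py
index 1111111..2222222 100644
--- a/app/settings.py
+++ b/app/settings.py
@@ -1,3 +1,4 @@
 import os
-API_KEY = os.environ["ACME_KEY"]
+API_KEY = "acme_live_Qx7mRt2LpV9sWb4NcJ8fHg3KdY6zTa1E"  # TODO: move back to env
+TIMEOUT = 30
 DEBUG = False
diff --git a/deploy/id_rsa b/deploy/id_rsa
new file mode 100644
index 0000000..3333333
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,3 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+(constructed placeholder, not a real key)
+-----END OPENSSH PRIVATE KEY-----
"""

if __name__ == "__main__":
    diff = staged_diff() if "--staged" in sys.argv[1:] else SAMPLE_DIFF
    findings = scan_diff(diff)
    for rule, path, line_no in findings:
        print(f"{path}:{line_no}: {rule}")
    sys.exit(1 if findings else 0)  # non-zero blocks the commit when used as a hook
```

On the sample diff the script reports `app/settings.py:2` for the key and `deploy/id_rsa:1` for the private key header, and exits 1; the removed `os.environ` line is never scanned. Installed as a `pre-commit` hook and run with `--staged`, the same exit code stops the commit before push protection ever sees it.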