| Field | Value |
| --- | --- |
| Category | CICD-SEC-6 |
| Severity | HIGH |
| Auto-fix | |
| Source | Repository configuration |

What the check does

Reads security_and_analysis.secret_scanning_push_protection.status. Fires when explicitly "disabled". Silent when the field is absent (the feature isn’t available for this repo).

Why it matters

Standard secret scanning is detective — it alerts you after the secret hits the remote. Push protection is preventative — the push is rejected before any secret reaches the server. Without push protection:
  • Leaked secrets live in git history forever (unless someone does a force-rewrite, which is a separate problem).
  • Every fork, every clone, every CI cache, every backup has the secret too.
  • The remediation is full rotation (the secret cannot be “removed”, only invalidated) — which is expensive and often goes incomplete.
With push protection on, the committer is notified before the leak ever leaves their machine, and they have the chance to rotate (or simply not commit) before any blast radius opens up.

How to fix

Settings → Code security → Secret scanning → Push protection → Enable. Make sure Secret scanning itself is on; push protection requires it.
Like secret scanning, push protection is free for public repos and requires Advanced Security on private repos. Pipefort stays silent when the feature is unavailable.
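
The tri-state logic from "What the check does" and the API equivalent of the settings path in "How to fix", as an added example (not Pipefort's own code). It assumes the repository object has the shape returned by GitHub's `GET /repos/{owner}/{repo}`; the function names, the finding layout and the sample repositories are constructed for illustration.

```python
"""Added example: tri-state evaluation of push protection on GitHub repo JSON."""
from typing import Optional

FIELD = "secret_scanning_push_protection"

def _status(repo: dict, feature: str) -> Optional[str]:
    """Return the feature's status string, or None when any level is absent."""
    sa = repo.get("security_and_analysis")
    if not isinstance(sa, dict):
        return None
    entry = sa.get(feature)
    if not isinstance(entry, dict):
        return None
    return entry.get("status")

def evaluate(repo: dict) -> Optional[dict]:
    """Return a finding only when push protection is explicitly "disabled"."""
    if _status(repo, FIELD) != "disabled":
        return None  # enabled, or absent (feature unavailable): stay silent
    return {
        "repo": repo.get("full_name"),
        "category": "CICD-SEC-6",
        "severity": "HIGH",
        # Push protection requires secret scanning, so report its state too.
        "secret_scanning": _status(repo, "secret_scanning"),
    }

def remediation_body() -> dict:
    """Body for PATCH /repos/{owner}/{repo}: turn on both features together."""
    return {"security_and_analysis": {
        "secret_scanning": {"status": "enabled"},
        FIELD: {"status": "enabled"},
    }}

# Constructed sample payloads (trimmed to the fields the check reads).
SAMPLES = [
    {"full_name": "example-org/api", "security_and_analysis": {
        "secret_scanning": {"status": "enabled"},
        FIELD: {"status": "disabled"}}},
    {"full_name": "example-org/web", "security_and_analysis": {
        "secret_scanning": {"status": "enabled"},
        FIELD: {"status": "enabled"}}},
    {"full_name": "example-org/legacy"},  # field absent: feature unavailable
]

if __name__ == "__main__":
    for repo in SAMPLES:
        print(repo["full_name"], evaluate(repo))
```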