> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# CICD-SEC-6 — Secret-scanning push protection is disabled

> Commits containing a detected secret are not blocked at push time. Leaked credentials live in history until rotated.

| Field    | Value                                      |
| -------- | ------------------------------------------ |
| Category | `CICD-SEC-6`                               |
| Severity | **HIGH**                                   |
| Auto-fix | ✓ (via `--fix-settings` or web Fix button) |
| Source   | Repository configuration                   |

## What the check does

Reads `security_and_analysis.secret_scanning_push_protection.status`. Fires when explicitly `"disabled"`. Silent when the field is absent (the feature isn't available for this repo).

## Why it matters

Standard secret scanning is *detective* — it alerts you after the secret hits the remote. Push protection is *preventative* — the push is rejected before any secret reaches the server.

Without push protection:

* Leaked secrets live in git history forever (unless someone does a force-rewrite, which is a separate problem).
* Every fork, every clone, every CI cache, every backup has the secret too.
* The remediation is full rotation (the secret cannot be "removed", only invalidated) — which is expensive and often goes incomplete.

With push protection on, the committer is notified before the leak ever leaves their machine, and they have the chance to rotate (or simply not commit) before any blast radius opens up.

## How to fix

Settings → Code security → **Secret scanning** → **Push protection** → **Enable**.

Make sure [Secret scanning](/rules/cicd-sec-6-secret-scanning-off) itself is on; push protection requires it.

> Like secret scanning, push protection is free for public repos and requires Advanced Security on private repos. Pipefort stays silent when the feature is unavailable.
