Summary
The secrets-management skill reviews secret detection tooling, allowlists, history scanning, and rotation, but it does not currently require reviewers to inspect push protection bypasses.
Hosted secret scanning push protection can still be bypassed. GitHub documents that bypasses create alerts and audit-log events, and delegated bypass can add an approval workflow. Without reviewing bypass evidence, an assessment can over-credit push protection while real secrets are allowed into the repository under "fix later," "used in tests," or "false positive" reasons.
Proposed improvement
Add push protection bypass governance gates requiring reviewers to verify:
- push protection enablement at repository, organization, or enterprise scope
- bypass alerts and audit-log evidence, including actor, reason, repository, secret type, commit, and timestamp
- delegated bypass configuration for sensitive repositories
- reviewer role/team restrictions for bypass approvals
- remediation tickets and revocation/rotation evidence for "fix later" bypasses
- proof that "used in tests" and "false positive" bypasses are non-sensitive or safely scoped
- monitoring for repeat bypasses, noisy rules, and repositories with high bypass rates
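One way to apply these gates mechanically, as an added example that is not part of the issue or the skill: it runs the bypass checks over a constructed set of push protection bypass events. The event field names, the remediation map and the push counts are assumptions for illustration, not a verified audit-log schema.

```python
from collections import Counter

# Constructed sample bypass events carrying the evidence the gate asks for
# (actor, reason, repo, secret type, commit, timestamp). The field names are
# an assumption, not the real audit-log export format.
EVENTS = [
    {"actor": "alice", "repo": "acme/payments", "secret_type": "aws_access_key_id",
     "commit": "a1", "reason": "fix_later", "ts": "2024-05-01T10:00:00Z"},
    {"actor": "alice", "repo": "acme/payments", "secret_type": "aws_secret_access_key",
     "commit": "a2", "reason": "fix_later", "ts": "2024-05-02T09:30:00Z"},
    {"actor": "bob", "repo": "acme/web", "secret_type": "github_pat",
     "commit": "b1", "reason": "used_in_tests", "ts": "2024-05-03T12:00:00Z"},
    {"actor": "carol", "repo": "acme/web", "secret_type": "example_key_rule",
     "commit": "c1", "reason": "false_positive", "ts": "2024-05-03T13:00:00Z"},
    {"actor": "dave", "repo": "acme/web", "secret_type": "example_key_rule",
     "commit": "d1", "reason": "false_positive", "ts": "2024-05-04T08:00:00Z"},
]

# Constructed remediation evidence keyed by bypass commit: ticket plus whether
# the secret was revoked/rotated. A missing entry means no evidence at all.
REMEDIATION = {"a1": {"ticket": "SEC-101", "rotated": True}}

# Constructed push counts per repository over the same window (for bypass rates).
PUSHES = {"acme/payments": 40, "acme/web": 25}

def unremediated_fix_later(events, remediation):
    """Commits of 'fix later' bypasses with no ticket showing rotation done."""
    return sorted(e["commit"] for e in events if e["reason"] == "fix_later"
                  and not remediation.get(e["commit"], {}).get("rotated", False))

def repeat_bypassers(events, threshold=2):
    """Actors with at least `threshold` bypasses in the window."""
    counts = Counter(e["actor"] for e in events)
    return {a: n for a, n in counts.items() if n >= threshold}

def high_bypass_rate_repos(events, pushes, max_rate=0.1):
    """Repositories whose bypasses-per-push ratio exceeds max_rate."""
    per_repo = Counter(e["repo"] for e in events)
    return {r: round(n / pushes[r], 3) for r, n in per_repo.items()
            if pushes.get(r) and n / pushes[r] > max_rate}

def noisy_rules(events, threshold=2):
    """Secret types bypassed as 'false positive' at least `threshold` times."""
    counts = Counter(e["secret_type"] for e in events if e["reason"] == "false_positive")
    return {t: n for t, n in counts.items() if n >= threshold}

def unscoped_test_bypasses(events, allowed_test_types):
    """'used in tests' bypasses whose secret type is not a known test-only rule."""
    return sorted(e["commit"] for e in events if e["reason"] == "used_in_tests"
                  and e["secret_type"] not in allowed_test_types)
```

Each function returns the items a reviewer would have to chase before crediting push protection; an empty result for every gate is what "bypasses are controlled" looks like in evidence.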
Why this matters
Push protection is preventative only when bypasses are controlled. Treating bypassed detections as harmless can hide real credential exposure and leave reusable production secrets in code after an alert is closed or deferred.