Secret scanning push protection bypasses support fine-grained permiss…

…ions [GA] #15736 (#52119) Co-authored-by: Rupa Shankar <rupss@users.noreply.github.com> Co-authored-by: Siara <108543037+SiaraMist@users.noreply.github.com>
github · Aug 29, 2024 · fd586ca · fd586ca
1 parent ab12c72
commit fd586ca
Show file tree

Hide file tree

Showing 6 changed files with 35 additions and 7 deletions.
diff --git a/...egated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md b/...egated-bypass-for-push-protection/about-delegated-bypass-for-push-protection.md
@@ -20,5 +20,3 @@ shortTitle: Delegated bypass
 {% data reusables.secret-scanning.push-protection-delegated-bypass-intro %}
 
 {% data reusables.secret-scanning.push-protection-delegated-bypass-overview %}
-
-For information about enabling delegated bypass, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection)."
diff --git a/...ted-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md b/...ted-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection.md
@@ -14,7 +14,7 @@ topics:
 shortTitle: Enable delegated bypass
 ---
 
-## Enabling delegated bypass for push protection
+## About enabling delegated bypass for push protection
 
 {% data reusables.secret-scanning.push-protection-delegate-bypass-beta-note %}
 
@@ -24,6 +24,8 @@ When you enable this feature, you will create a bypass list of roles and teams w
 
 >[!NOTE] You can't add secret teams to the bypass list.
 
+{% ifversion push-protection-bypass-fine-grained-permissions %}Alternatively, you can grant specific organization members the ability to review and manage bypass requests using fine-grained permissions, which give you more refined control over which individuals and teams can approve and deny bypass requests. For more information, see "[Using fine-grained permissions to control who can review and manage bypass requests](#using-fine-grained-permissions-to-control-who-can-review-and-manage-bypass-requests)."{% endif %}
+
 ## Configuring delegated bypass for an organization
 
 {% data reusables.organizations.navigate-to-org %}
@@ -51,3 +53,16 @@ When you enable this feature, you will create a bypass list of roles and teams w
    >[!NOTE] You can't add secret teams to the bypass list.
 
 1. In the dialog box, select the roles and teams that you want to add to the bypass list, then click **Add selected**.
+
+{% ifversion push-protection-bypass-fine-grained-permissions %}
+
+## Using fine-grained permissions to control who can review and manage bypass requests
+
+You can grant specific individuals or teams the ability to review and manage bypass requests using fine-grained permissions.
+
+1. Ensure that delegated bypass is enabled for the organization. For more information, follow steps 1-5 in "[Configuring delegated bypass for your organization](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection#configuring-delegated-bypass-for-an-organization)."
+1. Create (or edit) a custom organization role. For information on creating and editing custom roles, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/managing-custom-organization-roles#creating-a-custom-role)."
+1. When choosing which permissions to add to the custom role, select the "Review and manage {% data variables.product.prodname_secret_scanning %} bypass requests" permission.
+1. Assign the custom role to individual members or teams in your organization. For more information on assigning custom roles, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/using-organization-roles#assigning-an-organization-role)."
+
+{% endif %}
diff --git a/...oples-access-to-your-organization-with-roles/about-custom-organization-roles.md b/...oples-access-to-your-organization-with-roles/about-custom-organization-roles.md
@@ -51,5 +51,8 @@ Manage organization OAuth application policies | Access to the "OAuth applicatio
 |  {% ifversion actions-usage-metrics %} |
 | View organization Actions usage metrics | View {% data variables.product.prodname_actions %} usage metrics for your organization. | "[AUTOTITLE](/organizations/collaborating-with-groups-in-organizations/viewing-usage-metrics-for-github-actions)" |
 |  {% endif %} |
+|  {% ifversion push-protection-bypass-fine-grained-permissions %} |
+| Review and manage {% data variables.product.prodname_secret_scanning %} bypass requests | Review and manage {% data variables.product.prodname_secret_scanning %} bypass requests for your organization. | "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection)" |
+|  {% endif %} |
 
 {% endrowheaders %}
diff --git a/...ging-peoples-access-to-your-organization-with-roles/roles-in-an-organization.md b/...ging-peoples-access-to-your-organization-with-roles/roles-in-an-organization.md
@@ -205,6 +205,9 @@ Some of the features listed below are limited to organizations using {% data var
 | {% ifversion repo-rules-enterprise %} |
 | Manage organization-level rulesets (see "[AUTOTITLE](/organizations/managing-organization-settings/managing-rulesets-for-repositories-in-your-organization)") | {% octicon "check" aria-label="Yes" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} |
 | {% endif %} |
+| {% ifversion push-protection-bypass-fine-grained-permissions %} |
+| Review and manage {% data variables.product.prodname_secret_scanning %} bypass requests (see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection)") | {% octicon "check" aria-label="Yes" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} |
+| {% endif %} |
 
 {% endrowheaders %}
 

diff --git a/data/features/push-protection-bypass-fine-grained-permissions.yml b/data/features/push-protection-bypass-fine-grained-permissions.yml
@@ -0,0 +1,5 @@
+# Issue 13329
+# Push protection bypass fine-grained permissions
+versions:
+  ghec: '*'
+  ghes: '>=3.16'
diff --git a/data/reusables/secret-scanning/push-protection-delegated-bypass-overview.md b/data/reusables/secret-scanning/push-protection-delegated-bypass-overview.md
@@ -1,9 +1,13 @@
-When you enable push protection, by default, anyone with write access to the repository can choose to bypass the protection by specifying a reason for allowing the push containing a secret. With delegated bypass, contributors to a repository are instead obligated to request "bypass privileges." The request is sent to a designated group of reviewers, who either approve or deny the request to bypass push protection.
+When you enable push protection, by default, anyone with write access to the repository can choose to bypass the protection by specifying a reason for allowing the push containing a secret. With delegated bypass, only specific roles and teams can bypass push protection. All other contributors are instead obligated to make a request for "bypass privileges", which is sent to a designated group of reviewers who either approve or deny the request to bypass push protection.
 
 If the request to bypass push protection is approved, the contributor can push the commit containing the secret. If the request is denied, the contributor must remove the secret from the commit (or commits) containing the secret before pushing again.
 
-To configure delegated bypass, organization owners or repository administrators need to first create a "bypass list". The bypass list comprises specific roles and teams, such as the security team or repository administrators, who oversee requests from non-members to bypass push protection. For more information, see "[Configuring delegated bypass for an organization](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection#configuring-delegated-bypass-for-an-organization)" and "[Configuring delegated bypass for a repository](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection#configuring-delegated-bypass-for-a-repository)."
+To configure delegated bypass, organization owners or repository administrators must change the "Who can bypass push protection for {% data variables.product.prodname_secret_scanning %}" setting in the UI from **Anyone with write access** to **Specific roles and teams**.
 
-Members of the bypass list view and manage requests through the "Push protection bypass" page in the **Security** tab of the repository. For more information, see "[Managing requests to bypass push protection](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection)."
+Organization owners or repository administrators are them prompted to create a "bypass list". The bypass list comprises the specific roles and teams, such as the security team or repository administrators, who oversee requests from non-members to bypass push protection. For more information, see "[Configuring delegated bypass for an organization](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection#configuring-delegated-bypass-for-an-organization)" and "[Configuring delegated bypass for a repository](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection#configuring-delegated-bypass-for-a-repository)."
 
-Members of the bypass list are still protected from accidentally pushing secrets to a repository. When a member of the bypass list attempts to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. Members of the bypass list do not have to request bypass privileges from other members in order to override the block.
+{% ifversion push-protection-bypass-fine-grained-permissions %} Alternatively, instead of creating a bypass list, you can grant specific organization members the ability to review and manage bypass requests using fine-grained permissions. For more information, see "[Using fine-grained permissions to control who can review and manage bypass requests](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/enabling-delegated-bypass-for-push-protection#using-fine-grained-permissions-to-control-who-can-review-and-manage-bypass-requests)."{% endif %}
+
+Members {% ifversion push-protection-bypass-fine-grained-permissions %}with permission to review (approve or deny) bypass requests can manage these {% else %}of the bypass list can review and manage {% endif %}requests through the "Push protection bypass" page in the **Security** tab of the repository. For more information, see "[AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/managing-requests-to-bypass-push-protection)."
+
+Members {% ifversion push-protection-bypass-fine-grained-permissions %}with permission to review and manage bypass requests {% else %}of the bypass list{% endif %} are still protected from accidentally pushing secrets to a repository. If they attempt to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. Members {% ifversion push-protection-bypass-fine-grained-permissions %}with permission to review and manage bypass requests {% else %}of the bypass list {% endif %}do not have to request bypass privileges from other members in order to override the block.