Push Protection Exemptions Now Available at Repository Level

GitHub has expanded the management of secret scanning push protection exemptions to the repository level. Previously, exemptions could only be configured from security configurations at the organization and enterprise levels. This update gives teams more granular control over their security enforcement policies.

What Changed

Organizations with secret scanning push protection enabled can now designate specific roles, teams, and apps as exempt from push protection enforcement directly from their repository settings. Exemption status is evaluated at the time of each push.

How It Works

When an exempt actor—whether a specific role, team member, or authorized app—pushes content containing secrets, the push protection mechanism is automatically skipped and no bypass requests are created. This streamlines workflows for legitimate use cases where certain parties need to handle sensitive material without triggering security blocks.

Action Items

• Review your repository security settings to configure exemptions if needed
• Consult the updated secret scanning documentation for detailed configuration steps
• Consider implementing exemptions at the repository level for specific teams or applications that require them

This change is part of a broader GitHub Advanced Security update released in March 2026, which also includes improvements to push protection exemptions management, simplified advanced security setup, and other security enhancements.