Threat Feed advisory (severity: low)

GitHub Push Protection Bypass Detection

Detection of a GitHub user bypassing push protection, potentially leading to the exposure of secrets.

This alert detects when a GitHub user bypasses the push protection mechanism designed to prevent secrets from being committed to a repository. GitHub’s push protection, part of its secret scanning feature, is intended to block commits containing sensitive information like API keys or credentials. A bypass indicates a deliberate attempt to circumvent this security measure. Successful bypass can lead to exposure of secrets, increasing the risk of unauthorized access and data breaches. The activity is logged within GitHub’s audit logs, provided that the audit log streaming feature is enabled.

Attack Chain

  1. Developer attempts to commit code containing a secret to a GitHub repository.
  2. GitHub’s push protection mechanism detects the secret and blocks the push.
  3. The developer intentionally bypasses the push protection, potentially using administrative privileges or an allowed bypass option to circumvent the block.
  4. The code, including the secret, is successfully pushed to the repository.
  5. The secret becomes exposed within the repository’s history.
  6. Unauthorized actors may discover the exposed secret by scanning the repository.
  7. Unauthorized actors may use the exposed secret to gain unauthorized access to systems or data.

Impact

A successful bypass of GitHub push protection can lead to secrets being exposed in a repository. This exposure can lead to unauthorized access to sensitive systems or data. The severity of the impact depends on the scope of access granted by the exposed secret, and the visibility of the repository.

Recommendation

  • Enable audit log streaming in GitHub to ensure relevant events are captured.
  • Deploy the Sigma rule “Github Push Protection Bypass Detected” to your SIEM and tune for your environment using GitHub audit logs.
  • Investigate any detected bypass events to determine the context and impact of the bypassed secret.

Detection coverage (2 rules)

Github Push Protection Bypass Detected

low

Detects when a user bypasses the push protection on a secret detected by secret scanning.

Type: Sigma | Tactics: defense-impairment | Sources: github, audit

Github Admin Forced Push

info

Detects when an administrator force pushes to a repository, potentially bypassing protections

Type: Sigma | Tactics: defense-impairment | Sources: github, audit
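The recommendation above says to run detection over streamed GitHub audit logs and then investigate each hit. The following is an added example illustrating both listed rules, written for this page; it is not the platform's Sigma rule nor GitHub's code. It assumes the streamed audit log is newline-delimited JSON carrying the common fields "action", "actor", "repo" and "@timestamp", and that the two actions of interest are named "secret_scanning_push_protection.bypass" and "protected_branch.policy_override"; confirm both action names against your own audit log export before relying on them. The sample events are constructed.

```python
"""Flag push-protection bypasses and admin policy overrides in GitHub audit logs.

Added example for this advisory (not the platform's Sigma rule or GitHub code).
Assumptions: NDJSON input with "action", "actor", "repo", "@timestamp";
action names below are assumed and should be verified against a real export.
"""
import json
from collections import Counter
from dataclasses import dataclass

# Action name -> (rule title, severity), mirroring the two rules listed on the page.
# Both action names are assumptions, not taken from the page.
RULES = {
    "secret_scanning_push_protection.bypass": ("Github Push Protection Bypass Detected", "low"),
    "protected_branch.policy_override": ("Github Admin Forced Push", "info"),
}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    actor: str
    repo: str
    timestamp: str
    action: str


def parse_events(jsonl: str):
    """Yield parsed events, skipping blank or malformed lines (streams can truncate)."""
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def detect(jsonl: str) -> list[Finding]:
    """Return one Finding per event whose action matches a rule in RULES."""
    findings = []
    for ev in parse_events(jsonl):
        hit = RULES.get(ev.get("action", ""))
        if hit is None:
            continue
        rule, severity = hit
        findings.append(Finding(
            rule=rule,
            severity=severity,
            actor=ev.get("actor", "<unknown>"),
            repo=ev.get("repo", "<unknown>"),
            timestamp=ev.get("@timestamp", "<unknown>"),
            action=ev["action"],
        ))
    return findings


def bypasses_by_actor(findings: list[Finding]) -> Counter:
    """Count push-protection bypasses per actor to prioritise investigation."""
    return Counter(f.actor for f in findings
                   if f.action == "secret_scanning_push_protection.bypass")


# Constructed sample audit log lines; not real data.
SAMPLE = """
{"@timestamp": "2024-05-01T10:00:00Z", "action": "git.push", "actor": "dev-a", "repo": "acme/api"}
{"@timestamp": "2024-05-01T10:01:00Z", "action": "secret_scanning_push_protection.bypass", "actor": "dev-a", "repo": "acme/api"}
{"@timestamp": "2024-05-01T10:02:00Z", "action": "protected_branch.policy_override", "actor": "admin-b", "repo": "acme/web"}
this line is deliberately not JSON
{"@timestamp": "2024-05-01T10:03:00Z", "action": "secret_scanning_push_protection.bypass", "actor": "dev-a", "repo": "acme/worker"}
{"@timestamp": "2024-05-01T10:04:00Z", "action": "repo.create", "actor": "dev-c", "repo": "acme/new"}
"""

if __name__ == "__main__":
    hits = detect(SAMPLE)
    for f in hits:
        print(f"[{f.severity}] {f.rule}: {f.actor} on {f.repo} at {f.timestamp} ({f.action})")
    print("bypasses per actor:", dict(bypasses_by_actor(hits)))
```

Each finding carries the actor, repository and timestamp needed for the follow-up investigation the recommendation asks for; the per-actor count helps decide which bypass to look at first when several occur close together.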

Detection queries are kept inside the platform.