Deactivate pushing of secrets to bypass through own approval

[alaugks]

Select Topic Area

Question

Body

Hi

I have set up Secrets Push Protection. However, I do not want the user to be able to push the secret via the link "To push, remove secret from commit(s) or follow this URL to allow the secret." and their own approval.

How can I deactivate or restrict this so that only an administrator can approve it?

remote: Resolving deltas: 100% (1/1), completed with 1 local object.
remote: error: GH013: Repository rule violations found for refs/heads/main.
remote: 
remote: - GITHUB PUSH PROTECTION
remote:   —————————————————————————————————————————
remote:     Resolve the following violations before pushing again
remote: 
remote:     - Push cannot contain secrets
remote: 
remote:     
remote:      (?) Learn how to resolve a blocked push
remote:      https://docs.github.com/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line#resolving-a-blocked-push
remote:     
remote:     
remote:       —— OpenAI API Key ————————————————————————————————————
remote:        locations:
remote:          - commit: 41d3076cbd15bb58d0e8d0cbe76024f5598c829b
remote:            path: .env:8
remote:     
remote:        (?) To push, remove secret from commit(s) or follow this URL to allow the secret.
remote:        https://github.com/my-organisation/test-repository/security/secret-scanning/unblock-secret/36wtNYKWiLa1TwE1M2aifdJX3iA

To push, remove secret from commit(s) or follow this URL to allow the secret.

[shermsql]

You can disable the direct self-approval link (The "Allow This Secret" URL) and force a review process instead by enabling Delegated bypass for push protection.

This feature (Available In GitHub Advanced Security / Secret Protection, Typically On Team+ Plans With The Right Licensing) lets organization/repo admins create a list of users/teams/roles who can bypass directly.

Everyone else must submit a bypass request that only designated reviewers (Admins/Security Managers) can approve/deny.

How to set it up?
Go to your organization settings → Code security and analysis → Push protection → Enable Delegated bypass and configure the bypass list/reviewers.

Once enabled, regular users see no direct bypass link — they must request approval → only admins/reviewers decide.

See docs
https://docs.github.com/en/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection