Enable push protection for an organization with PATCH /orgs/{org} and the body field secret_scanning_push_protection_enabled_for_new_repositories set to true, then enable per-repo via PATCH /repos/{owner}/{repo}.
Enable delegated bypass so that developer bypass attempts require reviewer approval: configure this in the organization's Code Security settings or via the API.
Poll pending bypass requests with GET /orgs/{org}/bypass-requests/secret-scanning or GET /repos/{owner}/{repo}/bypass-requests/secret-scanning using a token with security_events write scope.
Approve or deny a bypass request with PATCH on the bypass request endpoint and a body containing status: approved or status: denied.
Set up a webhook on the organization to receive push_protection_bypass event payloads for real-time alerting to your security team.
Review the audit log via GET /orgs/{org}/audit-log with the phrase query parameter set to secret_scanning to capture all push protection and bypass events.
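The six steps above, as an added worked example (not code from the original page or from GitHub's own tooling): request construction is kept separate from sending so the logic can be exercised offline, the sample payloads are constructed for illustration, and the response field names, the per-repo PATCH body and the "/{number}" suffix on the review endpoint are assumptions rather than quotations from the API reference. The status values in the review body are the ones the page states.

```python
# Added example: helpers for the push-protection / delegated-bypass workflow.
# Sample payloads are constructed; schema details marked as assumptions are not
# taken from the original page.
import hashlib
import hmac
import json
import urllib.request
from urllib.parse import urlencode

API = "https://api.github.com"


def enable_push_protection_requests(org, owner, repo):
    """Step 1 as (method, url, body) tuples. The org-level field name is the one
    the page gives; the per-repo body uses a security_and_analysis block, which
    is an assumption about the repo PATCH schema."""
    return [
        ("PATCH", f"{API}/orgs/{org}",
         {"secret_scanning_push_protection_enabled_for_new_repositories": True}),
        ("PATCH", f"{API}/repos/{owner}/{repo}",
         {"security_and_analysis": {
             "secret_scanning_push_protection": {"status": "enabled"}}}),
    ]


def pending_bypass_requests(listing):
    """Step 3: keep only requests still awaiting a reviewer decision.
    Assumes each item carries a 'status' field whose pending value is 'pending'."""
    return [r for r in listing if r.get("status") == "pending"]


def review_bypass_request(owner, repo, number, approve):
    """Step 4: build the review PATCH. The '/{number}' path suffix is an
    assumption; the status values are the ones the page states."""
    url = f"{API}/repos/{owner}/{repo}/bypass-requests/secret-scanning/{number}"
    return ("PATCH", url, {"status": "approved" if approve else "denied"})


def sign_webhook_body(secret, raw_body):
    """HMAC-SHA256 of the raw delivery body, in the X-Hub-Signature-256 form."""
    digest = hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()
    return "sha256=" + digest


def verify_webhook_signature(secret, raw_body, signature_header):
    """Step 5: refuse to act on a push_protection_bypass delivery unless its
    signature header matches; compare in constant time."""
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    return hmac.compare_digest(signature_header, sign_webhook_body(secret, raw_body))


def audit_log_url(org, phrase="secret_scanning"):
    """Step 6: audit-log query URL with the phrase filter from the page."""
    return f"{API}/orgs/{org}/audit-log?" + urlencode({"phrase": phrase})


def summarize_audit_events(entries):
    """Count audit-log entries per 'action' so bypasses that a late or missed
    webhook never announced are still reconciled from the log."""
    counts = {}
    for entry in entries:
        counts[entry["action"]] = counts.get(entry["action"], 0) + 1
    return counts


def send(request, token):
    """Perform one (method, url, body) request with a bearer token.
    Not exercised offline; only the builders above are."""
    method, url, body = request
    req = urllib.request.Request(
        url, method=method, data=json.dumps(body).encode() if body else None,
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"null")


# Constructed sample payloads (illustrative; action strings are placeholders,
# not captured API output).
SAMPLE_LISTING = [
    {"number": 7, "status": "pending", "requester": {"actor_name": "dev-a"}},
    {"number": 8, "status": "approved", "requester": {"actor_name": "dev-b"}},
]
SAMPLE_AUDIT = [
    {"action": "secret_scanning_push_protection.bypass", "actor": "dev-b"},
    {"action": "secret_scanning_push_protection.bypass", "actor": "dev-c"},
    {"action": "secret_scanning_alert.resolve", "actor": "sec-team"},
]

if __name__ == "__main__":
    for r in pending_bypass_requests(SAMPLE_LISTING):
        print("awaiting review:", r["number"], r["requester"]["actor_name"])
    print(summarize_audit_events(SAMPLE_AUDIT))
```

With a token in hand, each tuple from enable_push_protection_requests or review_bypass_request is passed to send; the audit-log summary is meant to run on a schedule alongside the webhook receiver, which covers the latency gotcha noted below.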
Known gotchas
Delegated bypass is only available on GitHub Enterprise Cloud; GitHub Free and Team plans do not support the approval workflow.
Approving a bypass does not rotate the secret; the security team must still ensure the exposed credential is revoked in the upstream system.
Webhook payloads for push_protection_bypass may arrive slightly after the git push completes; do not rely on them as a synchronous gate.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp