## GitHub Push Protection Fails: Credential Leaked into HMPPS-DPR-Tools-API Repository
A critical security control has failed. GitHub's push protection feature, designed to block credentials before they enter a repository, did not prevent a live secret from being committed and pushed to the `hmpps-dpr-tools-api` repository. The exposure was only detected after the fact by GitHub's secret scanning, leaving the credential in the repository's history and triggering a security incident that now requires credential rotation and git history cleanup.

This failure strikes at the core of DevSecOps security controls, undermining confidence in GitHub's built-in protections. The incident is not a theoretical vulnerability but a concrete operational breakdown. A supported secret type was pushed without being blocked, directly contradicting the feature's stated purpose of preventing accidental exposure. The investigation must now determine whether the failure was due to a misconfiguration, a gap in the supported secret patterns, a bug in the push protection service, or another systemic flaw.

The implications extend beyond a single repository. The incident exposes organizations relying on this GitHub feature to unanticipated risk, forcing a reassessment of layered security controls. The failure creates immediate pressure on repository maintainers and security teams to verify the effectiveness of their entire secret management stack, as a primary automated defense layer proved unreliable. This incident serves as a stark warning that automated guardrails cannot be assumed to be fail-safe.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: GitHub, Security, DevSecOps, Credential Leak, Push Protection
- **Credibility**: unverified
- **Published**: 2026-04-13 15:23:01
- **ID**: 62229
- **URL**: https://whisperx.ai/en/intel/62229