From ce5f3ee895bffd0a45e4afa6dcec18af142cc87a Mon Sep 17 00:00:00 2001
From: Noah Omdal <nomdal@github.com>
Date: Wed, 2 Jul 2025 13:50:38 -0700
Subject: [PATCH 1/3] Create ghas-push-protection-resolve-block.prompt.md

A prompt file for Copilot agent mode to assist with automating the removal of secrets after a GitHub Advanced Security push protection blocked push.
---
 ...as-push-protection-resolve-block.prompt.md | 84 +++++++++++++++++++
 1 file changed, 84 insertions(+)
 create mode 100644 prompts/ghas-push-protection-resolve-block.prompt.md

diff --git a/prompts/ghas-push-protection-resolve-block.prompt.md b/prompts/ghas-push-protection-resolve-block.prompt.md
new file mode 100644
index 00000000..d64f901d
--- /dev/null
+++ b/prompts/ghas-push-protection-resolve-block.prompt.md
@@ -0,0 +1,84 @@
+---
+mode: "agent"
+tools: ["changes", "codebase", "editFiles", "problems", "terminal"]
+description: "Help developers resolve GitHub Advanced Security push protection blocked pushes containing secrets"
+---
+
+Your goal is to help me resolve a blocked push that was prevented by GitHub Advanced Security push protection due to detected secrets in my commits. You should automatically analyze the CLI output, detect the blocked push information, and guide me through the proper resolution strategy.
+
+## Automated Analysis and Strategy Selection
+
+You will automatically:
+
+1. **Gather context** by running diagnostic commands and parsing terminal output
+2. **Extract key information** from the push protection error:
+   - Commit IDs and file paths where secrets were detected
+   - Secret types (API keys, tokens, etc.) from error headers
+   - Chronological order of affected commits
+3. **Select optimal resolution strategy** based on commit analysis and recommendations detailed in GitHub Documentation:
+    - Resolving a blocked push: https://docs.github.com/en/code-security/secret-scanning/working-with-secret-scanning-and-push-protection/working-with-push-protection-from-the-command-line#resolving-a-blocked-push
+4. **Execute the resolution** with real-time validation, and if any manual intervention following a command in the CLI is expected of the user, I will inform them of this before I execute the command, with a recommendation of what they will need to do (such as entering ":q")
+
+### Error Pattern Recognition
+You will parse patterns like:
+```
+remote:   —— GitHub Personal Access Token ——————————————————————
+remote:      - commit: 8728dbe67
+remote:        path: README.md:4
+```
+
+## Resolution Strategies
+
+You will automatically choose and execute the appropriate strategy:
+
+### Latest Commit Only
+```bash
+# Remove secret from code, then:
+git add .
+git commit --amend --no-edit
+git push
+```
+
+### Earlier Commits
+```bash
+# Find earliest problematic commit and rebase:
+git rebase -i <EARLIEST_COMMIT>~1
+# When using interactive rebase to squash commits containing secrets, you will provide automated sed commands to modify the rebase TODO file without user manual intervention.
+```
+
+### Multiple Commits
+Plan comprehensive rebase strategy addressing all detected commit IDs.
+
+## Secret Removal Best Practices
+
+- **Remove the actual secret**: Replace API keys, tokens, passwords, or other sensitive data with placeholders or environment variables
+- **Use environment variables**: Move secrets to environment variables or secure configuration files
+- **Update .gitignore**: Add patterns to prevent similar files from being committed in the future
+
+## Automated Error Handling
+
+You will handle common scenarios:
+- **Merge conflicts** during rebase (identify conflicted files, guide resolution)
+- **Large repositories** (optimize commands for performance)
+- **Branch protection rules** (check for restrictions that might affect resolution)
+
+## Smart Bypass Assessment
+
+If patterns suggest false positives, you will analyze for:
+- Test data patterns ("test_api_key", "fake_token")
+- Placeholder values ("YOUR_API_KEY_HERE")
+- Example/documentation code
+
+You will extract bypass URLs from error messages and recommend appropriate reasons:
+- "It's used in tests" - for harmless test secrets
+- "It's a false positive" - for non-secrets
+- "I'll fix it later" - for real secrets to be addressed soon
+
+## Post-Resolution Verification
+
+After resolving, you will automatically:
+1. **Verify secret removal** using pattern matching and Git history checks
+2. **Test push capability** with `git push --dry-run`
+3. **Suggest prevention measures** (pre-commit hooks, .gitignore updates)
+
+**Goal**: Maintain security while enabling productive development. Always prioritize removing real secrets over bypassing protection.

From b5b369b5ffb5109bfb9c66acf810c6f797624937 Mon Sep 17 00:00:00 2001
From: Noah Omdal <nomdal@github.com>
Date: Wed, 2 Jul 2025 14:37:21 -0700
Subject: [PATCH 2/3] Update README.md

---
 README.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/README.md b/README.md
index f70435ed..3cd88725 100644
--- a/README.md
+++ b/README.md
@@ -63,6 +63,9 @@ Ready-to-use prompt templates for specific development scenarios and tasks, defi
 - [My Pull Requests](prompts/my-pull-requests.prompt.md)
 - [C# Documentation Best Practices](prompts/csharp-docs.prompt.md) - Ensure that C# types are documented with XML comments and follow best practices for documentation.
 
+### Security
+- [Resolve a GitHub Advanced Security Push Protection blocked push] - Automate removing secrets from commit history
+
 ### FinOps
 - [Azure Cost Optimize](prompts/az-cost-optimize.prompt.md) - Analyze Azure resources used in the app (IaC files and/or resources in a target rg) and optimize costs - creating GitHub issues for identified optimizations.
 

From cd887286513e4cd30db11d96b6dbc023fec6e675 Mon Sep 17 00:00:00 2001
From: Noah Omdal <nomdal@github.com>
Date: Mon, 25 Aug 2025 17:25:25 -0700
Subject: [PATCH 3/3] Enhance GHAS push protection resolution instructions

Added guidance for resolving blocked pushes due to GitHub Advanced Security.
---
 prompts/ghas-push-protection-resolve-block.prompt.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/prompts/ghas-push-protection-resolve-block.prompt.md b/prompts/ghas-push-protection-resolve-block.prompt.md
index d64f901d..8719883b 100644
--- a/prompts/ghas-push-protection-resolve-block.prompt.md
+++ b/prompts/ghas-push-protection-resolve-block.prompt.md
@@ -3,6 +3,7 @@ mode: "agent"
 tools: ["changes", "codebase", "editFiles", "problems", "terminal"]
 description: "Help developers resolve GitHub Advanced Security push protection blocked pushes containing secrets"
 ---
+# GHAS Push Protection: Resolve Blocked Push
 
 Your goal is to help me resolve a blocked push that was prevented by GitHub Advanced Security push protection due to detected secrets in my commits. You should automatically analyze the CLI output, detect the blocked push information, and guide me through the proper resolution strategy.