GitHub Push Protection Fails: Credential Leaked into HMPPS-DPR-Tools-API Repository
A critical security control has failed. GitHub's push protection feature, designed to block credentials before they enter a repository, did not prevent a live secret from being committed and pushed to the `hmpps-dpr-tools-api` repository. The exposure was detected only after the fact by GitHub's secret scanning, leaving the credential in the repository's history and triggering a security incident that now requires credential rotation (the secret must be treated as compromised, since rewriting history does not revoke it) and git history cleanup.
This failure strikes at the core of DevSecOps security controls, undermining confidence in GitHub's built-in protections. The incident is not a theoretical vulnerability but a concrete operational breakdown. A supported secret type was pushed without being blocked, directly contradicting the feature's stated purpose of preventing accidental exposure. The investigation must now determine whether the failure was due to a misconfiguration, a gap in the supported secret patterns, a bug in the push protection service, or another systemic flaw.
The implications extend beyond a single repository. The failure exposes organizations that rely on this GitHub feature to unanticipated risk and forces a reassessment of layered security controls. It puts immediate pressure on repository maintainers and security teams to verify the effectiveness of their entire secret management stack, because a primary automated defense layer proved unreliable. This incident serves as a stark warning that automated guardrails cannot be assumed to be fail-safe.
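The layered-control point above, as an added example that is not part of the original article: a local secret scanner run over the staged diff before a commit or push, so that a credential missed by push protection is still caught on the developer's machine. The credential patterns are a hypothetical subset (GitHub `ghp_`/`github_pat_` token prefixes, AWS `AKIA`/`ASIA` access key IDs) rather than GitHub's own pattern set, and the sample diff is constructed.

```python
import math
import re
from collections import Counter

# Illustrative credential formats (GitHub PAT prefixes, AWS access key IDs); a hypothetical subset, not GitHub's own pattern set.
KNOWN_PATTERNS = {
    "github_pat": re.compile(r"\b(?:ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
}
# Catch-all for secret-looking assignments: <keyword>... = "<long value>".
GENERIC_ASSIGN = re.compile(
    r"(?i)(password|passwd|secret|token|api[_-]?key)\w*\s*[:=]\s*['\"]?([A-Za-z0-9_\-+/=]{16,})"
)

def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens score roughly 4-5, words and placeholders lower."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def scan_diff(diff_text: str, entropy_threshold: float = 3.5) -> list:
    """Return (kind, value) findings for lines a diff adds; removed and context lines are ignored."""
    findings, seen = [], set()
    for line in diff_text.splitlines():
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only content this change introduces can leak something new
        body = line[1:]
        for kind, pat in KNOWN_PATTERNS.items():
            for m in pat.finditer(body):
                if m.group(0) not in seen:
                    seen.add(m.group(0))
                    findings.append((kind, m.group(0)))
        for m in GENERIC_ASSIGN.finditer(body):
            value = m.group(2)
            # Entropy filter: placeholders like "changeme_changeme" pass, random-looking values do not.
            if value not in seen and shannon_entropy(value) >= entropy_threshold:
                seen.add(value)
                findings.append(("high_entropy_" + m.group(1).lower(), value))
    return findings

# Constructed sample diff, shaped like `git diff --cached` output; the token and key values are fake.
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -1,2 +1,4 @@
 DEBUG = False
-GITHUB_TOKEN = os.environ["GITHUB_TOKEN"]
+GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+AWS_KEY = "AKIAEXAMPLEKEY000000"
+SESSION_SECRET = "changeme_changeme_changeme"
"""
```

Wired into a `pre-commit` hook, the script would feed `git diff --cached` to `scan_diff` and refuse the commit whenever it returns any finding, which gives a second, independent layer in front of the server-side check.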