Skip to main content

Secret scanning patterns

Lists of supported secrets and the partners that GitHub works with to prevent fraudulent use of secrets that were committed accidentally.

Secret scanning for partner patterns is automatically run on public repositories in all products on Secret scanning for advanced security is available for repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security. For more information, see "About GitHub Advanced Security."

About secret scanning patterns

GitHub maintains these different sets of secret scanning patterns:

  1. Partner patterns. Used to detect potential secrets in all public repositories. For details, see "Supported secrets for partner patterns."
  2. Advanced security patterns. Used to detect potential secrets in repositories with secret scanning enabled.

Organizations using GitHub Enterprise Cloud with GitHub Advanced Security can enable secret scanning for advanced security on their repositories. For details of these patterns, see the GitHub Enterprise Cloud documentation.

Supported secrets for partner patterns

GitHub currently scans public repositories for secrets issued by the following service providers. For more information about secret scanning for partner patterns, see "About secret scanning for partner patterns."

If access to a resource requires paired credentials, then secret scanning will create an alert only when both parts of the pair are detected in the same file. This ensures that the most critical leaks are not hidden behind information about partial leaks.

PartnerSupported secret
Adafruit IOAdafruit IO Key
AdobeAdobe Device Token
AdobeAdobe Service Token
AdobeAdobe Short-Lived Access Token
AdobeAdobe JSON Web Token
Alibaba CloudAlibaba Cloud Access Key ID and Access Key Secret pair
Amazon Web Services (AWS)Amazon AWS Access Key ID and Secret Access Key pair
AtlassianAtlassian API Token
AtlassianAtlassian JSON Web Token
AzureAzure Active Directory Application Secret
AzureAzure DevOps Personal Access Token
AzureAzure ML Studio (classic) Web Service Key
AzureAzure SAS Token
AzureAzure Service Management Certificate
AzureAzure SQL Connection String
AzureAzure Storage Account Key Production Secret Key Test Secret Key
ChiefChief Tools Token
ClojarsClojars Deploy Token
CloudBees CodeShipCloudBees CodeShip Credential
Contributed SystemsContributed Systems Credentials
DatabricksDatabricks Access Token
DatadogDatadog API Key
DevCycleDevCycle Client API Key
DevCycleDevCycle Server API Key
DigitalOceanDigitalOcean Personal Access Token
DigitalOceanDigitalOcean OAuth Token
DigitalOceanDigitalOcean Refresh Token
DigitalOceanDigitalOcean System Token
DiscordDiscord Bot Token
DopplerDoppler Personal Token
DopplerDoppler Service Token
DopplerDoppler CLI Token
DopplerDoppler SCIM Token
DopplerDoppler Audit Token
DropboxDropbox Access Token
DropboxDropbox Short Lived Access Token
DynatraceDynatrace Access Token
DynatraceDynatrace Internal Token
FinicityFinicity App Key JSON Web Token Developer Token
FullStoryFullStory API Key
GitHubGitHub Personal Access Token
GitHubGitHub OAuth Access Token
GitHubGitHub Refresh Token
GitHubGitHub App Installation Access Token
GitHubGitHub SSH Private Key
GoCardlessGoCardless Live Access Token
GoCardlessGoCardless Sandbox Access Token
Google CloudGoogle API Key
Google CloudGoogle Cloud Private Key ID
Hashicorp TerraformTerraform Cloud / Enterprise API Token
HubspotHubspot API Key
IonicIonic Personal Access Token
IonicIonic Refresh Token
JD CloudJD Cloud Access Key
LinearLinear API Key
LinearLinear OAuth Access Token
MailchimpMailchimp API Key
MailchimpMandrill API Key
MailgunMailgun API Key
MessageBirdMessageBird API Key
MetaFacebook Access Token
npmnpm Access Token
NuGetNuGet API Key
Octopus DeployOctopus Deploy API Key
OpenAIOpenAI API Key
PalantirPalantir JSON Web Token
PlanetScalePlanetScale Database Password
PlanetScalePlanetScale OAuth Token
PlanetScalePlanetScale Service Token
PlivoPlivo Auth ID and Token
PostmanPostman API Key
PrefectPrefect Server API Key
PrefectPrefect User API Token
ProctorioProctorio Consumer Key
ProctorioProctorio Linkage Key
ProctorioProctorio Registration Key
ProctorioProctorio Secret Key
PulumiPulumi Access Token
ReadMeReadMe API Access Key API Token
RubyGemsRubyGems API Key
SamsaraSamsara API Token
SamsaraSamsara OAuth Access Token
SendGridSendGrid API Key
SendinblueSendinblue API Key
SendinblueSendinblue SMTP Key
ShopifyShopify App Shared Secret
ShopifyShopify Access Token
ShopifyShopify Custom App Access Token
ShopifyShopify Private App Password
SlackSlack API Token
SlackSlack Incoming Webhook URL
SlackSlack Workflow Webhook URL
SSLMateSSLMate Cluster Secret
StripeStripe Live API Secret Key
StripeStripe Test API Secret Key
StripeStripe Live API Restricted Key
StripeStripe Test API Restricted Key
SupabaseSupabase Service Key
Tencent CloudTencent Cloud Secret ID
TwilioTwilio Account String Identifier
TwilioTwilio API Key
TypeformTypeform Personal Access Token
UniwiseWISEflow API Key
ValourValour Access Token
YandexYandex.Cloud API Key
YandexYandex.Cloud IAM Cookie
YandexYandex.Cloud IAM Token
YandexYandex.Dictionary API Key
YandexYandex.Cloud Access Secret
YandexYandex.Passport OAuth Token
ZuploZuplo Consumer API

Further reading