About secret scanning patterns
GitHub maintains these different sets of secret scanning patterns:
- Partner patterns. Used to detect potential secrets in all public repositories. For details, see "Supported secrets for partner patterns."
- Advanced security patterns. Used to detect potential secrets in repositories with secret scanning enabled.
Organizations using GitHub Enterprise Cloud with GitHub Advanced Security can enable secret scanning for advanced security on their repositories. For details of these patterns, see the GitHub Enterprise Cloud documentation.
Supported secrets for partner patterns
GitHub currently scans public repositories for secrets issued by the following service providers. For more information about secret scanning for partner patterns, see "About secret scanning for partner patterns."
If access to a resource requires paired credentials, then secret scanning will create an alert only when both parts of the pair are detected in the same file. This ensures that the most critical leaks are not hidden behind information about partial leaks.
| Partner | Supported secret |
|---|---|
| Adafruit IO | Adafruit IO Key |
| Adobe | Adobe Device Token |
| Adobe | Adobe Service Token |
| Adobe | Adobe Short-Lived Access Token |
| Adobe | Adobe JSON Web Token |
| Alibaba Cloud | Alibaba Cloud Access Key ID and Access Key Secret pair |
| Amazon Web Services (AWS) | Amazon AWS Access Key ID and Secret Access Key pair |
| Atlassian | Atlassian API Token |
| Atlassian | Atlassian JSON Web Token |
| Azure | Azure Active Directory Application Secret |
| Azure | Azure DevOps Personal Access Token |
| Azure | Azure ML Studio (classic) Web Service Key |
| Azure | Azure SAS Token |
| Azure | Azure Service Management Certificate |
| Azure | Azure SQL Connection String |
| Azure | Azure Storage Account Key |
| Checkout.com | Checkout.com Production Secret Key |
| Checkout.com | Checkout.com Test Secret Key |
| Chief | Chief Tools Token |
| Clojars | Clojars Deploy Token |
| CloudBees CodeShip | CloudBees CodeShip Credential |
| Contributed Systems | Contributed Systems Credentials |
| Databricks | Databricks Access Token |
| Datadog | Datadog API Key |
| DevCycle | DevCycle Client API Key |
| DevCycle | DevCycle Server API Key |
| DigitalOcean | DigitalOcean Personal Access Token |
| DigitalOcean | DigitalOcean OAuth Token |
| DigitalOcean | DigitalOcean Refresh Token |
| DigitalOcean | DigitalOcean System Token |
| Discord | Discord Bot Token |
| Doppler | Doppler Personal Token |
| Doppler | Doppler Service Token |
| Doppler | Doppler CLI Token |
| Doppler | Doppler SCIM Token |
| Doppler | Doppler Audit Token |
| Dropbox | Dropbox Access Token |
| Dropbox | Dropbox Short Lived Access Token |
| Dynatrace | Dynatrace Access Token |
| Dynatrace | Dynatrace Internal Token |
| Finicity | Finicity App Key |
| Frame.io | Frame.io JSON Web Token |
| Frame.io | Frame.io Developer Token |
| FullStory | FullStory API Key |
| GitHub | GitHub Personal Access Token |
| GitHub | GitHub OAuth Access Token |
| GitHub | GitHub Refresh Token |
| GitHub | GitHub App Installation Access Token |
| GitHub | GitHub SSH Private Key |
| GoCardless | GoCardless Live Access Token |
| GoCardless | GoCardless Sandbox Access Token |
| Google Cloud | Google API Key |
| Google Cloud | Google Cloud Private Key ID |
| Hashicorp Terraform | Terraform Cloud / Enterprise API Token |
| Hubspot | Hubspot API Key |
| Ionic | Ionic Personal Access Token |
| Ionic | Ionic Refresh Token |
| JD Cloud | JD Cloud Access Key |
| Linear | Linear API Key |
| Linear | Linear OAuth Access Token |
| Mailchimp | Mailchimp API Key |
| Mailchimp | Mandrill API Key |
| Mailgun | Mailgun API Key |
| MessageBird | MessageBird API Key |
| Meta | Facebook Access Token |
| npm | npm Access Token |
| NuGet | NuGet API Key |
| Octopus Deploy | Octopus Deploy API Key |
| OpenAI | OpenAI API Key |
| Palantir | Palantir JSON Web Token |
| PlanetScale | PlanetScale Database Password |
| PlanetScale | PlanetScale OAuth Token |
| PlanetScale | PlanetScale Service Token |
| Plivo | Plivo Auth ID and Token |
| Postman | Postman API Key |
| Prefect | Prefect Server API Key |
| Prefect | Prefect User API Token |
| Proctorio | Proctorio Consumer Key |
| Proctorio | Proctorio Linkage Key |
| Proctorio | Proctorio Registration Key |
| Proctorio | Proctorio Secret Key |
| Pulumi | Pulumi Access Token |
| PyPI | PyPI API Token |
| ReadMe | ReadMe API Access Key |
| redirect.pizza | redirect.pizza API Token |
| RubyGems | RubyGems API Key |
| Samsara | Samsara API Token |
| Samsara | Samsara OAuth Access Token |
| SendGrid | SendGrid API Key |
| Sendinblue | Sendinblue API Key |
| Sendinblue | Sendinblue SMTP Key |
| Shopify | Shopify App Shared Secret |
| Shopify | Shopify Access Token |
| Shopify | Shopify Custom App Access Token |
| Shopify | Shopify Private App Password |
| Slack | Slack API Token |
| Slack | Slack Incoming Webhook URL |
| Slack | Slack Workflow Webhook URL |
| SSLMate | SSLMate API Key |
| SSLMate | SSLMate Cluster Secret |
| Stripe | Stripe Live API Secret Key |
| Stripe | Stripe Test API Secret Key |
| Stripe | Stripe Live API Restricted Key |
| Stripe | Stripe Test API Restricted Key |
| Supabase | Supabase Service Key |
| Tencent Cloud | Tencent Cloud Secret ID |
| Twilio | Twilio Account String Identifier |
| Twilio | Twilio API Key |
| Typeform | Typeform Personal Access Token |
| Uniwise | WISEflow API Key |
| Valour | Valour Access Token |
| Yandex | Yandex.Cloud API Key |
| Yandex | Yandex.Cloud IAM Cookie |
| Yandex | Yandex.Cloud IAM Token |
| Yandex | Yandex.Dictionary API Key |
| Yandex | Yandex.Cloud Access Secret |
| Yandex | Yandex.Passport OAuth Token |
| Zuplo | Zuplo Consumer API |