Skip to main content

This version of GitHub Enterprise was discontinued on 2023-03-15. No patch releases will be made, even for critical security issues. For better performance, improved security, and new features, upgrade to the latest version of GitHub Enterprise. For help with the upgrade, contact GitHub Enterprise support.

Secret scanning patterns

Lists of supported secrets and the partners that GitHub works with to prevent fraudulent use of secrets that were committed accidentally.

Secret scanning is available for organization-owned repositories in GitHub Enterprise Server if your enterprise has a license for GitHub Advanced Security. For more information, see "About secret scanning" and "About GitHub Advanced Security."

Note: Your site administrator must enable secret scanning for your GitHub Enterprise Server instance before you can use this feature. For more information, see "Configuring secret scanning for your appliance."

About secret scanning alerts

When secret scanning is enabled, GitHub scans repositories for secrets issued by a large variety of service providers and generates secret scanning alerts.

You can see these alerts on the Security tab of the repository.

If access to a resource requires paired credentials, then secret scanning will create an alert only when both parts of the pair are detected in the same file. This ensures that the most critical leaks are not hidden behind information about partial leaks. Pair matching also helps reduce false positives since both elements of a pair must be used together to access the provider's resource.

If you use the REST API for secret scanning, you can use the Secret type to report on secrets from specific issuers. For more information, see "Secret scanning."

Note: You can also define custom secret scanning patterns for your repository, organization, or enterprise. For more information, see "Defining custom patterns for secret scanning."

Supported secrets

This table lists the secrets supported by secret scanning. You can see the types of alert that get generated for each token.

  • Secret scanning alert—token for which leaks are reported to users on GitHub. Applies to private repositories where GitHub Advanced Security and secret scanning enabled.
TokenSecret scanning alert
adobe_device_token
adobe_jwt
adobe_service_token
adobe_short_lived_access_token
atlassian_api_token
atlassian_jwt
azure_sas_token
azure_management_certificate
azure_sql_connection_string
beamer_api_key
checkout_test_secret_key
codeship_credential
contentful_personal_access_token
dropbox_access_token
duffel_test_access_token
dynatrace_access_token
dynatrace_internal_token
easypost_test_api_key
fastly_api_token
finicity_app_key
flutterwave_test_api_secret_key
frameio_developer_token
frameio_jwt
gitlab_access_token
gocardless_live_access_token
gocardless_sandbox_access_token
firebase_cloud_messaging_server_key
google_oauth_access_token
google_oauth_refresh_token
google_api_key
hashicorp_vault_batch_token
hashicorp_vault_service_token
terraform_api_token
lob_live_api_key
lob_test_api_key
mailchimp_api_key
mailgun_api_key
mapbox_secret_access_token
messagebird_api_key
facebook_access_token
midtrans_sandbox_server_key
new_relic_license_key
notion_integration_token
notion_oauth_client_secret
octopus_deploy_api_key
onfido_sandbox_api_token
palantir_jwt
plivo_auth_id
plivo_auth_token
proctorio_consumer_key
proctorio_linkage_key
proctorio_registration_key
pulumi_access_token
pypi_api_token
rubygems_api_key
shippo_test_api_token
shopify_custom_app_access_token
shopify_private_app_password
slack_incoming_webhook_url
slack_workflow_webhook_url
square_access_token
square_production_application_secret
square_sandbox_application_secret
sslmate_api_key
sslmate_cluster_secret
stripe_api_key
stripe_live_restricted_key
stripe_live_secret_key
stripe_test_restricted_key
stripe_test_secret_key
stripe_webhook_signing_secret
supabase_service_key
tableau_personal_access_token
telegram_bot_token
twilio_access_token
twilio_account_sid
twilio_api_key
yandex_cloud_api_key
yandex_cloud_iam_cookie
yandex_cloud_iam_token
yandex_dictionary_api_key
yandex_predictor_api_key
yandex_translate_api_key

Further reading