Skip to main content

This version of GitHub Enterprise was discontinued on 2023-03-15. No patch releases will be made, even for critical security issues. For better performance, improved security, and new features, upgrade to the latest version of GitHub Enterprise. For help with the upgrade, contact GitHub Enterprise support.

Secret scanning patterns

Lists of supported secrets and the partners that GitHub works with to prevent fraudulent use of secrets that were committed accidentally.

Secret scanning is available for organization-owned repositories in GitHub Enterprise Server if your enterprise has a license for GitHub Advanced Security. For more information, see "About secret scanning" and "About GitHub Advanced Security."

Note: Your site administrator must enable secret scanning for your GitHub Enterprise Server instance before you can use this feature. For more information, see "Configuring secret scanning for your appliance."

About secret scanning alerts

When secret scanning is enabled, GitHub scans repositories for secrets issued by a large variety of service providers and generates secret scanning alerts.

You can see these alerts on the Security tab of the repository.

If access to a resource requires paired credentials, then secret scanning will create an alert only when both parts of the pair are detected in the same file. This ensures that the most critical leaks are not hidden behind information about partial leaks. Pair matching also helps reduce false positives since both elements of a pair must be used together to access the provider's resource.

If you use the REST API for secret scanning, you can use the Secret type to report on secrets from specific issuers. For more information, see "Secret scanning."

Note: You can also define custom secret scanning patterns for your repository, organization, or enterprise. For more information, see "Defining custom patterns for secret scanning."

Supported secrets

This table lists the secrets supported by secret scanning. You can see the types of alert that get generated for each token.

  • Provider—name of the token provider.
  • Secret scanning alert—token for which leaks are reported to users on GitHub. Applies to private repositories where GitHub Advanced Security and secret scanning enabled.
ProviderTokenSecret scanning alert
Adobeadobe_device_token
Adobeadobe_jwt
Adobeadobe_service_token
Adobeadobe_short_lived_access_token
Atlassianatlassian_api_token
Atlassianatlassian_jwt
Azureazure_sas_token
Azureazure_management_certificate
Azureazure_sql_connection_string
Beamerbeamer_api_key
Checkout.comcheckout_test_secret_key
CloudBees CodeShipcodeship_credential
Contentfulcontentful_personal_access_token
Dropboxdropbox_access_token
Duffelduffel_test_access_token
Dynatracedynatrace_access_token
Dynatracedynatrace_internal_token
EasyPosteasypost_test_api_key
Fastlyfastly_api_token
Finicityfinicity_app_key
Flutterwaveflutterwave_test_api_secret_key
Frame.ioframeio_developer_token
Frame.ioframeio_jwt
GitLabgitlab_access_token
GoCardlessgocardless_live_access_token
GoCardlessgocardless_sandbox_access_token
Googlefirebase_cloud_messaging_server_key
Googlegoogle_oauth_access_token
Googlegoogle_oauth_refresh_token
Google Cloudgoogle_api_key
HashiCorphashicorp_vault_batch_token
HashiCorphashicorp_vault_service_token
Hashicorp Terraformterraform_api_token
Loblob_live_api_key
Loblob_test_api_key
Mailchimpmailchimp_api_key
Mailgunmailgun_api_key
Mapboxmapbox_secret_access_token
MessageBirdmessagebird_api_key
Metafacebook_access_token
Midtransmidtrans_sandbox_server_key
New Relicnew_relic_license_key
Notionnotion_integration_token
Notionnotion_oauth_client_secret
Octopus Deployoctopus_deploy_api_key
Onfidoonfido_sandbox_api_token
Palantirpalantir_jwt
Plivoplivo_auth_id
plivo_auth_token
Proctorioproctorio_consumer_key
Proctorioproctorio_linkage_key
Proctorioproctorio_registration_key
Pulumipulumi_access_token
PyPIpypi_api_token
RubyGemsrubygems_api_key
Shipposhippo_test_api_token
Shopifyshopify_custom_app_access_token
Shopifyshopify_private_app_password
Slackslack_incoming_webhook_url
Slackslack_workflow_webhook_url
Squaresquare_access_token
Squaresquare_production_application_secret
Squaresquare_sandbox_application_secret
SSLMatesslmate_api_key
SSLMatesslmate_cluster_secret
Stripestripe_live_restricted_key
Stripestripe_api_key
Stripestripe_test_restricted_key
Stripestripe_test_secret_key
Stripestripe_webhook_signing_secret
Supabasesupabase_service_key
Tableautableau_personal_access_token
Telegramtelegram_bot_token
Twiliotwilio_access_token
Twiliotwilio_account_sid
Twiliotwilio_api_key
Yandexyandex_cloud_api_key
Yandexyandex_cloud_iam_cookie
Yandexyandex_cloud_iam_token
Yandexyandex_dictionary_api_key
Yandexyandex_predictor_api_key
Yandexyandex_translate_api_key

Further reading