Note: Your site administrator must enable secret scanning for your GitHub Enterprise Server instance before you can use this feature. For more information, see "Configuring secret scanning for your appliance."
You may not be able to enable or disable secret scanning, if an enterprise owner has set a GitHub Advanced Security (GHAS) policy at the enterprise level. For more information, see "Enforcing policies for code security and analysis for your enterprise."
About secret scanning alerts
When secret scanning is enabled, GitHub scans repositories for secrets issued by a large variety of service providers and generates secret scanning alerts.
You can see these alerts on the Security tab of the repository.
If access to a resource requires paired credentials, then secret scanning will create an alert only when both parts of the pair are detected in the same file. This ensures that the most critical leaks are not hidden behind information about partial leaks. Pair matching also helps reduce false positives since both elements of a pair must be used together to access the provider's resource.
If you use the REST API for secret scanning, you can use the Secret type
to report on secrets from specific issuers. For more information, see "Secret scanning."
Note: You can also define custom secret scanning patterns for your repository, organization, or enterprise. For more information, see "Defining custom patterns for secret scanning."
About push protection alerts
Push protection alerts are user alerts that are reported by push protection. Secret scanning as a push protection currently scans repositories for secrets issued by some service providers.
If access to a resource requires paired credentials, then secret scanning will create an alert only when both parts of the pair are detected in the same file. This ensures that the most critical leaks are not hidden behind information about partial leaks. Pair matching also helps reduce false positives since both elements of a pair must be used together to access the provider's resource.
Older versions of certain tokens may not be supported by push protection as these tokens may generate a higher number of false positives than their most recent version. Push protection may also not apply to legacy tokens. For tokens such as Azure Storage Keys, GitHub only supports recently created tokens, not tokens that match the legacy patterns. For more information about push protection limitations, see "Troubleshooting secret scanning."
Supported secrets
This table lists the secrets supported by secret scanning. You can see the types of alert that get generated for each token.
- Provider—name of the token provider.
- Secret scanning alert—token for which leaks are reported to users on GitHub. Applies to private repositories where GitHub Advanced Security and secret scanning enabled.
- Push protection—token for which leaks are reported to users on GitHub. Applies to repositories with secret scanning and push protection enabled.
Provider | Token | Secret scanning alert | Push protection |
---|---|---|---|
Adafruit IO | adafruit_io_key | ||
Adobe | adobe_device_token | ||
Adobe | adobe_jwt | ||
Adobe | adobe_service_token | ||
Adobe | adobe_short_lived_access_token | ||
Alibaba Cloud | alibaba_cloud_access_key_id alibaba_cloud_access_key_secret | ||
Amazon | amazon_oauth_client_id amazon_oauth_client_secret | ||
Amazon Web Services (AWS) | aws_access_key_id aws_secret_access_key | ||
Amazon Web Services (AWS) | aws_session_token aws_temporary_access_key_id aws_secret_access_key | ||
Asana | asana_personal_access_token | ||
Atlassian | atlassian_api_token | ||
Atlassian | atlassian_jwt | ||
Atlassian | bitbucket_server_personal_access_token | ||
Azure | azure_active_directory_application_secret | ||
Azure | azure_cache_for_redis_access_key | ||
Azure | azure_devops_personal_access_token | ||
Azure | azure_function_key | ||
Azure | azure_sas_token | ||
Azure | azure_management_certificate | ||
Azure | azure_sql_connection_string | ||
Beamer | beamer_api_key | ||
Checkout.com | checkout_production_secret_key | ||
Checkout.com | checkout_test_secret_key | ||
Clojars | clojars_deploy_token | ||
CloudBees CodeShip | codeship_credential | ||
Contentful | contentful_personal_access_token | ||
Databricks | databricks_access_token | ||
DigitalOcean | digitalocean_oauth_token | ||
DigitalOcean | digitalocean_personal_access_token | ||
DigitalOcean | digitalocean_refresh_token | ||
DigitalOcean | digitalocean_system_token | ||
Discord | discord_bot_token | ||
Doppler | doppler_audit_token | ||
Doppler | doppler_cli_token | ||
Doppler | doppler_personal_token | ||
Doppler | doppler_scim_token | ||
Doppler | doppler_service_token | ||
Dropbox | dropbox_access_token | ||
Dropbox | dropbox_short_lived_access_token | ||
Duffel | duffel_live_access_token | ||
Duffel | duffel_test_access_token | ||
Dynatrace | dynatrace_access_token | ||
Dynatrace | dynatrace_internal_token | ||
EasyPost | easypost_production_api_key | ||
EasyPost | easypost_test_api_key | ||
Fastly | fastly_api_token | ||
Finicity | finicity_app_key | ||
Flutterwave | flutterwave_live_api_secret_key | ||
Flutterwave | flutterwave_test_api_secret_key | ||
Frame.io | frameio_developer_token | ||
Frame.io | frameio_jwt | ||
FullStory | fullstory_api_key | ||
GitHub | github_app_installation_access_token | ||
GitHub | github_oauth_access_token | ||
GitHub | github_personal_access_token | ||
GitHub | github_refresh_token | ||
GitHub | github_ssh_private_key | ||
GitLab | gitlab_access_token | ||
GoCardless | gocardless_live_access_token | ||
GoCardless | gocardless_sandbox_access_token | ||
firebase_cloud_messaging_server_key | |||
google_cloud_storage_service_account_access_key_id google_cloud_storage_access_key_secret | |||
google_cloud_storage_user_access_key_id google_cloud_storage_access_key_secret | |||
google_oauth_access_token | |||
google_oauth_client_id google_oauth_client_secret | |||
google_oauth_refresh_token | |||
Google Cloud | google_api_key | ||
HashiCorp | hashicorp_vault_batch_token | ||
HashiCorp | hashicorp_vault_service_token | ||
Hashicorp Terraform | terraform_api_token | ||
Hubspot | hubspot_api_key | ||
Intercom | intercom_access_token | ||
Ionic | ionic_personal_access_token | ||
Ionic | ionic_refresh_token | ||
JD Cloud | jd_cloud_access_key | ||
Linear | linear_api_key | ||
Linear | linear_oauth_access_token | ||
Lob | lob_live_api_key | ||
Lob | lob_test_api_key | ||
Mailchimp | mailchimp_api_key | ||
Mailgun | mailgun_api_key | ||
Mapbox | mapbox_secret_access_token | ||
MessageBird | messagebird_api_key | ||
Meta | facebook_access_token | ||
Midtrans | midtrans_production_server_key | ||
Midtrans | midtrans_sandbox_server_key | ||
New Relic | new_relic_insights_query_key | ||
New Relic | new_relic_license_key | ||
New Relic | new_relic_personal_api_key | ||
New Relic | new_relic_rest_api_key | ||
Notion | notion_integration_token | ||
Notion | notion_oauth_client_secret | ||
npm | npm_access_token | ||
NuGet | nuget_api_key | ||
Octopus Deploy | octopus_deploy_api_key | ||
Onfido | onfido_live_api_token | ||
Onfido | onfido_sandbox_api_token | ||
OpenAI | openai_api_key | ||
Palantir | palantir_jwt | ||
PlanetScale | planetscale_database_password | ||
PlanetScale | planetscale_oauth_token | ||
PlanetScale | planetscale_service_token | ||
Plivo | plivo_auth_id plivo_auth_token | ||
Postman | postman_api_key | ||
Proctorio | proctorio_consumer_key | ||
Proctorio | proctorio_linkage_key | ||
Proctorio | proctorio_registration_key | ||
Proctorio | proctorio_secret_key | ||
Pulumi | pulumi_access_token | ||
PyPI | pypi_api_token | ||
RubyGems | rubygems_api_key | ||
Samsara | samsara_api_token | ||
Samsara | samsara_oauth_access_token | ||
SendGrid | sendgrid_api_key | ||
Sendinblue | sendinblue_api_key | ||
Sendinblue | sendinblue_smtp_key | ||
Shippo | shippo_live_api_token | ||
Shippo | shippo_test_api_token | ||
Shopify | shopify_access_token | ||
Shopify | shopify_app_client_credentials | ||
Shopify | shopify_app_client_secret | ||
Shopify | shopify_app_shared_secret | ||
Shopify | shopify_custom_app_access_token | ||
Shopify | shopify_marketplace_token | ||
Shopify | shopify_merchant_token | ||
Shopify | shopify_partner_api_token | ||
Shopify | shopify_private_app_password | ||
Slack | slack_api_token | ||
Slack | slack_incoming_webhook_url | ||
Slack | slack_workflow_webhook_url | ||
Square | square_access_token | ||
Square | square_production_application_secret | ||
Square | square_sandbox_application_secret | ||
SSLMate | sslmate_api_key | ||
SSLMate | sslmate_cluster_secret | ||
Stripe | stripe_live_restricted_key | ||
Stripe | stripe_api_key | ||
Stripe | stripe_legacy_api_key | ||
Stripe | stripe_test_restricted_key | ||
Stripe | stripe_test_secret_key | ||
Stripe | stripe_webhook_signing_secret | ||
Supabase | supabase_service_key | ||
Tableau | tableau_personal_access_token | ||
Telegram | telegram_bot_token | ||
Tencent Cloud | tencent_cloud_secret_id | ||
Twilio | twilio_access_token | ||
Twilio | twilio_account_sid | ||
Twilio | twilio_api_key | ||
Typeform | typeform_personal_access_token | ||
WorkOS | workos_production_api_key | ||
WorkOS | workos_staging_api_key | ||
Yandex | yandex_iam_access_secret | ||
Yandex | yandex_cloud_api_key | ||
Yandex | yandex_cloud_iam_cookie | ||
Yandex | yandex_cloud_iam_token | ||
Yandex | yandex_dictionary_api_key | ||
Yandex | yandex_predictor_api_key | ||
Yandex | yandex_translate_api_key |
Further reading
- "Securing your repository"
- "Keeping your account and data secure"
- "Secret scanning partner program" in the GitHub Enterprise Cloud documentation