
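Secret scanning patterns

Lists of supported secrets and the partners that GitHub works with to prevent fraudulent use of secrets that were committed accidentally.

Secret scanning alerts for partners run automatically on public repositories to notify service providers about leaked secrets on GitHub.com.

Secret scanning alerts for users are available for free on all public repositories. Organizations using GitHub Enterprise Cloud with a license for GitHub Advanced Security can also enable secret scanning alerts for users on their private and internal repositories. For more information, see "About secret scanning" and "About GitHub Advanced Security."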

About secret scanning patterns

GitHub maintains these different sets of default secret scanning patterns:

  1. Partner patterns. Used to detect potential secrets in all public repositories. To find out about our partner program, see "Secret scanning partner program."

  2. User alert patterns. Used to detect potential secrets in public repositories with secret scanning alerts for users enabled.

Owners of public repositories, as well as organizations using GitHub Enterprise Cloud with GitHub Advanced Security, can enable secret scanning alerts for users on their repositories.

For details about all the supported patterns, see the "Supported secrets" section below.

If you believe that secret scanning should have detected a secret committed to your repository, and it has not, you first need to check that GitHub supports your secret. For more information, refer to the sections below. For more advanced troubleshooting information, see "Troubleshooting secret scanning."

About partner alerts

Partner alerts are alerts that are sent to the secret providers whenever a secret leak is reported for one of their secrets. GitHub currently scans public repositories for secrets issued by specific service providers and alerts the relevant service provider whenever a secret is detected in a commit. For more information about secret scanning alerts for partners, see "About secret scanning."

If access to a resource requires paired credentials, then secret scanning will create an alert only when both parts of the pair are detected in the same file. This ensures that the most critical leaks are not hidden behind information about partial leaks. Pair matching also helps reduce false positives since both elements of a pair must be used together to access the provider's resource.

About user alerts

User alerts are alerts that are reported to users on GitHub. When secret scanning alerts for users are enabled, GitHub scans repositories for secrets issued by a large variety of service providers and generates secret scanning alerts.

You can see these alerts on the Security tab of the repository. For more information about secret scanning alerts for users, see "About secret scanning."

If access to a resource requires paired credentials, then secret scanning will create an alert only when both parts of the pair are detected in the same file. This ensures that the most critical leaks are not hidden behind information about partial leaks. Pair matching also helps reduce false positives since both elements of a pair must be used together to access the provider's resource.
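The pair-matching rule described above for both partner and user alerts, sketched as an added example (not GitHub's own code). The regexes are simplified assumptions rather than GitHub's real detectors, the function names are hypothetical, and the sample files are constructed using the example key values from AWS's documentation.

```python
import re

# Simplified stand-in patterns (assumptions for illustration, not GitHub's
# real detectors). The pair uses two token type names from the table below.
PAIRS = {
    "aws": {
        "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
        "aws_secret_access_key": re.compile(
            r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])"),
    },
}


def scan_file(path, text):
    """Return one alert per pair whose two halves both occur in this file."""
    alerts = []
    for provider, patterns in PAIRS.items():
        hits = {name: sorted(set(rx.findall(text)))
                for name, rx in patterns.items()}
        if all(hits.values()):  # every half of the pair matched at least once
            alerts.append({"path": path, "provider": provider, "matches": hits})
    return alerts


def scan_repo(files):
    """files maps path -> contents. Pairing is evaluated per file, so halves
    that sit in different files never combine into an alert."""
    alerts = []
    for path, text in files.items():
        alerts.extend(scan_file(path, text))
    return alerts


# Constructed sample input; the key values are AWS's documentation examples.
SAMPLE_FILES = {
    "deploy/config.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "docs/notes.md": "Old key id was AKIAIOSFODNN7EXAMPLE, secret is elsewhere.\n",
    "scripts/secret_only.sh": "export S=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
}

if __name__ == "__main__":
    for alert in scan_repo(SAMPLE_FILES):
        print(alert["path"], alert["provider"], list(alert["matches"]))
```

Only `deploy/config.env` produces an alert; the files holding a single half of the pair stay silent, which is the partial-leak suppression the paragraph describes.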

If you use the REST API for secret scanning, you can use the Secret type to report on secrets from specific issuers. For more information, see "Secret scanning."

Supported secrets

This table lists the secrets supported by secret scanning. You can see the types of alert that get generated for each token, as well as whether a validity check is performed on the token.

  • Partner—token for which leaks are reported to the relevant token partner. Applies to public repositories only.
  • User—token for which leaks are reported to users on GitHub. Applies to public repositories, and to private repositories where GitHub Advanced Security is enabled.
  • Validity check—token for which a validity check is implemented. Currently only applies to GitHub tokens.
Token | Partner | User | Validity check
adafruit_io_key
adobe_device_token
adobe_jwt
adobe_service_token
adobe_short_lived_access_token
alibaba_cloud_access_key_id
alibaba_cloud_access_key_secret
aws_access_key_id
aws_secret_access_key
atlassian_api_token
atlassian_jwt
azure_active_directory_application_secret
azure_batch_key_identifiable
azure_cosmosdb_key_identifiable
azure_devops_personal_access_token
azure_ml_studio_classic_web_service_key
azure_ml_web_service_classic_identifiable_key
azure_sas_token
azure_search_admin_key
azure_search_query_key
azure_management_certificate
azure_sql_connection_string
azure_storage_account_key
cds_canada_notify_api_key
checkout_production_secret_key
checkout_test_secret_key
chief_tools_token
clojars_deploy_token
codeship_credential
CONTRIBUTED_SYSTEMS_CREDENTIALS
databricks_access_token
DATADOG_API_KEY
devcycle_client_api_key
devcycle_server_api_key
digitalocean_oauth_token
digitalocean_personal_access_token
digitalocean_refresh_token
digitalocean_system_token
discord_bot_token
doppler_audit_token
doppler_cli_token
doppler_personal_token
doppler_scim_token
doppler_service_token
dropbox_access_token
dropbox_short_lived_access_token
dynatrace_access_token
dynatrace_internal_token
figma_pat
finicity_app_key
frameio_developer_token
frameio_jwt
fullstory_api_key
github_app_installation_access_token
github_oauth_access_token
github_personal_access_token
github_refresh_token
github_ssh_private_key
gocardless_live_access_token
gocardless_sandbox_access_token
google_api_key
google_cloud_private_key_id
terraform_api_token
hubspot_api_key
hubspot_api_personal_access_key
ionic_personal_access_token
ionic_refresh_token
jd_cloud_access_key
linear_api_key
linear_oauth_access_token
localstack_api_key
mailchimp_api_key
MANDRILL_API
mailgun_api_key
messagebird_api_key
facebook_access_token
npm_access_token
nuget_api_key
octopus_deploy_api_key
openai_api_key
palantir_jwt
planetscale_database_password
planetscale_oauth_token
planetscale_service_token
plivo_auth_id
plivo_auth_token
postman_api_key
prefect_server_api_key
PREFECT_USER_API_TOKEN
proctorio_consumer_key
proctorio_linkage_key
proctorio_registration_key
proctorio_secret_key
pulumi_access_token
pypi_api_token
readmeio_api_access_token
redirect_pizza_api_token
rubygems_api_key
samsara_api_token
samsara_oauth_access_token
segment_public_api_token
sendgrid_api_key
sendinblue_api_key
sendinblue_smtp_key
shopify_access_token
shopify_app_shared_secret
shopify_custom_app_access_token
shopify_private_app_password
slack_api_token
slack_incoming_webhook_url
slack_workflow_webhook_url
sslmate_api_key
sslmate_cluster_secret
stripe_live_restricted_key
stripe_live_secret_key
stripe_test_restricted_key
stripe_test_secret_key
supabase_service_key
telnyx_api_v2_key
tencent_cloud_secret_id
tencent_wechat_api_app_id
twilio_account_sid
twilio_api_key
typeform_personal_access_token
wiseflow_api_key
wakatime_pp_secret
wakatime_oauth_access_token
wakatime_oauth_refresh_token
yandex_iam_access_secret
yandex_cloud_api_key
yandex_cloud_iam_cookie
yandex_cloud_iam_token
yandex_dictionary_api_key
YANDEX_PASSPORT_OAUTH_TOKEN
zuplo_consumer_api_key

Further reading