About secret scanning patterns
GitHub maintains these different sets of default secret scanning patterns:
-
Partner patterns. Used to detect potential secrets in all public repositories. To find out about our partner program, see "Secret scanning partner program."
-
User alert patterns. Used to detect potential secrets in public repositories with secret scanning alerts for users enabled.
Owners of public repositories, as well as organizations using GitHub Enterprise Cloud with GitHub Advanced Security, can enable secret scanning alerts for users on their repositories.
For details about all the supported patterns, see the "Supported secrets section below.
If you believe that secret scanning should have detected a secret committed to your repository, and it has not, you first need to check that GitHub supports your secret. For more information, refer to the sections below. For more advanced troubleshooting information, see "Troubleshooting secret scanning."
About partner alerts
Partner alerts are alerts that are sent to the secret providers whenever a secret leak is reported for one of their secrets. GitHub currently scans public repositories for secrets issued by specific service providers and alerts the relevant service provider whenever a secret is detected in a commit. For more information about secret scanning alerts for partners, see "About secret scanning."
If access to a resource requires paired credentials, then secret scanning will create an alert only when both parts of the pair are detected in the same file. This ensures that the most critical leaks are not hidden behind information about partial leaks. Pair matching also helps reduce false positives since both elements of a pair must be used together to access the provider's resource.
About user alerts
User alerts are alerts that are reported to users on GitHub. When secret scanning alerts for users are enabled, GitHub scans repositories for secrets issued by a large variety of service providers and generates secret scanning alerts.
You can see these alerts on the Security tab of the repository. For more information about secret scanning alerts for users, see "About secret scanning."
If access to a resource requires paired credentials, then secret scanning will create an alert only when both parts of the pair are detected in the same file. This ensures that the most critical leaks are not hidden behind information about partial leaks. Pair matching also helps reduce false positives since both elements of a pair must be used together to access the provider's resource.
If you use the REST API for secret scanning, you can use the Secret type to report on secrets from specific issuers. For more information, see "Secret scanning."
Supported secrets
This table lists the secrets supported by secret scanning. You can see the types of alert that get generated for each token, as well as whether a validity check is performed on the token.
- Partner—token for which leaks are reported to the relevant token partner. Applies to public repositories only.
- User—token for which leaks are reported to users on GitHub. Applies to public repositories, and to private repositories where GitHub Advanced Security is enabled.
- Validity check—token for which a validity check is implemented. Currently only applies to GitHub tokens.
| Token | Partner | User | Validity check |
|---|---|---|---|
| adafruit_io_key | |||
| adobe_device_token | |||
| adobe_jwt | |||
| adobe_service_token | |||
| adobe_short_lived_access_token | |||
| alibaba_cloud_access_key_id alibaba_cloud_access_key_secret | |||
| aws_access_key_id aws_secret_access_key | |||
| atlassian_api_token | |||
| atlassian_jwt | |||
| azure_active_directory_application_secret | |||
| azure_batch_key_identifiable | |||
| azure_cosmosdb_key_identifiable | |||
| azure_devops_personal_access_token | |||
| azure_ml_studio_classic_web_service_key azure_ml_web_service_classic_identifiable_key | |||
| azure_sas_token | |||
| azure_search_admin_key | |||
| azure_search_query_key | |||
| azure_management_certificate | |||
| azure_sql_connection_string | |||
| azure_storage_account_key | |||
| cds_canada_notify_api_key | |||
| checkout_production_secret_key | |||
| checkout_test_secret_key | |||
| chief_tools_token | |||
| clojars_deploy_token | |||
| codeship_credential | |||
| CONTRIBUTED_SYSTEMS_CREDENTIALS | |||
| databricks_access_token | |||
| DATADOG_API_KEY | |||
| devcycle_client_api_key | |||
| devcycle_server_api_key | |||
| digitalocean_oauth_token | |||
| digitalocean_personal_access_token | |||
| digitalocean_refresh_token | |||
| digitalocean_system_token | |||
| discord_bot_token | |||
| doppler_audit_token | |||
| doppler_cli_token | |||
| doppler_personal_token | |||
| doppler_scim_token | |||
| doppler_service_token | |||
| dropbox_access_token | |||
| dropbox_short_lived_access_token | |||
| dynatrace_access_token | |||
| dynatrace_internal_token | |||
| figma_pat | |||
| finicity_app_key | |||
| frameio_developer_token | |||
| frameio_jwt | |||
| fullstory_api_key | |||
| github_app_installation_access_token | |||
| github_oauth_access_token | |||
| github_personal_access_token | |||
| github_refresh_token | |||
| github_ssh_private_key | |||
| gocardless_live_access_token | |||
| gocardless_sandbox_access_token | |||
| google_api_key | |||
| google_cloud_private_key_id | |||
| terraform_api_token | |||
| hubspot_api_key | |||
| hubspot_api_personal_access_key | |||
| ionic_personal_access_token | |||
| ionic_refresh_token | |||
| jd_cloud_access_key | |||
| linear_api_key | |||
| linear_oauth_access_token | |||
| localstack_api_key | |||
| mailchimp_api_key | |||
| MANDRILL_API | |||
| mailgun_api_key | |||
| messagebird_api_key | |||
| facebook_access_token | |||
| npm_access_token | |||
| nuget_api_key | |||
| octopus_deploy_api_key | |||
| openai_api_key | |||
| palantir_jwt | |||
| planetscale_database_password | |||
| planetscale_oauth_token | |||
| planetscale_service_token | |||
| plivo_auth_id plivo_auth_token | |||
| postman_api_key | |||
| prefect_server_api_key | |||
| PREFECT_USER_API_TOKEN | |||
| proctorio_consumer_key | |||
| proctorio_linkage_key | |||
| proctorio_registration_key | |||
| proctorio_secret_key | |||
| pulumi_access_token | |||
| pypi_api_token | |||
| readmeio_api_access_token | |||
| redirect_pizza_api_token | |||
| rubygems_api_key | |||
| samsara_api_token | |||
| samsara_oauth_access_token | |||
| segment_public_api_token | |||
| sendgrid_api_key | |||
| sendinblue_api_key | |||
| sendinblue_smtp_key | |||
| shopify_access_token | |||
| shopify_app_shared_secret | |||
| shopify_custom_app_access_token | |||
| shopify_private_app_password | |||
| slack_api_token | |||
| slack_incoming_webhook_url | |||
| slack_workflow_webhook_url | |||
| sslmate_api_key | |||
| sslmate_cluster_secret | |||
| stripe_live_restricted_key | |||
| stripe_live_secret_key | |||
| stripe_test_restricted_key | |||
| stripe_test_secret_key | |||
| supabase_service_key | |||
| telnyx_api_v2_key | |||
| tencent_cloud_secret_id | |||
| tencent_wechat_api_app_id | |||
| twilio_account_sid | |||
| twilio_api_key | |||
| typeform_personal_access_token | |||
| wiseflow_api_key | |||
| wakatime_pp_secret | |||
| wakatime_oauth_access_token | |||
| wakatime_oauth_refresh_token | |||
| yandex_iam_access_secret | |||
| yandex_cloud_api_key | |||
| yandex_cloud_iam_cookie | |||
| yandex_cloud_iam_token | |||
| yandex_dictionary_api_key | |||
| YANDEX_PASSPORT_OAUTH_TOKEN | |||
| zuplo_consumer_api_key |