Note: Your site administrator must enable secret scanning for your GitHub Enterprise Server instance before you can use this feature. For more information, see "Configuring secret scanning for your appliance."
About secret scanning alerts
When secret scanning is enabled, GitHub scans repositories for secrets issued by a large variety of service providers and generates secret scanning alerts.
You can see these alerts on the Security tab of the repository.
If access to a resource requires paired credentials, then secret scanning will create an alert only when both parts of the pair are detected in the same file. This ensures that the most critical leaks are not hidden behind information about partial leaks. Pair matching also helps reduce false positives since both elements of a pair must be used together to access the provider's resource.
If you use the REST API for secret scanning, you can use the Secret type to report on secrets from specific issuers. For more information, see "Secret scanning."
Note: You can also define custom secret scanning patterns for your repository, organization, or enterprise. For more information, see "Defining custom patterns for secret scanning."
Supported secrets
This table lists the secrets supported by secret scanning. You can see the types of alert that get generated for each token.
- Provider—name of the token provider.
- Secret scanning alert—token for which leaks are reported to users on GitHub. Applies to private repositories where GitHub Advanced Security and secret scanning enabled.
| Provider | Token | Secret scanning alert |
|---|---|---|
| Adobe | adobe_device_token | |
| Adobe | adobe_jwt | |
| Adobe | adobe_service_token | |
| Adobe | adobe_short_lived_access_token | |
| Atlassian | atlassian_api_token | |
| Atlassian | atlassian_jwt | |
| Azure | azure_sas_token | |
| Azure | azure_management_certificate | |
| Azure | azure_sql_connection_string | |
| Beamer | beamer_api_key | |
| Checkout.com | checkout_test_secret_key | |
| CloudBees CodeShip | codeship_credential | |
| Contentful | contentful_personal_access_token | |
| Dropbox | dropbox_access_token | |
| Duffel | duffel_test_access_token | |
| Dynatrace | dynatrace_access_token | |
| Dynatrace | dynatrace_internal_token | |
| EasyPost | easypost_test_api_key | |
| Fastly | fastly_api_token | |
| Finicity | finicity_app_key | |
| Flutterwave | flutterwave_test_api_secret_key | |
| Frame.io | frameio_developer_token | |
| Frame.io | frameio_jwt | |
| GitLab | gitlab_access_token | |
| GoCardless | gocardless_live_access_token | |
| GoCardless | gocardless_sandbox_access_token | |
| firebase_cloud_messaging_server_key | ||
| google_oauth_access_token | ||
| google_oauth_refresh_token | ||
| Google Cloud | google_api_key | |
| HashiCorp | hashicorp_vault_batch_token | |
| HashiCorp | hashicorp_vault_service_token | |
| Hashicorp Terraform | terraform_api_token | |
| Lob | lob_live_api_key | |
| Lob | lob_test_api_key | |
| Mailchimp | mailchimp_api_key | |
| Mailgun | mailgun_api_key | |
| Mapbox | mapbox_secret_access_token | |
| MessageBird | messagebird_api_key | |
| Meta | facebook_access_token | |
| Midtrans | midtrans_sandbox_server_key | |
| New Relic | new_relic_license_key | |
| Notion | notion_integration_token | |
| Notion | notion_oauth_client_secret | |
| Octopus Deploy | octopus_deploy_api_key | |
| Onfido | onfido_sandbox_api_token | |
| Palantir | palantir_jwt | |
| Plivo | plivo_auth_id plivo_auth_token | |
| Proctorio | proctorio_consumer_key | |
| Proctorio | proctorio_linkage_key | |
| Proctorio | proctorio_registration_key | |
| Pulumi | pulumi_access_token | |
| PyPI | pypi_api_token | |
| RubyGems | rubygems_api_key | |
| Shippo | shippo_test_api_token | |
| Shopify | shopify_custom_app_access_token | |
| Shopify | shopify_private_app_password | |
| Slack | slack_incoming_webhook_url | |
| Slack | slack_workflow_webhook_url | |
| Square | square_access_token | |
| Square | square_production_application_secret | |
| Square | square_sandbox_application_secret | |
| SSLMate | sslmate_api_key | |
| SSLMate | sslmate_cluster_secret | |
| Stripe | stripe_live_restricted_key | |
| Stripe | stripe_api_key | |
| Stripe | stripe_test_restricted_key | |
| Stripe | stripe_test_secret_key | |
| Stripe | stripe_webhook_signing_secret | |
| Supabase | supabase_service_key | |
| Tableau | tableau_personal_access_token | |
| Telegram | telegram_bot_token | |
| Twilio | twilio_access_token | |
| Twilio | twilio_account_sid | |
| Twilio | twilio_api_key | |
| Yandex | yandex_cloud_api_key | |
| Yandex | yandex_cloud_iam_cookie | |
| Yandex | yandex_cloud_iam_token | |
| Yandex | yandex_dictionary_api_key | |
| Yandex | yandex_predictor_api_key | |
| Yandex | yandex_translate_api_key |
Further reading
- "Securing your repository"
- "Keeping your account and data secure"
- "Secret scanning partner program" in the GitHub Enterprise Cloud documentation