Secret scanning patterns

Lists of supported secrets and the partners that GitHub works with to prevent fraudulent use of secrets that were committed accidentally.

Secret scanning alerts for partners runs automatically on public repositories to notify service providers about leaked secrets on GitHub.com.

Secret scanning alerts for users are available for free on all public repositories. Organizations using GitHub Enterprise Cloud with a license for GitHub Advanced Security can also enable secret scanning alerts for users on their private and internal repositories. For more information, see "About secret scanning" and "About GitHub Advanced Security."

About secret scanning patterns

GitHub Enterprise Cloud maintains these different sets of default secret scanning patterns:

  1. Partner patterns. Used to detect potential secrets in all public repositories. To find out about our partner program, see "Secret scanning partner program."

  2. User alert patterns. Used to detect potential secrets in repositories with secret scanning alerts for users enabled.

  3. Push protection patterns. Used to detect potential secrets in repositories with secret scanning as a push protection enabled.

For details about all the supported patterns, see the "Supported secrets" section below.

If you believe that secret scanning should have detected a secret committed to your repository, and it has not, you first need to check that GitHub supports your secret. For more information, refer to the sections below. For more advanced troubleshooting information, see "Troubleshooting secret scanning."

About partner alerts

Partner alerts are alerts that are sent to the secret providers whenever a secret leak is reported for one of their secrets. GitHub Enterprise Cloud currently scans public repositories for secrets issued by specific service providers and alerts the relevant service provider whenever a secret is detected in a commit. For more information about secret scanning alerts for partners, see "About secret scanning."

If access to a resource requires paired credentials, then secret scanning will create an alert only when both parts of the pair are detected in the same file. This ensures that the most critical leaks are not hidden behind information about partial leaks. Pair matching also helps reduce false positives since both elements of a pair must be used together to access the provider's resource.

About user alerts

User alerts are alerts that are reported to users on GitHub. When secret scanning alerts for users are enabled, GitHub scans repositories for secrets issued by a large variety of service providers and generates secret scanning alerts.

You can see these alerts on the Security tab of the repository. For more information about secret scanning alerts for users, see "About secret scanning."

If access to a resource requires paired credentials, then secret scanning will create an alert only when both parts of the pair are detected in the same file. This ensures that the most critical leaks are not hidden behind information about partial leaks. Pair matching also helps reduce false positives since both elements of a pair must be used together to access the provider's resource.

If you use the REST API for secret scanning, you can use the Secret type to report on secrets from specific issuers. For more information, see "Secret scanning."

Note: You can also define custom secret scanning patterns for your repository, organization, or enterprise. For more information, see "Defining custom patterns for secret scanning."

About push protection alerts

Push protection alerts are user alerts that are reported by push protection. Secret scanning as a push protection currently scans repositories for secrets issued by some service providers.

If access to a resource requires paired credentials, then secret scanning will create an alert only when both parts of the pair are detected in the same file. This ensures that the most critical leaks are not hidden behind information about partial leaks. Pair matching also helps reduce false positives since both elements of a pair must be used together to access the provider's resource.
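The pair-matching rule that the partner, user and push protection sections describe, as an added sketch that is not GitHub's code: the two regular expressions are illustrative assumptions rather than GitHub's actual patterns, and the file paths and credential values are constructed.

```python
import re

# Illustrative patterns (assumptions for this example); GitHub's real
# detection patterns are not given on this page.
PAIRS = {
    "aws": {
        "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
        "aws_secret_access_key": re.compile(
            r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])"
        ),
    },
}

# Constructed, non-functional values that merely fit the patterns above.
FAKE_ID = "AKIA" + "EXAMPLE0" * 2
FAKE_SECRET = "fakeSecret" * 4

# Constructed repository contents: path -> file text.
SAMPLE_FILES = {
    "deploy/id_only.env": f"AWS_ACCESS_KEY_ID={FAKE_ID}\n",
    "deploy/secret_only.env": f"AWS_SECRET_ACCESS_KEY={FAKE_SECRET}\n",
    "deploy/both.env": f"AWS_ACCESS_KEY_ID={FAKE_ID}\n"
                       f"AWS_SECRET_ACCESS_KEY={FAKE_SECRET}\n",
}


def scan_file(path, text):
    """Alert on a provider only if every part of its pair is in this file."""
    alerts = []
    for provider, parts in PAIRS.items():
        hits = {name: len(rx.findall(text)) for name, rx in parts.items()}
        if all(hits.values()):
            alerts.append({"path": path, "provider": provider,
                           "secret_types": sorted(hits)})
    return alerts


def scan_repo(files):
    """Scan each file on its own; matches are never combined across files."""
    return [alert for path, text in files.items()
            for alert in scan_file(path, text)]


if __name__ == "__main__":
    for alert in scan_repo(SAMPLE_FILES):
        print(alert["path"], alert["provider"], alert["secret_types"])
```

Only `deploy/both.env` produces an alert: the key ID and the secret each appear alone in the other two files, so a pair split across files goes unreported under this rule.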

Older versions of certain tokens may not be supported by push protection as these tokens may generate a higher number of false positives than their most recent version. Push protection may also not apply to legacy tokens. For tokens such as Azure Storage Keys, GitHub only supports recently created tokens, not tokens that match the legacy patterns. For more information about push protection limitations, see "Troubleshooting secret scanning."

Supported secrets

This table lists the secrets supported by secret scanning. You can see the types of alert that get generated for each token, as well as whether a validity check is performed on the token.

  • Partner—token for which leaks are reported to the relevant token partner. Applies to public repositories only.
  • User—token for which leaks are reported to users on GitHub. Applies to public repositories, and to private repositories where GitHub Advanced Security is enabled.
  • Push protection—token for which leaks are reported to users on GitHub. Applies to repositories with secret scanning and push protection enabled.
  • Validity check—token for which a validity check is implemented. Currently only applies to GitHub tokens.
Token | Partner | User | Push protection | Validity check
adafruit_io_key
adobe_device_token
adobe_jwt
adobe_service_token
adobe_short_lived_access_token
aiven_auth_token
aiven_service_password
alibaba_cloud_access_key_id
alibaba_cloud_access_key_secret
amazon_oauth_client_id
amazon_oauth_client_secret
aws_access_key_id
aws_secret_access_key
aws_session_token
aws_temporary_access_key_id
aws_secret_access_key
asana_personal_access_token
atlassian_api_token
atlassian_jwt
bitbucket_server_personal_access_token
azure_active_directory_application_secret
azure_batch_key_identifiable
azure_cache_for_redis_access_key
azure_cosmosdb_key_identifiable
azure_devops_personal_access_token
azure_ml_studio_classic_web_service_key
azure_ml_web_service_classic_identifiable_key
azure_ml_web_service_classic_identifiable_key
azure_sas_token
azure_search_admin_key
azure_search_query_key
azure_management_certificate
azure_sql_connection_string
azure_storage_account_key
beamer_api_key
cds_canada_notify_api_key
checkout_production_secret_key
checkout_test_secret_key
chief_tools_token
clojars_deploy_token
codeship_credential
contentful_personal_access_token
CONTRIBUTED_SYSTEMS_CREDENTIALS
databricks_access_token
DATADOG_API_KEY
devcycle_client_api_key
devcycle_mobile_api_key
devcycle_server_api_key
digitalocean_oauth_token
digitalocean_personal_access_token
digitalocean_refresh_token
digitalocean_system_token
discord_api_token_v2
discord_bot_token
doppler_audit_token
doppler_cli_token
doppler_personal_token
doppler_scim_token
doppler_service_token
dropbox_access_token
dropbox_short_lived_access_token
duffel_live_access_token
duffel_test_access_token
dynatrace_access_token
dynatrace_internal_token
easypost_production_api_key
easypost_test_api_key
ebay_production_client_id
ebay_production_client_secret
ebay_sandbox_client_id
ebay_sandbox_client_secret
fastly_api_token
figma_pat
finicity_app_key
flutterwave_live_api_secret_key
flutterwave_test_api_secret_key
frameio_developer_token
frameio_jwt
fullstory_api_key
github_app_installation_access_token
github_oauth_access_token
github_personal_access_token
github_refresh_token
github_ssh_private_key
gitlab_access_token
gocardless_live_access_token
gocardless_sandbox_access_token
firebase_cloud_messaging_server_key
google_cloud_storage_service_account_access_key_id
google_cloud_storage_access_key_secret
google_cloud_storage_user_access_key_id
google_cloud_storage_access_key_secret
google_oauth_access_token
google_oauth_client_id
google_oauth_client_secret
google_oauth_refresh_token
google_api_key
google_cloud_private_key_id
grafana_api_key
grafana_cloud_api_key
grafana_cloud_api_token
grafana_project_api_key
grafana_project_service_account_token
hashicorp_vault_batch_token
hashicorp_vault_batch_token
hashicorp_vault_root_service_token
hashicorp_vault_root_service_token
hashicorp_vault_service_token
hashicorp_vault_service_token
terraform_api_token
highnote_rk_live_key
highnote_rk_test_key
highnote_sk_live_key
highnote_sk_test_key
hubspot_api_key
hubspot_api_personal_access_key
intercom_access_token
ionic_personal_access_token
ionic_refresh_token
jd_cloud_access_key
jfrog_platform_access_token
jfrog_platform_api_key
linear_api_key
linear_oauth_access_token
lob_live_api_key
lob_test_api_key
localstack_api_key
logicmonitor_bearer_token
logicmonitor_lmv1_access_key
mailchimp_api_key
MANDRILL_API
mailgun_api_key
mapbox_secret_access_token
messagebird_api_key
facebook_access_token
midtrans_production_server_key
midtrans_sandbox_server_key
new_relic_insights_query_key
new_relic_license_key
new_relic_personal_api_key
new_relic_rest_api_key
notion_integration_token
notion_oauth_client_secret
npm_access_token
nuget_api_key
octopus_deploy_api_key
oculus_very_tiny_encrypted_session
onfido_live_api_token
onfido_sandbox_api_token
openai_api_key
palantir_jwt
persona_production_api_key
persona_sandbox_api_key
planetscale_database_password
planetscale_oauth_token
planetscale_service_token
plivo_auth_id
plivo_auth_token
postman_api_key
postman_collection_key
prefect_server_api_key
prefect_user_api_key
PREFECT_USER_API_TOKEN
proctorio_consumer_key
proctorio_linkage_key
proctorio_registration_key
proctorio_secret_key
pulumi_access_token
pypi_api_token
readmeio_api_access_token
redirect_pizza_api_token
rubygems_api_key
samsara_api_token
samsara_oauth_access_token
segment_public_api_token
sendgrid_api_key
sendinblue_api_key
sendinblue_smtp_key
shippo_live_api_token
shippo_test_api_token
shopify_access_token
shopify_app_client_credentials
shopify_app_client_secret
shopify_app_shared_secret
shopify_custom_app_access_token
shopify_marketplace_token
shopify_merchant_token
shopify_partner_api_token
shopify_private_app_password
slack_api_token
slack_incoming_webhook_url
slack_workflow_webhook_url
square_access_token
square_production_application_secret
square_sandbox_application_secret
sslmate_api_key
sslmate_cluster_secret
stripe_api_key
stripe_live_restricted_key
stripe_live_secret_key
stripe_api_key
stripe_test_restricted_key
stripe_test_secret_key
stripe_webhook_signing_secret
supabase_service_key
tableau_personal_access_token
telegram_bot_token
telnyx_api_v2_key
tencent_cloud_secret_id
tencent_wechat_api_app_id
twilio_access_token
twilio_account_sid
twilio_api_key
typeform_personal_access_token
wiseflow_api_key
wakatime_pp_secret
wakatime_oauth_access_token
wakatime_oauth_refresh_token
workos_production_api_key
workos_staging_api_key
yandex_iam_access_secret
yandex_cloud_api_key
yandex_cloud_iam_cookie
yandex_cloud_iam_token
yandex_dictionary_api_key
YANDEX_PASSPORT_OAUTH_TOKEN
yandex_predictor_api_key
yandex_translate_api_key
zuplo_consumer_api_key

Further reading