About secret scanning patterns
GitHub Enterprise Cloud maintains these different sets of default secret scanning patterns:
-
Partner patterns. Used to detect potential secrets in all public repositories as well as public npm packages. To find out about our partner program, see "Secret scanning partner program."
-
User alert patterns. Used to detect potential secrets in repositories with secret scanning alerts for users enabled.
-
Push protection patterns. Used to detect potential secrets in repositories with secret scanning as a push protection enabled.
For details about all the supported patterns, see the "Supported secrets" section below.
If you believe that secret scanning should have detected a secret committed to your repository, and it has not, you first need to check that GitHub supports your secret. For more information, refer to the sections below. For more advanced troubleshooting information, see "Troubleshooting secret scanning."
About partner alerts
Partner alerts are alerts that are sent to the secret providers whenever a secret leak is reported for one of their secrets. GitHub Enterprise Cloud currently scans public repositories and public npm packages for secrets issued by specific service providers and alerts the relevant service provider whenever a secret is detected in a commit. For more information about secret scanning alerts for partners, see "About secret scanning."
If access to a resource requires paired credentials, then secret scanning will create an alert only when both parts of the pair are detected in the same file. This ensures that the most critical leaks are not hidden behind information about partial leaks. Pair matching also helps reduce false positives since both elements of a pair must be used together to access the provider's resource.
About user alerts
User alerts are alerts that are reported to users on GitHub. When secret scanning alerts for users are enabled, GitHub scans repositories for secrets issued by a large variety of service providers and generates secret scanning alerts.
User alerts can be of the following types:
- High confidence alerts, which relate to supported patterns and specified custom patterns.
- Non-provider alerts, which have a higher ratio of false positives, and correspond to secrets such as private keys.
GitHub displays non-provider alerts in a different list to high confidence alerts, making triaging a better experience for users. For more information, see "Managing alerts from non-provider patterns."
Note: The detection of non-provider patterns is currently in beta and subject to change.
You can see these alerts on the Security tab of the repository. For more information about secret scanning alerts for users, see "About secret scanning."
If access to a resource requires paired credentials, then secret scanning will create an alert only when both parts of the pair are detected in the same file. This ensures that the most critical leaks are not hidden behind information about partial leaks. Pair matching also helps reduce false positives since both elements of a pair must be used together to access the provider's resource.
If you use the REST API for secret scanning, you can use the Secret type to report on secrets from specific issuers. For more information, see "Secret scanning."
Note: You can also define custom secret scanning patterns for your repository, organization, or enterprise. For more information, see "Defining custom patterns for secret scanning."
About push protection alerts
Push protection alerts are user alerts that are reported by push protection. Secret scanning as a push protection currently scans repositories for secrets issued by some service providers.
Push protection alerts are not created for secrets that are bypassed with user-based push protection only. For more information, see "Push protection for users."
If access to a resource requires paired credentials, then secret scanning will create an alert only when both parts of the pair are detected in the same file. This ensures that the most critical leaks are not hidden behind information about partial leaks. Pair matching also helps reduce false positives since both elements of a pair must be used together to access the provider's resource.
Older versions of certain tokens may not be supported by push protection as these tokens may generate a higher number of false positives than their most recent version. Push protection may also not apply to legacy tokens. For tokens such as Azure Storage Keys, GitHub only supports recently created tokens, not tokens that match the legacy patterns. For more information about push protection limitations, see "Troubleshooting secret scanning."
Supported secrets
This table lists the secrets supported by secret scanning. You can see the types of alert that get generated for each token, as well as whether a validity check is performed on the token.
-
Provider—name of the token provider.
-
Partner—token for which leaks are reported to the relevant token partner. Applies to public repositories only.
-
User—token for which leaks are reported to users on GitHub.
- Applies to public repositories, and to private repositories where GitHub Advanced Security, secret scanning.
- Includes high confidence tokens, which relate to supported patterns and specified custom patterns, as well as non-provider tokens such as private keys, which usually have a higher ratio of false positives.
- For secret scanning to scan for non-provider patterns, the detection of non-provider patterns must be enabled for the repository or the organization. For more information, see "Configuring secret scanning for your repositories."
Note: The detection of non-provider patterns is currently in beta and subject to change.
-
Push protection—token for which leaks are reported to users on GitHub. Applies to repositories with secret scanning and push protection enabled.
Note: Older versions of certain tokens may not be supported by push protection as these tokens may generate a higher number of false positives than their most recent version. Push protection may also not apply to legacy tokens. For tokens such as Azure Storage Keys, GitHub only supports recently created tokens, not tokens that match the legacy patterns. For more information about push protection limitations, see "Troubleshooting secret scanning."
-
Validity check—token for which a validity check is implemented. For partner tokens, GitHub sends the token to the relevant partner. Note that not all partners are based in the United States. For more information, see "Advanced Security" in the Site Policy documentation.
Non-provider patterns
Note: The detection of non-provider patterns is currently in beta and subject to change.
| Provider | Token |
|---|---|
| Generic | http_basic_authentication_header |
| Generic | http_bearer_authentication_header |
| Generic | mongodb_connection_string |
| Generic | mysql_connection_string |
| Generic | openssh_private_key |
| Generic | pgp_private_key |
| Generic | postgres_connection_string |
| Generic | rsa_private_key |
Push protection and validity checks are not supported for non-provider patterns.
High confidence patterns
| Provider | Token | Partner | User | Push protection | Validity check |
|---|---|---|---|---|---|
| Adafruit IO | adafruit_io_key | ||||
| Adobe | adobe_client_secret | ||||
| Adobe | adobe_device_token | ||||
| Adobe | adobe_pac_token | ||||
| Adobe | adobe_refresh_token | ||||
| Adobe | adobe_service_token | ||||
| Adobe | adobe_short_lived_access_token | ||||
| Aiven | aiven_auth_token | ||||
| Aiven | aiven_service_password | ||||
| Alibaba Cloud | alibaba_cloud_access_key_id alibaba_cloud_access_key_secret | ||||
| Login with Amazon | amazon_oauth_client_id amazon_oauth_client_secret | ||||
| Amazon Web Services (AWS) | aws_access_key_id aws_secret_access_key | ||||
| Amazon Web Services (AWS) | aws_session_token aws_temporary_access_key_id aws_secret_access_key | ||||
| Asana | asana_personal_access_token | ||||
| Atlassian | atlassian_api_token | ||||
| Atlassian | atlassian_jwt | ||||
| Atlassian | bitbucket_server_personal_access_token | ||||
| Authress | authress_service_client_access_key | ||||
| Azure | azure_active_directory_application_secret | ||||
| Azure | azure_batch_key_identifiable | ||||
| Azure | azure_cache_for_redis_access_key | ||||
| Azure | azure_container_registry_key_identifiable | ||||
| Azure | azure_cosmosdb_key_identifiable | ||||
| Azure | azure_devops_personal_access_token | ||||
| Azure | azure_function_key | ||||
| Azure | azure_ml_web_service_classic_identifiable_key | ||||
| Azure | azure_sas_token | ||||
| Azure | azure_search_admin_key | ||||
| Azure | azure_search_query_key | ||||
| Azure | azure_management_certificate | ||||
| Azure | azure_sql_connection_string | ||||
| Azure | azure_sql_password | ||||
| Azure | azure_storage_account_key | ||||
| Baidu | baiducloud_api_accesskey | ||||
| Beamer | beamer_api_key | ||||
| Canadian Digital Service | cds_canada_notify_api_key | ||||
| Checkout.com | checkout_production_secret_key | ||||
| Checkout.com | checkout_test_secret_key | ||||
| Chief Tools | chief_tools_token | ||||
| Clojars | clojars_deploy_token | ||||
| CloudBees CodeShip | codeship_credential | ||||
| Contentful | contentful_personal_access_token | ||||
| Contributed Systems | CONTRIBUTED_SYSTEMS_CREDENTIALS | ||||
| crates.io (Rust Foundation) | cratesio_api_token | ||||
| Databricks | databricks_access_token | ||||
| Datadog | DATADOG_API_KEY | ||||
| Defined | defined_networking_nebula_api_key | ||||
| DevCycle | devcycle_client_api_key | ||||
| DevCycle | devcycle_mobile_api_key | ||||
| DevCycle | devcycle_server_api_key | ||||
| DigitalOcean | digitalocean_oauth_token | ||||
| DigitalOcean | digitalocean_personal_access_token | ||||
| DigitalOcean | digitalocean_refresh_token | ||||
| DigitalOcean | digitalocean_system_token | ||||
| Discord | discord_api_token_v2 | ||||
| Discord | discord_bot_token | ||||
| Doppler | doppler_audit_token | ||||
| Doppler | doppler_cli_token | ||||
| Doppler | doppler_personal_token | ||||
| Doppler | doppler_scim_token | ||||
| Doppler | doppler_service_token | ||||
| Doppler | doppler_service_account_token | ||||
| Dropbox | dropbox_access_token | ||||
| Dropbox | dropbox_short_lived_access_token | ||||
| Duffel | duffel_live_access_token | ||||
| Duffel | duffel_test_access_token | ||||
| Dynatrace | dynatrace_access_token | ||||
| Dynatrace | dynatrace_internal_token | ||||
| EasyPost | easypost_production_api_key | ||||
| EasyPost | easypost_test_api_key | ||||
| eBay | ebay_production_client_id ebay_production_client_secret | ||||
| eBay | ebay_sandbox_client_id ebay_sandbox_client_secret | ||||
| Fastly | fastly_api_token | ||||
| Figma | figma_pat | ||||
| Finicity | finicity_app_key | ||||
| Flutterwave | flutterwave_live_api_secret_key | ||||
| Flutterwave | flutterwave_test_api_secret_key | ||||
| Frame.io | frameio_developer_token | ||||
| Frame.io | frameio_jwt | ||||
| FullStory | fullstory_api_key | ||||
| GitHub | github_app_installation_access_token | ||||
| GitHub | github_oauth_access_token | ||||
| GitHub | github_personal_access_token | ||||
| GitHub | github_refresh_token | ||||
| GitHub | github_ssh_private_key | ||||
| GitLab | gitlab_access_token | ||||
| GoCardless | gocardless_live_access_token | ||||
| GoCardless | gocardless_sandbox_access_token | ||||
| firebase_cloud_messaging_server_key | |||||
| google_cloud_storage_service_account_access_key_id google_cloud_storage_access_key_secret | |||||
| google_cloud_storage_user_access_key_id google_cloud_storage_access_key_secret | |||||
| google_oauth_access_token | |||||
| google_oauth_client_id google_oauth_client_secret | |||||
| google_oauth_refresh_token | |||||
| Google Cloud | google_api_key | ||||
| Google Cloud | google_cloud_private_key_id | ||||
| Grafana | grafana_cloud_api_key | ||||
| Grafana | grafana_cloud_api_token | ||||
| Grafana | grafana_project_api_key | ||||
| Grafana | grafana_project_service_account_token | ||||
| HashiCorp | hashicorp_vault_batch_token | ||||
| HashiCorp | hashicorp_vault_root_service_token | ||||
| HashiCorp | hashicorp_vault_service_token | ||||
| Hashicorp Terraform | terraform_api_token | ||||
| Highnote | highnote_rk_live_key | ||||
| Highnote | highnote_rk_test_key | ||||
| Highnote | highnote_sk_live_key | ||||
| Highnote | highnote_sk_test_key | ||||
| Hop | hop_bearer | ||||
| Hop | hop_pat | ||||
| Hop | hop_ptk | ||||
| Hubspot | hubspot_api_key | ||||
| Hubspot | hubspot_api_personal_access_key | ||||
| Intercom | intercom_access_token | ||||
| Ionic | ionic_personal_access_token | ||||
| Ionic | ionic_refresh_token | ||||
| JD Cloud | jd_cloud_access_key | ||||
| JFrog | jfrog_platform_access_token | ||||
| JFrog | jfrog_platform_api_key | ||||
| JFrog | jfrog_platform_reference_token | ||||
| Linear | linear_api_key | ||||
| Linear | linear_oauth_access_token | ||||
| Lob | lob_live_api_key | ||||
| Lob | lob_test_api_key | ||||
| LocalStack | localstack_api_key | ||||
| LogicMonitor | logicmonitor_bearer_token | ||||
| LogicMonitor | logicmonitor_lmv1_access_key | ||||
| Mailchimp | mailchimp_api_key | ||||
| Mailchimp | MANDRILL_API | ||||
| Mailgun | mailgun_api_key | ||||
| Mapbox | mapbox_secret_access_token | ||||
| Maxmind | maxmind_license_key | ||||
| Mercury | mercury_non_production_api_token | ||||
| Mercury | mercury_production_api_token | ||||
| MessageBird | messagebird_api_key | ||||
| Meta | facebook_access_token | ||||
| Midtrans | midtrans_production_server_key | ||||
| Midtrans | midtrans_sandbox_server_key | ||||
| New Relic | new_relic_insights_query_key | ||||
| New Relic | new_relic_license_key | ||||
| New Relic | new_relic_personal_api_key | ||||
| New Relic | new_relic_rest_api_key | ||||
| Notion | notion_integration_token | ||||
| Notion | notion_oauth_client_secret | ||||
| npm | npm_access_token | ||||
| NuGet | nuget_api_key | ||||
| Octopus Deploy | octopus_deploy_api_key | ||||
| Oculus | oculus_very_tiny_encrypted_session | ||||
| OneChronos | onechronos_api_key | ||||
| OneChronos | onechronos_eb_api_key | ||||
| OneChronos | onechronos_eb_encryption_key | ||||
| OneChronos | onechronos_oauth_token | ||||
| OneChronos | onechronos_refresh_token | ||||
| Onfido | onfido_live_api_token | ||||
| Onfido | onfido_sandbox_api_token | ||||
| OpenAI | openai_api_key | ||||
| OpenAI | openai_api_key_v2 | ||||
| Palantir | palantir_jwt | ||||
| Persona | persona_production_api_key | ||||
| Persona | persona_sandbox_api_key | ||||
| pinterest_access_token | |||||
| pinterest_refresh_token | |||||
| PlanetScale | planetscale_database_password | ||||
| PlanetScale | planetscale_oauth_token | ||||
| PlanetScale | planetscale_service_token | ||||
| Plivo | plivo_auth_id plivo_auth_token | ||||
| Postman | postman_api_key | ||||
| Postman | postman_collection_key | ||||
| Prefect | prefect_server_api_key | ||||
| Prefect | prefect_user_api_key | ||||
| Prefect | PREFECT_USER_API_TOKEN | ||||
| Proctorio | proctorio_consumer_key | ||||
| Proctorio | proctorio_linkage_key | ||||
| Proctorio | proctorio_registration_key | ||||
| Proctorio | proctorio_secret_key | ||||
| Pulumi | pulumi_access_token | ||||
| PyPI | pypi_api_token | ||||
| ReadMe | readmeio_api_access_token | ||||
| redirect.pizza | redirect_pizza_api_token | ||||
| Rootly | rootly_api_key | ||||
| RubyGems | rubygems_api_key | ||||
| Samsara | samsara_api_token | ||||
| Samsara | samsara_oauth_access_token | ||||
| Segment | segment_public_api_token | ||||
| SendGrid | sendgrid_api_key | ||||
| Sendinblue | sendinblue_api_key | ||||
| Sendinblue | sendinblue_smtp_key | ||||
| Shippo | shippo_live_api_token | ||||
| Shippo | shippo_test_api_token | ||||
| Shopify | shopify_access_token | ||||
| Shopify | shopify_app_client_credentials | ||||
| Shopify | shopify_app_client_secret | ||||
| Shopify | shopify_app_shared_secret | ||||
| Shopify | shopify_custom_app_access_token | ||||
| Shopify | shopify_marketplace_token | ||||
| Shopify | shopify_merchant_token | ||||
| Shopify | shopify_partner_api_token | ||||
| Shopify | shopify_private_app_password | ||||
| Slack | slack_api_token | ||||
| Slack | slack_incoming_webhook_url | ||||
| Slack | slack_workflow_webhook_url | ||||
| Square | square_access_token | ||||
| Square | square_production_application_secret | ||||
| Square | square_sandbox_application_secret | ||||
| SSLMate | sslmate_api_key | ||||
| SSLMate | sslmate_cluster_secret | ||||
| Stripe | stripe_live_restricted_key | ||||
| Stripe | stripe_api_key | ||||
| Stripe | stripe_legacy_api_key | ||||
| Stripe | stripe_test_restricted_key | ||||
| Stripe | stripe_test_secret_key | ||||
| Stripe | stripe_webhook_signing_secret | ||||
| Supabase | supabase_service_key | ||||
| Tableau | tableau_personal_access_token | ||||
| Telegram | telegram_bot_token | ||||
| Telnyx | telnyx_api_v2_key | ||||
| Tencent Cloud | tencent_cloud_secret_id | ||||
| Tencent WeChat | tencent_wechat_api_app_id | ||||
| Twilio | twilio_access_token | ||||
| Twilio | twilio_account_sid | ||||
| Twilio | twilio_api_key | ||||
| Typeform | typeform_personal_access_token | ||||
| Uniwise | wiseflow_api_key | ||||
| WakaTime | wakatime_pp_secret | ||||
| WakaTime | wakatime_oauth_access_token | ||||
| WakaTime | wakatime_oauth_refresh_token | ||||
| Workato | workato_developer_api_token | ||||
| WorkOS | workos_production_api_key | ||||
| WorkOS | workos_staging_api_key | ||||
| Yandex | yandex_iam_access_secret | ||||
| Yandex | yandex_cloud_api_key | ||||
| Yandex | yandex_cloud_iam_cookie | ||||
| Yandex | yandex_cloud_iam_token | ||||
| Yandex | yandex_cloud_smartcaptcha_server_key | ||||
| Yandex | yandex_dictionary_api_key | ||||
| Yandex | YANDEX_PASSPORT_OAUTH_TOKEN | ||||
| Yandex | yandex_predictor_api_key | ||||
| Yandex | yandex_translate_api_key | ||||
| Zuplo | zuplo_consumer_api_key |