About secret scanning patterns
There are two types of secret scanning alerts:
- Secret scanning alerts: reported to users in the repository's Security tab when a supported secret is detected in the repository.
- Push protection alerts: reported to users in the repository's Security tab when a contributor bypasses push protection.
- Partner alerts: reported directly to the secret provider that belongs to the secret scanning partner program. These alerts are not reported in the repository's Security tab.
For in-depth information about each alert type, see "About secret scanning alerts".
For details of all supported patterns, see the "Supported secrets" section below.
If you use the REST API for secret scanning, you can use the `Secret type` to report on secrets from specific issuers. For more information, see "REST API endpoints for secret scanning".
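The following script is an added example of the REST API usage described above; it is not GitHub's own code. It builds the documented `GET /repos/{owner}/{repo}/secret-scanning/alerts` request with the `secret_type` query parameter (a comma-separated list of the pattern names from the tables on this page), follows `Link` pagination, and reduces the returned alert objects to a triage summary: counts per pattern, validity outcomes, and which alerts entered by bypassing push protection. The repository name `example-org/example-repo`, the API host constant, and the sample response `SAMPLE_ALERTS` are constructed for the example; the response fields used (`number`, `secret_type`, `validity`, `push_protection_bypassed`, `html_url`) are part of the documented alert schema.

```python
import json
import re
import urllib.parse
import urllib.request
from collections import Counter

API_ROOT = "https://api.github.com"  # assumed: GitHub.com; GHES uses its own host
API_VERSION = "2022-11-28"


def build_alerts_url(owner, repo, secret_types, state="open", per_page=100):
    """Build the list URL for a repository's secret scanning alerts.

    `secret_types` holds pattern names from this page, for example
    ["aws_access_key_id", "github_personal_access_token"]; the endpoint
    accepts them as a single comma-separated `secret_type` value.
    """
    query = {
        "state": state,
        "secret_type": ",".join(secret_types),
        "per_page": str(per_page),
    }
    path = (f"/repos/{urllib.parse.quote(owner)}/{urllib.parse.quote(repo)}"
            "/secret-scanning/alerts")
    return f"{API_ROOT}{path}?{urllib.parse.urlencode(query)}"


def next_page_url(link_header):
    """Return the rel="next" URL from a GitHub `Link` header, or None."""
    if not link_header:
        return None
    match = re.search(r'<([^>]+)>;\s*rel="next"', link_header)
    return match.group(1) if match else None


def fetch_alerts(owner, repo, token, secret_types, state="open"):
    """Walk every page of alerts for the given secret types (network call).

    `token` is a GitHub token with access to the repository's alerts.
    """
    url = build_alerts_url(owner, repo, secret_types, state)
    alerts = []
    while url:
        req = urllib.request.Request(url, headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
            "X-GitHub-Api-Version": API_VERSION,
        })
        with urllib.request.urlopen(req) as resp:
            alerts.extend(json.load(resp))
            url = next_page_url(resp.headers.get("Link"))
    return alerts


def summarize_alerts(alerts):
    """Reduce alert objects to what a triage queue needs.

    Counts alerts per pattern, counts validity outcomes (active, inactive,
    unknown; a validity result only exists for tokens with a validity
    check), and lists alert numbers whose secret bypassed push protection.
    """
    by_type = Counter(a["secret_type"] for a in alerts)
    validity = Counter(a.get("validity", "unknown") for a in alerts)
    bypassed = sorted(a["number"] for a in alerts if a.get("push_protection_bypassed"))
    return {"by_type": dict(by_type), "validity": dict(validity), "bypassed": bypassed}


# Constructed sample response (not real alerts), shaped like the API's JSON.
SAMPLE_ALERTS = json.loads("""[
  {"number": 12, "state": "open", "secret_type": "aws_access_key_id",
   "validity": "active", "push_protection_bypassed": true,
   "html_url": "https://github.com/example-org/example-repo/security/secret-scanning/12"},
  {"number": 15, "state": "open", "secret_type": "aws_access_key_id",
   "validity": "inactive", "push_protection_bypassed": false,
   "html_url": "https://github.com/example-org/example-repo/security/secret-scanning/15"},
  {"number": 21, "state": "open", "secret_type": "github_personal_access_token",
   "validity": "unknown", "push_protection_bypassed": false,
   "html_url": "https://github.com/example-org/example-repo/security/secret-scanning/21"}
]""")


if __name__ == "__main__":
    print(build_alerts_url("example-org", "example-repo",
                           ["aws_access_key_id", "github_personal_access_token"]))
    print(json.dumps(summarize_alerts(SAMPLE_ALERTS), indent=2))
```

Replace `SAMPLE_ALERTS` with the result of `fetch_alerts(...)` to run against a real repository; an `active` validity result on an alert that also has `push_protection_bypassed` set is the combination to handle first, since a live credential was knowingly pushed past the block.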
If you think secret scanning should have detected a secret committed to your repository but has not, first check whether GitHub supports your secret. For more information, see the following section. For more advanced troubleshooting, see "Troubleshooting secret scanning".
Supported secrets
The tables below list the secrets supported by secret scanning. You can see which alert types are generated for each token and whether a validity check is performed on the token.
- **Provider**: the name of the token provider.
- **Partner**: tokens for which leaks are reported to the relevant token partner. Applies to public repositories only.
- **User**: tokens for which leaks are reported to users on GitHub.
  - Applies to public repositories, and to private repositories where GitHub Advanced Security and secret scanning are enabled.
  - Includes default tokens that match supported patterns and specified custom patterns, as well as non-provider tokens (such as private keys), which typically have a higher false-positive rate.
  - For secret scanning to scan for non-provider patterns, non-provider pattern detection must be enabled for the repository or organization. For more information, see "Enabling secret scanning for your repository".
- **Push protection**: tokens for which leaks are reported to users on GitHub. Applies to repositories with secret scanning and push protection enabled.
- **Validity check**: tokens for which a validity check is implemented. For partner tokens, GitHub sends the token to the relevant partner. Note that not all partners are based in the US. For more information, see "Advanced Security" in the Site Policy documentation.
Non-provider patterns
Provider | Token |
---|---|
Generic | http_basic_authentication_header |
Generic | http_bearer_authentication_header |
Generic | mongodb_connection_string |
Generic | mysql_connection_string |
Generic | openssh_private_key |
Generic | pgp_private_key |
Generic | postgres_connection_string |
Generic | rsa_private_key |
Note
Non-provider patterns do not support push protection or validity checks.
Default patterns
Provider | Token | Partner | User | Push protection | Validity check |
---|---|---|---|---|---|
Adafruit | adafruit_io_key | ||||
Adobe | adobe_client_secret | ||||
Adobe | adobe_device_token | ||||
Adobe | adobe_pac_token | ||||
Adobe | adobe_refresh_token | ||||
Adobe | adobe_service_token | ||||
Adobe | adobe_short_lived_access_token | ||||
Aiven | aiven_auth_token | ||||
Aiven | aiven_service_password | ||||
Alibaba | alibaba_cloud_access_key_id alibaba_cloud_access_key_secret | ||||
Amazon AWS | aws_access_key_id aws_secret_access_key | ||||
Amazon AWS | aws_secret_access_key aws_session_token aws_temporary_access_key_id | ||||
Anthropic | anthropic_admin_api_key | ||||
Anthropic | anthropic_api_key | ||||
Anthropic | anthropic_session_id | ||||
Asaas | asaas_api_token | ||||
Asana | asana_legacy_format_personal_access_token | ||||
Asana | asana_personal_access_token | ||||
Atlassian | atlassian_api_token Token versions | ||||
Atlassian | atlassian_jwt | ||||
Authress | authress_service_client_access_key | ||||
Azure | azure_active_directory_application_secret Token versions | ||||
Azure | azure_active_directory_user_credential | ||||
Azure | azure_apim_direct_management_key | ||||
Azure | azure_apim_gateway_key | ||||
Azure | azure_apim_repository_key | ||||
Azure | azure_apim_subscription_key | ||||
Azure | azure_app_configuration_connection_string | ||||
Azure | azure_batch_key_identifiable | ||||
Azure | azure_cache_for_redis_access_key | ||||
Azure | azure_communication_services_connection_string | ||||
Azure | azure_container_registry_key_identifiable | ||||
Azure | azure_cosmosdb_key_identifiable | ||||
Azure | azure_devops_personal_access_token | ||||
Azure | azure_event_hub_key_identifiable | ||||
Azure | azure_function_key | ||||
Azure | azure_iot_device_connection_string | ||||
Azure | azure_iot_device_key | ||||
Azure | azure_iot_device_provisioning_key | ||||
Azure | azure_iot_hub_connection_string | ||||
Azure | azure_iot_hub_key | ||||
Azure | azure_iot_provisioning_connection_string | ||||
Azure | azure_management_certificate | ||||
Azure | azure_ml_web_service_classic_identifiable_key | ||||
Azure | azure_openai_key | ||||
Azure | azure_relay_key_identifiable | ||||
Azure | azure_sas_token | ||||
Azure | azure_search_admin_key | ||||
Azure | azure_search_query_key | ||||
Azure | azure_service_bus_identifiable | ||||
Azure | azure_signalr_connection_string | ||||
Azure | azure_sql_connection_string | ||||
Azure | azure_sql_password | ||||
Azure | azure_storage_account_key Token versions | ||||
Azure | azure_web_pub_sub_connection_string | ||||
Azure | microsoft_azure_entra_id_token | ||||
Azure | microsoft_corporate_network_user_credential | ||||
Baidu | baiducloud_api_accesskey | ||||
Beamer | beamer_api_key | ||||
Bitbucket | bitbucket_server_personal_access_token | ||||
Canadian Digital Service | cds_canada_notify_api_key | ||||
Canva | canva_app_secret | ||||
Canva | canva_connect_api_secret | ||||
Canva | canva_secret | ||||
Cashfree | cashfree_api_key | ||||
Cfx.re | cfxre_server_key | ||||
Checkout.com | checkout_production_secret_key Token versions | ||||
Checkout.com | checkout_test_secret_key Token versions | ||||
Chief Tools | chief_tools_token | ||||
CircleCI | circleci_bot_access_token | ||||
CircleCI | circleci_personal_access_token | ||||
CircleCI | circleci_project_access_token | ||||
CircleCI | circleci_release_integration_token | ||||
Clojars | clojars_deploy_token | ||||
CloudBees | codeship_credential | ||||
Contentful | contentful_personal_access_token | ||||
Contributed Systems | contributed_systems_credentials | ||||
Coveo | coveoaccesstoken | ||||
Coveo | coveoapikey | ||||
crates.io | cratesio_api_token | ||||
Databricks | databricks_access_token | ||||
Datadog | datadog_api_key | ||||
Datadog | datadog_app_key | ||||
Defined Networking | defined_networking_nebula_api_key | ||||
DevCycle | devcycle_client_api_key | ||||
DevCycle | devcycle_mobile_api_key | ||||
DevCycle | devcycle_server_api_key | ||||
DigitalOcean | digitalocean_oauth_token | ||||
DigitalOcean | digitalocean_personal_access_token | ||||
DigitalOcean | digitalocean_refresh_token | ||||
DigitalOcean | digitalocean_system_token | ||||
Discord | discord_bot_token Token versions | ||||
Docker | docker_personal_access_token | ||||
Doppler | doppler_audit_token | ||||
Doppler | doppler_cli_token | ||||
Doppler | doppler_personal_token | ||||
Doppler | doppler_scim_token | ||||
Doppler | doppler_service_account_token | ||||
Doppler | doppler_service_token | ||||
Dropbox | dropbox_access_token | ||||
Dropbox | dropbox_short_lived_access_token | ||||
Duffel | duffel_live_access_token | ||||
Duffel | duffel_test_access_token | ||||
Dynatrace | dynatrace_api_token | ||||
Dynatrace | dynatrace_internal_token | ||||
EasyPost | easypost_production_api_key | ||||
EasyPost | easypost_test_api_key | ||||
eBay | ebay_production_client_id ebay_production_client_secret | ||||
eBay | ebay_sandbox_client_id ebay_sandbox_client_secret | ||||
Facebook | facebook_access_token | ||||
Fastly | fastly_api_token Token versions | ||||
Figma | figma_pat | ||||
Finicity | finicity_app_key | ||||
Firebase | firebase_cloud_messaging_server_key | ||||
Flutterwave | flutterwave_live_api_secret_key | ||||
Flutterwave | flutterwave_test_api_secret_key | ||||
Frame.io | frameio_developer_token | ||||
Frame.io | frameio_jwt | ||||
FullStory | fullstory_api_key Token versions | ||||
GitHub | github_app_installation_access_token Token versions | ||||
GitHub | github_oauth_access_token Token versions | ||||
GitHub | github_personal_access_token Token versions | ||||
GitHub | github_refresh_token | ||||
GitHub | github_ssh_private_key | ||||
GitHub | github_test_token | ||||
GitHub Secret Scanning | secret_scanning_sample_token | ||||
GitLab | gitlab_access_token | ||||
GoCardless | gocardless_live_access_token | ||||
GoCardless | gocardless_sandbox_access_token | ||||
Google | google_api_key | ||||
Google | google_cloud_service_account_credentials | ||||
Google | google_cloud_storage_access_key_secret google_cloud_storage_service_account_access_key_id | ||||
Google | google_cloud_storage_access_key_secret google_cloud_storage_user_access_key_id | ||||
Google | google_oauth_access_token | ||||
Google | google_oauth_client_id google_oauth_client_secret | ||||
Google | google_oauth_refresh_token | ||||
Grafana | grafana_cloud_api_key | ||||
Grafana | grafana_cloud_api_token | ||||
Grafana | grafana_project_api_key | ||||
Grafana | grafana_project_service_account_token | ||||
HashiCorp | hashicorp_vault_batch_token Token versions | ||||
HashiCorp | hashicorp_vault_root_service_token | ||||
HashiCorp | hashicorp_vault_service_token Token versions | ||||
HashiCorp | terraform_api_token | ||||
Highnote | highnote_rk_live_key | ||||
Highnote | highnote_rk_test_key | ||||
Highnote | highnote_sk_live_key | ||||
Highnote | highnote_sk_test_key | ||||
HOP | hop_bearer | ||||
HOP | hop_pat | ||||
HOP | hop_ptk | ||||
Hubspot | hubspot_api_key Token versions | ||||
Hubspot | hubspot_personal_access_key | ||||
Hubspot | hubspot_smtp_credential Token versions | ||||
Hugging Face | hf_org_api_key | ||||
Hugging Face | hf_user_access_token | ||||
IBM | ibm_cloud_iam_key | ||||
IBM | ibm_softlayer_api_key | ||||
Intercom | intercom_access_token | ||||
Ionic | ionic_personal_access_token Token versions | ||||
Ionic | ionic_refresh_token Token versions | ||||
Iterative | iterative_dvc_studio_access_token | ||||
JFrog | jfrog_platform_access_token | ||||
JFrog | jfrog_platform_api_key | ||||
JFrog | jfrog_platform_reference_token | ||||
LaunchDarkly | launchdarkly_access_token | ||||
Lightspeed | lightspeed_xs_pat | ||||
Linear | linear_api_key | ||||
Linear | linear_oauth_access_token | ||||
Lob | lob_live_api_key | ||||
Lob | lob_test_api_key | ||||
Localstack | localstack_api_key | ||||
LogicMonitor | logicmonitor_bearer_token | ||||
LogicMonitor | logicmonitor_lmv1_access_key | ||||
Login with Amazon | amazon_oauth_client_id amazon_oauth_client_secret | ||||
Mailchimp | mailchimp_api_key | ||||
Mailchimp | mandrill_api_key | ||||
Mailgun | mailgun_api_key Token versions | ||||
Mailgun | mailgun_smtp_credential | ||||
Mapbox | mapbox_secret_access_token | ||||
MaxMind | maxmind_license_key | ||||
Mercury | mercury_non_production_api_token | ||||
Mercury | mercury_production_api_token | ||||
Mergify | mergify_application_key | ||||
MessageBird | messagebird_api_key | ||||
Midtrans | midtrans_production_server_key | ||||
Midtrans | midtrans_sandbox_server_key | ||||
MongoDB | mongodb_atlas_db_uri_with_credentials | ||||
Netflix | netflix_netkey | ||||
New Relic | new_relic_insights_query_key | ||||
New Relic | new_relic_license_key | ||||
New Relic | new_relic_personal_api_key | ||||
New Relic | new_relic_rest_api_key | ||||
Notion | notion_integration_token | ||||
Notion | notion_oauth_client_secret | ||||
npm | npm_access_token Token versions | ||||
NuGet | nuget_api_key | ||||
Octopus Deploy | octopus_deploy_api_key | ||||
Oculus | oculus_access_token | ||||
OneChronos | onechronos_api_key | ||||
OneChronos | onechronos_eb_api_key | ||||
OneChronos | onechronos_eb_encryption_key | ||||
OneChronos | onechronos_oauth_token | ||||
OneChronos | onechronos_refresh_token | ||||
Onfido | onfido_live_api_token | ||||
Onfido | onfido_sandbox_api_token | ||||
OpenAI | openai_api_key Token versions | ||||
Orbit | orbit_api_token | ||||
PagerDuty | pagerduty_oauth_secret | ||||
PagerDuty | pagerduty_oauth_token | ||||
Palantir | palantir_jwt | ||||
Persona Identities | persona_production_api_key | ||||
Persona Identities | persona_sandbox_api_key | ||||
Pinterest | pinterest_access_token | ||||
Pinterest | pinterest_refresh_token | ||||
PlanetScale | planetscale_database_password | ||||
PlanetScale | planetscale_oauth_token | ||||
PlanetScale | planetscale_service_token | ||||
Plivo | plivo_auth_id plivo_auth_token | ||||
Polar | polar_access_token | ||||
Polar | polar_authorization_code | ||||
Polar | polar_client_registration_token | ||||
Polar | polar_client_secret | ||||
Polar | polar_personal_access_token | ||||
Polar | polar_refresh_token | ||||
Postman | postman_api_key | ||||
Postman | postman_collection_key | ||||
Prefect | prefect_server_api_key | ||||
Prefect | prefect_user_api_key | ||||
Proctorio | proctorio_consumer_key | ||||
Proctorio | proctorio_linkage_key | ||||
Proctorio | proctorio_registration_key | ||||
Proctorio | proctorio_secret_key Token versions | ||||
Pulumi | pulumi_access_token | ||||
PyPI | pypi_api_token | ||||
ReadMe | readmeio_api_access_token | ||||
redirect.pizza | redirect_pizza_api_token | ||||
Replicate | replicate_api_token | ||||
Rootly | rootly_api_key | ||||
RubyGems | rubygems_api_key | ||||
Samsara | samsara_api_token | ||||
Samsara | samsara_oauth_access_token | ||||
Scalr | scalr_api_token | ||||
Segment | segment_public_api_token | ||||
SendGrid | sendgrid_api_key | ||||
Sendinblue | sendinblue_api_key | ||||
Sendinblue | sendinblue_smtp_key | ||||
Sentry | sentry_integration_token | ||||
Sentry | sentry_org_auth_token | ||||
Sentry | sentry_user_app_auth_token | ||||
Sentry | sentry_user_auth_token | ||||
Shippo | shippo_live_api_token | ||||
Shippo | shippo_test_api_token | ||||
Shopee | shopee_open_platform_partner_key | ||||
Shopify | shopify_access_token | ||||
Shopify | shopify_app_client_credentials | ||||
Shopify | shopify_app_client_secret | ||||
Shopify | shopify_app_shared_secret | ||||
Shopify | shopify_custom_app_access_token | ||||
Shopify | shopify_marketplace_token | ||||
Shopify | shopify_merchant_token | ||||
Shopify | shopify_partner_api_token | ||||
Shopify | shopify_private_app_password | ||||
Siemens | siemens_api_token | ||||
Siemens | siemens_code_token | ||||
Sindri | sindri_api_key Token versions | ||||
Slack | slack_api_token Token versions | ||||
Slack | slack_incoming_webhook_url | ||||
Slack | slack_workflow_webhook_url | ||||
Square | square_access_token Token versions | ||||
Square | square_production_application_secret | ||||
Square | square_sandbox_application_secret | ||||
SSLMate | sslmate_api_key Token versions | ||||
SSLMate | sslmate_cluster_secret | ||||
Stripe | stripe_api_key | ||||
Stripe | stripe_legacy_api_key | ||||
Stripe | stripe_live_restricted_key | ||||
Stripe | stripe_test_restricted_key | ||||
Stripe | stripe_test_secret_key | ||||
Stripe | stripe_webhook_signing_secret | ||||
Supabase | supabase_service_key Token versions | ||||
Tableau | tableau_personal_access_token | ||||
Telegram | telegram_bot_token | ||||
Telnyx | telnyx_api_v2_key | ||||
Tencent | tencent_cloud_secret_id | ||||
Tencent | tencent_wechat_api_app_id | ||||
Thunderstore | thunderstore_io_api_token | ||||
Twilio | twilio_access_token | ||||
Twilio | twilio_account_sid | ||||
Twilio | twilio_api_key | ||||
Typeform | typeform_personal_access_token | ||||
Uniwise | wiseflow_api_key | ||||
Unkey | unkey_root_key | ||||
VolcEngine | volcengine_access_key_id | ||||
Wakatime | wakatime_api_key | ||||
Wakatime | wakatime_app_secret | ||||
Wakatime | wakatime_oauth_access_token | ||||
Wakatime | wakatime_oauth_refresh_token | ||||
Workato | workato_developer_api_token Token versions | ||||
WorkOS | workos_production_api_key Token versions | ||||
WorkOS | workos_staging_api_key Token versions | ||||
Yandex | yandex_cloud_api_key | ||||
Yandex | yandex_cloud_iam_access_secret | ||||
Yandex | yandex_cloud_iam_cookie | ||||
Yandex | yandex_cloud_iam_token | ||||
Yandex | yandex_cloud_smartcaptcha_server_key | ||||
Yandex | yandex_dictionary_api_key | ||||
Yandex | yandex_passport_oauth_token | ||||
Yandex | yandex_predictor_api_key | ||||
Yandex | yandex_translate_api_key | ||||
Zuplo | zuplo_consumer_api_key |
Token versions
Service providers periodically update the patterns used to generate their tokens and may support multiple token versions. Push protection supports only the latest token versions that secret scanning can identify with confidence. This avoids push protection unnecessarily blocking a commit when the result may be a false positive, which is more likely with older token versions.
Further reading
- "About secret scanning alerts"
- "Secret scanning partner program"
- "Quickstart for securing your repository"
- "Keeping your account and data secure"