关于 secret scanning 模式
有两种类型的 机密扫描警报:
- 机密扫描警报:在存储库中检测到支持的机密时,在存储库的安全选项卡中向用户报告。
- 推送保护警报:当参与者绕过推送保护时,在存储库的安全选项卡中向用户报告。
有关每种警报类型的深入信息,请参阅 关于机密扫描警报。
有关所有受支持的模式的详细信息,请参阅下面的支持的机密部分。
如果使用 REST API 进行 secret scanning,可以使用 Secret type
报告来自特定颁发者的机密。 有关详细信息,请参阅“适用于机密扫描的 REST API 终结点”。
如果你认为 secret scanning 应检测到提交到存储库的机密,但却尚未检测到,则首先需要检查 GitHub 是否支持你的机密。 有关详细信息,请参阅以下部分。 有关高级故障排除的详细信息,请参阅 排查机密扫描问题。
支持的机密
下表列出了 secret scanning 支持的机密。 可以查看为每个令牌生成的警报类型,以及是否对令牌执行验证检查。
-
提供商****:令牌提供商的名称。
-
Secret scanning 警报****:向 GitHub 上的用户报告泄漏的令牌。
- 适用于启用了 GitHub Advanced Security 和 secret scanning 的专用存储库。
- 包括 高置信度 令牌,这些令牌与支持的模式和指定的自定义模式,以及通常会导致误报的非提供商令牌(如私钥)相关。
-
推送保护****:向 GitHub 上的用户报告泄漏的令牌。 适用于启用了 secret scanning 和推送保护的存储库。
-
验证检查****:实现其验证检查的令牌。 当前仅适用于 GitHub 令牌。
非提供商模式
Note
检测非提供程序模式的功能目前为 beta 版本,可能随时更改。
提供程序 | 令牌 |
---|---|
常规 | http_basic_authentication_header |
常规 | http_bearer_authentication_header |
常规 | mongodb_connection_string |
常规 | mysql_connection_string |
常规 | openssh_private_key |
常规 | pgp_private_key |
常规 | postgres_connection_string |
常规 | rsa_private_key |
Note
非提供商模式不支持推送保护和验证检查。
高置信度 模式
提供程序 | 标记 | Secret scanning 警报 | 推送保护 | 验证检查 |
---|---|---|---|---|
Adafruit | adafruit_io_key | |||
Adobe | adobe_client_secret | |||
Adobe | adobe_device_token | |||
Adobe | adobe_pac_token | |||
Adobe | adobe_refresh_token | |||
Adobe | adobe_service_token | |||
Adobe | adobe_short_lived_access_token | |||
Aiven | aiven_auth_token | |||
Aiven | aiven_service_password | |||
Alibaba | alibaba_cloud_access_key_id alibaba_cloud_access_key_secret | |||
Amazon AWS | aws_access_key_id aws_secret_access_key | |||
Anthropic | anthropic_api_key | |||
Asana | asana_personal_access_token | |||
Atlassian | atlassian_api_token Token versions | |||
Atlassian | atlassian_jwt | |||
Authress | authress_service_client_access_key | |||
Azure | azure_active_directory_application_secret Token versions | |||
Azure | azure_batch_key_identifiable | |||
Azure | azure_cache_for_redis_access_key | |||
Azure | azure_container_registry_key_identifiable | |||
Azure | azure_cosmosdb_key_identifiable | |||
Azure | azure_devops_personal_access_token | |||
Azure | azure_function_key | |||
Azure | azure_management_certificate | |||
Azure | azure_ml_web_service_classic_identifiable_key | |||
Azure | azure_sas_token | |||
Azure | azure_search_admin_key | |||
Azure | azure_search_query_key | |||
Azure | azure_sql_connection_string | |||
Azure | azure_sql_password | |||
Azure | azure_storage_account_key Token versions | |||
Baidu | baiducloud_api_accesskey | |||
Beamer | beamer_api_key | |||
Bitbucket | bitbucket_server_personal_access_token | |||
Canadian Digital Service | cds_canada_notify_api_key | |||
Canva | canva_connect_api_secret | |||
Cashfree | cashfree_api_key | |||
Checkout.com | checkout_production_secret_key Token versions | |||
Checkout.com | checkout_test_secret_key Token versions | |||
Chief Tools | chief_tools_token | |||
CircleCI | circleci_personal_access_token | |||
Clojars | clojars_deploy_token | |||
CloudBees | codeship_credential | |||
Contentful | contentful_personal_access_token | |||
crates.io | cratesio_api_token | |||
Databricks | databricks_access_token | |||
Defined Networking | defined_networking_nebula_api_key | |||
DevCycle | devcycle_client_api_key | |||
DevCycle | devcycle_mobile_api_key | |||
DevCycle | devcycle_server_api_key | |||
DigitalOcean | digitalocean_oauth_token | |||
DigitalOcean | digitalocean_personal_access_token | |||
DigitalOcean | digitalocean_refresh_token | |||
DigitalOcean | digitalocean_system_token | |||
Discord | discord_bot_token Token versions | |||
Docker | docker_personal_access_token | |||
Doppler | doppler_audit_token | |||
Doppler | doppler_cli_token | |||
Doppler | doppler_personal_token | |||
Doppler | doppler_scim_token | |||
Doppler | doppler_service_account_token | |||
Doppler | doppler_service_token | |||
Dropbox | dropbox_access_token | |||
Dropbox | dropbox_short_lived_access_token | |||
Duffel | duffel_live_access_token | |||
Duffel | duffel_test_access_token | |||
Dynatrace | dynatrace_internal_token | |||
EasyPost | easypost_production_api_key | |||
EasyPost | easypost_test_api_key | |||
eBay | ebay_production_client_id ebay_production_client_secret | |||
eBay | ebay_sandbox_client_id ebay_sandbox_client_secret | |||
facebook_access_token | ||||
Fastly | fastly_api_token Token versions | |||
Figma | figma_pat | |||
Finicity | finicity_app_key | |||
Firebase | firebase_cloud_messaging_server_key | |||
Flutterwave | flutterwave_live_api_secret_key | |||
Flutterwave | flutterwave_test_api_secret_key | |||
Frame.io | frameio_developer_token | |||
Frame.io | frameio_jwt | |||
FullStory | fullstory_api_key Token versions | |||
GitHub | github_app_installation_access_token Token versions | |||
GitHub | github_oauth_access_token Token versions | |||
GitHub | github_personal_access_token Token versions | |||
GitHub | github_refresh_token | |||
GitHub | github_ssh_private_key | |||
GitLab | gitlab_access_token | |||
GoCardless | gocardless_live_access_token | |||
GoCardless | gocardless_sandbox_access_token | |||
google_api_key | ||||
google_cloud_service_account_credentials | ||||
google_oauth_access_token | ||||
google_oauth_client_id google_oauth_client_secret | ||||
google_oauth_refresh_token | ||||
Grafana | grafana_cloud_api_key | |||
Grafana | grafana_cloud_api_token | |||
Grafana | grafana_project_api_key | |||
Grafana | grafana_project_service_account_token | |||
HashiCorp | hashicorp_vault_batch_token Token versions | |||
HashiCorp | hashicorp_vault_root_service_token | |||
HashiCorp | hashicorp_vault_service_token Token versions | |||
HashiCorp | terraform_api_token | |||
Highnote | highnote_rk_live_key | |||
Highnote | highnote_rk_test_key | |||
Highnote | highnote_sk_live_key | |||
Highnote | highnote_sk_test_key | |||
HOP | hop_bearer | |||
HOP | hop_pat | |||
HOP | hop_ptk | |||
Hubspot | hubspot_api_key Token versions | |||
Intercom | intercom_access_token | |||
Ionic | ionic_personal_access_token Token versions | |||
Ionic | ionic_refresh_token Token versions | |||
JFrog | jfrog_platform_access_token | |||
JFrog | jfrog_platform_api_key | |||
JFrog | jfrog_platform_reference_token | |||
Lightspeed | lightspeed_xs_pat | |||
Linear | linear_api_key | |||
Linear | linear_oauth_access_token | |||
Lob | lob_live_api_key | |||
Lob | lob_test_api_key | |||
Localstack | localstack_api_key | |||
LogicMonitor | logicmonitor_bearer_token | |||
LogicMonitor | logicmonitor_lmv1_access_key | |||
Mailchimp | mailchimp_api_key | |||
Mailgun | mailgun_api_key Token versions | |||
Mapbox | mapbox_secret_access_token | |||
MaxMind | maxmind_license_key | |||
Mercury | mercury_non_production_api_token | |||
Mercury | mercury_production_api_token | |||
Mergify | mergify_application_key | |||
MessageBird | messagebird_api_key | |||
Midtrans | midtrans_production_server_key | |||
Midtrans | midtrans_sandbox_server_key | |||
New Relic | new_relic_insights_query_key | |||
New Relic | new_relic_license_key | |||
New Relic | new_relic_personal_api_key | |||
New Relic | new_relic_rest_api_key | |||
Notion | notion_integration_token | |||
Notion | notion_oauth_client_secret | |||
npm | npm_access_token Token versions | |||
NuGet | nuget_api_key | |||
Octopus Deploy | octopus_deploy_api_key | |||
OneChronos | onechronos_api_key | |||
OneChronos | onechronos_eb_api_key | |||
OneChronos | onechronos_eb_encryption_key | |||
OneChronos | onechronos_oauth_token | |||
OneChronos | onechronos_refresh_token | |||
Onfido | onfido_live_api_token | |||
Onfido | onfido_sandbox_api_token | |||
OpenAI | openai_api_key Token versions | |||
Palantir | palantir_jwt | |||
Persona Identities | persona_production_api_key | |||
Persona Identities | persona_sandbox_api_key | |||
pinterest_access_token | ||||
pinterest_refresh_token | ||||
PlanetScale | planetscale_database_password | |||
PlanetScale | planetscale_oauth_token | |||
PlanetScale | planetscale_service_token | |||
Plivo | plivo_auth_id plivo_auth_token | |||
Postman | postman_api_key | |||
Postman | postman_collection_key | |||
Prefect | prefect_server_api_key | |||
Prefect | prefect_user_api_key | |||
Proctorio | proctorio_consumer_key | |||
Proctorio | proctorio_linkage_key | |||
Proctorio | proctorio_registration_key | |||
Proctorio | proctorio_secret_key Token versions | |||
Pulumi | pulumi_access_token | |||
PyPI | pypi_api_token | |||
ReadMe | readmeio_api_access_token | |||
redirect.pizza | redirect_pizza_api_token | |||
Rootly | rootly_api_key | |||
RubyGems | rubygems_api_key | |||
Samsara | samsara_api_token | |||
Samsara | samsara_oauth_access_token | |||
Segment | segment_public_api_token | |||
SendGrid | sendgrid_api_key | |||
Sendinblue | sendinblue_api_key | |||
Sendinblue | sendinblue_smtp_key | |||
Shippo | shippo_live_api_token | |||
Shippo | shippo_test_api_token | |||
Shopify | shopify_access_token | |||
Shopify | shopify_app_client_credentials | |||
Shopify | shopify_app_client_secret | |||
Shopify | shopify_app_shared_secret | |||
Shopify | shopify_custom_app_access_token | |||
Shopify | shopify_marketplace_token | |||
Shopify | shopify_merchant_token | |||
Shopify | shopify_partner_api_token | |||
Shopify | shopify_private_app_password | |||
Slack | slack_api_token Token versions | |||
Slack | slack_incoming_webhook_url | |||
Slack | slack_workflow_webhook_url | |||
Square | square_access_token Token versions | |||
Square | square_production_application_secret | |||
Square | square_sandbox_application_secret | |||
SSLMate | sslmate_api_key Token versions | |||
SSLMate | sslmate_cluster_secret | |||
Stripe | stripe_api_key | |||
Stripe | stripe_legacy_api_key | |||
Stripe | stripe_live_restricted_key | |||
Stripe | stripe_test_restricted_key | |||
Stripe | stripe_test_secret_key | |||
Stripe | stripe_webhook_signing_secret | |||
Supabase | supabase_service_key Token versions | |||
Tableau | tableau_personal_access_token | |||
Telegram | telegram_bot_token | |||
Telnyx | telnyx_api_v2_key | |||
Tencent | tencent_cloud_secret_id | |||
Tencent | tencent_wechat_api_app_id | |||
Twilio | twilio_access_token | |||
Twilio | twilio_account_sid | |||
Twilio | twilio_api_key | |||
Typeform | typeform_personal_access_token | |||
Uniwise | wiseflow_api_key | |||
VolcEngine | volcengine_access_key_id | |||
Wakatime | wakatime_app_secret | |||
Wakatime | wakatime_oauth_access_token | |||
Wakatime | wakatime_oauth_refresh_token | |||
Workato | workato_developer_api_token Token versions | |||
WorkOS | workos_production_api_key Token versions | |||
WorkOS | workos_staging_api_key Token versions | |||
Yandex | yandex_cloud_api_key | |||
Yandex | yandex_cloud_iam_cookie | |||
Yandex | yandex_cloud_iam_token | |||
Yandex | yandex_cloud_smartcaptcha_server_key | |||
Yandex | yandex_dictionary_api_key | |||
Yandex | yandex_predictor_api_key | |||
Yandex | yandex_translate_api_key | |||
Zuplo | zuplo_consumer_api_key |
令牌版本
服务提供方会更新用于定期生成令牌的模式,并且可能支持多个版本的令牌。 推送保护仅支持 secret scanning 可放心识别的最新令牌版本。 这样可以避免在结果可能是误报时,不必要地阻止提交推送保护,这种情况在使用旧令牌时更有可能发生。