About secret scanning patterns
There are two types of secret scanning alerts:
- Secret scanning alerts: Reported to users in the Security tab of the repository, when a supported secret is detected in the repository.
- Push protection alerts: Reported to users in the Security tab of the repository, when a contributor bypasses push protection.
For in-depth information about each alert type, see About secret scanning alerts.
For details about all the supported patterns, see the Supported secrets section below.
If you use the REST API for secret scanning, you can use the Secret type to report on secrets from specific issuers. For more information, see REST API endpoints for secret scanning.
If you believe that secret scanning should have detected a secret committed to your repository, and it has not, you first need to check that GitHub supports your secret. For more information, refer to the following sections. For more advanced troubleshooting information, see Troubleshooting secret scanning.
Supported secrets
This table lists the secrets supported by secret scanning. You can see the types of alert that get generated for each token, as well as whether a validity check is performed on the token.
-
Provider: Name of the token provider.
-
Secret scanning alert: Token for which leaks are reported to users on GitHub.
- Applies to private repositories where GitHub Advanced Security and secret scanning are enabled.
- Includes high confidence tokens, which relate to supported patterns and specified custom patterns, as well as non-provider tokens such as private keys, which often result in false positives.
-
Push protection: Token for which leaks are reported to users on GitHub. Applies to repositories with secret scanning and push protection enabled.
-
Validity check: Token for which a validity check is implemented. Currently only applies to GitHub tokens.
Non-provider patterns
참고 항목
The detection of non-provider patterns is currently in beta and subject to change.
Precision levels are estimated based on the pattern type's typical false positive rates.
| Provider | Token | Description | Precision |
|---|---|---|---|
| Generic | http_basic_authentication_header | HTTP Basic Authentication credentials in request headers | Medium |
| Generic | http_bearer_authentication_header | HTTP Bearer tokens used for API authentication | Medium |
| Generic | mongodb_connection_string | Connection strings for MongoDB databases containing credentials | High |
| Generic | mysql_connection_string | Connection strings for MySQL databases containing credentials | High |
| Generic | openssh_private_key | OpenSSH format private keys used for SSH authentication | High |
| Generic | pgp_private_key | PGP (Pretty Good Privacy) private keys used for encryption and signing | High |
| Generic | postgres_connection_string | Connection strings for PostgreSQL databases containing credentials | High |
| Generic | rsa_private_key | RSA private keys used for cryptographic operations | High |
참고 항목
Validity checks are not supported for non-provider patterns.
High confidence patterns
| Provider | Token | Secret scanning alert | Push protection | Validity check | Base64 |
|---|---|---|---|---|---|
| Adafruit | adafruit_io_key | ✓ | ✓ | ✗ | ✗ |
| Adobe | adobe_client_secret | ✓ | ✓ | ✗ | ✗ |
| Adobe | adobe_device_token | ✓ | ✓ | ✗ | ✗ |
| Adobe | adobe_pac_token | ✓ | ✓ | ✗ | ✗ |
| Adobe | adobe_refresh_token | ✓ | ✓ | ✗ | ✗ |
| Adobe | adobe_service_token | ✓ | ✓ | ✗ | ✗ |
| Adobe | adobe_short_lived_access_token | ✓ | ✓ | ✗ | ✗ |
| Aiven | aiven_auth_token | ✓ | ✓ | ✗ | ✗ |
| Aiven | aiven_service_password | ✓ | ✓ | ✗ | ✗ |
| Alibaba | alibaba_cloud_access_key_id alibaba_cloud_access_key_secret | ✓ | ✓ | ✗ | ✗ |
| Amazon AWS | aws_access_key_id aws_secret_access_key | ✓ | ✓ | ✗ | ✗ |
| Amazon AWS | aws_secret_access_key aws_session_token aws_temporary_access_key_id | ✓ | ✓ | ✗ | ✗ |
| Anthropic | anthropic_api_key | ✓ | ✓ | ✗ | ✗ |
| Anthropic | anthropic_session_id | ✓ | ✓ | ✗ | ✗ |
| Asana | asana_legacy_format_personal_access_token | ✓ | ✗ | ✗ | ✗ |
| Asana | asana_personal_access_token | ✓ | ✓ | ✗ | ✗ |
| Atlassian | atlassian_api_token | ✓ | ✗ | ✗ | ✗ |
| Atlassian | atlassian_api_token | ✓ | ✓ | ✗ | ✗ |
| Atlassian | atlassian_jwt | ✓ | ✗ | ✗ | ✗ |
| Authress | authress_service_client_access_key | ✓ | ✓ | ✗ | ✗ |
| Azure | azure_active_directory_application_secret | ✓ | ✓ | ✗ | ✗ |
| Azure | azure_active_directory_application_secret | ✓ | ✓ | ✗ | ✗ |
| Azure | azure_active_directory_application_secret | ✗ | ✗ | ✗ | ✗ |
| Azure | azure_active_directory_user_credential | ✓ | ✗ | ✗ | ✗ |
| Azure | azure_apim_direct_management_key | ✓ | ✓ | ✗ | ✗ |
| Azure | azure_apim_gateway_key | ✓ | ✓ | ✗ | ✗ |
| Azure | azure_apim_repository_key | ✓ | ✓ | ✗ | ✗ |
| Azure | azure_apim_subscription_key | ✓ | ✓ | ✗ | ✗ |
| Azure | azure_app_configuration_connection_string | ✓ | ✗ | ✗ | ✗ |
| Azure | azure_batch_key_identifiable | ✓ | ✓ | ✗ | ✗ |
| Azure | azure_cache_for_redis_access_key | ✓ | ✓ | ✗ | ✗ |
| Azure | azure_communication_services_connection_string | ✓ | ✗ | ✗ | ✗ |
| Azure | azure_container_registry_key_identifiable | ✓ | ✓ | ✗ | ✗ |
| Azure | azure_cosmosdb_key_identifiable | ✓ | ✓ | ✗ | ✗ |
| Azure | azure_devops_personal_access_token | ✓ | ✓ | ✗ | ✗ |
| Azure | azure_event_hub_key_identifiable | ✓ | ✓ | ✗ | ✗ |
| Azure | azure_function_key | ✓ | ✓ | ✗ | ✗ |
| Azure | azure_iot_device_connection_string | ✓ | ✗ | ✗ | ✗ |
| Azure | azure_iot_device_key | ✓ | ✓ | ✗ | ✗ |
| Azure | azure_iot_device_provisioning_key | ✓ | ✓ | ✗ | ✗ |
| Azure | azure_iot_hub_connection_string | ✓ | ✗ | ✗ | ✗ |
| Azure | azure_iot_hub_key | ✓ | ✓ | ✗ | ✗ |
| Azure | azure_iot_provisioning_connection_string | ✓ | ✗ | ✗ | ✗ |
| Azure | azure_management_certificate | ✓ | ✗ | ✗ | ✗ |
| Azure | azure_ml_web_service_classic_identifiable_key | ✓ | ✓ | ✗ | ✗ |
| Azure | azure_relay_key_identifiable | ✓ | ✓ | ✗ | ✗ |
| Azure | azure_sas_token | ✓ | ✗ | ✗ | ✗ |
| Azure | azure_search_admin_key | ✓ | ✓ | ✗ | ✗ |
| Azure | azure_search_query_key | ✓ | ✓ | ✗ | ✗ |
| Azure | azure_service_bus_identifiable | ✓ | ✓ | ✗ | ✗ |
| Azure | azure_signalr_connection_string | ✓ | ✗ | ✗ | ✗ |
| Azure | azure_sql_connection_string | ✓ | ✗ | ✗ | ✗ |
| Azure | azure_sql_password | ✓ | ✓ | ✗ | ✗ |
| Azure | azure_storage_account_key | ✓ | ✗ | ✗ | ✗ |
| Azure | azure_storage_account_key | ✓ | ✓ | ✗ | ✗ |
| Azure | azure_web_pub_sub_connection_string | ✓ | ✗ | ✗ | ✗ |
| Azure | microsoft_corporate_network_user_credential | ✓ | ✗ | ✗ | ✗ |
| Baidu | baiducloud_api_accesskey | ✓ | ✓ | ✗ | ✗ |
| Beamer | beamer_api_key | ✓ | ✗ | ✗ | ✗ |
| Bitbucket | bitbucket_server_personal_access_token | ✓ | ✓ | ✗ | ✗ |
| Canadian Digital Service | cds_canada_notify_api_key | ✓ | ✓ | ✗ | ✗ |
| Canva | canva_app_secret | ✓ | ✓ | ✗ | ✗ |
| Canva | canva_connect_api_secret | ✓ | ✓ | ✗ | ✗ |
| Canva | canva_secret | ✓ | ✓ | ✗ | ✗ |
| Cashfree | cashfree_api_key | ✓ | ✓ | ✗ | ✗ |
| Checkout.com | checkout_production_secret_key | ✓ | ✗ | ✗ | ✗ |
| Checkout.com | checkout_production_secret_key | ✓ | ✓ | ✗ | ✗ |
| Checkout.com | checkout_test_secret_key | ✓ | ✗ | ✗ | ✗ |
| Checkout.com | checkout_test_secret_key | ✓ | ✗ | ✗ | ✗ |
| Chief Tools | chief_tools_token | ✓ | ✓ | ✗ | ✗ |
| CircleCI | circleci_bot_access_token | ✓ | ✓ | ✗ | ✗ |
| CircleCI | circleci_personal_access_token | ✓ | ✓ | ✗ | ✗ |
| CircleCI | circleci_project_access_token | ✓ | ✓ | ✗ | ✗ |
| CircleCI | circleci_release_integration_token | ✓ | ✓ | ✗ | ✗ |
| Clojars | clojars_deploy_token | ✓ | ✓ | ✗ | ✗ |
| CloudBees | codeship_credential | ✗ | ✗ | ✗ | ✗ |
| Contentful | contentful_personal_access_token | ✓ | ✗ | ✗ | ✗ |
| Contributed Systems | contributed_systems_credentials | ✗ | ✗ | ✗ | ✗ |
| crates.io | cratesio_api_token | ✓ | ✓ | ✗ | ✗ |
| Databricks | databricks_access_token | ✓ | ✓ | ✗ | ✗ |
| Datadog | datadog_api_key | ✗ | ✗ | ✗ | ✗ |
| Datadog | datadog_app_key | ✗ | ✗ | ✗ | ✗ |
| Defined Networking | defined_networking_nebula_api_key | ✓ | ✓ | ✗ | ✗ |
| DevCycle | devcycle_client_api_key | ✓ | ✓ | ✗ | ✗ |
| DevCycle | devcycle_mobile_api_key | ✓ | ✓ | ✗ | ✗ |
| DevCycle | devcycle_server_api_key | ✓ | ✓ | ✗ | ✗ |
| DigitalOcean | digitalocean_oauth_token | ✓ | ✓ | ✗ | ✗ |
| DigitalOcean | digitalocean_personal_access_token | ✓ | ✓ | ✗ | ✗ |
| DigitalOcean | digitalocean_refresh_token | ✓ | ✓ | ✗ | ✗ |
| DigitalOcean | digitalocean_system_token | ✓ | ✓ | ✗ | ✗ |
| Discord | discord_bot_token | ✓ | ✓ | ✗ | ✗ |
| Discord | discord_bot_token | ✓ | ✓ | ✗ | ✗ |
| Docker | docker_personal_access_token | ✓ | ✓ | ✗ | ✗ |
| Doppler | doppler_audit_token | ✓ | ✓ | ✗ | ✗ |
| Doppler | doppler_cli_token | ✓ | ✓ | ✗ | ✗ |
| Doppler | doppler_personal_token | ✓ | ✓ | ✗ | ✗ |
| Doppler | doppler_scim_token | ✓ | ✓ | ✗ | ✗ |
| Doppler | doppler_service_account_token | ✓ | ✓ | ✗ | ✗ |
| Doppler | doppler_service_token | ✓ | ✓ | ✗ | ✗ |
| Dropbox | dropbox_access_token | ✓ | ✗ | ✗ | ✗ |
| Dropbox | dropbox_short_lived_access_token | ✓ | ✓ | ✗ | ✗ |
| Duffel | duffel_live_access_token | ✓ | ✓ | ✗ | ✗ |
| Duffel | duffel_test_access_token | ✓ | ✗ | ✗ | ✗ |
| Dynatrace | dynatrace_api_token | ✓ | ✗ | ✗ | ✗ |
| Dynatrace | dynatrace_internal_token | ✓ | ✗ | ✗ | ✗ |
| EasyPost | easypost_production_api_key | ✓ | ✓ | ✗ | ✗ |
| EasyPost | easypost_test_api_key | ✓ | ✗ | ✗ | ✗ |
| eBay | ebay_production_client_id ebay_production_client_secret | ✓ | ✗ | ✗ | ✗ |
| eBay | ebay_sandbox_client_id ebay_sandbox_client_secret | ✓ | ✗ | ✗ | ✗ |
| facebook_access_token | ✓ | ✗ | ✗ | ✗ | |
| Fastly | fastly_api_token | ✓ | ✗ | ✗ | ✗ |
| Fastly | fastly_api_token | ✓ | ✗ | ✗ | ✗ |
| Figma | figma_pat | ✓ | ✓ | ✗ | ✗ |
| Finicity | finicity_app_key | ✓ | ✗ | ✗ | ✗ |
| Firebase | firebase_cloud_messaging_server_key | ✓ | ✗ | ✗ | ✗ |
| Flutterwave | flutterwave_live_api_secret_key | ✓ | ✓ | ✗ | ✗ |
| Flutterwave | flutterwave_test_api_secret_key | ✓ | ✗ | ✗ | ✗ |
| Frame.io | frameio_developer_token | ✓ | ✗ | ✗ | ✗ |
| Frame.io | frameio_jwt | ✓ | ✗ | ✗ | ✗ |
| FullStory | fullstory_api_key | ✓ | ✓ | ✗ | ✗ |
| FullStory | fullstory_api_key | ✓ | ✗ | ✗ | ✗ |
| GitHub | github_app_installation_access_token | ✓ | ✓ | ✓ | ✗ |
| GitHub | github_app_installation_access_token | ✓ | ✓ | ✓ | ✗ |
| GitHub | github_oauth_access_token | ✓ | ✓ | ✓ | ✗ |
| GitHub | github_oauth_access_token | ✓ | ✓ | ✓ | ✗ |
| GitHub | github_personal_access_token | ✓ | ✗ | ✓ | ✗ |
| GitHub | github_personal_access_token | ✓ | ✓ | ✓ | ✗ |
| GitHub | github_personal_access_token | ✓ | ✓ | ✓ | ✗ |
| GitHub | github_refresh_token | ✓ | ✓ | ✓ | ✗ |
| GitHub | github_ssh_private_key | ✓ | ✓ | ✓ | ✗ |
| GitHub | github_test_token | ✓ | ✗ | ✗ | ✗ |
| GitHub Secret Scanning | secret_scanning_sample_token | ✓ | ✓ | ✗ | ✗ |
| GitLab | gitlab_access_token | ✓ | ✗ | ✗ | ✗ |
| GoCardless | gocardless_live_access_token | ✓ | ✗ | ✗ | ✗ |
| GoCardless | gocardless_sandbox_access_token | ✓ | ✗ | ✗ | ✗ |
| google_api_key | ✓ | ✗ | ✗ | ✗ | |
| google_cloud_private_key_id | ✗ | ✗ | ✗ | ✗ | |
| google_cloud_service_account_credentials | ✓ | ✓ | ✗ | ✗ | |
| google_cloud_storage_access_key_secret google_cloud_storage_service_account_access_key_id | ✓ | ✓ | ✗ | ✗ | |
| google_cloud_storage_access_key_secret google_cloud_storage_user_access_key_id | ✓ | ✓ | ✗ | ✗ | |
| google_oauth_access_token | ✓ | ✗ | ✗ | ✗ | |
| google_oauth_client_id google_oauth_client_secret | ✓ | ✓ | ✗ | ✗ | |
| google_oauth_refresh_token | ✓ | ✗ | ✗ | ✗ | |
| Grafana | grafana_cloud_api_key | ✓ | ✓ | ✗ | ✗ |
| Grafana | grafana_cloud_api_token | ✓ | ✓ | ✗ | ✗ |
| Grafana | grafana_project_api_key | ✓ | ✓ | ✗ | ✗ |
| Grafana | grafana_project_service_account_token | ✓ | ✓ | ✗ | ✗ |
| HashiCorp | hashicorp_vault_batch_token | ✓ | ✗ | ✗ | ✗ |
| HashiCorp | hashicorp_vault_batch_token | ✓ | ✓ | ✗ | ✗ |
| HashiCorp | hashicorp_vault_root_service_token | ✓ | ✓ | ✗ | ✗ |
| HashiCorp | hashicorp_vault_service_token | ✓ | ✓ | ✗ | ✗ |
| HashiCorp | hashicorp_vault_service_token | ✓ | ✗ | ✗ | ✗ |
| HashiCorp | terraform_api_token | ✓ | ✓ | ✗ | ✗ |
| Highnote | highnote_rk_live_key | ✓ | ✓ | ✗ | ✗ |
| Highnote | highnote_rk_test_key | ✓ | ✓ | ✗ | ✗ |
| Highnote | highnote_sk_live_key | ✓ | ✓ | ✗ | ✗ |
| Highnote | highnote_sk_test_key | ✓ | ✓ | ✗ | ✗ |
| HOP | hop_bearer | ✓ | ✓ | ✗ | ✗ |
| HOP | hop_pat | ✓ | ✓ | ✗ | ✗ |
| HOP | hop_ptk | ✓ | ✓ | ✗ | ✗ |
| Hubspot | hubspot_api_key | ✗ | ✗ | ✗ | ✗ |
| Hubspot | hubspot_api_key | ✓ | ✗ | ✗ | ✗ |
| Hubspot | hubspot_api_key | ✓ | ✓ | ✗ | ✗ |
| Hubspot | hubspot_personal_access_key | ✓ | ✓ | ✗ | ✗ |
| Hubspot | hubspot_smtp_credential | ✗ | ✗ | ✗ | ✗ |
| IBM | ibm_cloud_iam_key | ✓ | ✗ | ✗ | ✗ |
| IBM | ibm_softlayer_api_key | ✓ | ✗ | ✗ | ✗ |
| Intercom | intercom_access_token | ✓ | ✓ | ✗ | ✗ |
| Ionic | ionic_personal_access_token | ✓ | ✗ | ✗ | ✗ |
| Ionic | ionic_personal_access_token | ✓ | ✓ | ✗ | ✗ |
| Ionic | ionic_refresh_token | ✓ | ✓ | ✗ | ✗ |
| Ionic | ionic_refresh_token | ✓ | ✗ | ✗ | ✗ |
| JFrog | jfrog_platform_access_token | ✓ | ✓ | ✗ | ✗ |
| JFrog | jfrog_platform_api_key | ✓ | ✓ | ✗ | ✗ |
| JFrog | jfrog_platform_reference_token | ✓ | ✓ | ✗ | ✗ |
| Lightspeed | lightspeed_xs_pat | ✓ | ✓ | ✗ | ✗ |
| Linear | linear_api_key | ✓ | ✓ | ✗ | ✗ |
| Linear | linear_oauth_access_token | ✓ | ✓ | ✗ | ✗ |
| Lob | lob_live_api_key | ✓ | ✗ | ✗ | ✗ |
| Lob | lob_test_api_key | ✓ | ✗ | ✗ | ✗ |
| Localstack | localstack_api_key | ✓ | ✓ | ✗ | ✗ |
| LogicMonitor | logicmonitor_bearer_token | ✓ | ✓ | ✗ | ✗ |
| LogicMonitor | logicmonitor_lmv1_access_key | ✓ | ✓ | ✗ | ✗ |
| Login with Amazon | amazon_oauth_client_id amazon_oauth_client_secret amazon_oauth_client_secret | ✓ | ✓ | ✗ | ✗ |
| Mailchimp | mailchimp_api_key | ✓ | ✗ | ✗ | ✗ |
| Mailchimp | mandrill_api_key | ✗ | ✗ | ✗ | ✗ |
| Mailgun | mailgun_api_key | ✓ | ✗ | ✗ | ✗ |
| Mailgun | mailgun_api_key | ✓ | ✗ | ✗ | ✗ |
| Mailgun | mailgun_smtp_credential | ✗ | ✗ | ✗ | ✗ |
| Mapbox | mapbox_secret_access_token | ✓ | ✗ | ✗ | ✗ |
| MaxMind | maxmind_license_key | ✓ | ✓ | ✗ | ✗ |
| Mercury | mercury_non_production_api_token | ✓ | ✓ | ✗ | ✗ |
| Mercury | mercury_production_api_token | ✓ | ✓ | ✗ | ✗ |
| Mergify | mergify_application_key | ✓ | ✓ | ✗ | ✗ |
| MessageBird | messagebird_api_key | ✓ | ✗ | ✗ | ✗ |
| Midtrans | midtrans_production_server_key | ✓ | ✓ | ✗ | ✗ |
| Midtrans | midtrans_sandbox_server_key | ✓ | ✗ | ✗ | ✗ |
| New Relic | new_relic_insights_query_key | ✓ | ✓ | ✗ | ✗ |
| New Relic | new_relic_license_key | ✓ | ✗ | ✗ | ✗ |
| New Relic | new_relic_personal_api_key | ✓ | ✓ | ✗ | ✗ |
| New Relic | new_relic_rest_api_key | ✓ | ✓ | ✗ | ✗ |
| Notion | notion_integration_token | ✓ | ✗ | ✗ | ✗ |
| Notion | notion_oauth_client_secret | ✓ | ✗ | ✗ | ✗ |
| npm | npm_access_token | ✓ | ✓ | ✗ | ✗ |
| npm | npm_access_token | ✓ | ✗ | ✗ | ✗ |
| npm | npm_access_token | ✗ | ✗ | ✗ | ✗ |
| NuGet | nuget_api_key | ✓ | ✓ | ✗ | ✗ |
| Octopus Deploy | octopus_deploy_api_key | ✓ | ✗ | ✗ | ✗ |
| Oculus | oculus_access_token | ✓ | ✗ | ✗ | ✗ |
| OneChronos | onechronos_api_key | ✓ | ✓ | ✗ | ✗ |
| OneChronos | onechronos_eb_api_key | ✓ | ✓ | ✗ | ✗ |
| OneChronos | onechronos_eb_encryption_key | ✓ | ✓ | ✗ | ✗ |
| OneChronos | onechronos_oauth_token | ✓ | ✓ | ✗ | ✗ |
| OneChronos | onechronos_refresh_token | ✓ | ✓ | ✗ | ✗ |
| Onfido | onfido_live_api_token | ✓ | ✓ | ✗ | ✗ |
| Onfido | onfido_sandbox_api_token | ✓ | ✗ | ✗ | ✗ |
| OpenAI | openai_api_key | ✓ | ✓ | ✗ | ✗ |
| OpenAI | openai_api_key | ✓ | ✗ | ✗ | ✗ |
| Orbit | orbit_api_token | ✓ | ✗ | ✗ | ✗ |
| PagerDuty | pagerduty_oauth_secret | ✓ | ✓ | ✗ | ✗ |
| PagerDuty | pagerduty_oauth_token | ✓ | ✓ | ✗ | ✗ |
| Palantir | palantir_jwt | ✓ | ✓ | ✗ | ✗ |
| Persona Identities | persona_production_api_key | ✓ | ✓ | ✗ | ✗ |
| Persona Identities | persona_sandbox_api_key | ✓ | ✓ | ✗ | ✗ |
| pinterest_access_token | ✓ | ✓ | ✗ | ✗ | |
| pinterest_refresh_token | ✓ | ✓ | ✗ | ✗ | |
| PlanetScale | planetscale_database_password | ✓ | ✓ | ✗ | ✗ |
| PlanetScale | planetscale_oauth_token | ✓ | ✓ | ✗ | ✗ |
| PlanetScale | planetscale_service_token | ✓ | ✓ | ✗ | ✗ |
| Plivo | plivo_auth_id plivo_auth_token | ✓ | ✓ | ✗ | ✗ |
| Postman | postman_api_key | ✓ | ✓ | ✗ | ✗ |
| Postman | postman_collection_key | ✓ | ✓ | ✗ | ✗ |
| Prefect | prefect_server_api_key | ✓ | ✓ | ✗ | ✗ |
| Prefect | prefect_user_api_key | ✓ | ✓ | ✗ | ✗ |
| Proctorio | proctorio_consumer_key | ✓ | ✗ | ✗ | ✗ |
| Proctorio | proctorio_linkage_key | ✓ | ✗ | ✗ | ✗ |
| Proctorio | proctorio_registration_key | ✓ | ✗ | ✗ | ✗ |
| Proctorio | proctorio_secret_key | ✓ | ✓ | ✗ | ✗ |
| Proctorio | proctorio_secret_key | ✓ | ✗ | ✗ | ✗ |
| Pulumi | pulumi_access_token | ✓ | ✗ | ✗ | ✗ |
| PyPI | pypi_api_token | ✓ | ✗ | ✗ | ✗ |
| ReadMe | readmeio_api_access_token | ✓ | ✓ | ✗ | ✗ |
| redirect.pizza | redirect_pizza_api_token | ✓ | ✓ | ✗ | ✗ |
| Replicate | replicate_api_token | ✗ | ✗ | ✗ | ✗ |
| Rootly | rootly_api_key | ✓ | ✓ | ✗ | ✗ |
| RubyGems | rubygems_api_key | ✓ | ✗ | ✗ | ✗ |
| Samsara | samsara_api_token | ✓ | ✓ | ✗ | ✗ |
| Samsara | samsara_oauth_access_token | ✓ | ✓ | ✗ | ✗ |
| Segment | segment_public_api_token | ✓ | ✓ | ✗ | ✗ |
| SendGrid | sendgrid_api_key | ✓ | ✓ | ✗ | ✗ |
| Sendinblue | sendinblue_api_key | ✓ | ✓ | ✗ | ✗ |
| Sendinblue | sendinblue_smtp_key | ✓ | ✓ | ✗ | ✗ |
| Shippo | shippo_live_api_token | ✓ | ✓ | ✗ | ✗ |
| Shippo | shippo_test_api_token | ✓ | ✗ | ✗ | ✗ |
| Shopify | shopify_access_token | ✓ | ✓ | ✗ | ✗ |
| Shopify | shopify_app_client_credentials | ✓ | ✗ | ✗ | ✗ |
| Shopify | shopify_app_client_secret | ✓ | ✗ | ✗ | ✗ |
| Shopify | shopify_app_shared_secret | ✓ | ✓ | ✗ | ✗ |
| Shopify | shopify_custom_app_access_token | ✓ | ✗ | ✗ | ✗ |
| Shopify | shopify_marketplace_token | ✓ | ✗ | ✗ | ✗ |
| Shopify | shopify_merchant_token | ✓ | ✗ | ✗ | ✗ |
| Shopify | shopify_partner_api_token | ✓ | ✗ | ✗ | ✗ |
| Shopify | shopify_private_app_password | ✓ | ✗ | ✗ | ✗ |
| Slack | slack_api_token | ✓ | ✓ | ✗ | ✗ |
| Slack | slack_api_token | ✓ | ✗ | ✗ | ✗ |
| Slack | slack_api_token | ✓ | ✓ | ✗ | ✗ |
| Slack | slack_incoming_webhook_url | ✓ | ✗ | ✗ | ✗ |
| Slack | slack_workflow_webhook_url | ✓ | ✗ | ✗ | ✗ |
| Square | square_access_token | ✓ | ✗ | ✗ | ✗ |
| Square | square_access_token | ✓ | ✗ | ✗ | ✗ |
| Square | square_access_token | ✓ | ✗ | ✗ | ✗ |
| Square | square_production_application_secret | ✓ | ✗ | ✗ | ✗ |
| Square | square_sandbox_application_secret | ✓ | ✗ | ✗ | ✗ |
| SSLMate | sslmate_api_key | ✓ | ✗ | ✗ | ✗ |
| SSLMate | sslmate_api_key | ✓ | ✗ | ✗ | ✗ |
| SSLMate | sslmate_cluster_secret | ✓ | ✗ | ✗ | ✗ |
| Stripe | stripe_api_key | ✓ | ✓ | ✗ | ✗ |
| Stripe | stripe_legacy_api_key | ✓ | ✗ | ✗ | ✗ |
| Stripe | stripe_live_restricted_key | ✓ | ✗ | ✗ | ✗ |
| Stripe | stripe_test_restricted_key | ✓ | ✗ | ✗ | ✗ |
| Stripe | stripe_test_secret_key | ✓ | ✗ | ✗ | ✗ |
| Stripe | stripe_webhook_signing_secret | ✓ | ✗ | ✗ | ✗ |
| Supabase | supabase_service_key | ✓ | ✗ | ✗ | ✗ |
| Supabase | supabase_service_key | ✓ | ✗ | ✗ | ✗ |
| Tableau | tableau_personal_access_token | ✓ | ✗ | ✗ | ✗ |
| Telegram | telegram_bot_token | ✓ | ✗ | ✗ | ✗ |
| Telnyx | telnyx_api_v2_key | ✓ | ✓ | ✗ | ✗ |
| Tencent | tencent_cloud_secret_id | ✓ | ✓ | ✗ | ✗ |
| Tencent | tencent_wechat_api_app_id | ✓ | ✗ | ✗ | ✗ |
| Twilio | twilio_access_token | ✓ | ✓ | ✗ | ✗ |
| Twilio | twilio_account_sid | ✓ | ✓ | ✗ | ✗ |
| Twilio | twilio_api_key | ✓ | ✓ | ✗ | ✗ |
| Typeform | typeform_personal_access_token | ✓ | ✓ | ✗ | ✗ |
| Uniwise | wiseflow_api_key | ✓ | ✓ | ✗ | ✗ |
| Unkey | unkey_root_key | ✓ | ✗ | ✗ | ✗ |
| VolcEngine | volcengine_access_key_id | ✓ | ✓ | ✗ | ✗ |
| Wakatime | wakatime_api_key | ✓ | ✓ | ✗ | ✗ |
| Wakatime | wakatime_app_secret | ✓ | ✓ | ✗ | ✗ |
| Wakatime | wakatime_oauth_access_token | ✓ | ✓ | ✗ | ✗ |
| Wakatime | wakatime_oauth_refresh_token | ✓ | ✓ | ✗ | ✗ |
| Workato | workato_developer_api_token | ✓ | ✓ | ✗ | ✗ |
| Workato | workato_developer_api_token | ✓ | ✓ | ✗ | ✗ |
| Workato | workato_developer_api_token | ✓ | ✓ | ✗ | ✗ |
| Workato | workato_developer_api_token | ✓ | ✓ | ✗ | ✗ |
| WorkOS | workos_production_api_key | ✓ | ✓ | ✗ | ✗ |
| WorkOS | workos_production_api_key | ✗ | ✗ | ✗ | ✗ |
| WorkOS | workos_staging_api_key | ✓ | ✗ | ✗ | ✗ |
| WorkOS | workos_staging_api_key | ✗ | ✗ | ✗ | ✗ |
| Yandex | yandex_cloud_api_key | ✓ | ✗ | ✗ | ✗ |
| Yandex | yandex_cloud_iam_access_secret | ✓ | ✗ | ✗ | ✗ |
| Yandex | yandex_cloud_iam_cookie | ✓ | ✗ | ✗ | ✗ |
| Yandex | yandex_cloud_iam_token | ✓ | ✗ | ✗ | ✗ |
| Yandex | yandex_cloud_smartcaptcha_server_key | ✓ | ✓ | ✗ | ✗ |
| Yandex | yandex_dictionary_api_key | ✓ | ✗ | ✗ | ✗ |
| Yandex | yandex_passport_oauth_token | ✓ | ✓ | ✗ | ✗ |
| Yandex | yandex_predictor_api_key | ✓ | ✗ | ✗ | ✗ |
| Yandex | yandex_translate_api_key | ✓ | ✗ | ✗ | ✗ |
| Zuplo | zuplo_consumer_api_key | ✓ | ✓ | ✗ | ✗ |
Token versions
Service providers update the patterns used to generate tokens periodically and may support more than one version of a token. Push protection only supports the most recent token versions that secret scanning can identify with confidence. This avoids push protection blocking commits unnecessarily when a result may be a false positive, which is more likely to happen with legacy tokens.
Multi-part secrets
By default, secret scanning supports validation for pair-matched access keys and key IDs.
Secret scanning also supports validation for individual key IDs for Amazon AWS Access Key IDs, in addition to existing pair matching.
A key ID will show as active if secret scanning confirms the key ID exists, regardless of whether or not a corresponding access key is found. The key ID will show as inactive if it's invalid (for example, if it is not a real key ID).
Where a valid pair is found, the secret scanning alerts will be linked.