
Supported secret scanning patterns

Lists of supported secrets and the partners that GitHub works with to prevent fraudulent use of secrets that were committed accidentally.

Who can use this feature?

Secret scanning is available for the following repository types:

  • Organization-owned repositories with GitHub Secret Protection enabled
  • User-owned repositories for enterprises with GitHub Secret Protection enabled

About secret scanning patterns

There are two types of secret scanning alerts:

  • Secret scanning alerts: Reported to users in the Security tab of the repository, when a supported secret is detected in the repository.
  • Push protection alerts: Reported to users in the Security tab of the repository, when a contributor bypasses push protection.

For in-depth information about each alert type, see About secret scanning alerts.

For details about all the supported patterns, see the Supported secrets section below.

If you use the REST API for secret scanning, you can use the Secret type to report on secrets from specific issuers. For more information, see REST API endpoints for secret scanning.

If you believe that secret scanning should have detected a secret committed to your repository, and it has not, you first need to check that GitHub supports your secret. For more information, refer to the following sections. For more advanced troubleshooting information, see Troubleshooting secret scanning.

Supported secrets

This table lists the secrets supported by secret scanning. You can see the types of alert that get generated for each token, as well as whether a validity check is performed on the token.

  • Provider: Name of the token provider.

  • Secret scanning alert: Token for which leaks are reported to users on GitHub.

    • Applies to private repositories where GitHub Secret Protection and secret scanning are enabled.
    • Includes default tokens, which relate to supported patterns and specified custom patterns, as well as non-provider tokens such as private keys, which often result in false positives.
  • Push protection: Token for which leaks are reported to users on GitHub. Applies to repositories with secret scanning and push protection enabled.

  • Validity check: Token for which a validity check is implemented. Currently only applies to GitHub tokens.

Non-provider patterns

Provider | Token
Generic | ec_private_key
Generic | http_basic_authentication_header
Generic | http_bearer_authentication_header
Generic | mongodb_connection_string
Generic | mysql_connection_string
Generic | openssh_private_key
Generic | pgp_private_key
Generic | postgres_connection_string
Generic | rsa_private_key

Note:

Validity checks are not supported for non-provider patterns.

Default patterns

Provider | Token | Secret scanning alert | Push protection | Validity check | Base64
Adafruit | adafruit_io_key
Adobe | adobe_client_secret
Adobe | adobe_device_token
Adobe | adobe_pac_token
Adobe | adobe_refresh_token
Adobe | adobe_service_token
Adobe | adobe_short_lived_access_token
Aiven | aiven_auth_token
Aiven | aiven_service_password
Alibaba | alibaba_cloud_access_key_id, alibaba_cloud_access_key_secret
Amazon AWS | aws_access_key_id, aws_secret_access_key (Token versions)
Amazon AWS | aws_secret_access_key, aws_session_token, aws_temporary_access_key_id
Anthropic | anthropic_admin_api_key
Anthropic | anthropic_api_key (Token versions)
Anthropic | anthropic_session_id
Asaas | asaas_api_token
Asana | asana_legacy_format_personal_access_token
Asana | asana_personal_access_token (Token versions)
Atlassian | atlassian_api_token (Token versions)
Atlassian | atlassian_jwt
Authress | authress_service_client_access_key
Azure | azure_active_directory_application_secret (Token versions)
Azure | azure_active_directory_user_credential
Azure | azure_apim_direct_management_key
Azure | azure_apim_gateway_key
Azure | azure_apim_repository_key
Azure | azure_apim_subscription_key
Azure | azure_app_configuration_connection_string
Azure | azure_batch_key_identifiable
Azure | azure_cache_for_redis_access_key (Token versions)
Azure | azure_communication_services_connection_string
Azure | azure_container_registry_key_identifiable
Azure | azure_cosmosdb_key_identifiable (Token versions)
Azure | azure_devops_personal_access_token (Token versions)
Azure | azure_event_hub_key_identifiable
Azure | azure_function_key (Token versions)
Azure | azure_iot_device_connection_string
Azure | azure_iot_device_key
Azure | azure_iot_device_provisioning_key
Azure | azure_iot_hub_connection_string
Azure | azure_iot_hub_key
Azure | azure_iot_provisioning_connection_string
Azure | azure_management_certificate
Azure | azure_ml_web_service_classic_identifiable_key
Azure | azure_openai_key (Token versions)
Azure | azure_relay_key_identifiable
Azure | azure_sas_token
Azure | azure_search_admin_key
Azure | azure_search_query_key
Azure | azure_service_bus_identifiable
Azure | azure_signalr_connection_string
Azure | azure_sql_connection_string
Azure | azure_sql_password
Azure | azure_storage_account_key (Token versions)
Azure | azure_web_pub_sub_connection_string
Azure | microsoft_azure_entra_id_token
Azure | microsoft_corporate_network_user_credential
Baidu | baiducloud_api_accesskey
Beamer | beamer_api_key
Bitbucket | bitbucket_server_personal_access_token
Bitrise | bitrise_personal_access_token
Bitrise | bitrise_workspace_api_token
Block Protocol | block_protocol_api_key
Brevo | sendinblue_api_key (Token versions)
Brevo | sendinblue_smtp_key
Buildkite | buildkite_user_access_token
Canadian Digital Service | cds_canada_notify_api_key
Canva | canva_app_secret
Canva | canva_connect_api_secret
Canva | canva_secret
Cashfree | cashfree_api_key
Cfx.re | cfxre_server_key
Checkout.com | checkout_production_secret_key (Token versions)
Checkout.com | checkout_test_secret_key (Token versions)
Chief Tools | chief_tools_token
CircleCI | circleci_bot_access_token
CircleCI | circleci_personal_access_token
CircleCI | circleci_project_access_token
CircleCI | circleci_release_integration_token
Clojars | clojars_deploy_token
CloudBees | codeship_credential
Cockroach Labs | ccdb_api_key
Contentful | contentful_personal_access_token
Coveo | coveo_access_token
Coveo | coveo_api_key
crates.io | cratesio_api_token
Databento | databento_api_key
Databricks | databricks_access_token (Token versions)
Datadog | datadog_rcm
Datastax | datastax_astracs_token
Defined Networking | defined_networking_nebula_api_key
DevCycle | devcycle_client_api_key
DevCycle | devcycle_mobile_api_key
DevCycle | devcycle_server_api_key
DigitalOcean | digitalocean_oauth_token
DigitalOcean | digitalocean_personal_access_token
DigitalOcean | digitalocean_refresh_token
DigitalOcean | digitalocean_system_token
Discord | discord_bot_token (Token versions)
Docker | docker_organization_access_token
Docker | docker_personal_access_token
Docker | docker_swarm_join_token
Docker | docker_swarm_unlock_key
Doppler | doppler_audit_token
Doppler | doppler_cli_token
Doppler | doppler_personal_token
Doppler | doppler_scim_token
Doppler | doppler_service_account_token
Doppler | doppler_service_token
Dropbox | dropbox_access_token
Dropbox | dropbox_short_lived_access_token
Duffel | duffel_live_access_token
Duffel | duffel_test_access_token
Dynatrace | dynatrace_api_token
Dynatrace | dynatrace_internal_token
EasyPost | easypost_production_api_key
EasyPost | easypost_test_api_key
eBay | ebay_production_client_id, ebay_production_client_secret
eBay | ebay_sandbox_client_id, ebay_sandbox_client_secret
Facebook | facebook_access_token
Fastly | fastly_api_token (Token versions)
Figma | figma_pat
Finicity | finicity_app_key
Firebase | firebase_cloud_messaging_server_key
Flutterwave | flutterwave_live_api_secret_key
Flutterwave | flutterwave_test_api_secret_key
Frame.io | frameio_developer_token
Frame.io | frameio_jwt
FullStory | fullstory_api_key (Token versions)
GitHub | github_app_installation_access_token (Token versions)
GitHub | github_oauth_access_token (Token versions)
GitHub | github_personal_access_token (Token versions)
GitHub | github_refresh_token (Token versions)
GitHub | github_ssh_private_key
GitHub | github_test_token
GitHub Secret Scanning | secret_scanning_sample_token (Token versions)
GitLab | gitlab_access_token (Token versions)
GoCardless | gocardless_live_access_token
GoCardless | gocardless_sandbox_access_token
Google | google_api_key
Google | google_cloud_service_account_credentials
Google | google_cloud_storage_access_key_secret, google_cloud_storage_service_account_access_key_id
Google | google_cloud_storage_access_key_secret, google_cloud_storage_user_access_key_id
Google | google_gcp_api_key_bound_service_account
Google | google_oauth_access_token
Google | google_oauth_client_id, google_oauth_client_secret (Token versions)
Google | google_oauth_refresh_token (Token versions)
Grafana | grafana_cloud_api_key
Grafana | grafana_cloud_api_token
Grafana | grafana_project_api_key
Grafana | grafana_project_service_account_token
Groq | groq_api_key (Token versions)
HashiCorp | hashicorp_vault_batch_token (Token versions)
HashiCorp | hashicorp_vault_root_service_token
HashiCorp | hashicorp_vault_service_token (Token versions)
HashiCorp | terraform_api_token
Heroku | heroku_platform_api_oauth2_token
Heroku | heroku_postgres_connection_url
Highnote | highnote_rk_live_key
Highnote | highnote_rk_test_key
Highnote | highnote_sk_live_key
Highnote | highnote_sk_test_key
HOP | hop_bearer
HOP | hop_pat
HOP | hop_ptk
Hubspot | hubspot_api_key (Token versions)
Hubspot | hubspot_personal_access_key
Hubspot | hubspot_private_apps_user_token
Hubspot | hubspot_smtp_credential (Token versions)
Hugging Face | hf_org_api_key
Hugging Face | hf_user_access_token (Token versions)
IBM | ibm_cloud_iam_key
Intercom | intercom_access_token
Ionic | ionic_personal_access_token (Token versions)
Ionic | ionic_refresh_token (Token versions)
JFrog | jfrog_platform_access_token
JFrog | jfrog_platform_api_key
JFrog | jfrog_platform_reference_token (Token versions)
Lichess | lichess_oauth_access_token
Lichess | lichess_personal_access_token
Lightspeed | lightspeed_xs_pat
Linear | linear_api_key
Linear | linear_oauth_access_token
LinkedIn | linkedin_client_secret
Lob | lob_live_api_key
Lob | lob_test_api_key
Localstack | localstack_api_key
LogicMonitor | logicmonitor_bearer_token
LogicMonitor | logicmonitor_lmv1_access_key
Login with Amazon | amazon_oauth_client_id, amazon_oauth_client_secret
Mailchimp | mailchimp_api_key
Mailgun | mailgun_api_key (Token versions)
Mapbox | mapbox_secret_access_token
MaxMind | maxmind_license_key
Mercury | mercury_non_production_api_token
Mercury | mercury_production_api_token
Mergify | mergify_application_key
MessageBird | messagebird_api_key
Midtrans | midtrans_production_server_key
Midtrans | midtrans_sandbox_server_key
MongoDB | mongodb_atlas_db_uri_with_credentials
MongoDB | mongodb_atlas_service_account_secret
Naver Cloud | navercloud_gov_access_key
Naver Cloud | navercloud_gov_access_key_secret
Naver Cloud | navercloud_gov_sts
Naver Cloud | navercloud_gov_sts_secret
Naver Cloud | navercloud_pub_access_key
Naver Cloud | navercloud_pub_access_key_secret
Naver Cloud | navercloud_pub_sts
Naver Cloud | navercloud_pub_sts_secret
Netflix | netflix_netkey
New Relic | new_relic_insights_query_key
New Relic | new_relic_license_key
New Relic | new_relic_personal_api_key
New Relic | new_relic_rest_api_key
Notion | notion_integration_token
Notion | notion_oauth_client_secret
npm | npm_access_token (Token versions)
NuGet | nuget_api_key (Token versions)
Octopus Deploy | octopus_deploy_api_key
Oculus | oculus_access_token
OneChronos | onechronos_api_key
OneChronos | onechronos_eb_api_key
OneChronos | onechronos_eb_encryption_key
OneChronos | onechronos_oauth_token
OneChronos | onechronos_refresh_token
Onfido | onfido_live_api_token
Onfido | onfido_sandbox_api_token
OpenAI | openai_api_key (Token versions)
OpenRouter | openrouter_api_key
Orbit | orbit_api_token
PagerDuty | pagerduty_oauth_secret
PagerDuty | pagerduty_oauth_token
Palantir | palantir_jwt
Pangea | pangea_token
Persona Identities | persona_production_api_key
Persona Identities | persona_sandbox_api_key
Pinterest | pinterest_access_token
Pinterest | pinterest_refresh_token
PlanetScale | planetscale_database_password
PlanetScale | planetscale_oauth_token
PlanetScale | planetscale_service_token
Planning Center | planning_center_oauth_access_token
Planning Center | planning_center_oauth_app_secret
Planning Center | planning_center_personal_access_token
Plivo | plivo_auth_id, plivo_auth_token
Polar | polar_access_token (Token versions)
Polar | polar_authorization_code (Token versions)
Polar | polar_client_registration_token (Token versions)
Polar | polar_client_secret (Token versions)
Polar | polar_personal_access_token (Token versions)
Polar | polar_refresh_token (Token versions)
Postman | postman_api_key
Postman | postman_collection_key
Prefect | prefect_server_api_key
Prefect | prefect_user_api_key
Proctorio | proctorio_consumer_key
Proctorio | proctorio_linkage_key
Proctorio | proctorio_registration_key
Proctorio | proctorio_secret_key (Token versions)
Pulumi | pulumi_access_token
PyPI | pypi_api_token
Ramp | ramp_client_id
Ramp | ramp_client_secret
Ramp | ramp_oauth_token
ReadMe | readmeio_api_access_token
redirect.pizza | redirect_pizza_api_token
Replicate | replicate_api_token
Rootly | rootly_api_key
RubyGems | rubygems_api_key
RunPod | runpod_api_key
Salesforce | salesforce_oauth2_consumer_key, salesforce_oauth2_consumer_secret
Salesforce | salesforce_refresh_token
Samsara | samsara_api_token
Samsara | samsara_oauth_access_token
Scalr | scalr_api_token
Segment | segment_public_api_token
SendGrid | sendgrid_api_key
Sentry | sentry_integration_token
Sentry | sentry_org_auth_token
Sentry | sentry_user_app_auth_token
Sentry | sentry_user_auth_token
Shippo | shippo_live_api_token
Shippo | shippo_test_api_token
Shopee | shopee_open_platform_partner_key
Shopify | shopify_access_token
Shopify | shopify_app_client_credentials
Shopify | shopify_app_client_secret
Shopify | shopify_app_shared_secret
Shopify | shopify_custom_app_access_token
Shopify | shopify_marketplace_token
Shopify | shopify_merchant_token
Shopify | shopify_partner_api_token
Shopify | shopify_private_app_password
Siemens | siemens_api_token
Sindri | sindri_api_key (Token versions)
Slack | slack_api_token (Token versions)
Slack | slack_incoming_webhook_url
Slack | slack_workflow_webhook_url
Sourcegraph | sourcegraph_access_token
Sourcegraph | sourcegraph_dotcom_user_gateway
Sourcegraph | sourcegraph_instance_identifier_access_token
Sourcegraph | sourcegraph_license_key_token
Sourcegraph | sourcegraph_product_subscription_token
Square | square_access_token (Token versions)
Square | square_production_application_secret
Square | square_sandbox_application_secret
SSLMate | sslmate_api_key (Token versions)
SSLMate | sslmate_cluster_secret
Stripe | stripe_api_key
Stripe | stripe_legacy_api_key
Stripe | stripe_live_restricted_key
Stripe | stripe_test_restricted_key
Stripe | stripe_test_secret_key
Stripe | stripe_webhook_signing_secret
Supabase | supabase_service_key (Token versions)
Tableau | tableau_personal_access_token
Tailscale | tailscale_api_key
Telegram | telegram_bot_token
Telnyx | telnyx_api_v2_key
Tencent | tencent_cloud_secret_id
Tencent | tencent_wechat_api_app_id
Thunderstore | thunderstore_io_api_token
Twilio | twilio_access_token
Twilio | twilio_account_sid (Token versions)
Twilio | twilio_api_key
Typeform | typeform_personal_access_token
Uniwise | wiseflow_api_key
Unkey | unkey_root_key
VolcEngine | volcengine_access_key_id
Wakatime | wakatime_api_key
Wakatime | wakatime_app_secret
Wakatime | wakatime_oauth_access_token
Wakatime | wakatime_oauth_refresh_token
Workato | workato_developer_api_token (Token versions)
WorkOS | workos_production_api_key (Token versions)
WorkOS | workos_staging_api_key (Token versions)
xAI | xai_api_key
Yandex | yandex_cloud_api_key
Yandex | yandex_cloud_iam_access_secret
Yandex | yandex_cloud_iam_cookie
Yandex | yandex_cloud_iam_token
Yandex | yandex_cloud_smartcaptcha_server_key
Yandex | yandex_dictionary_api_key
Yandex | yandex_predictor_api_key
Yandex | yandex_translate_api_key
Zuplo | zuplo_consumer_api_key

Token versions

Service providers update the patterns used to generate tokens periodically and may support more than one version of a token. Push protection only supports the most recent token versions that secret scanning can identify with confidence. This avoids push protection blocking commits unnecessarily when a result may be a false positive, which is more likely to happen with legacy tokens.

Multi-part secrets

By default, secret scanning supports validation for pair-matched access keys and key IDs.

Secret scanning also supports validation for individual key IDs for Amazon AWS Access Key IDs, in addition to existing pair matching.

A key ID will show as active if secret scanning confirms the key ID exists, regardless of whether or not a corresponding access key is found. The key ID will show as inactive if it's invalid (for example, if it is not a real key ID).

Where a valid pair is found, the secret scanning alerts will be linked.
