This version of GitHub Enterprise was discontinued on 2023-03-15. No patch releases will be made, even for critical security issues. For better performance, improved security, and new features, upgrade to the latest version of GitHub Enterprise. For help with the upgrade, contact GitHub Enterprise support.
Secret scanning patterns
Lists of supported secrets and the partners that GitHub works with to prevent fraudulent use of secrets that were committed accidentally.
Secret scanning is available for organization-owned repositories in GitHub Enterprise Server if your enterprise has a license for GitHub Advanced Security. For more information, see "About secret scanning" and "About GitHub Advanced Security."
Note: Your site administrator must enable secret scanning for your GitHub Enterprise Server instance before you can use this feature. For more information, see "Configuring secret scanning for your appliance."
About secret scanning alerts
When secret scanning is enabled, GitHub scans repositories for secrets issued by a large variety of service providers and generates secret scanning alerts.
You can see these alerts on the Security tab of the repository.
If access to a resource requires paired credentials, then secret scanning will create an alert only when both parts of the pair are detected in the same file. This ensures that the most critical leaks are not hidden behind information about partial leaks. Pair matching also helps reduce false positives since both elements of a pair must be used together to access the provider's resource.
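The pair-matching rule described above, as an added Python sketch (not GitHub's scanner code). The provider "ExampleCo", its token formats, the regular expressions and the comma-joined alert name are all hypothetical, and the sample files are constructed.

```python
import re
from dataclasses import dataclass

# Hypothetical formats for an imaginary provider "ExampleCo". These are NOT
# GitHub's detection patterns, which this page does not publish.
PAIRED = {
    "exampleco_key_id": re.compile(r"\bEXID[A-Z0-9]{16}\b"),
    "exampleco_key_secret": re.compile(r"\bexsk_[a-z0-9]{32}\b"),
}
STANDALONE = {"exampleco_api_token": re.compile(r"\bextk_[a-z0-9]{24}\b")}

@dataclass(frozen=True)
class Alert:
    path: str
    secret_type: str
    line: int

def _find(pattern, text):
    """Return the 1-based line numbers on which the pattern matches."""
    return [n for n, line in enumerate(text.splitlines(), 1) if pattern.search(line)]

def scan_file(path, text):
    alerts = []
    # A standalone token grants access by itself, so every hit is reported.
    for name, pat in STANDALONE.items():
        alerts += [Alert(path, name, n) for n in _find(pat, text)]
    # Paired credentials: one alert, and only if every part is in this file.
    hits = {name: _find(pat, text) for name, pat in PAIRED.items()}
    if all(hits.values()):
        first = min(n for lines in hits.values() for n in lines)
        alerts.append(Alert(path, ",".join(PAIRED), first))
    return alerts

def scan_repo(files):
    """files maps path -> content; pairs are never matched across files."""
    return [a for path, text in sorted(files.items()) for a in scan_file(path, text)]

# Constructed sample repository; every value below is fake.
SAMPLE = {
    "config/prod.env": "KEY_ID=EXID0123456789ABCDEF\nKEY_SECRET=exsk_" + "a1" * 16 + "\n",
    "docs/setup.md": "Use key id EXID0123456789ABCDEF in the dashboard.\n",
    "ci/deploy.sh": "export SECRET=exsk_" + "b2" * 16 + "\n",
    "app/client.py": "TOKEN = 'extk_" + "c3" * 12 + "'\n",
}

if __name__ == "__main__":
    for alert in scan_repo(SAMPLE):
        print(alert)
```

Only `config/prod.env` (both halves of the pair) and `app/client.py` (a standalone token) produce alerts; the key ID in `docs/setup.md` and the secret in `ci/deploy.sh` are partial leaks in separate files and are not reported.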
If you use the REST API for secret scanning, you can use the Secret type to report on secrets from specific issuers. For more information, see "Secret scanning."
Note: You can also define custom secret scanning patterns for your repository, organization, or enterprise. For more information, see "Defining custom patterns for secret scanning."
Supported secrets
This table lists the secrets supported by secret scanning. You can see the types of alert that get generated for each token.
- Provider: name of the token provider.
- Secret scanning alert: token for which leaks are reported to users on GitHub. Applies to private repositories where GitHub Advanced Security and secret scanning are enabled.
| Provider | Token | Secret scanning alert |
|---|---|---|
| Adobe | adobe_device_token | |
| Adobe | adobe_jwt | |
| Adobe | adobe_service_token | |
| Adobe | adobe_short_lived_access_token | |
| Atlassian | atlassian_api_token | |
| Atlassian | atlassian_jwt | |
| Azure | azure_sas_token | |
| Azure | azure_management_certificate | |
| Azure | azure_sql_connection_string | |
| Beamer | beamer_api_key | |
| Checkout.com | checkout_test_secret_key | |
| CloudBees CodeShip | codeship_credential | |
| Contentful | contentful_personal_access_token | |
| Dropbox | dropbox_access_token | |
| Duffel | duffel_test_access_token | |
| Dynatrace | dynatrace_access_token | |
| Dynatrace | dynatrace_internal_token | |
| EasyPost | easypost_test_api_key | |
| Fastly | fastly_api_token | |
| Finicity | finicity_app_key | |
| Flutterwave | flutterwave_test_api_secret_key | |
| Frame.io | frameio_developer_token | |
| Frame.io | frameio_jwt | |
| GitLab | gitlab_access_token | |
| GoCardless | gocardless_live_access_token | |
| GoCardless | gocardless_sandbox_access_token | |
| Google | firebase_cloud_messaging_server_key | |
| Google | google_oauth_access_token | |
| Google | google_oauth_refresh_token | |
| Google Cloud | google_api_key | |
| HashiCorp | hashicorp_vault_batch_token | |
| HashiCorp | hashicorp_vault_service_token | |
| HashiCorp Terraform | terraform_api_token | |
| Lob | lob_live_api_key | |
| Lob | lob_test_api_key | |
| Mailchimp | mailchimp_api_key | |
| Mailgun | mailgun_api_key | |
| Mapbox | mapbox_secret_access_token | |
| MessageBird | messagebird_api_key | |
| Meta | facebook_access_token | |
| Midtrans | midtrans_sandbox_server_key | |
| New Relic | new_relic_license_key | |
| Notion | notion_integration_token | |
| Notion | notion_oauth_client_secret | |
| Octopus Deploy | octopus_deploy_api_key | |
| Onfido | onfido_sandbox_api_token | |
| Palantir | palantir_jwt | |
| Plivo | plivo_auth_id plivo_auth_token | |
| Proctorio | proctorio_consumer_key | |
| Proctorio | proctorio_linkage_key | |
| Proctorio | proctorio_registration_key | |
| Pulumi | pulumi_access_token | |
| PyPI | pypi_api_token | |
| RubyGems | rubygems_api_key | |
| Shippo | shippo_test_api_token | |
| Shopify | shopify_custom_app_access_token | |
| Shopify | shopify_private_app_password | |
| Slack | slack_incoming_webhook_url | |
| Slack | slack_workflow_webhook_url | |
| Square | square_access_token | |
| Square | square_production_application_secret | |
| Square | square_sandbox_application_secret | |
| SSLMate | sslmate_api_key | |
| SSLMate | sslmate_cluster_secret | |
| Stripe | stripe_live_restricted_key | |
| Stripe | stripe_api_key | |
| Stripe | stripe_test_restricted_key | |
| Stripe | stripe_test_secret_key | |
| Stripe | stripe_webhook_signing_secret | |
| Supabase | supabase_service_key | |
| Tableau | tableau_personal_access_token | |
| Telegram | telegram_bot_token | |
| Twilio | twilio_access_token | |
| Twilio | twilio_account_sid | |
| Twilio | twilio_api_key | |
| Yandex | yandex_cloud_api_key | |
| Yandex | yandex_cloud_iam_cookie | |
| Yandex | yandex_cloud_iam_token | |
| Yandex | yandex_dictionary_api_key | |
| Yandex | yandex_predictor_api_key | |
| Yandex | yandex_translate_api_key | |
Further reading
- "Securing your repository"
- "Keeping your account and data secure"
- "Secret scanning partner program" in the GitHub Enterprise Cloud documentation
