Supported secret scanning patterns

Lists of supported secrets and the partners that GitHub works with to prevent fraudulent use of secrets that were committed accidentally.

Who can use this feature?

Secret scanning is available for the following repository types:

Public repositories: Secret scanning runs automatically for free.
Organization-owned private and internal repositories: Available with GitHub Secret Protection enabled on GitHub Team or GitHub Enterprise Cloud.
User-owned repositories: Available on GitHub Enterprise Cloud with Enterprise Managed Users. Available on GitHub Enterprise Server when the enterprise has GitHub Secret Protection enabled.

About secret scanning patterns

There are two types of secret scanning alerts:

Secret scanning alerts: Reported to users in the Security tab of the repository, when a supported secret is detected in the repository.
Push protection alerts: Reported to users in the Security tab of the repository, when a contributor bypasses push protection.

For in-depth information about each alert type, see About secret scanning alerts.

If you use the REST API for secret scanning, you can use the Secret type to report on secrets from specific issuers. For more information, see REST API endpoints for secret scanning.

Pattern categories

Category	Description	Detection approach	Example
Generic	Secrets not tied to a specific provider, such as private keys and database connection strings	Regex-based	`rsa_private_key`
AI-detected	Generic passwords detected by Copilot secret scanning using AI models	AI-based	`password`
Provider	Secrets tied to a specific service provider (such as AWS, Azure, Stripe)	Regex-based	`aws_access_key_id`

Capabilities by category

Capability	Generic patterns	AI-detected	Provider patterns
User alerts
Partner notifications			(if partner)
Push protection (default)			(most)
Push protection (configurable)			Some
Validity checks			Some
Extended metadata			Some
Base64 format support			Some

[! NOTE] Validity and extended metadata checks are only available to users with GitHub Team or GitHub Enterprise who enable the feature as part of GitHub Secret Protection.

Supported generic patterns

Precision levels are estimated based on the pattern type's typical false positive rates.

Provider	Token	Description	Precision
Generic	ec_private_key	Elliptic Curve (EC) private keys used for cryptographic operations	High
Generic	http_basic_authentication_header	HTTP Basic Authentication credentials in request headers	Medium
Generic	http_bearer_authentication_header	HTTP Bearer tokens used for API authentication	Medium
Generic	mongodb_connection_string	Connection strings for MongoDB databases containing credentials	High
Generic	mysql_connection_url	Connection strings for MySQL databases containing credentials	High
Generic	openssh_private_key	OpenSSH format private keys used for SSH authentication	High
Generic	pgp_private_key	PGP (Pretty Good Privacy) private keys used for encryption and signing	High
Generic	postgres_connection_string	Connection strings for PostgreSQL databases containing credentials	High
Generic	rsa_private_key	RSA private keys used for cryptographic operations	High

Note

Validity checks are not supported for generic/ non-provider patterns.

Supported provider patterns

Use the table below to search, filter, and browse all supported patterns. You can filter by provider name, push protection support, validity checks, and more.

Note

Service providers update the patterns used to generate tokens periodically and may support more than one version of a token. Push protection only supports the most recent token versions that secret scanning can identify with confidence. This avoids push protection blocking commits unnecessarily when a result may be a false positive, which is more likely to happen with legacy tokens.

Showing 448 of 448 patterns

Supported patterns

	Secret	Partner	User alert	Push protection	Validity check	Metadata check	Base64
1Password	1Password Service Account Token `1password_service_account_token`	✗	✓	✓	✗	✗	✗
Adafruit	Adafruit IO Key `adafruit_io_key`	✓	✓	✓	✗	✗	✗
Adobe	Adobe Client Secret `adobe_client_secret`	✓	✓	✓	✗	✗	✗
Adobe	Adobe Device Token `adobe_device_token`	✓	✓	✓	✗	✗	✗
Adobe	Adobe PAC Token `adobe_pac_token`	✓	✓	✓	✗	✗	✗
Adobe	Adobe Refresh Token `adobe_refresh_token`	✓	✓	✓	✗	✗	✗
Adobe	Adobe Service Token `adobe_service_token`	✓	✓	✓	✗	✗	✗
Adobe	Adobe Short-Lived Access Token `adobe_short_lived_access_token`	✓	✓	✓	✗	✗	✗
Aikido	Aikido API Client Secret `aikido_api_client_secret`	✗	✓	✓	✗	✗	✗
Aikido	Aikido CI Scanning Token `aikido_ci_scanning_token`	✗	✓	✓	✗	✗	✗
Airtable	Airtable API Key `airtable_api_key`	✗	✓	✓	✗	✗	✗
Airtable	Airtable Personal Access Token `airtable_personal_access_token`	✗	✓	✓	✗	✗	✗
Aiven	Aiven Auth Token `aiven_auth_token`	✓	✓	✓	✗	✗	✗
Aiven	Aiven Service Password `aiven_service_password`	✓	✓	✓	✗	✗	✗
Alibaba	Alibaba Cloud AccessKey ID `alibaba_cloud_access_key_id , alibaba_cloud_access_key_secret`	✓	✓	✓	✗	✗	✗
Amazon AWS	Amazon AWS Access Key ID `aws_access_key_id , aws_secret_access_key`	✓	✓	✓	✗	✗	✗
Amazon AWS	Amazon AWS API Key ID `aws_api_key`	✓	✓	✗	✗	✗	✗
Amazon AWS	Amazon AWS Session Token `aws_secret_access_key , aws_session_token , aws_temporary_access_key_id`	✗	✓	✓	✗	✗	✗
Anthropic	Anthropic Admin API Key `anthropic_admin_api_key`	✓	✓	✓	✗	✗	✗
Anthropic	Anthropic API Key `anthropic_api_key`	✓	✓	✓	✗	✗	✗
Anthropic	Anthropic Session ID `anthropic_session_id`	✓	✓	✓	✗	✗	✗
Apify	Apify Actor Run API Token `apify_actor_run_api_token`	✓	✓	✓	✗	✗	✗
Apify	Apify Actor Run Proxy Password `apify_actor_run_proxy_password`	✓	✓	✓	✗	✗	✗
Apify	Apify API Token `apify_api_token`	✓	✓	✓	✗	✗	✗
Apify	Apify Integration API Token `apify_integration_api_token`	✓	✓	✓	✗	✗	✗