About secret scanning patterns
There are three types of secret scanning alerts:
- User alerts: Reported to users in the Security and quality tab of the repository, when a supported secret is detected in the repository.
- Push protection alerts: Reported to users in the Security and quality tab of the repository, when a contributor bypasses push protection.
- Partner alerts: Reported directly to secret providers that are part of secret scanning's partner program. These alerts are not reported in the Security and quality tab of the repository.
For in-depth information about each alert type, see About secret scanning alerts.
If you use the REST API for secret scanning, you can use the Secret type to report on secrets from specific issuers. For more information, see REST API endpoints for secret scanning.
Pattern categories
| Category | Description | Detection approach | Example |
|---|---|---|---|
| Generic | Secrets not tied to a specific provider, such as private keys and database connection strings | Regex-based | rsa_private_key |
| AI-detected | Generic passwords detected by Copilot secret scanning using AI models | AI-based | password |
| Provider | Secrets tied to a specific service provider (such as AWS, Azure, Stripe) | Regex-based | aws_access_key_id |
Capabilities by category
| Capability | Generic patterns | AI-detected | Provider patterns |
|---|---|---|---|
| User alerts | |||
| Partner notifications | (if partner) | ||
| Push protection (default) | (most) | ||
| Push protection (configurable) | Some | ||
| Validity checks | Some | ||
| Extended metadata | Some | ||
| Base64 format support | Some |
Note:
Validity and extended metadata checks are only available to users with GitHub Team or GitHub Enterprise who enable the feature as part of GitHub Secret Protection.
Supported generic patterns
Precision levels are estimated based on the pattern type's typical false positive rates.
| Provider | Token | Description | Precision |
|---|---|---|---|
| Generic | ec_private_key | Elliptic Curve (EC) private keys used for cryptographic operations | High |
| Generic | generic_private_key | Cryptographic private keys with -----BEGIN PRIVATE KEY----- header | High |
| Generic | http_basic_authentication_header | HTTP Basic Authentication credentials in request headers | Medium |
| Generic | http_bearer_authentication_header | HTTP Bearer tokens used for API authentication | Medium |
| Generic | mongodb_connection_string | Connection strings for MongoDB databases containing credentials | High |
| Generic | mysql_connection_url | Connection strings for MySQL databases containing credentials | High |
| Generic | openssh_private_key | OpenSSH format private keys used for SSH authentication | High |
| Generic | pgp_private_key | PGP (Pretty Good Privacy) private keys used for encryption and signing | High |
| Generic | postgres_connection_string | Connection strings for PostgreSQL databases containing credentials | High |
| Generic | rsa_private_key | RSA private keys used for cryptographic operations | High |
Note:
Validity checks are not supported for generic (non-provider) patterns.
Supported AI-detected patterns
Secret scanning uses Copilot to detect generic passwords. See Responsible detection of generic secrets with Copilot secret scanning.
| Provider | Token |
|---|---|
| Generic | password |
Note:
Push protection and validity checks are not supported for passwords.
Supported provider patterns
Use the table below to search, filter, and browse all supported patterns. You can filter by provider name, push protection support, validity checks, and more.
Note:
Service providers update the patterns used to generate tokens periodically and may support more than one version of a token. Push protection only supports the most recent token versions that secret scanning can identify with confidence. This avoids push protection blocking commits unnecessarily when a result may be a false positive, which is more likely to happen with legacy tokens.
Showing 517 of 517 patterns
Supported patterns
| Provider | Secret | Partner | User alert | Push protection | Validity check | Metadata check | Base64 |
|---|---|---|---|---|---|---|---|
| 1Password | 1Password Service Account Token | ✗ | ✓ | ✓ | ✗ | ✗ | ✗ |
| Adafruit | Adafruit IO Key | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ |
| Adobe | Adobe Client Secret | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ |
| Adobe | Adobe Device Token | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ |
| Adobe | Adobe PAC Token | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ |
| Adobe | Adobe Refresh Token | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ |
| Adobe | Adobe Service Token | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ |
| Adobe | Adobe Short-Lived Access Token | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ |
| Aikido | Aikido API Client Secret | ✗ | ✓ | ✓ | ✗ | ✗ | ✗ |
| Aikido | Aikido CI Scanning Token | ✗ | ✓ | ✓ | ✗ | ✗ | ✗ |
| Airtable | Airtable API Key | ✗ | ✓ | ✓ | ✗ | ✗ | ✗ |
| Airtable | Airtable Personal Access Token | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ |
| Aiven | Aiven Auth Token | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ |
| Aiven | Aiven Service Password | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ |
| Alibaba | Alibaba Cloud AccessKey ID | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ |
| Amazon AWS | Amazon AWS Access Key ID | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ |
| Amazon AWS | Amazon AWS API Key ID | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ |
| Amazon AWS | Amazon AWS Session Token | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ |
| Anthropic | Anthropic Admin API Key | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ |
| Anthropic | Anthropic API Key | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Anthropic | Anthropic Session ID | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ |
| Apify | Apify Actor Run API Token | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ |
| Apify | Apify Actor Run Proxy Password | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ |
| Apify | Apify API Token | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ |
| Apify | Apify Integration API Token | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ |