Patrones de análisis de secretos admitidos

Listas de los secretos admitidos y los asociados con los que trabaja GitHub para evitar el uso fraudulento de secretos que se confirmaron por accidente.

¿Quién puede utilizar esta característica?

Secret scanning está disponible para los tipos de repositorio siguientes:

Repositorios públicos: Secret scanning se ejecuta automáticamente y sin coste.
Repositorios privados e internos de la organización: disponibles con GitHub Advanced Security habilitados en GitHub Team o GitHub Enterprise Cloud.
Repositorios propiedad del usuario: disponibles en GitHub Enterprise Cloud con Enterprise Managed Users. Disponible en GitHub Enterprise Server cuando la empresa tiene GitHub Advanced Security habilitado.

En este artículo

About secret scanning patterns

There are two types of secret scanning alerts:

Secret scanning alerts: Reported to users in the Security tab of the repository, when a supported secret is detected in the repository.
Push protection alerts: Reported to users in the Security tab of the repository, when a contributor bypasses push protection.

For in-depth information about each alert type, see About secret scanning alerts.

If you use the REST API for secret scanning, you can use the Secret type to report on secrets from specific issuers. For more information, see REST API endpoints for secret scanning.

Pattern categories

Category	Description	Detection approach	Example
Generic	Secrets not tied to a specific provider, such as private keys and database connection strings	Regex-based	`rsa_private_key`
AI-detected	Generic passwords detected by Copilot secret scanning using AI models	AI-based	`password`
Provider	Secrets tied to a specific service provider (such as AWS, Azure, Stripe)	Regex-based	`aws_access_key_id`

Capabilities by category

Capability	Generic patterns	AI-detected	Provider patterns
User alerts
Partner notifications			(if partner)
Push protection (default)			(most)
Push protection (configurable)			Some
Validity checks			Some
Extended metadata			Some
Base64 format support			Some

[! NOTE] Validity and extended metadata checks are only available to users with GitHub Team or GitHub Enterprise who enable the feature as part of GitHub Advanced Security.

Supported generic patterns

Precision levels are estimated based on the pattern type's typical false positive rates.

Provider	Token	Description	Precision
Generic	http_basic_authentication_header	HTTP Basic Authentication credentials in request headers	Medium
Generic	http_bearer_authentication_header	HTTP Bearer tokens used for API authentication	Medium
Generic	mongodb_connection_string	Connection strings for MongoDB databases containing credentials	High
Generic	mysql_connection_url	Connection strings for MySQL databases containing credentials	High
Generic	openssh_private_key	OpenSSH format private keys used for SSH authentication	High
Generic	pgp_private_key	PGP (Pretty Good Privacy) private keys used for encryption and signing	High
Generic	postgres_connection_string	Connection strings for PostgreSQL databases containing credentials	High
Generic	rsa_private_key	RSA private keys used for cryptographic operations	High

Nota:

Validity checks are not supported for generic/ non-provider patterns.

Supported provider patterns

Use the table below to search, filter, and browse all supported patterns. You can filter by provider name, push protection support, validity checks, and more.

Nota:

Service providers update the patterns used to generate tokens periodically and may support more than one version of a token. Push protection only supports the most recent token versions that secret scanning can identify with confidence. This avoids push protection blocking commits unnecessarily when a result may be a false positive, which is more likely to happen with legacy tokens.

Showing 311 of 311 patterns

Supported patterns

	Secret	Partner	User alert	Push protection	Validity check	Metadata check	Base64
Adafruit	Adafruit IO Key `adafruit_io_key`	✓	✓	✓	✗	✗	✗
Adobe	Adobe Client Secret `adobe_client_secret`	✓	✓	✓	✗	✗	✗
Adobe	Adobe Device Token `adobe_device_token`	✓	✓	✓	✗	✗	✗
Adobe	Adobe PAC Token `adobe_pac_token`	✓	✓	✓	✗	✗	✗
Adobe	Adobe Refresh Token `adobe_refresh_token`	✓	✓	✓	✗	✗	✗
Adobe	Adobe Service Token `adobe_service_token`	✓	✓	✓	✗	✗	✗
Adobe	Adobe Short-Lived Access Token `adobe_short_lived_access_token`	✓	✓	✓	✗	✗	✗
Aiven	Aiven Auth Token `aiven_auth_token`	✓	✓	✓	✗	✗	✗
Aiven	Aiven Service Password `aiven_service_password`	✓	✓	✓	✗	✗	✗
Alibaba	Alibaba Cloud AccessKey ID `alibaba_cloud_access_key_id , alibaba_cloud_access_key_secret`	✓	✓	✓	✗	✗	✗
Amazon AWS	Amazon AWS Access Key ID `aws_access_key_id , aws_secret_access_key`	✓	✓	✓	✗	✗	✗
Amazon AWS	Amazon AWS Session Token `aws_secret_access_key , aws_session_token , aws_temporary_access_key_id`	✗	✓	✓	✗	✗	✗
Anthropic	Anthropic Admin API Key `anthropic_admin_api_key`	✓	✓	✓	✗	✗	✗
Anthropic	Anthropic API Key `anthropic_api_key`	✓	✓	✓	✗	✗	✗
Anthropic	Anthropic Session ID `anthropic_session_id`	✓	✓	✓	✗	✗	✗
Asaas	Asaas API Token `asaas_api_token`	✓	✗	✗	✗	✗	✗
Asana	Asana Legacy Format Personal Access Token `asana_legacy_format_personal_access_token`	✗	✓	✗	✗	✗	✗
Asana	Asana Personal Access Token `asana_personal_access_token`	✗	✓	✓	✗	✗	✗
Atlassian	Atlassian API Token `atlassian_api_token`, Token versions	✓	✓	✓	✗	✗	✗
Atlassian	Atlassian JSON Web Token `atlassian_jwt`	✓	✓	✗	✗	✗	✗
Authress	Authress Service Client Access Key `authress_service_client_access_key`	✓	✓	✓	✗	✗	✗
Azure	Azure Active Directory Application Secret `azure_active_directory_application_secret`, Token versions	✓	✓	✓	✗	✗	✗
Azure	Azure Active Directory User Credential `azure_active_directory_user_credential`	✓	✓	✗	✗	✗	✗
Azure	Azure Apim Direct Management Key `azure_apim_direct_management_key`	✓	✓	✓	✗	✗	✗
Azure	Azure Apim Gateway Key `azure_apim_gateway_key`	✓	✓	✓	✗	✗	✗