Secret scanning expands default pattern support
Summary
GitHub continually updates the default pattern set for secret scanning with new patterns and upgrades of existing patterns, ensuring your repositories have comprehensive detection for different secret types. The following…
GitHub continually updates the default pattern set for secret scanning with new patterns and upgrades of existing patterns, ensuring your repositories have comprehensive detection for different secret types.
The following new patterns were added over the last few months. Secret scanning automatically detects any secrets matching these patterns in your repositories. See the full list of supported secrets in the documentation.
| Provider | Token | Partner | User | Push protection |
|---|---|---|---|---|
| Anthropic | anthropic_admin_api_key | ✓ | ✓ | ✓ |
| Asaas | asaas_api_token | ✓ | ✓ | |
| Asana | asana_legacy_format_personal_access_token | ✓ | ✓ | |
| Azure | azure_openai_key | ✓ | ✓ | ✓ |
| Azure | microsoft_azure_common_annotated_security_key | ✓ | ||
| Azure | microsoft_azure_entra_id_token | ✓ | ✓ | ✓ |
| Cfx.re | cfxre_server_key | ✓ | ✓ | |
| Cockroach Labs | ccdb_api_key | ✓ | ✓ | |
| Coveo | coveo_access_token | ✓ | ✓ | |
| Databento | databento_api_key | ✓ | ✓ | |
| Datastax | datastax_astracs_token | ✓ | ✓ | ✓ |
| google_cloud_service_account_credentials | ✓ | ✓ | ✓ | |
| google_gcp_api_key_bound_service_account | ✓ | ✓ | ||
| Hubspot | hubspot_private_apps_user_token | ✓ | ✓ | |
| Hubspot | hubspot_smtp_credential | ✓ | ✓ | |
| Hugging Face | hf_user_access_token | ✓ | ✓ | ✓ |
| Iterative | iterative_dvc_studio_access_token | ✓ | ✓ | |
| Lichess | lichess_personal_access_token | ✓ | ✓ | |
| Lichess | lichess_oauth_access_token | ✓ | ✓ | |
| MongoDB | mongodb_atlas_db_uri_with_credentials | ✓ | ✓ | |
| Netflix | netflix_netkey | ✓ | ✓ | |
| OpenRouter | openrouter_api_key | ✓ | ✓ | |
| Oracle | oracle_api_key | ✓ | ||
| Polar | polar_access_token | ✓ | ✓ | |
| Polar | polar_authorization_code | ✓ | ✓ | |
| Polar | polar_client_registration_token | ✓ | ✓ | |
| Polar | polar_client_secret | ✓ | ✓ | |
| Polar | polar_personal_access_token | ✓ | ✓ | |
| Polar | polar_refresh_token | ✓ | ✓ | |
| Replicate | replicate_api_token | ✓ | ✓ | ✓ |
| Scalr | scalr_api_token | ✓ | ✓ | ✓ |
| Sentry | sentry_org_auth_token | ✓ | ||
| Sentry | sentry_user_auth_token | ✓ | ||
| Sentry | sentry_user_app_auth_token | ✓ | ||
| Sentry | sentry_integration_token | ✓ | ||
| Shopee | shopee_open_platform_partner_key | ✓ | ✓ | |
| Siemens | siemens_api_token | ✓ | ✓ | ✓ |
| Sindri | sindri_api_key | ✓ | ✓ | |
| Tailscale | tailscale_api_key | ✓ | ✓ |
The following existing patterns were upgraded to be included in push protection. When push protection is enabled, secret scanning automatically blocks any pushes that contain a secret matching these patterns.
| Provider | Token |
|---|---|
| Contentful | contentful_personal_access_token |
| GitLab | gitlab_access_token |
| Ionic | ionic_refresh_token |
| Orbit | orbit_api_token |
| PyPI | pypi_api_token |
| Thunderstore | thunderstore_io_api_token |
| Yandex | yandex_cloud_iam_access_secret |
Learn more about securing your repositories with secret scanning.
New Releases 
Improvements 
Deprecations