docs/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md
Felicity Chapman 8c62486a96 Docs for new Secret risk assessment, GHAS SKU unbundling, and expansion to Team plan - ships 1st April (UK morning) (#54748)
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com>
Co-authored-by: mchammer01 <42146119+mchammer01@users.noreply.github.com>
Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com>
Co-authored-by: Hector Alfaro <hectorsector@github.com>
Co-authored-by: Vanessa <vgrl@github.com>
Co-authored-by: Erin Havens <erinhav@github.com>
Co-authored-by: Aaron Waggener <73763104+aaronwaggener@users.noreply.github.com>
Co-authored-by: Sam Browning <106113886+sabrowning1@users.noreply.github.com>
Co-authored-by: Sarah Schneider <sarahs@users.noreply.github.com>
Co-authored-by: Sarita Iyer <66540150+saritai@users.noreply.github.com>
Co-authored-by: Sarah Schneider <sarahs@github.com>
2025-04-01 10:29:37 +00:00


title: Supported secret scanning patterns
intro: Lists of supported secrets and the partners that {% data variables.product.company_short %} works with to prevent fraudulent use of secrets that were committed accidentally.
product: {% data reusables.gated-features.secret-scanning %}
versions: fpt: *, ghes: *, ghec: *
type: reference
topics: Secret scanning, Secret Protection
redirect_from: /code-security/secret-scanning/secret-scanning-partners, /code-security/secret-scanning/secret-scanning-patterns
layout: inline
shortTitle: Supported patterns

About {% data variables.product.prodname_secret_scanning %} patterns

{% data reusables.secret-scanning.alert-types %}

For in-depth information about each alert type, see AUTOTITLE.

For details about all the supported patterns, see the Supported secrets section below.

If you use the REST API for {% data variables.product.prodname_secret_scanning %}, you can use the Secret type to report on secrets from specific issuers. For more information, see AUTOTITLE.

If you believe that {% data variables.product.prodname_secret_scanning %} should have detected a secret committed to your repository, and it has not, you first need to check that {% data variables.product.prodname_dotcom %} supports your secret. For more information, refer to the following sections. For more advanced troubleshooting information, see AUTOTITLE.

Supported secrets

This table lists the secrets supported by {% data variables.product.prodname_secret_scanning %}. You can see the types of alert that get generated for each token, as well as whether a validity check is performed on the token.

  • Provider: Name of the token provider.{% ifversion fpt or ghec %}

  • Partner: Token for which leaks are reported to the relevant token partner. Applies to public repositories only.

  • User: Token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}.

    • Applies to public repositories, and to private repositories where {% data variables.product.prodname_GH_secret_protection %} and {% data variables.product.prodname_secret_scanning %} are enabled.
    • Includes {% ifversion secret-scanning-alert-experimental-list %}default{% else %}high confidence{% endif %} tokens, which relate to supported patterns and specified custom patterns, as well as non-provider tokens such as private keys, which usually have a higher ratio of false positives.
    • For {% data variables.product.prodname_secret_scanning %} to scan for non-provider patterns, the detection of non-provider patterns must be enabled for the repository or the organization. For more information, see AUTOTITLE. {% data reusables.secret-scanning.non-provider-patterns-beta %}{% endif %}{% ifversion ghes %}
  • {% data variables.product.prodname_secret_scanning_caps %} alert: Token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}.

    • Applies to private repositories where {% data variables.product.prodname_GH_secret_protection %} and {% data variables.product.prodname_secret_scanning %} are enabled.
    • Includes {% ifversion secret-scanning-alert-experimental-list %}default{% else %}high confidence{% endif %} tokens, which relate to supported patterns and specified custom patterns, as well as non-provider tokens such as private keys, which often result in false positives.{% endif %}
  • Push protection: Token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}. Applies to repositories with {% data variables.product.prodname_secret_scanning %} and push protection enabled.

  • Validity check: Token for which a validity check is implemented. {% ifversion secret-scanning-validity-check-partner-patterns %}For partner tokens, {% data variables.product.prodname_dotcom %} sends the token to the relevant partner. Note that not all partners are based in the United States. For more information, see {% data variables.product.prodname_AS %} in the Site Policy documentation.{% else %} {% ifversion ghes %}Currently only applies to {% data variables.product.prodname_dotcom %} tokens.{% endif %}{% endif %}

Non-provider patterns

{% data reusables.secret-scanning.non-provider-patterns-beta %}

| Provider | Token |
|---|---|
| Generic | password |
| Generic | http_basic_authentication_header |
| Generic | http_bearer_authentication_header |
| Generic | mongodb_connection_string |
| Generic | mysql_connection_string |
| Generic | openssh_private_key |
| Generic | pgp_private_key |
| Generic | postgres_connection_string |
| Generic | rsa_private_key |

[!NOTE] Push protection and validity checks are not supported for non-provider patterns.
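The following triage sketch is an added example, not part of the GitHub documentation. It uses the non-provider token names from the table above to route open alerts: non-provider hits go to manual review because no validity check backs them, while provider hits are routed by their validity result. It assumes alert records carry the `number`, `state`, `secret_type` and `validity` fields returned by the REST API's list-alerts endpoint, and that the endpoint accepts `secret_type` and `state` query parameters; `example-org`, `example-repo`, `example_provider_token`, the queue names and the sample alerts are constructed placeholders.

```python
from collections import defaultdict
from urllib.parse import urlencode

# Non-provider ("Generic") token names, copied from the table above.
NON_PROVIDER_TYPES = frozenset({
    "password", "http_basic_authentication_header",
    "http_bearer_authentication_header", "mongodb_connection_string",
    "mysql_connection_string", "openssh_private_key", "pgp_private_key",
    "postgres_connection_string", "rsa_private_key",
})

def alerts_url(owner, repo, secret_types):
    """Build a list-alerts URL restricted to open alerts of the given types."""
    query = urlencode({"secret_type": ",".join(sorted(secret_types)), "state": "open"})
    return f"https://api.github.com/repos/{owner}/{repo}/secret-scanning/alerts?{query}"

def triage(alerts):
    """Group open alert numbers into queues (queue names are hypothetical)."""
    queues = defaultdict(list)
    for alert in alerts:
        if alert.get("state") != "open":
            continue  # already resolved, nothing to triage
        if alert["secret_type"] in NON_PROVIDER_TYPES:
            # No validity check exists for these and false positives are
            # more common, so a person has to confirm each hit.
            queue = "manual_review"
        else:
            # Provider tokens: route on the validity check result.
            queue = {"active": "rotate_now", "inactive": "close_candidate"}.get(
                alert.get("validity"), "provider_unverified")
        queues[queue].append(alert["number"])
    return dict(queues)

# Constructed sample records, trimmed to the fields used above.
SAMPLE_ALERTS = [
    {"number": 1, "state": "open", "secret_type": "rsa_private_key", "validity": "unknown"},
    {"number": 2, "state": "open", "secret_type": "example_provider_token", "validity": "active"},
    {"number": 3, "state": "open", "secret_type": "example_provider_token", "validity": "inactive"},
    {"number": 4, "state": "resolved", "secret_type": "password", "validity": "unknown"},
    {"number": 5, "state": "open", "secret_type": "example_provider_token", "validity": "unknown"},
    {"number": 6, "state": "open", "secret_type": "postgres_connection_string", "validity": "unknown"},
]

if __name__ == "__main__":
    print(alerts_url("example-org", "example-repo", NON_PROVIDER_TYPES))
    print(triage(SAMPLE_ALERTS))
```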

{% ifversion secret-scanning-alert-experimental-list %}Default{% else %}High confidence{% endif %} patterns

{% ifversion fpt or ghec %}

Note

Validity checks are only available to users with {% data variables.product.prodname_team %} or {% data variables.product.prodname_enterprise %} who enable the feature as part of {% data variables.product.prodname_GH_secret_protection %}.

| Provider | Token | Partner | User | Push protection | Validity check |
|---|---|---|---|---|---|
{%- for entry in secretScanningData %}
| {{ entry.provider }} | {{ entry.secretType }} | {% if entry.isPublic %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %} | {% if entry.isPrivateWithGhas %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %} | {% if entry.hasPushProtection %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %} | {% if entry.hasValidityCheck %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %} |
{%- endfor %}

{% endif %}

{% ifversion ghes %}

| Provider | Token | {% data variables.product.prodname_secret_scanning_caps %} alert | Push protection | Validity check |
|---|---|---|---|---|
{%- for entry in secretScanningData %}
| {{ entry.provider }} | {{ entry.secretType }} | {% if entry.isPrivateWithGhas %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %} | {% if entry.hasPushProtection %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %} | {% if entry.hasValidityCheck %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %} |
{%- endfor %}

{% endif %}

Token versions

Service providers update the patterns used to generate tokens periodically and may support more than one version of a token. Push protection only supports the most recent token versions that {% data variables.product.prodname_secret_scanning %} can identify with confidence. This avoids push protection blocking commits unnecessarily when a result may be a false positive, which is more likely to happen with legacy tokens.

Further reading