docs/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md
2025-11-22 09:50:42 +00:00
---
title: Supported secret scanning patterns
intro: 'Lists of supported secrets and the partners that {% data variables.product.company_short %} works with to prevent fraudulent use of secrets that were committed accidentally.'
product: '{% data reusables.gated-features.secret-scanning %}'
versions:
  fpt: '*'
  ghes: '*'
  ghec: '*'
type: reference
topics:
  - Secret scanning
  - Secret Protection
redirect_from:
  - /code-security/secret-scanning/secret-scanning-partners
  - /code-security/secret-scanning/secret-scanning-patterns
layout: inline
shortTitle: Supported patterns
---

## About {% data variables.product.prodname_secret_scanning %} patterns

{% data reusables.secret-scanning.alert-types %}

For in-depth information about each alert type, see AUTOTITLE.

For details about all the supported patterns, see the Supported secrets section below.

If you use the REST API for {% data variables.product.prodname_secret_scanning %}, you can use the Secret type to report on secrets from specific issuers. For more information, see AUTOTITLE.
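As an added example (not code from the GitHub docs), the following Python builds the request for the repository alert-list endpoint, filtered by secret type, and turns a page of alert records into a per-issuer validity report. The endpoint path and the `secret_type` and `validity` query parameters are taken from the REST API reference as I know it, not from this page; the alert records are constructed sample data, and `API_ROOT` assumes GitHub.com rather than a GHES host.

```python
import json
from collections import defaultdict
from urllib.parse import urlencode

# Assumption: GitHub.com API host. GHES deployments use their own hostname.
API_ROOT = "https://api.github.com"


def alerts_url(owner, repo, secret_types=None, validity=None, per_page=100, page=1):
    """Build the URL for GET /repos/{owner}/{repo}/secret-scanning/alerts.

    secret_type and validity are comma-separated list query parameters of that
    endpoint; filtering by secret type server-side is what lets a report focus
    on tokens from specific issuers.
    """
    params = {"per_page": per_page, "page": page}
    if secret_types:
        params["secret_type"] = ",".join(secret_types)
    if validity:
        params["validity"] = ",".join(validity)
    return f"{API_ROOT}/repos/{owner}/{repo}/secret-scanning/alerts?{urlencode(params)}"


def report_by_issuer(alerts):
    """Count open alerts per secret_type, split by the alert's validity field.

    validity is "active", "inactive" or "unknown"; "unknown" is what you get for
    patterns without a validity check, such as non-provider patterns.
    """
    report = defaultdict(lambda: {"active": 0, "inactive": 0, "unknown": 0})
    for alert in alerts:
        if alert.get("state") != "open":
            continue
        validity = alert.get("validity", "unknown")
        report[alert["secret_type"]][validity] += 1
    return dict(report)


def active_first(alerts):
    """Order open alerts so confirmed-active secrets are handled first."""
    rank = {"active": 0, "unknown": 1, "inactive": 2}
    return sorted(
        (a for a in alerts if a.get("state") == "open"),
        key=lambda a: (rank.get(a.get("validity", "unknown"), 1), a["number"]),
    )


# Constructed sample page of alerts; numbers and states are placeholders.
SAMPLE_ALERTS = json.loads("""
[
  {"number": 1, "state": "open", "secret_type": "github_personal_access_token", "validity": "active"},
  {"number": 2, "state": "open", "secret_type": "github_personal_access_token", "validity": "inactive"},
  {"number": 3, "state": "resolved", "secret_type": "github_personal_access_token", "validity": "inactive"},
  {"number": 4, "state": "open", "secret_type": "rsa_private_key", "validity": "unknown"},
  {"number": 5, "state": "open", "secret_type": "github_personal_access_token", "validity": "active"}
]
""")

if __name__ == "__main__":
    print(alerts_url("octo-org", "octo-repo", ["rsa_private_key"]))
    print(report_by_issuer(SAMPLE_ALERTS))
    print([a["number"] for a in active_first(SAMPLE_ALERTS)])
```

Pass an `Authorization: Bearer` header with a token that has the `security_events` scope when you actually send the request; the functions above only build the query and process the JSON you get back.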

If you believe that {% data variables.product.prodname_secret_scanning %} should have detected a secret committed to your repository, and it has not, you first need to check that {% data variables.product.prodname_dotcom %} supports your secret. For more information, refer to the following sections. For more advanced troubleshooting information, see AUTOTITLE.

## Supported secrets

This table lists the secrets supported by {% data variables.product.prodname_secret_scanning %}. You can see the types of alert that get generated for each token, as well as whether a validity check is performed on the token.

* Provider: Name of the token provider.{% ifversion fpt or ghec %}
* Partner: Token for which leaks are reported to the relevant token partner. Applies to public repositories and all gists, including secret gists. Secret gists are not private and can be accessed by anyone with the URL. See About gists.
* User: Token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}.
  * Applies to public repositories, and to private repositories where {% data variables.product.prodname_GH_secret_protection %} and {% data variables.product.prodname_secret_scanning %} are enabled.
  * Includes {% ifversion secret-scanning-alert-experimental-list %}default{% else %}high confidence{% endif %} tokens, which relate to supported patterns and specified custom patterns, as well as non-provider tokens such as private keys, which usually have a higher ratio of false positives.
  * For {% data variables.product.prodname_secret_scanning %} to scan for non-provider patterns, the detection of non-provider patterns must be enabled for the repository or the organization. For more information, see AUTOTITLE. {% data reusables.secret-scanning.non-provider-patterns-beta %}{% endif %}{% ifversion ghes %}
* {% data variables.product.prodname_secret_scanning_caps %} alert: Token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}.
  * Applies to private repositories where {% data variables.product.prodname_GH_secret_protection %} and {% data variables.product.prodname_secret_scanning %} are enabled.
  * Includes {% ifversion secret-scanning-alert-experimental-list %}default{% else %}high confidence{% endif %} tokens, which relate to supported patterns and specified custom patterns, as well as non-provider tokens such as private keys, which often result in false positives.{% endif %}
* Push protection: Token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}. Applies to repositories with {% data variables.product.prodname_secret_scanning %} and push protection enabled.
* Validity check: Token for which a validity check is implemented. {% ifversion secret-scanning-validity-check-partner-patterns %}For partner tokens, {% data variables.product.prodname_dotcom %} sends the token to the relevant partner. Note that not all partners are based in the United States. For more information, see {% data variables.product.prodname_AS %} in the Site Policy documentation.{% else %} Currently only applies to {% data variables.product.prodname_dotcom %} tokens.{% endif %}

## Non-provider patterns

{% data reusables.secret-scanning.non-provider-patterns-beta %}

Precision levels are estimated based on the pattern type's typical false positive rates.

{% ifversion fpt or ghec %}

| Provider | Token | Description | Precision |
| -------- | ----- | ----------- | --------- |
| Generic | ec_private_key | Elliptic Curve (EC) private keys used for cryptographic operations | High |
| Generic | generic_private_key | Cryptographic private keys with -----BEGIN PRIVATE KEY----- header | High |
| Generic | http_basic_authentication_header | HTTP Basic Authentication credentials in request headers | Medium |
| Generic | http_bearer_authentication_header | HTTP Bearer tokens used for API authentication | Medium |
| Generic | mongodb_connection_string | Connection strings for MongoDB databases containing credentials | High |
| Generic | mysql_connection_string | Connection strings for MySQL databases containing credentials | High |
| Generic | openssh_private_key | OpenSSH format private keys used for SSH authentication | High |
| Generic | pgp_private_key | PGP (Pretty Good Privacy) private keys used for encryption and signing | High |
| Generic | postgres_connection_string | Connection strings for PostgreSQL databases containing credentials | High |
| Generic | rsa_private_key | RSA private keys used for cryptographic operations | High |

{% endif %}

{% ifversion ghes %}

| Provider | Token | Description | Precision |
| -------- | ----- | ----------- | --------- |
{% ifversion ghes > 3.18 %}
| Generic | ec_private_key | Elliptic Curve (EC) private keys used for cryptographic operations | High |
{% endif %}
{% ifversion ghes > 3.19 %}
| Generic | generic_private_key | Cryptographic private keys with -----BEGIN PRIVATE KEY----- header | High |
{% endif %}
| Generic | http_basic_authentication_header | HTTP Basic Authentication credentials in request headers | Medium |
| Generic | http_bearer_authentication_header | HTTP Bearer tokens used for API authentication | Medium |
| Generic | mongodb_connection_string | Connection strings for MongoDB databases containing credentials | High |
| Generic | mysql_connection_string | Connection strings for MySQL databases containing credentials | High |
| Generic | openssh_private_key | OpenSSH format private keys used for SSH authentication | High |
| Generic | pgp_private_key | PGP (Pretty Good Privacy) private keys used for encryption and signing | High |
| Generic | postgres_connection_string | Connection strings for PostgreSQL databases containing credentials | High |
| Generic | rsa_private_key | RSA private keys used for cryptographic operations | High |

{% endif %}

> [!NOTE]
> Validity checks are not supported for non-provider patterns.
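To make the non-provider table concrete, here is an added example (my own code, not GitHub's detector) of a line-oriented scanner for the same ten token types, labelled with the precision levels from the table. GitHub does not publish its real patterns, so every regular expression below is an approximation I wrote for illustration; the sample input is constructed, and every credential-looking value in it is a placeholder. The example shows why the header patterns are rated Medium: a regex cannot tell a real bearer token from a placeholder, whereas a PEM header or a `user:password@` connection string rarely appears by accident.

```python
import re
from dataclasses import dataclass

# Token names and precision levels follow the non-provider table above. The
# regular expressions are this example's own approximations, not GitHub's.
NON_PROVIDER_PATTERNS = {
    "ec_private_key": (r"-----BEGIN EC PRIVATE KEY-----", "High"),
    "generic_private_key": (r"-----BEGIN PRIVATE KEY-----", "High"),
    "openssh_private_key": (r"-----BEGIN OPENSSH PRIVATE KEY-----", "High"),
    "pgp_private_key": (r"-----BEGIN PGP PRIVATE KEY BLOCK-----", "High"),
    "rsa_private_key": (r"-----BEGIN RSA PRIVATE KEY-----", "High"),
    # Connection strings only count when they embed user:password@ credentials.
    "mongodb_connection_string": (r"\bmongodb(?:\+srv)?://[^\s:/@]+:[^\s@]+@\S+", "High"),
    "mysql_connection_string": (r"\bmysql://[^\s:/@]+:[^\s@]+@\S+", "High"),
    "postgres_connection_string": (r"\bpostgres(?:ql)?://[^\s:/@]+:[^\s@]+@\S+", "High"),
    # Header patterns cannot distinguish a live credential from a placeholder,
    # which is why the table rates them Medium.
    "http_basic_authentication_header": (r"\bAuthorization:\s*Basic\s+[A-Za-z0-9+/]{8,}={0,2}", "Medium"),
    "http_bearer_authentication_header": (r"\bAuthorization:\s*Bearer\s+[A-Za-z0-9._~+/=-]{8,}", "Medium"),
}
COMPILED = {
    name: (re.compile(rx, re.IGNORECASE), precision)
    for name, (rx, precision) in NON_PROVIDER_PATTERNS.items()
}


@dataclass(frozen=True)
class Finding:
    token: str
    precision: str
    line_no: int
    redacted: str  # never keep or print the full matched value


def redact(value: str, keep: int = 8) -> str:
    """Keep a short prefix so a finding is recognisable without re-leaking it."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def scan_text(text: str) -> list[Finding]:
    """Scan text line by line and return one Finding per pattern match."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for token, (regex, precision) in COMPILED.items():
            for match in regex.finditer(line):
                findings.append(Finding(token, precision, line_no, redact(match.group(0))))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per precision level, e.g. to route Medium ones to review."""
    counts: dict[str, int] = {}
    for finding in findings:
        counts[finding.precision] = counts.get(finding.precision, 0) + 1
    return counts


# Constructed sample input; every credential-looking value is a placeholder.
SAMPLE = """\
DATABASE_URL=postgres://app_user:example-password@db.internal:5432/app
MONGO_URI=mongodb+srv://reader:example-password@cluster0.example.net/reports
curl -H "Authorization: Bearer exampletoken1234567890" https://api.example.com/v1/me
# base64("user:password") placeholder follows
Authorization: Basic dXNlcjpwYXNzd29yZA==
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAA...
-----END OPENSSH PRIVATE KEY-----
host=localhost user=app   # no password, nothing to report
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(f"line {finding.line_no}: {finding.token} [{finding.precision}] {finding.redacted}")
    print(summarize(scan_text(SAMPLE)))
```

Run it on a file with `scan_text(open(path).read())`; the `redacted` field is what should reach a log or ticket, since copying the full match into an alert would leak the secret a second time.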

{% ifversion secret-scanning-ai-generic-secret-detection %}

### {% data variables.secret-scanning.copilot-secret-scanning %}

{% data variables.product.prodname_secret_scanning_caps %} uses {% data variables.product.prodname_copilot_short %} to detect generic passwords. See AUTOTITLE.

| Provider | Token |
| -------- | ----- |
| Generic | password |

> [!NOTE]
> Push protection and validity checks are not supported for passwords.

{% endif %}

## {% ifversion secret-scanning-alert-experimental-list %}Default{% else %}High confidence{% endif %} patterns

{% ifversion fpt or ghec %}

> [!NOTE]
> Validity checks are only available to users with {% data variables.product.prodname_team %} or {% data variables.product.prodname_enterprise %} who enable the feature as part of {% data variables.product.prodname_GH_secret_protection %}.

| Provider | Token | Partner | User | Push protection | Validity check | Base64 |
| -------- | ----- | ------- | ---- | --------------- | -------------- | ------ |
{%- for entry in secretScanningData %}
| {{ entry.provider }} | {{ entry.secretType }} | {% if entry.isPublic %}{% else %}{% endif %} | {% if entry.isPrivateWithGhas %}{% else %}{% endif %} | {% if entry.hasPushProtection %}{% else %}{% endif %} | {% if entry.hasValidityCheck %}{% else %}{% endif %} | {% if entry.base64Supported %}{% else %}{% endif %} |
{%- endfor %}

{% endif %}

{% ifversion ghes %}

| Provider | Token | {% data variables.product.prodname_secret_scanning_caps %} alert | Push protection | Validity check | Base64 |
| -------- | ----- | ------------------------------------------------------------------ | --------------- | -------------- | ------ |
{%- for entry in secretScanningData %}
| {{ entry.provider }} | {{ entry.secretType }} | {% if entry.isPrivateWithGhas %}{% else %}{% endif %} | {% if entry.hasPushProtection %}{% else %}{% endif %} | {% if entry.hasValidityCheck %}{% else %}{% endif %} | {% if entry.base64Supported %}{% else %}{% endif %} |
{%- endfor %}

{% endif %}

## Token versions

Service providers update the patterns used to generate tokens periodically and may support more than one version of a token. Push protection only supports the most recent token versions that {% data variables.product.prodname_secret_scanning %} can identify with confidence. This avoids push protection blocking commits unnecessarily when a result may be a false positive, which is more likely to happen with legacy tokens.

## Multi-part secrets

By default, {% data variables.product.prodname_secret_scanning %} supports validation for pair-matched access keys and key IDs.

{% data variables.product.prodname_secret_scanning_caps %} also supports validation for individual key IDs for Amazon AWS Access Key IDs, in addition to existing pair matching.

A key ID will show as active if {% data variables.product.prodname_secret_scanning %} confirms the key ID exists, regardless of whether or not a corresponding access key is found. The key ID will show as inactive if it's invalid (for example, if it is not a real key ID).

Where a valid pair is found, the {% data variables.product.prodname_secret_scanning %} alerts will be linked.

## Further reading