docs/content/code-security/secret-scanning/secret-scanning-patterns.md

title, intro, product, versions, type, topics, redirect_from, layout

title	intro	product	versions	type	topics	redirect_from	layout
Secret scanning patterns	Lists of supported secrets and the partners that {% data variables.product.company_short %} works with to prevent fraudulent use of secrets that were committed accidentally.	{% data reusables.gated-features.secret-scanning %}	fpt ghes ghae ghec * * * *	reference	Secret scanning Advanced Security	/code-security/secret-scanning/secret-scanning-partners	inline

{% data reusables.secret-scanning.beta %} {% data reusables.secret-scanning.enterprise-enable-secret-scanning %}

{% ifversion fpt or ghec %}

About {% data variables.product.prodname_secret_scanning %} patterns

{% data variables.product.product_name %} maintains these different sets of default {% data variables.product.prodname_secret_scanning %} patterns:

1. Partner patterns. Used to detect potential secrets in all public repositories as well as public npm packages.{% data reusables.secret-scanning.partner-program-link %}
2. User alert patterns. Used to detect potential secrets in {% ifversion fpt %}public{% endif %} repositories with {% data variables.secret-scanning.user_alerts %} enabled. {% ifversion secret-scanning-push-protection %}
3. Push protection patterns. Used to detect potential secrets in repositories with {% data variables.product.prodname_secret_scanning %} as a push protection enabled.{% endif %}

{% ifversion fpt %} Owners of public repositories, as well as organizations using {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_GH_advanced_security %}, can enable {% data variables.secret-scanning.user_alerts %} on their repositories. {% endif %}

For details about all the supported patterns, see the "Supported secrets" section below.

If you believe that {% data variables.product.prodname_secret_scanning %} should have detected a secret committed to your repository, and it has not, you first need to check that {% data variables.product.prodname_dotcom %} supports your secret. For more information, refer to the sections below. For more advanced troubleshooting information, see "AUTOTITLE."

About partner alerts

Partner alerts are alerts that are sent to the secret providers whenever a secret leak is reported for one of their secrets. {% data variables.product.product_name %} currently scans public repositories and public npm packages for secrets issued by specific service providers and alerts the relevant service provider whenever a secret is detected in a commit. For more information about {% data variables.secret-scanning.partner_alerts %}, see "AUTOTITLE."

{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %}

{% endif %}

About {% ifversion fpt or ghec %}user {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts

{% ifversion fpt or ghec %}User alerts are alerts that are reported to users on {% data variables.product.prodname_dotcom %}. {% endif %}When {% data variables.secret-scanning.user_alerts %} {% ifversion fpt or ghec %}are{% else %}is{% endif %} enabled, {% data variables.product.prodname_dotcom %} scans repositories for secrets issued by a large variety of service providers and generates {% data variables.secret-scanning.alerts %}.

{% ifversion secret-scanning-non-provider-patterns %}{% ifversion fpt or ghec %}User {% else %}{% data variables.product.prodname_secret_scanning %}{% endif %} alerts can be of the following types:

• High confidence alerts, which relate to supported patterns and specified custom patterns.
• Non-provider alerts, which have a higher ratio of false positives, and correspond to secrets such as private keys.

{% data variables.product.prodname_dotcom %} displays non-provider alerts in a different list to high confidence alerts, making triaging a better experience for users. For more information, see "Managing alerts from non-provider patterns."

{% data reusables.secret-scanning.non-provider-patterns-beta %}

{% endif %}

You can see these alerts on the Security tab of the repository. {% ifversion fpt or ghec %}For more information about {% data variables.secret-scanning.user_alerts %}, see "AUTOTITLE."{% endif %}

{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %}

If you use the REST API for secret scanning, you can use the Secret type to report on secrets from specific issuers. For more information, see "AUTOTITLE."

{% ifversion ghes or ghae or ghec %} {% note %}

Note: You can also define custom {% data variables.product.prodname_secret_scanning %} patterns for your repository, organization, or enterprise. For more information, see "AUTOTITLE."

{% endnote %} {% endif %}

{% ifversion secret-scanning-push-protection %}

About push protection alerts

Push protection alerts are user alerts that are reported by push protection. {% data variables.product.prodname_secret_scanning_caps %} as a push protection currently scans repositories for secrets issued by some service providers.

{% ifversion secret-scanning-push-protection-for-users %}Push protection alerts are not created for secrets that are bypassed with user-based push protection only. For more information, see "AUTOTITLE."{% endif %}

{% data reusables.secret-scanning.secret-scanning-pattern-pair-matches %}

{% data reusables.secret-scanning.push-protection-older-tokens %} For more information about push protection limitations, see "AUTOTITLE."

{% endif %}

Supported secrets

This table lists the secrets supported by {% data variables.product.prodname_secret_scanning %}. You can see the types of alert that get generated for each token{% ifversion secret-scanning-validity-check %}, as well as whether a validity check is performed on the token{% endif %}.

• Provider—name of the token provider.{% ifversion fpt or ghec %}

• Partner—token for which leaks are reported to the relevant token partner. Applies to public repositories only.

• User—token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}.{% ifversion secret-scanning-non-provider-patterns %}

  • Applies to public repositories, and to private repositories where {% data variables.product.prodname_GH_advanced_security %}, {% data variables.product.prodname_secret_scanning %}.
  • Includes high confidence tokens, which relate to supported patterns and specified custom patterns, as well as non-provider tokens such as private keys, which usually have a higher ratio of false positives.
  • For {% data variables.product.prodname_secret_scanning %} to scan for non-provider patterns, the detection of non-provider patterns must be enabled for the repository or the organization. For more information, see "AUTOTITLE." {% data reusables.secret-scanning.non-provider-patterns-beta %}{% endif %}{% endif %}{% ifversion ghes %}

• {% data variables.product.prodname_secret_scanning_caps %} alert—token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}.{% ifversion secret-scanning-non-provider-patterns %}

  • Applies to private repositories where {% data variables.product.prodname_GH_advanced_security %} and {% data variables.product.prodname_secret_scanning %} are enabled.
  • Includes high confidence tokens, which relate to supported patterns and specified custom patterns, as well as non-provider tokens such as private keys, which often result in false positives.{% else %} Applies to private repositories where {% data variables.product.prodname_GH_advanced_security %} and {% data variables.product.prodname_secret_scanning %} enabled.{% endif %}{% endif %} {% ifversion secret-scanning-push-protection %}

• Push protection—token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}. Applies to repositories with {% data variables.product.prodname_secret_scanning %} and push protection enabled. {% note %}

  Note: {% data reusables.secret-scanning.push-protection-older-tokens %} For more information about push protection limitations, see "AUTOTITLE."

  {% endnote %}{% endif %}{% ifversion secret-scanning-validity-check %}

• Validity check—token for which a validity check is implemented. {% ifversion secret-scanning-validity-check-partner-patterns %}For partner tokens, {% data variables.product.prodname_dotcom %} sends the token to the relevant partner. Note that not all partners are based in the United States. For more information, see "{% data variables.product.prodname_advanced_security %}" in the Site Policy documentation.{% else %} {% ifversion ghes > 3.8 %}Currently only applies to {% data variables.product.prodname_dotcom %} tokens.{% endif %} {% ifversion fpt %}Currently only applies to {% data variables.product.prodname_dotcom %} tokens, and not shown in the table. For more information about validity check support see "AUTOTITLE" in the {% data variables.product.prodname_ghe_cloud %} documentation.{% endif %}{% endif %}{% endif %}

{% ifversion secret-scanning-non-provider-patterns %}

Non-provider patterns

{% data reusables.secret-scanning.non-provider-patterns-beta %}

Provider	Token
Generic	http_basic_authentication_header
Generic	http_bearer_authentication_header
Generic	mongodb_connection_string
Generic	mysql_connection_string
Generic	openssh_private_key
Generic	pgp_private_key
Generic	postgres_connection_string
Generic	rsa_private_key

Push protection and validity checks are not supported for non-provider patterns.

High confidence patterns

{% endif %}

{% ifversion fpt %}

Provider	Token	Partner	User	Push protection
{%- for entry in secretScanningData %}
{{ entry.provider }}	{{ entry.secretType }}	{% if entry.isPublic %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %}	{% if entry.isPrivateWithGhas %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %}	{% if entry.hasPushProtection %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %}
{%- endfor %}

{% endif %}

{% ifversion ghec %}

Provider	Token	Partner	User	Push protection	Validity check
{%- for entry in secretScanningData %}
{{ entry.provider }}	{{ entry.secretType }}	{% if entry.isPublic %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %}	{% if entry.isPrivateWithGhas %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %}	{% if entry.hasPushProtection %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %}	{% if entry.hasValidityCheck %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %}
{%- endfor %}
{% endif %}

{% ifversion ghes = 3.8 %}

Provider	Token	{% data variables.product.prodname_secret_scanning_caps %} alert	Push protection
{%- for entry in secretScanningData %}
{{ entry.provider }}	{{ entry.secretType }}	{% if entry.isPrivateWithGhas %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %}	{% if entry.hasPushProtection %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %}
{%- endfor %}

{% endif %}

{% ifversion ghes > 3.8 %}

Provider	Token	{% data variables.product.prodname_secret_scanning_caps %} alert	Push protection	Validity check
{%- for entry in secretScanningData %}
{{ entry.provider }}	{{ entry.secretType }}	{% if entry.isPrivateWithGhas %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %}	{% if entry.hasPushProtection %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %}	{% if entry.hasValidityCheck %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %}
{%- endfor %}

{% endif %}

Further reading

• "AUTOTITLE"
• "AUTOTITLE" {%- ifversion fpt or ghec %}
• "AUTOTITLE" {%- else %}
• "AUTOTITLE" in the {% data variables.product.prodname_ghe_cloud %} documentation {% endif %}