---
title: Supported secret scanning patterns
intro: 'Lists of supported secrets and the partners that {% data variables.product.company_short %} works with to prevent fraudulent use of secrets that were committed accidentally.'
product: '{% data reusables.gated-features.secret-scanning %}'
versions:
  fpt: '*'
  ghes: '*'
  ghec: '*'
redirect_from:
  - /code-security/secret-scanning/secret-scanning-partners
  - /code-security/secret-scanning/secret-scanning-patterns
  - /code-security/secret-scanning/introduction/supported-secret-scanning-patterns
shortTitle: Supported patterns
autogenerated: secret-scanning
contentType: reference
category:
  - Protect your secrets
---

## About {% data variables.product.prodname_secret_scanning %} patterns

{% data reusables.secret-scanning.alert-types %}

For in-depth information about each alert type, see AUTOTITLE.

If you use the REST API for {% data variables.product.prodname_secret_scanning %}, you can filter by secret type to report on secrets from specific issuers. For more information, see AUTOTITLE.
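As an added example (not GitHub's own code), the script below builds a request to the REST API list-alerts endpoint for a repository, filtered with its `secret_type` query parameter to the token names used in the tables on this page, and tallies the returned alerts per secret type and validity. The repository `octo-org/octo-repo`, the `GITHUB_TOKEN` environment variable and the sample alert records are assumptions constructed for this example.

```python
import json
import os
import urllib.parse
import urllib.request
from collections import defaultdict

API = "https://api.github.com"


def alerts_url(owner, repo, secret_types, state="open"):
    """Build the repository list-alerts URL filtered to the given secret types
    (token names such as rsa_private_key or aws_access_key_id)."""
    query = {"state": state, "secret_type": ",".join(secret_types), "per_page": "100"}
    return f"{API}/repos/{owner}/{repo}/secret-scanning/alerts?{urllib.parse.urlencode(query)}"


def fetch_alerts(url, token):
    """Fetch one page of alerts; the token needs read access to secret scanning alerts."""
    req = urllib.request.Request(url, headers={
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
        "X-GitHub-Api-Version": "2022-11-28",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def summarize(alerts):
    """Count alerts per secret type and validity. Validity is only meaningful for
    provider patterns that support validity checks (see the capabilities table)."""
    counts = defaultdict(lambda: defaultdict(int))
    for alert in alerts:
        counts[alert["secret_type"]][alert.get("validity", "unknown")] += 1
    return {secret_type: dict(v) for secret_type, v in counts.items()}


# Constructed alert records shaped like the API response; used when no token is set.
SAMPLE_ALERTS = [
    {"number": 1, "secret_type": "aws_access_key_id", "state": "open", "validity": "active"},
    {"number": 2, "secret_type": "aws_access_key_id", "state": "open", "validity": "inactive"},
    {"number": 3, "secret_type": "rsa_private_key", "state": "open", "validity": "unknown"},
]

if __name__ == "__main__":
    url = alerts_url("octo-org", "octo-repo", ["aws_access_key_id", "rsa_private_key"])
    token = os.environ.get("GITHUB_TOKEN")  # assumption: a token with alert read access
    alerts = fetch_alerts(url, token) if token else SAMPLE_ALERTS
    print(json.dumps(summarize(alerts), indent=2))
```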

## Pattern categories

| Category | Description | Detection approach | Example |
|---|---|---|---|
| Generic | Secrets not tied to a specific provider, such as private keys and database connection strings | Regex-based | `rsa_private_key` |
| AI-detected | Generic passwords detected by {% data variables.secret-scanning.copilot-secret-scanning %} using AI models | AI-based | `password` |
| Provider | Secrets tied to a specific service provider (such as AWS, Azure, Stripe) | Regex-based | `aws_access_key_id` |

## Capabilities by category

| Capability | Generic patterns | AI-detected | Provider patterns |
|---|---|---|---|
| User alerts | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} |
| Partner notifications | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} (if partner) |
| Push protection (default) | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} (most) |
| Push protection (configurable) | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | Some |
| Validity checks | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | Some |
| Extended metadata | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | Some |
| Base64 format support | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | Some |

> [!NOTE]
> Validity and extended metadata checks are only available to users with {% data variables.product.prodname_team %} or {% data variables.product.prodname_enterprise %} who enable the feature as part of {% data variables.product.prodname_GH_secret_protection %}.

## Supported generic patterns

Precision levels are estimated based on the pattern type's typical false positive rates.

{% ifversion fpt or ghec %}

| Provider | Token | Description | Precision |
|---|---|---|---|
| Generic | `ec_private_key` | Elliptic Curve (EC) private keys used for cryptographic operations | High |
| Generic | `generic_private_key` | Cryptographic private keys with `-----BEGIN PRIVATE KEY-----` header | High |
| Generic | `http_basic_authentication_header` | HTTP Basic Authentication credentials in request headers | Medium |
| Generic | `http_bearer_authentication_header` | HTTP Bearer tokens used for API authentication | Medium |
| Generic | `mongodb_connection_string` | Connection strings for MongoDB databases containing credentials | High |
| Generic | `mysql_connection_url` | Connection strings for MySQL databases containing credentials | High |
| Generic | `openssh_private_key` | OpenSSH format private keys used for SSH authentication | High |
| Generic | `pgp_private_key` | PGP (Pretty Good Privacy) private keys used for encryption and signing | High |
| Generic | `postgres_connection_string` | Connection strings for PostgreSQL databases containing credentials | High |
| Generic | `rsa_private_key` | RSA private keys used for cryptographic operations | High |

{% endif %}

{% ifversion ghes %}

| Provider | Token | Description | Precision |
|---|---|---|---|
{% ifversion ghes > 3.18 %}
| Generic | `ec_private_key` | Elliptic Curve (EC) private keys used for cryptographic operations | High |
{% endif %}
{% ifversion ghes > 3.19 %}
| Generic | `generic_private_key` | Cryptographic private keys with `-----BEGIN PRIVATE KEY-----` header | High |
{% endif %}
| Generic | `http_basic_authentication_header` | HTTP Basic Authentication credentials in request headers | Medium |
| Generic | `http_bearer_authentication_header` | HTTP Bearer tokens used for API authentication | Medium |
| Generic | `mongodb_connection_string` | Connection strings for MongoDB databases containing credentials | High |
| Generic | `mysql_connection_url` | Connection strings for MySQL databases containing credentials | High |
| Generic | `openssh_private_key` | OpenSSH format private keys used for SSH authentication | High |
| Generic | `pgp_private_key` | PGP (Pretty Good Privacy) private keys used for encryption and signing | High |
| Generic | `postgres_connection_string` | Connection strings for PostgreSQL databases containing credentials | High |
| Generic | `rsa_private_key` | RSA private keys used for cryptographic operations | High |

{% endif %}

> [!NOTE]
> Validity checks are not supported for generic (non-provider) patterns.
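As an added illustration, not GitHub's own code (GitHub does not publish its detection patterns), the script below scans constructed file contents with regex approximations of a few of the generic patterns listed above and reports each finding with the precision level from the table. It also shows why the header patterns are rated Medium: a `Basic` header matched by regex alone over-matches, so a finding is kept only when its value decodes to `user:password`. The regexes and all sample values are constructed for this example.

```python
import base64
import re

# Regex approximations of some generic patterns from the tables above, paired
# with their stated precision. Constructed for this example only.
GENERIC_PATTERNS = {
    "rsa_private_key": (r"-----BEGIN RSA PRIVATE KEY-----[\s\S]+?-----END RSA PRIVATE KEY-----", "High"),
    "openssh_private_key": (r"-----BEGIN OPENSSH PRIVATE KEY-----[\s\S]+?-----END OPENSSH PRIVATE KEY-----", "High"),
    "generic_private_key": (r"-----BEGIN PRIVATE KEY-----[\s\S]+?-----END PRIVATE KEY-----", "High"),
    "postgres_connection_string": (r"postgres(?:ql)?://[^\s:/@]+:[^\s@]+@[^\s/]+(?:/\S*)?", "High"),
    "http_basic_authentication_header": (r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]{8,})", "Medium"),
    "http_bearer_authentication_header": (r"Authorization:\s*Bearer\s+[A-Za-z0-9._~+/-]+=*", "Medium"),
}


def looks_like_basic_credentials(value):
    """A Basic value should be base64 of 'user:password'; anything else is a likely false positive."""
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    return ":" in decoded


def scan(text):
    """Return (token, precision, line) for each match, dropping obvious Basic-header false positives."""
    findings = []
    for token, (pattern, precision) in GENERIC_PATTERNS.items():
        for m in re.finditer(pattern, text, re.IGNORECASE):
            if token == "http_basic_authentication_header" and not looks_like_basic_credentials(m.group(1)):
                continue  # medium precision: the header regex alone over-matches
            findings.append((token, precision, text.count("\n", 0, m.start()) + 1))
    return sorted(findings, key=lambda f: f[2])


# Constructed sample file contents; none of these values are real credentials.
SAMPLE = "\n".join([
    "DATABASE_URL=postgres://app:hunter2@db.internal:5432/app",
    'curl -H "Authorization: Basic YWxpY2U6czNjcjN0" https://api.example.com/',  # alice:s3cr3t
    'curl -H "Authorization: Basic QUJDREVGR0g=" https://api.example.com/',  # ABCDEFGH, no colon
    "-----BEGIN RSA PRIVATE KEY-----",
    "MIIEowIBAAKCAQEAexamplekeymaterial",
    "-----END RSA PRIVATE KEY-----",
    'curl -H "Authorization: Bearer eyJconstructed.example.token" https://api.github.com/user',
])

if __name__ == "__main__":
    for token, precision, line in scan(SAMPLE):
        print(f"line {line}: {token} (precision {precision})")
```

The second `Basic` line is matched by the regex but discarded because its value is not `user:password`, which is the kind of false positive behind the Medium rating.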

{% ifversion secret-scanning-ai-generic-secret-detection %}

## Supported AI-detected patterns

{% data variables.product.prodname_secret_scanning_caps %} uses {% data variables.product.prodname_copilot_short %} to detect generic passwords. See AUTOTITLE.

| Provider | Token |
|---|---|
| Generic | `password` |

> [!NOTE]
> Push protection and validity checks are not supported for passwords.

{% endif %}

## Supported provider patterns

Use the table below to search, filter, and browse all supported patterns. You can filter by provider name, push protection support, validity checks, and more.

> [!NOTE]
> Service providers update the patterns used to generate tokens periodically and may support more than one version of a token. Push protection only supports the most recent token versions that {% data variables.product.prodname_secret_scanning %} can identify with confidence. This avoids push protection blocking commits unnecessarily when a result may be a false positive, which is more likely to happen with legacy tokens.