Improvement
Secret scanning adds validity checks for over 40 secret detectors
Secret scanning is adding validity check support for 45 additional token types across over 30 providers.
What’s changing?
In addition to previously announced token types, you will now see validity checks for the following secret types:
| Provider | Pattern | Validity |
|---|---|---|
| Block Protocol | block_protocol_api_key | ✅ |
| Brevo | sendinblue_api_key | ✅ |
| Canadian Digital Services | cds_canada_notify_api_key | ✅ |
| Checkout.com | checkout_production_secret_key | ✅ |
| Checkout.com | checkout_test_secret_key | ✅ |
| CircleCI | circleci_personal_access_token | ✅ |
| DataBento | databento_api_key | ✅ |
| Doppler | doppler_audit_token | ✅ |
| Doppler | doppler_cli_token | ✅ |
| Doppler | doppler_scim_token | ✅ |
| Doppler | doppler_service_token | ✅ |
| Fastly | fastly_api_token | ✅ |
| Figma | figma_pat | ✅ |
| FlutterWave | flutterwave_live_api_secret_key | ✅ |
| FlutterWave | flutterwave_test_api_secret_key | ✅ |
| Frame.io | frameio_developer_token | ✅ |
| Frame.io | frameio_jwt | ✅ |
| GoCardless | gocardless_live_access_token | ✅ |
| GoCardless | gocardless_sandbox_access_token | ✅ |
| Heroku | heroku_platform_api_oauth2_token | ✅ |
| Highnote | highnote_sk_live_key | ✅ |
| Highnote | highnote_sk_test_key | ✅ |
| Intercom | intercom_access_token | ✅ |
| Lichess | lichess_oauth_access_token | ✅ |
| Lichess | lichess_personal_access_token | ✅ |
| Lob | lob_live_api_key | ✅ |
| Lob | lob_test_api_key | ✅ |
| MapBox | mapbox_secret_access_token | ✅ |
| MaxMind | maxmind_license_key | ✅ |
| Mercury | mercury_non_production_api_token | ✅ |
| Mercury | mercury_production_api_token | ✅ |
| OpenRouter | openrouter_api_key | ✅ |
| Persona Identities | persona_production_api_key | ✅ |
| Persona Identities | persona_sandbox_api_key | ✅ |
| Planning Center | planning_center_oauth_access_token | ✅ |
| Pulumi | pulumi_access_token | ✅ |
| redirect.pizza | redirect_pizza_api_token | ✅ |
| Replicate | replicate_api_token | ✅ |
| Rootly | rootly_api_key | ✅ |
| RubyGems | rubygems_api_key | ✅ |
| Scalr | scalr_api_token | ✅ |
| SendGrid | sendgrid_api_key | ✅ |
| Sindri | sindri_api_key | ✅ |
| Unkey | unkey_root_key | ✅ |
| xAI | xai_api_key | ✅ |
| Zuplo | zuplo_consumer_api_key | ✅ |
What are validity checks?
Validity checks indicate if the leaked credentials are active and could still be exploited. If you’ve previously enabled validation checks for a given repository, GitHub will now automatically verify validity for alerts on supported token types. View the full list of supported secret types in our product documentation.