Secret scanning improves private key detection, updates Sentry pattern names
To reduce the risk of cryptographic credentials being exposed in your repositories, secret scanning now detects additional private key formats and has upgraded existing private key detectors.
In addition, Sentry token names have been updated to match Sentry’s change to token naming conventions.
New patterns added
Secret scanning now detects the following additional private key formats.
| Secret type | Format detected |
|---|---|
ec_private_key | Elliptic Curve private keys |
generic_private_key | Generic PKCS#8 private keys |
The generic private key pattern detects RSA keys in PKCS#8 format and other private keys using the standard BEGIN PRIVATE KEY header. This pattern automatically filters out GitHub private keys to avoid duplicate alerts.
Detector improvements
Starting this week, the following private key patterns will also detect keys that contain escaped newlines (\n), a common format in configuration files and environment variables.
| Secret type |
|---|
ec_private_key |
github_ssh_private_key |
openssh_private_key |
rsa_private_key |
Secret types renamed
Sentry recently rolled out changes to naming conventions across their token types. To align with these changes, the following secret types are being renamed.
| Secret type (new) | Slug (new) | Secret type (prev) | Slug (prev) |
|---|---|---|---|
| Sentry Organization Token | sentry_organization_token | Sentry Org Auth Token | sentry_org_auth_token |
| Sentry Personal Token | sentry_personal_token | Sentry User Auth Token | sentry_user_auth_token |
Learn more about non-provider secret patterns and secret scanning.