Improvement

March 31, 2026
3 minute read

GitHub secret scanning — coverage update

GitHub secret scanning continually updates its detectors, validators, and analyzers. Here’s what’s new.

  • Nine new secret detectors from seven providers, including Langchain, Salesforce, and Figma.
  • Secrets from Figma, Google, OpenVSX, and PostHog are now push-protected by default.
  • Validity checks are now supported for npm secrets (npm_access_token).

Missed our last update? Catch up on recently added detectors or see the full list of supported secrets in our product documentation.

Detectors added

Secret scanning now automatically detects the following new secret types in your repositories.

Provider     Secret type                                   Push protection
Fieldguide   fieldguide_api_token                          (configurable)
Figma        figma_scim_token                              ✓ (default)
Flickr       flickr_api_key                                (configurable)
Hack Club    hackclub_ai_api_key                           (configurable)
Langchain    langsmith_license_key                         ✓ (default)
Langchain    langsmith_scim_bearer_token                   ✓ (default)
PostHog      posthog_oauth_access_token                    (configurable)
PostHog      posthog_oauth_refresh_token                   (configurable)
Salesforce   salesforce_marketing_cloud_api_oauth2_token   ✓ (default)

Detectors for Drone CI, Netlify, Pydantic, and Twitch are currently in observation mode and will be promoted to general availability after validation. Keep an eye on the GitHub changelog for updates.

Partner secrets are automatically reported to the secret issuer when found in public repositories through the secret scanning partnership program. Learn more about the technical partnership program for secret scanning.

User secrets generate secret scanning alerts when found in public or private repositories. Learn more in our documentation about secret scanning.

Validators added

The following secret types now support validity checks, which automatically verify whether a detected secret is still active to help prioritize remediation.

Provider   Secret type
npm        npm_access_token

Push protection defaults

The following detectors are now included in push protection by default. In repositories where push protection is enabled, pushes that contain a secret matching one of these patterns are blocked.

Provider   Secret type
Figma      figma_scim_token
Google     google_gcp_api_key_bound_service_account
OpenVSX    openvsx_access_token
PostHog    posthog_personal_api_key

Secret types that are included in push protection by default apply to all repositories with secret scanning enabled, including free public repositories. Patterns marked as configurable can be enabled by GitHub secret scanning customers in their push protection settings. Learn more in our documentation about push protection.
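Validity checks and the push protection bypass flag are both surfaced on the secret scanning alert object, so they can drive remediation order. The script below is an added example, not GitHub's own code: it builds a filtered request to the documented REST endpoint GET /repos/{owner}/{repo}/secret-scanning/alerts (using its state, secret_type and validity query filters) and then triages alerts so that confirmed-active secrets come first, alerts whose push bypassed push protection next, then unknown and finally inactive validity. The owner and repository names, the token variable and the SAMPLE_ALERTS payload are constructed for illustration.

```python
"""Triage GitHub secret scanning alerts by validity and push-protection status.

Added example, not GitHub's code. It relies on the documented REST endpoint
GET /repos/{owner}/{repo}/secret-scanning/alerts and its state, secret_type
and validity filters, plus the alert fields secret_type, validity and
push_protection_bypassed. SAMPLE_ALERTS and the octo-org/octo-repo names
are constructed for illustration.
"""
import json
import urllib.parse
import urllib.request

API = "https://api.github.com"

# Validity values the API reports; lower rank means look at it first.
VALIDITY_RANK = {"active": 0, "unknown": 1, "inactive": 2}


def alerts_url(owner, repo, secret_types=None, validity=None, state="open", per_page=100):
    """Build the alerts URL with server-side filters so only relevant alerts are paged through."""
    params = {"state": state, "per_page": str(per_page)}
    if secret_types:
        params["secret_type"] = ",".join(secret_types)  # comma-separated list per the API docs
    if validity:
        params["validity"] = validity  # active | inactive | unknown
    return f"{API}/repos/{owner}/{repo}/secret-scanning/alerts?" + urllib.parse.urlencode(params)


def fetch_alerts(owner, repo, token, **filters):
    """Fetch one page of alerts; the token needs secret scanning read access on the repo."""
    req = urllib.request.Request(
        alerts_url(owner, repo, **filters),
        headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
            "X-GitHub-Api-Version": "2022-11-28",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def triage_key(alert):
    """Order: active validity first, then alerts that bypassed push protection,
    then unknown validity, then inactive; the lower alert number breaks ties."""
    return (
        VALIDITY_RANK.get(alert.get("validity"), 1),
        0 if alert.get("push_protection_bypassed") else 1,
        alert["number"],
    )


def triage(alerts):
    """Return alerts in the order a responder should work them."""
    return sorted(alerts, key=triage_key)


def summarize(alerts):
    """Count alerts per validity so the backlog can be reported at a glance."""
    counts = {"active": 0, "unknown": 0, "inactive": 0}
    for alert in alerts:
        validity = alert.get("validity")
        counts[validity if validity in counts else "unknown"] += 1
    return counts


# Constructed sample payload mirroring the alert fields used above.
SAMPLE_ALERTS = [
    {"number": 12, "secret_type": "npm_access_token", "validity": "active", "push_protection_bypassed": False},
    {"number": 15, "secret_type": "figma_scim_token", "validity": "unknown", "push_protection_bypassed": True},
    {"number": 9, "secret_type": "npm_access_token", "validity": "inactive", "push_protection_bypassed": False},
    {"number": 20, "secret_type": "npm_access_token", "validity": "active", "push_protection_bypassed": True},
]

if __name__ == "__main__":
    # Request only open, confirmed-active npm tokens (octo-org/octo-repo is a placeholder).
    print(alerts_url("octo-org", "octo-repo", secret_types=["npm_access_token"], validity="active"))
    for alert in triage(SAMPLE_ALERTS):
        flag = "bypassed push protection" if alert["push_protection_bypassed"] else ""
        print(alert["number"], alert["secret_type"], alert["validity"], flag)
    print(summarize(SAMPLE_ALERTS))
```

To run it against a real repository, call fetch_alerts with a token that can read secret scanning alerts and pass the result to triage; the validity filter is a server-side hint, while triage still orders whatever comes back, including alerts whose validity is unknown because no validator exists for that type yet.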

Push protection configurability

GitHub is constantly improving the user experience for secret scanning features based on your feedback. Starting today, pattern type names in the push protection pattern configurations UI will link back to a filtered alert list view for that type.

Have more feedback? Let us know by joining the discussion in GitHub Community.

Learn more

Learn more about secret scanning and see the full list of supported secrets in our product documentation.

