If your project communicates with an external service, you might use a token or private key for authentication. Tokens and private keys are examples of secrets that a service provider can issue. If you check a secret into a repository, anyone who has read access to the repository can use the secret to access the external service with your privileges. We recommend that you store secrets in a dedicated, secure location outside of the repository for your project.
Secret scanning will scan your entire Git history on all branches present in your GitHub repository for any secrets. Service providers can partner with GitHub to provide their secret formats for scanning. For more information, see "Secret scanning partner program."
If someone checks a secret with a known pattern into a public or private repository on GitHub, secret scanning catches the secret as it's checked in, and helps you mitigate the impact of the leak. Repository administrators are notified about any commit that contains a secret, and they can quickly view all detected secrets in the Security tab for the repository.
About secret scanning for public repositories
Secret scanning is automatically enabled on public repositories. When you push to a public repository, GitHub scans the content of the commits for secrets. If you switch a private repository to public, GitHub scans the entire repository for secrets.
When secret scanning detects a set of credentials, we notify the service provider who issued the secret. The service provider validates the credential and then decides whether they should revoke the secret, issue a new secret, or reach out to you directly, depending on the associated risks to you or the service provider. For an overview of how we work with token-issuing partners, see "Secret scanning partner program."
List of supported secrets for public repositories
GitHub currently scans public repositories for secrets issued by the following service providers.
| Partner | Supported secret |
|---|---|
| Adafruit IO | Adafruit IO Key |
| Adobe | Adobe Device Token |
| Adobe | Adobe Service Token |
| Adobe | Adobe Short-Lived Access Token |
| Adobe | Adobe JSON Web Token |
| Alibaba Cloud | Alibaba Cloud Access Key ID and Access Key Secret pair |
| Amazon Web Services (AWS) | Amazon AWS Access Key ID and Secret Access Key pair |
| Atlassian | Atlassian API Token |
| Atlassian | Atlassian JSON Web Token |
| Azure | Azure Active Directory Application Secret |
| Azure | Azure DevOps Personal Access Token |
| Azure | Azure SAS Token |
| Azure | Azure Service Management Certificate |
| Azure | Azure SQL Connection String |
| Azure | Azure Storage Account Key |
| Checkout.com | Checkout.com Production Secret Key |
| Checkout.com | Checkout.com Test Secret Key |
| Clojars | Clojars Deploy Token |
| CloudBees CodeShip | CloudBees CodeShip Credential |
| Contributed Systems | Contributed Systems Credentials |
| Databricks | Databricks Access Token |
| Datadog | Datadog API Key |
| Discord | Discord Bot Token |
| Doppler | Doppler Personal Token |
| Doppler | Doppler Service Token |
| Doppler | Doppler CLI Token |
| Doppler | Doppler SCIM Token |
| Doppler | Doppler Audit Token |
| Dropbox | Dropbox Access Token |
| Dropbox | Dropbox Short-Lived Access Token |
| Dynatrace | Dynatrace Access Token |
| Dynatrace | Dynatrace Internal Token |
| Finicity | Finicity App Key |
| Frame.io | Frame.io JSON Web Token |
| Frame.io | Frame.io Developer Token |
| FullStory | FullStory API Key |
| GitHub | GitHub Personal Access Token |
| GitHub | GitHub OAuth Access Token |
| GitHub | GitHub Refresh Token |
| GitHub | GitHub App Installation Access Token |
| GitHub | GitHub SSH Private Key |
| GoCardless | GoCardless Live Access Token |
| GoCardless | GoCardless Sandbox Access Token |
| Google Cloud | Google API Key |
| Google Cloud | Google Cloud Private Key ID |
| Hashicorp Terraform | Terraform Cloud / Enterprise API Token |
| Hubspot | Hubspot API Key |
| Ionic | Ionic Personal Access Token |
| Ionic | Ionic Refresh Token |
| Linear | Linear API Key |
| Linear | Linear OAuth Access Token |
| Mailchimp | Mailchimp API Key |
| Mailchimp | Mandrill API Key |
| Mailgun | Mailgun API Key |
| MessageBird | MessageBird API Key |
| Meta | Facebook Access Token |
| npm | npm Access Token |
| NuGet | NuGet API Key |
| OpenAI | OpenAI API Key |
| Palantir | Palantir JSON Web Token |
| PlanetScale | PlanetScale Database Password |
| PlanetScale | PlanetScale OAuth Token |
| PlanetScale | PlanetScale Service Token |
| Plivo | Plivo Auth ID and Token |
| Postman | Postman API Key |
| Proctorio | Proctorio Consumer Key |
| Proctorio | Proctorio Linkage Key |
| Proctorio | Proctorio Registration Key |
| Proctorio | Proctorio Secret Key |
| Pulumi | Pulumi Access Token |
| PyPI | PyPI API Token |
| RubyGems | RubyGems API Key |
| Samsara | Samsara API Token |
| Samsara | Samsara OAuth Access Token |
| SendGrid | SendGrid API Key |
| Sendinblue | Sendinblue API Key |
| Sendinblue | Sendinblue SMTP Key |
| Shopify | Shopify App Shared Secret |
| Shopify | Shopify Access Token |
| Shopify | Shopify Custom App Access Token |
| Shopify | Shopify Private App Password |
| Slack | Slack API Token |
| Slack | Slack Incoming Webhook URL |
| Slack | Slack Workflow Webhook URL |
| SSLMate | SSLMate API Key |
| SSLMate | SSLMate Cluster Secret |
| Stripe | Stripe Live API Secret Key |
| Stripe | Stripe Test API Secret Key |
| Stripe | Stripe Live API Restricted Key |
| Stripe | Stripe Test API Restricted Key |
| Tencent Cloud | Tencent Cloud Secret ID |
| Twilio | Twilio Account String Identifier |
| Twilio | Twilio API Key |
| Typeform | Typeform Personal Access Token |
| Valour | Valour Access Token |
About secret scanning for private repositories
If you're a repository administrator or an organization owner, you can enable secret scanning for private repositories that are owned by organizations. You can enable secret scanning for all your repositories, or for all new repositories within your organization. Secret scanning is not available for user-owned private repositories. For more information, see "Managing security and analysis settings for your repository" and "Managing security and analysis settings for your organization."
You can also define custom secret scanning patterns that only apply to your repository or organization. For more information, see "Defining custom patterns for secret scanning."
When you push commits to a private repository with secret scanning enabled, GitHub scans the contents of the commits for secrets.
When secret scanning detects a secret in a private repository, GitHub generates an alert.
- GitHub sends an email alert to the repository administrators and organization owners.
- GitHub sends an email alert to the contributor who committed the secret to the repository, with a link to the related secret scanning alert. The commit author can then view the alert in the repository, and resolve the alert.
- GitHub displays an alert in the repository.
For more information about viewing and resolving secret scanning alerts, see "Managing alerts from secret scanning."
Repository administrators and organization owners can grant users and teams access to secret scanning alerts. For more information, see "Managing security and analysis settings for your repository."
To monitor results from secret scanning across your private repositories, you can use the secret scanning API. For more information about API endpoints, see "Secret scanning."
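As an added example of that monitoring (this is not code from the GitHub docs), the script below requests an organization's open alerts from the REST endpoint `GET /orgs/{org}/secret-scanning/alerts` and triages them by the API slugs listed in the table below, so the credentials with the widest blast radius are revoked first. The `HIGH_PRIORITY` set, the `example-org` names and the sample alert records are assumptions constructed for the example; the alert fields used (`state`, `secret_type`, `repository.full_name`, `html_url`) follow the documented response shape.

```python
# Added example, not from the GitHub docs: triage secret scanning alerts from
# GET /orgs/{org}/secret-scanning/alerts. Assumes each alert carries `state`,
# `secret_type` (the API slug from the table), `repository.full_name` and
# `html_url`, as the documented response does.
import json
import urllib.request
from collections import Counter

API = "https://api.github.com"

# Slugs from the table whose leak yields cloud, payment or repository access;
# chosen for this example, adjust to your own risk model.
HIGH_PRIORITY = {
    "aws_session_token", "aws_temporary_access_key_id", "stripe_live_secret_key",
    "github_personal_access_token", "azure_active_directory_application_secret",
}

def alerts_request(org, token, state="open", per_page=100):
    """Build the authenticated request for one page of an org's alerts."""
    url = f"{API}/orgs/{org}/secret-scanning/alerts?state={state}&per_page={per_page}"
    return urllib.request.Request(url, headers={
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
    })

def fetch_alerts(org, token):
    """Fetch one page of alerts (follow the Link header for further pages)."""
    with urllib.request.urlopen(alerts_request(org, token)) as resp:
        return json.load(resp)

def triage(alerts):
    """Count open alerts per secret type and list the ones to revoke first."""
    open_alerts = [a for a in alerts if a.get("state") == "open"]
    by_type = Counter(a["secret_type"] for a in open_alerts)
    urgent = sorted(
        (a["repository"]["full_name"], a["secret_type"], a["html_url"])
        for a in open_alerts if a["secret_type"] in HIGH_PRIORITY
    )
    return {"open": len(open_alerts), "by_type": dict(by_type), "urgent": urgent}

# Constructed sample alerts in the API's response shape (not real data).
SAMPLE_ALERTS = [
    {"state": "open", "secret_type": "aws_session_token", "repository": {"full_name": "example-org/billing"},
     "html_url": "https://github.com/example-org/billing/security/secret-scanning/1"},
    {"state": "resolved", "secret_type": "stripe_live_secret_key", "repository": {"full_name": "example-org/shop"},
     "html_url": "https://github.com/example-org/shop/security/secret-scanning/2"},
    {"state": "open", "secret_type": "telegram_bot_token", "repository": {"full_name": "example-org/chatops"},
     "html_url": "https://github.com/example-org/chatops/security/secret-scanning/3"},
]
```

Run `triage(fetch_alerts("your-org", token))` with a token that has the security-events scope; the endpoint is paginated, so follow the `Link` response header to collect every page before triaging.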
List of supported secrets for private repositories
GitHub currently scans private repositories for secrets issued by the following service providers.
| Provider | Supported secret | API slug |
|---|---|---|
| Adafruit IO | Adafruit IO Key | adafruit_io_key |
| Adobe | Adobe Device Token | adobe_device_token |
| Adobe | Adobe Service Token | adobe_service_token |
| Adobe | Adobe Short-Lived Access Token | adobe_short_lived_access_token |
| Adobe | Adobe JSON Web Token | adobe_jwt |
| Alibaba Cloud | | |
| Amazon | Amazon OAuth Client ID | amazon_oauth_client_id |
| Amazon | Amazon OAuth Client Secret | amazon_oauth_client_secret |
| Amazon Web Services (AWS) | Amazon AWS Session Token | aws_session_token |
| Amazon Web Services (AWS) | Amazon AWS Temporary Access Key ID | aws_temporary_access_key_id |
| Asana | Asana Personal Access Token | asana_personal_access_token |
| Atlassian | Bitbucket Server Personal Access Token | bitbucket_server_personal_access_token |
| Azure | Azure Active Directory Application Secret | azure_active_directory_application_secret |
| Azure | Azure Cache for Redis Access Key | azure_cache_for_redis_access_key |
| Beamer | Beamer API Key | beamer_api_key |
| Checkout.com | Checkout.com Production Secret Key | checkout_production_secret_key |
| Checkout.com | Checkout.com Test Secret Key | checkout_test_secret_key |
| Clojars | | |
| CloudBees CodeShip | CloudBees CodeShip Credential | codeship_credential |
| Contentful | Contentful Personal Access Token | contentful_personal_access_token |
| Databricks | | |
| Doppler | Doppler Personal Token | doppler_personal_token |
| Doppler | Doppler Service Token | doppler_service_token |
| Doppler | Doppler CLI Token | doppler_cli_token |
| Doppler | Doppler SCIM Token | doppler_scim_token |
| Doppler | Doppler Audit Token | doppler_audit_token |
| Dropbox | | |
| Duffel | Duffel Live Access Token | duffel_live_access_token |
| Duffel | Duffel Test Access Token | duffel_test_access_token |
| Dynatrace | Dynatrace Access Token | dynatrace_access_token |
| EasyPost | EasyPost Production API Key | easypost_production_api_key |
| EasyPost | EasyPost Test API Key | easypost_test_api_key |
| Fastly | Fastly API Token | fastly_api_token |
| Finicity | | |
| Flutterwave | Flutterwave Live API Secret Key | flutterwave_live_api_secret_key |
| Flutterwave | Flutterwave Test API Secret Key | flutterwave_test_api_secret_key |
| Frame.io | | |
| FullStory | FullStory API Key | fullstory_api_key |
| GitHub | GitHub Personal Access Token | github_personal_access_token |
| GitHub | GitHub OAuth Access Token | github_oauth_access_token |
| GitHub | GitHub Refresh Token | github_refresh_token |
| GitHub | GitHub App Installation Access Token | github_app_installation_access_token |
| GitLab | GitLab Access Token | gitlab_access_token |
| GoCardless | | |
| Google | Firebase Cloud Messaging Server Key | firebase_cloud_messaging_server_key |
| Google | Google Cloud Storage Access Key Secret | google_cloud_storage_access_key_secret |
| Google | Google Cloud Storage Service Account Access Key ID | google_cloud_storage_service_account_access_key_id |
| Google | Google Cloud Storage User Access Key ID | google_cloud_storage_user_access_key_id |
| Google | Google OAuth Access Token | google_oauth_access_token |
| Google | Google OAuth Client ID | google_oauth_client_id |
| Google | Google OAuth Client Secret | google_oauth_client_secret |
| Google | Google OAuth Refresh Token | google_oauth_refresh_token |
| Grafana | Grafana API Key | grafana_api_key |
| HashiCorp | | |
| Intercom | Intercom Access Token | intercom_access_token |
| Ionic | Ionic Personal Access Token | ionic_personal_access_token |
| Ionic | Ionic Refresh Token | ionic_refresh_token |
| JFrog | JFrog Platform Access Token | jfrog_platform_access_token |
| JFrog | JFrog Platform API Key | jfrog_platform_api_key |
| Linear | Linear API Key | linear_api_key |
| Linear | Linear OAuth Access Token | linear_oauth_access_token |
| Lob | Lob Live API Key | lob_live_api_key |
| Lob | Lob Test API Key | lob_test_api_key |
| Mailchimp | | |
| Mapbox | Mapbox Secret Access Token | mapbox_secret_access_token |
| MessageBird | MessageBird API Key | messagebird_api_key |
| Meta | Facebook Access Token | facebook_access_token |
| Midtrans | Midtrans Production Server Key | midtrans_production_server_key |
| Midtrans | Midtrans Sandbox Server Key | midtrans_sandbox_server_key |
| New Relic | New Relic Personal API Key | new_relic_personal_api_key |
| New Relic | New Relic REST API Key | new_relic_rest_api_key |
| New Relic | New Relic Insights Query Key | new_relic_insights_query_key |
| New Relic | New Relic License Key | new_relic_license_key |
| Notion | Notion Integration Token | notion_integration_token |
| Notion | Notion OAuth Client Secret | notion_oauth_client_secret |
| npm | | |
| Octopus Deploy | Octopus Deploy API Key | octopus_deploy_api_key |
| Onfido | Onfido Live API Token | onfido_live_api_token |
| Onfido | Onfido Sandbox API Token | onfido_sandbox_api_token |
| OpenAI | OpenAI API Key | openai_api_key |
| Palantir | | |
| PlanetScale | PlanetScale Database Password | planetscale_database_password |
| PlanetScale | PlanetScale OAuth Token | planetscale_oauth_token |
| PlanetScale | PlanetScale Service Token | planetscale_service_token |
| Plivo | Plivo Auth ID | plivo_auth_id |
| Plivo | Plivo Auth Token | plivo_auth_token |
| Postman | | |
| PyPI | PyPI API Token | pypi_api_token |
| RubyGems | RubyGems API Key | rubygems_api_key |
| Samsara | | |
| SendGrid | SendGrid API Key | sendgrid_api_key |
| Sendinblue | Sendinblue API Key | sendinblue_api_key |
| Sendinblue | Sendinblue SMTP Key | sendinblue_smtp_key |
| Shippo | Shippo Live API Token | shippo_live_api_token |
| Shippo | Shippo Test API Token | shippo_test_api_token |
| Shopify | | |
| Square | Square Access Token | square_access_token |
| Square | Square Production Application Secret | square_production_application_secret |
| Square | Square Sandbox Application Secret | square_sandbox_application_secret |
| SSLMate | | |
| Stripe | Stripe Live API Secret Key | stripe_live_secret_key |
| Stripe | Stripe Test API Secret Key | stripe_test_secret_key |
| Stripe | Stripe Live API Restricted Key | stripe_live_restricted_key |
| Stripe | Stripe Test API Restricted Key | stripe_test_restricted_key |
| Stripe | Stripe Webhook Signing Secret | stripe_webhook_signing_secret |
| Supabase | Supabase Service Key | supabase_service_key |
| Tableau | | |
| Telegram | Telegram Bot Token | telegram_bot_token |
| Tencent Cloud | | |
| Twilio | Twilio Access Token | twilio_access_token |
| Typeform | Typeform Personal Access Token | typeform_personal_access_token |
| WorkOS | WorkOS Production API Key | workos_production_api_key |
| WorkOS | WorkOS Staging API Key | workos_staging_api_key |
| Yandex | Yandex.Cloud API Key | yandex_cloud_api_key |
| Yandex | Yandex.Cloud IAM Cookie | yandex_cloud_iam_cookie |
| Yandex | Yandex.Cloud IAM Token | yandex_cloud_iam_token |
| Yandex | Yandex.Dictionary API Key | yandex_dictionary_api_key |
| Yandex | Yandex.Predictor API Key | yandex_predictor_api_key |
| Yandex | Yandex.Translate API Key | yandex_translate_api_key |