Skip to content

Latest commit

 

History

History
119 lines (88 loc) · 9.09 KB

supported-secret-scanning-patterns.md

File metadata and controls

119 lines (88 loc) · 9.09 KB
Raw
title intro product versions type topics redirect_from layout shortTitle
Supported secret scanning patterns
Lists of supported secrets and the partners that {% data variables.product.company_short %} works with to prevent fraudulent use of secrets that were committed accidentally.
{% data reusables.gated-features.secret-scanning %}
fpt ghes ghec
*
*
*
reference
Secret scanning
Advanced Security
/code-security/secret-scanning/secret-scanning-partners
/code-security/secret-scanning/secret-scanning-patterns
inline
Supported patterns

About {% data variables.product.prodname_secret_scanning %} patterns

{% data reusables.secret-scanning.alert-types %}

For in-depth information about each alert type, see "AUTOTITLE."

For details about all the supported patterns, see the "Supported secrets" section below.

If you use the REST API for {% data variables.product.prodname_secret_scanning %}, you can use the Secret type to report on secrets from specific issuers. For more information, see "AUTOTITLE."

If you believe that {% data variables.product.prodname_secret_scanning %} should have detected a secret committed to your repository, and it has not, you first need to check that {% data variables.product.prodname_dotcom %} supports your secret. For more information, refer to the following sections. For more advanced troubleshooting information, see "AUTOTITLE."

Supported secrets

This table lists the secrets supported by {% data variables.product.prodname_secret_scanning %}. You can see the types of alert that get generated for each token, as well as whether a validity check is performed on the token.

  • Provider: Name of the token provider.{% ifversion fpt or ghec %}

  • Partner: Token for which leaks are reported to the relevant token partner. Applies to public repositories only.

  • User: Token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}.{% ifversion secret-scanning-non-provider-patterns %}

    • Applies to public repositories, and to private repositories where {% data variables.product.prodname_GH_advanced_security %} and {% data variables.product.prodname_secret_scanning %} are enabled.
    • Includes {% ifversion secret-scanning-alert-experimental-list %}default{% else %}high confidence{% endif %} tokens, which relate to supported patterns and specified custom patterns, as well as non-provider tokens such as private keys, which usually have a higher ratio of false positives.
    • For {% data variables.product.prodname_secret_scanning %} to scan for non-provider patterns, the detection of non-provider patterns must be enabled for the repository or the organization. For more information, see "AUTOTITLE." {% data reusables.secret-scanning.non-provider-patterns-beta %}{% endif %}{% endif %}{% ifversion ghes %}

  • {% data variables.product.prodname_secret_scanning_caps %} alert: Token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}.{% ifversion secret-scanning-non-provider-patterns %}

    • Applies to private repositories where {% data variables.product.prodname_GH_advanced_security %} and {% data variables.product.prodname_secret_scanning %} are enabled.
    • Includes {% ifversion secret-scanning-alert-experimental-list %}default{% else %}high confidence{% endif %} tokens, which relate to supported patterns and specified custom patterns, as well as non-provider tokens such as private keys, which often result in false positives.{% else %} Applies to private repositories where {% data variables.product.prodname_GH_advanced_security %} and {% data variables.product.prodname_secret_scanning %} enabled.{% endif %}{% endif %}

  • Push protection: Token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}. Applies to repositories with {% data variables.product.prodname_secret_scanning %} and push protection enabled.

  • Validity check: Token for which a validity check is implemented. {% ifversion secret-scanning-validity-check-partner-patterns %}For partner tokens, {% data variables.product.prodname_dotcom %} sends the token to the relevant partner. Note that not all partners are based in the United States. For more information, see "{% data variables.product.prodname_advanced_security %}" in the Site Policy documentation.{% else %} {% ifversion ghes %}Currently only applies to {% data variables.product.prodname_dotcom %} tokens.{% endif %} {% ifversion fpt %}Currently only applies to {% data variables.product.prodname_dotcom %} tokens, and not shown in the table. For more information about validity check support see "AUTOTITLE" in the {% data variables.product.prodname_ghe_cloud %} documentation.{% endif %}{% endif %}

{% ifversion secret-scanning-non-provider-patterns %}

Non-provider patterns

{% data reusables.secret-scanning.non-provider-patterns-beta %}

Provider Token
Generic http_basic_authentication_header
Generic http_bearer_authentication_header
Generic mongodb_connection_string
Generic mysql_connection_string
Generic openssh_private_key
Generic pgp_private_key
Generic postgres_connection_string
Generic rsa_private_key

[!NOTE] Push protection and validity checks are not supported for non-provider patterns.

{% ifversion secret-scanning-alert-experimental-list %}Default{% else %}High confidence{% endif %} patterns

{% endif %}

{% ifversion fpt %}

Provider Token Partner User Push protection
{%- for entry in secretScanningData %}
{{ entry.provider }} {{ entry.secretType }} {% if entry.isPublic %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %} {% if entry.isPrivateWithGhas %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %} {% if entry.hasPushProtection %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %}
{%- endfor %}

{% endif %}

{% ifversion ghec %}

Provider Token Partner User Push protection Validity check
{%- for entry in secretScanningData %}
{{ entry.provider }} {{ entry.secretType }} {% if entry.isPublic %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %} {% if entry.isPrivateWithGhas %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %} {% if entry.hasPushProtection %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %} {% if entry.hasValidityCheck %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %}
{%- endfor %}

{% endif %}

{% ifversion ghes %}

Provider Token {% data variables.product.prodname_secret_scanning_caps %} alert Push protection Validity check
{%- for entry in secretScanningData %}
{{ entry.provider }} {{ entry.secretType }} {% if entry.isPrivateWithGhas %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %} {% if entry.hasPushProtection %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %} {% if entry.hasValidityCheck %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Unsupported" %}{% endif %}
{%- endfor %}

{% endif %}

Token versions

Service providers update the patterns used to generate tokens periodically and may support more than one version of a token. Push protection only supports the most recent token versions that {% data variables.product.prodname_secret_scanning %} can identify with confidence. This avoids push protection blocking commits unnecessarily when a result may be a false positive, which is more likely to happen with legacy tokens.

Further reading