

























Since our last pattern update, we’ve expanded secret scanning’s detection coverage with new partners, more patterns blocked by push protection by default, additional validity checks, and richer metadata for leaked secrets.
Secret scanning now automatically detects the following new secret types in your repositories. This release adds two new partners (Cloudsmith and Meraki), significantly expands GitLab token coverage, and adds detectors for Elastic, Slack, Supabase, DataDog, and VolcEngine.
| Provider | Secret type |
|---|---|
| Cloudsmith | cloudsmith_api_key |
| Datadog | datadog_pat |
| Datadog | datadog_sat |
| Elastic | elastic_stack_api_key |
| GitLab | gitlab_ci_build_token |
| GitLab | gitlab_deploy_token |
| GitLab | gitlab_feature_flag_client_token |
| GitLab | gitlab_feed_token_v2 |
| GitLab | gitlab_incoming_email_token |
| GitLab | gitlab_kubernetes_agent_token |
| GitLab | gitlab_oauth_app_secret |
| GitLab | gitlab_pipeline_trigger_token |
| GitLab | gitlab_runner_auth_token |
| GitLab | gitlab_runner_registration_token |
| GitLab | gitlab_scim_oauth_token |
| Meraki | meraki_api_key |
| Slack | slack_workflow_trigger_url |
| Supabase | supabase_oauth_access_token |
| Supabase | supabase_scoped_personal_access_token |
| VolcEngine | volcengine_ark_api_key |
Partner secrets are automatically reported to the secret issuer when found in public repositories through the secret scanning partnership program.
User secrets generate secret scanning alerts when found in public or private repositories.
The following detectors are now included in push protection by default. Repositories with secret scanning enabled, including free public repositories, will have commits containing these secrets automatically blocked.
| Provider | Secret type |
|---|---|
| Cloudflare | cloudflare_account_api_token |
| Cloudflare | cloudflare_global_user_api_key |
| Cloudflare | cloudflare_user_api_token |
| Cockroach Labs | ccdb_api_key |
| Flutterwave | flutterwave_test_api_secret_key |
| Hack Club | hackclub_ai_api_key |
| OpenRouter | openrouter_api_key |
| PostHog | posthog_oauth_refresh_token |
| Supabase | supabase_personal_access_token |
Patterns that are not yet enabled by default remain configurable in your push protection settings.
These patterns now support validity checks, so alerts tell you whether a leaked credential is still active and help you prioritize remediation.
| Provider | Secret type |
|---|---|
| Alibaba | alibaba_cloud_access_key_id |
| Alibaba | alibaba_cloud_access_key_secret |
| Azure | azure_ai_services_key |
| Azure | azure_anomaly_detector_ee_key |
| Azure | azure_anomaly_detector_key |
| Azure | azure_cognitive_services_key |
| Azure | azure_content_moderator_key |
| Azure | azure_cosmosdb_key_identifiable |
| Azure | azure_custom_vision_prediction_key |
| Azure | azure_custom_vision_training_key |
| Azure | azure_event_hub_key_identifiable |
| Azure | azure_function_key |
| Azure | azure_relay_key_identifiable |
| Azure | azure_service_bus_identifiable |
| Azure | azure_storage_account_key |
| Azure | azure_text_translation_key |
| Coveo | coveo_access_token |
| Coveo | coveo_api_key |
| Databricks | databricks_access_token |
| Salesforce | salesforce_access_token |
| Shopify | shopify_access_token |
| Shopify | shopify_custom_app_access_token |
| Shopify | shopify_merchant_token |
| Shopify | shopify_private_app_password |
These patterns now include extended metadata when detected, providing richer context about leaked secrets.
| Provider | Secret type |
|---|---|
| Airtable | airtable_api_key |
| Airtable | airtable_personal_access_token |
| Grafana | grafana_cloud_api_token |
| npm | npm_access_token |
| xAI | xai_api_key |
Learn more about secret scanning and see the full list of supported secrets in our documentation. Let us know what you think in the community discussion.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。