关于 secret scanning 模式
有两种类型的 机密扫描警报:
- 机密扫描警报:在存储库中检测到支持的机密时,在存储库的安全选项卡中向用户报告。
- 推送保护警报:当参与者绕过推送保护时,在存储库的安全选项卡中向用户报告。
有关每种警报类型的深入信息,请参阅“关于机密扫描警报”。
有关所有受支持的模式的详细信息,请参阅下面的“支持的机密”部分。
如果使用 REST API 进行 secret scanning,可以使用 Secret type
报告来自特定颁发者的机密。 有关详细信息,请参阅“适用于机密扫描的 REST API 终结点”。
如果你认为 secret scanning 应检测到提交到存储库的机密,但却尚未检测到,则首先需要检查 GitHub 是否支持你的机密。 有关详细信息,请参阅以下部分。 有关高级故障排除的详细信息,请参阅“排查机密扫描问题”。
支持的机密
下表列出了 secret scanning 支持的机密。 可以查看为每个令牌生成的警报类型,以及是否对令牌执行验证检查。
-
提供商 - 令牌提供商的名称。
-
Secret scanning 警报 - 向 GitHub 上的用户报告泄漏的令牌。
- 适用于启用了 GitHub Advanced Security 和 secret scanning 的专用存储库。
- 包括 高置信度 令牌,这些令牌与支持的模式和指定的自定义模式,以及通常会导致误报的非提供商令牌(如私钥)相关。
-
推送保护 - 向 GitHub 上的用户报告泄漏的令牌。 适用于启用了 secret scanning 和推送保护的存储库。
-
验证检查 - 实现其验证检查的令牌。 当前仅适用于 GitHub 令牌。
非提供商模式
注意: 检测非提供程序模式的功能目前为 beta 版本,可能随时更改。
提供程序 | 令牌 |
---|---|
常规 | http_basic_authentication_header |
常规 | http_bearer_authentication_header |
常规 | mongodb_connection_string |
常规 | mysql_connection_string |
常规 | openssh_private_key |
常规 | pgp_private_key |
常规 | postgres_connection_string |
常规 | rsa_private_key |
Note
非提供商模式不支持推送保护和验证检查。
高置信度 模式
提供程序 | 标记 | Secret scanning 警报 | 推送保护 | 验证检查 |
---|---|---|---|---|
Adafruit | adafruit_io_key | |||
Adobe | adobe_client_secret | |||
Adobe | adobe_device_token | |||
Adobe | adobe_pac_token | |||
Adobe | adobe_refresh_token | |||
Adobe | adobe_service_token | |||
Adobe | adobe_short_lived_access_token | |||
Aiven | aiven_auth_token | |||
Aiven | aiven_service_password | |||
Alibaba | alibaba_cloud_access_key_id alibaba_cloud_access_key_secret | |||
Amazon AWS | aws_access_key_id aws_secret_access_key | |||
Amazon AWS | aws_secret_access_key aws_session_token aws_temporary_access_key_id | |||
Anthropic | anthropic_api_key | |||
Anthropic | anthropic_session_id | |||
Asana | asana_legacy_format_personal_access_token | |||
Asana | asana_personal_access_token | |||
Atlassian | atlassian_api_token Token versions | |||
Atlassian | atlassian_jwt | |||
Authress | authress_service_client_access_key | |||
Azure | azure_active_directory_application_secret Token versions | |||
Azure | azure_active_directory_user_credential | |||
Azure | azure_apim_direct_management_key | |||
Azure | azure_apim_gateway_key | |||
Azure | azure_apim_repository_key | |||
Azure | azure_apim_subscription_key | |||
Azure | azure_app_configuration_connection_string | |||
Azure | azure_batch_key_identifiable | |||
Azure | azure_cache_for_redis_access_key | |||
Azure | azure_communication_services_connection_string | |||
Azure | azure_container_registry_key_identifiable | |||
Azure | azure_cosmosdb_key_identifiable | |||
Azure | azure_devops_personal_access_token | |||
Azure | azure_event_hub_key_identifiable | |||
Azure | azure_function_key | |||
Azure | azure_iot_device_connection_string | |||
Azure | azure_iot_device_key | |||
Azure | azure_iot_device_provisioning_key | |||
Azure | azure_iot_hub_connection_string | |||
Azure | azure_iot_hub_key | |||
Azure | azure_iot_provisioning_connection_string | |||
Azure | azure_management_certificate | |||
Azure | azure_ml_web_service_classic_identifiable_key | |||
Azure | azure_relay_key_identifiable | |||
Azure | azure_sas_token | |||
Azure | azure_search_admin_key | |||
Azure | azure_search_query_key | |||
Azure | azure_service_bus_identifiable | |||
Azure | azure_signalr_connection_string | |||
Azure | azure_sql_connection_string | |||
Azure | azure_sql_password | |||
Azure | azure_storage_account_key Token versions | |||
Azure | azure_web_pub_sub_connection_string | |||
Azure | microsoft_corporate_network_user_credential | |||
Baidu | baiducloud_api_accesskey | |||
Beamer | beamer_api_key | |||
Bitbucket | bitbucket_server_personal_access_token | |||
Canadian Digital Service | cds_canada_notify_api_key | |||
Canva | canva_app_secret | |||
Canva | canva_connect_api_secret | |||
Canva | canva_secret | |||
Cashfree | cashfree_api_key | |||
Checkout.com | checkout_production_secret_key Token versions | |||
Checkout.com | checkout_test_secret_key Token versions | |||
Chief Tools | chief_tools_token | |||
CircleCI | circleci_bot_access_token | |||
CircleCI | circleci_personal_access_token | |||
CircleCI | circleci_project_access_token | |||
CircleCI | circleci_release_integration_token | |||
Clojars | clojars_deploy_token | |||
CloudBees | codeship_credential | |||
Contentful | contentful_personal_access_token | |||
crates.io | cratesio_api_token | |||
Databricks | databricks_access_token | |||
Defined Networking | defined_networking_nebula_api_key | |||
DevCycle | devcycle_client_api_key | |||
DevCycle | devcycle_mobile_api_key | |||
DevCycle | devcycle_server_api_key | |||
DigitalOcean | digitalocean_oauth_token | |||
DigitalOcean | digitalocean_personal_access_token | |||
DigitalOcean | digitalocean_refresh_token | |||
DigitalOcean | digitalocean_system_token | |||
Discord | discord_bot_token Token versions | |||
Docker | docker_personal_access_token | |||
Doppler | doppler_audit_token | |||
Doppler | doppler_cli_token | |||
Doppler | doppler_personal_token | |||
Doppler | doppler_scim_token | |||
Doppler | doppler_service_account_token | |||
Doppler | doppler_service_token | |||
Dropbox | dropbox_access_token | |||
Dropbox | dropbox_short_lived_access_token | |||
Duffel | duffel_live_access_token | |||
Duffel | duffel_test_access_token | |||
Dynatrace | dynatrace_api_token | |||
Dynatrace | dynatrace_internal_token | |||
EasyPost | easypost_production_api_key | |||
EasyPost | easypost_test_api_key | |||
eBay | ebay_production_client_id ebay_production_client_secret | |||
eBay | ebay_sandbox_client_id ebay_sandbox_client_secret | |||
facebook_access_token | ||||
Fastly | fastly_api_token Token versions | |||
Figma | figma_pat | |||
Finicity | finicity_app_key | |||
Firebase | firebase_cloud_messaging_server_key | |||
Flutterwave | flutterwave_live_api_secret_key | |||
Flutterwave | flutterwave_test_api_secret_key | |||
Frame.io | frameio_developer_token | |||
Frame.io | frameio_jwt | |||
FullStory | fullstory_api_key Token versions | |||
GitHub | github_app_installation_access_token Token versions | |||
GitHub | github_oauth_access_token Token versions | |||
GitHub | github_personal_access_token Token versions | |||
GitHub | github_refresh_token | |||
GitHub | github_ssh_private_key | |||
GitHub | github_test_token | |||
GitHub Secret Scanning | secret_scanning_sample_token | |||
GitLab | gitlab_access_token | |||
GoCardless | gocardless_live_access_token | |||
GoCardless | gocardless_sandbox_access_token | |||
google_api_key | ||||
google_cloud_service_account_credentials | ||||
google_cloud_storage_access_key_secret google_cloud_storage_service_account_access_key_id | ||||
google_cloud_storage_access_key_secret google_cloud_storage_user_access_key_id | ||||
google_oauth_access_token | ||||
google_oauth_client_id google_oauth_client_secret | ||||
google_oauth_refresh_token | ||||
Grafana | grafana_cloud_api_key | |||
Grafana | grafana_cloud_api_token | |||
Grafana | grafana_project_api_key | |||
Grafana | grafana_project_service_account_token | |||
HashiCorp | hashicorp_vault_batch_token Token versions | |||
HashiCorp | hashicorp_vault_root_service_token | |||
HashiCorp | hashicorp_vault_service_token Token versions | |||
HashiCorp | terraform_api_token | |||
Highnote | highnote_rk_live_key | |||
Highnote | highnote_rk_test_key | |||
Highnote | highnote_sk_live_key | |||
Highnote | highnote_sk_test_key | |||
HOP | hop_bearer | |||
HOP | hop_pat | |||
HOP | hop_ptk | |||
Hubspot | hubspot_api_key Token versions | |||
Hubspot | hubspot_personal_access_key | |||
IBM | ibm_cloud_iam_key | |||
IBM | ibm_softlayer_api_key | |||
Intercom | intercom_access_token | |||
Ionic | ionic_personal_access_token Token versions | |||
Ionic | ionic_refresh_token Token versions | |||
JFrog | jfrog_platform_access_token | |||
JFrog | jfrog_platform_api_key | |||
JFrog | jfrog_platform_reference_token | |||
Lightspeed | lightspeed_xs_pat | |||
Linear | linear_api_key | |||
Linear | linear_oauth_access_token | |||
Lob | lob_live_api_key | |||
Lob | lob_test_api_key | |||
Localstack | localstack_api_key | |||
LogicMonitor | logicmonitor_bearer_token | |||
LogicMonitor | logicmonitor_lmv1_access_key | |||
Login with Amazon | amazon_oauth_client_id amazon_oauth_client_secret amazon_oauth_client_secret | |||
Mailchimp | mailchimp_api_key | |||
Mailgun | mailgun_api_key Token versions | |||
Mapbox | mapbox_secret_access_token | |||
MaxMind | maxmind_license_key | |||
Mercury | mercury_non_production_api_token | |||
Mercury | mercury_production_api_token | |||
Mergify | mergify_application_key | |||
MessageBird | messagebird_api_key | |||
Midtrans | midtrans_production_server_key | |||
Midtrans | midtrans_sandbox_server_key | |||
New Relic | new_relic_insights_query_key | |||
New Relic | new_relic_license_key | |||
New Relic | new_relic_personal_api_key | |||
New Relic | new_relic_rest_api_key | |||
Notion | notion_integration_token | |||
Notion | notion_oauth_client_secret | |||
npm | npm_access_token Token versions | |||
NuGet | nuget_api_key | |||
Octopus Deploy | octopus_deploy_api_key | |||
Oculus | oculus_access_token | |||
OneChronos | onechronos_api_key | |||
OneChronos | onechronos_eb_api_key | |||
OneChronos | onechronos_eb_encryption_key | |||
OneChronos | onechronos_oauth_token | |||
OneChronos | onechronos_refresh_token | |||
Onfido | onfido_live_api_token | |||
Onfido | onfido_sandbox_api_token | |||
OpenAI | openai_api_key Token versions | |||
Orbit | orbit_api_token | |||
PagerDuty | pagerduty_oauth_secret | |||
PagerDuty | pagerduty_oauth_token | |||
Palantir | palantir_jwt | |||
Persona Identities | persona_production_api_key | |||
Persona Identities | persona_sandbox_api_key | |||
pinterest_access_token | ||||
pinterest_refresh_token | ||||
PlanetScale | planetscale_database_password | |||
PlanetScale | planetscale_oauth_token | |||
PlanetScale | planetscale_service_token | |||
Plivo | plivo_auth_id plivo_auth_token | |||
Postman | postman_api_key | |||
Postman | postman_collection_key | |||
Prefect | prefect_server_api_key | |||
Prefect | prefect_user_api_key | |||
Proctorio | proctorio_consumer_key | |||
Proctorio | proctorio_linkage_key | |||
Proctorio | proctorio_registration_key | |||
Proctorio | proctorio_secret_key Token versions | |||
Pulumi | pulumi_access_token | |||
PyPI | pypi_api_token | |||
ReadMe | readmeio_api_access_token | |||
redirect.pizza | redirect_pizza_api_token | |||
Rootly | rootly_api_key | |||
RubyGems | rubygems_api_key | |||
Samsara | samsara_api_token | |||
Samsara | samsara_oauth_access_token | |||
Segment | segment_public_api_token | |||
SendGrid | sendgrid_api_key | |||
Sendinblue | sendinblue_api_key | |||
Sendinblue | sendinblue_smtp_key | |||
Shippo | shippo_live_api_token | |||
Shippo | shippo_test_api_token | |||
Shopify | shopify_access_token | |||
Shopify | shopify_app_client_credentials | |||
Shopify | shopify_app_client_secret | |||
Shopify | shopify_app_shared_secret | |||
Shopify | shopify_custom_app_access_token | |||
Shopify | shopify_marketplace_token | |||
Shopify | shopify_merchant_token | |||
Shopify | shopify_partner_api_token | |||
Shopify | shopify_private_app_password | |||
Slack | slack_api_token Token versions | |||
Slack | slack_incoming_webhook_url | |||
Slack | slack_workflow_webhook_url | |||
Square | square_access_token Token versions | |||
Square | square_production_application_secret | |||
Square | square_sandbox_application_secret | |||
SSLMate | sslmate_api_key Token versions | |||
SSLMate | sslmate_cluster_secret | |||
Stripe | stripe_api_key | |||
Stripe | stripe_legacy_api_key | |||
Stripe | stripe_live_restricted_key | |||
Stripe | stripe_test_restricted_key | |||
Stripe | stripe_test_secret_key | |||
Stripe | stripe_webhook_signing_secret | |||
Supabase | supabase_service_key Token versions | |||
Tableau | tableau_personal_access_token | |||
Telegram | telegram_bot_token | |||
Telnyx | telnyx_api_v2_key | |||
Tencent | tencent_cloud_secret_id | |||
Tencent | tencent_wechat_api_app_id | |||
Twilio | twilio_access_token | |||
Twilio | twilio_account_sid | |||
Twilio | twilio_api_key | |||
Typeform | typeform_personal_access_token | |||
Uniwise | wiseflow_api_key | |||
Unkey | unkey_root_key | |||
VolcEngine | volcengine_access_key_id | |||
Wakatime | wakatime_api_key | |||
Wakatime | wakatime_app_secret | |||
Wakatime | wakatime_oauth_access_token | |||
Wakatime | wakatime_oauth_refresh_token | |||
Workato | workato_developer_api_token Token versions | |||
WorkOS | workos_production_api_key Token versions | |||
WorkOS | workos_staging_api_key Token versions | |||
Yandex | yandex_cloud_api_key | |||
Yandex | yandex_cloud_iam_access_secret | |||
Yandex | yandex_cloud_iam_cookie | |||
Yandex | yandex_cloud_iam_token | |||
Yandex | yandex_cloud_smartcaptcha_server_key | |||
Yandex | yandex_dictionary_api_key | |||
Yandex | yandex_predictor_api_key | |||
Yandex | yandex_translate_api_key | |||
Zuplo | zuplo_consumer_api_key |
令牌版本
服务提供方会更新用于定期生成令牌的模式,并且可能支持多个版本的令牌。 推送保护仅支持 secret scanning 可放心识别的最新令牌版本。 这样可以避免在结果可能是误报时,不必要地阻止提交推送保护,这种情况在使用旧令牌时更有可能发生。