Secret scanning pattern updates — March 2026
Source: GitHub Changelog
GitHub secret scanning continually updates its detectors, validators, and analyzers. Here’s what’s new for March 2026.
- 28 new secret detectors from 15 providers, including Lark, Vercel, Snowflake, and Supabase.
- 39 detectors now have push protection enabled by default, including Airtable, Databricks, Heroku, PostHog, and Shopify.
- Validity checks added for Airtable, DeepSeek, npm, Pinecone, and Sentry tokens.
Detectors added
Secret scanning now automatically detects the following new secret types in your repositories.
| Provider | Secret type | Partner | User | Push protection (default) |
|---|---|---|---|---|
| Azure | azure_active_directory_application_id, azure_active_directory_application_secret | ✓ | (configurable) | |
| Baidu | baiduai_api_key | ✓ | ✓ | (configurable) |
| Fieldguide | fieldguide_api_token | ✓ | (configurable) | |
| Figma | figma_scim_token | ✓ | ✓ | (configurable) |
| Flickr | flickr_api_key | ✓ | (configurable) | |
| Langchain | langsmith_license_key | ✓ | (configurable) | |
| Langchain | langsmith_scim_bearer_token | ✓ | (configurable) | |
| Lark | lark_apaas_client_id, lark_apaas_client_secret | ✓ | ✓ | ✓ |
| Lark | lark_app_id, lark_app_secret | ✓ | ✓ | (configurable) |
| Lark | lark_mcp_grant_token | ✓ | (configurable) | |
| Lark | lark_meego_plugin_id, lark_meego_plugin_secret | ✓ | ✓ | ✓ |
| Lark | lark_user_session | ✓ | ✓ | ✓ |
| Limbar | limbar_token | ✓ | ✓ | ✓ |
| PostHog | posthog_oauth_access_token | ✓ | (configurable) | |
| PostHog | posthog_oauth_refresh_token | ✓ | (configurable) | |
| Proof | proof_full_access_api_key | ✓ | ✓ | ✓ |
| Snowflake | snowflake_postgres_connection_string | ✓ | ✓ | ✓ |
| Snowflake | snowflake_postgres_host, snowflake_postgres_password | ✓ | ✓ | ✓ |
| Supabase | supabase_personal_access_token | ✓ | ✓ | (configurable) |
| Supabase | supabase_secret_key | ✓ | ✓ | ✓ |
| Vercel | vercel_api_key | ✓ | ✓ | ✓ |
| Vercel | vercel_app_refresh_token | ✓ | ✓ | (configurable) |
| Vercel | vercel_app_user_access_token | ✓ | ✓ | (configurable) |
| Vercel | vercel_integration_access_token | ✓ | ✓ | ✓ |
| Vercel | vercel_personal_access_token | ✓ | ✓ | ✓ |
| Vercel | vercel_support_access_token | ✓ | ✓ | ✓ |
| Weatherstack | weatherstack_api_key | ✓ | (configurable) | |
| WSO2 | wso2_choreo_personal_access_token | ✓ | ✓ | ✓ |
Partner secrets are automatically reported to the secret issuer when found in public repositories through the secret scanning partnership program. Learn more about the technical partnership program for secret scanning.
User secrets generate secret scanning alerts when found in public or private repositories. Learn more in our documentation about secret scanning.
Secret types that are included in push protection by default apply to all repositories with secret scanning enabled, including free public repositories. Patterns marked as configurable are available for GitHub secret scanning customers to enable in their push protection settings. Learn more in our documentation about push protection.
Push protection defaults
The following existing detectors are now included in push protection by default. When push protection is enabled, these patterns will block commits containing matching secrets.
| Provider | Secret type |
|---|---|
| Airtable | airtable_api_key |
| AWS | aws_api_key |
| Block Protocol | block_protocol_api_key |
| Cohere | cohere_api_key |
| Databricks | databricks_oauth_code |
| Databricks | databricks_oauth_refresh_token |
| Databricks | databricks_oauth_single_use_refresh_token_child |
| Databricks | databricks_oauth_single_use_refresh_token_parent |
| Databricks | databricks_scoped_internal_token |
| Databricks | databricks_token |
| Databricks | databricks_workspace_session_token |
| Datadog | datadog_rcm |
| Fastly | fastly_api_token |
| Finicity | finicity_app_key |
| Heroku | heroku_postgres_connection_url |
| Hubspot | hubspot_private_apps_user_token |
| Langchain | langchain_api_server_key |
| LaunchDarkly | launchdarkly_access_token |
| Lob | lob_live_api_key |
| Mapbox | mapbox_secret_access_token |
| Netflix | netflix_netkey |
| Octopus Deploy | octopus_deploy_api_key |
| Onfido | onfido_sandbox_api_token |
| Openweather | openweather_api_key |
| Paddle | paddle_api_key |
| Paddle | paddle_sandbox_api_key |
| Pineapple Technologies | pineapple_technologies_incident_api_key |
| Pinecone | pinecone_api_key, pinecone_environment |
| PostHog | posthog_feature_flags_secure_api_key |
| Proctorio | proctorio_consumer_key |
| Proctorio | proctorio_linkage_key |
| Rainforest Pay | rainforest_api_key |
| Rainforest Pay | rainforest_sandbox_api_key |
| Ramp | ramp_oauth_token |
| Raycast | raycast_access_token |
| Shopify | shopify_app_client_secret |
| Sindri | sindri_api_key |
| Sourcegraph | sourcegraph_product_subscription_token |
| Weights & Biases | wandb_api_key |
Validators added
The following secret types now support validity checks, which automatically verify whether a detected secret is still active to help prioritize remediation.
| Provider | Secret type |
|---|---|
| Airtable | airtable_personal_access_token |
| DeepSeek | deepseek_api_key |
| npm | npm_access_token |
| Pinecone | pinecone_api_key, pinecone_environment |
| Sentry | sentry_personal_token |
Learn more about secret scanning and see the full list of supported secrets in our product documentation.