Secret scanning updates – June 2026

Source: GitHub Changelog

Since our last pattern update, we’ve expanded secret scanning’s detection coverage with new partners, more patterns blocked by push protection by default, additional validity checks, and richer metadata for leaked secrets.

Detectors added

Secret scanning now automatically detects the following new secret types in your repositories. This release adds two new partners (Cloudsmith and Meraki), significantly expands GitLab token coverage, and adds detectors for Elastic, Slack, Supabase, DataDog, and VolcEngine.

Provider Secret type

Cloudsmith cloudsmith_api_key

Datadog datadog_pat

Datadog datadog_sat

Elastic elastic_stack_api_key

GitLab gitlab_ci_build_token

GitLab gitlab_deploy_token

GitLab gitlab_feature_flag_client_token

GitLab gitlab_feed_token_v2

GitLab gitlab_incoming_email_token

GitLab gitlab_kubernetes_agent_token

GitLab gitlab_oauth_app_secret

GitLab gitlab_pipeline_trigger_token

GitLab gitlab_runner_auth_token

GitLab gitlab_runner_registration_token

GitLab gitlab_scim_oauth_token

Meraki meraki_api_key

Slack slack_workflow_trigger_url

Supabase supabase_oauth_access_token

Supabase supabase_scoped_personal_access_token

VolcEngine volcengine_ark_api_key

Partner secrets are automatically reported to the secret issuer when found in public repositories through the secret scanning partnership program.

User secrets generate secret scanning alerts when found in public or private repositories.

Push protection defaults expanded

The following detectors are now included in push protection by default. Repositories with secret scanning enabled, including free public repositories, will have commits containing these secrets automatically blocked.

Provider Secret type

Cloudflare cloudflare_account_api_token

Cloudflare cloudflare_global_user_api_key

Cloudflare cloudflare_user_api_token

Cockroach Labs ccdb_api_key

Flutterwave flutterwave_test_api_secret_key

Hack Club hackclub_ai_api_key

OpenRouter openrouter_api_key

PostHog posthog_oauth_refresh_token

Supabase supabase_personal_access_token

Patterns that are not yet enabled by default remain configurable in your push protection settings.

Validity checks added

These patterns now support validity checks, so alerts tell you whether a leaked credential is still active and help you prioritize remediation.

Provider Secret type

Alibaba alibaba_cloud_access_key_id

Alibaba alibaba_cloud_access_key_secret

Azure azure_ai_services_key

Azure azure_anomaly_detector_ee_key

Azure azure_anomaly_detector_key

Azure azure_cognitive_services_key

Azure azure_content_moderator_key

Azure azure_cosmosdb_key_identifiable

Azure azure_custom_vision_prediction_key

Azure azure_custom_vision_training_key

Azure azure_event_hub_key_identifiable

Azure azure_function_key

Azure azure_relay_key_identifiable

Azure azure_service_bus_identifiable

Azure azure_storage_account_key

Azure azure_text_translation_key

Coveo coveo_access_token

Coveo coveo_api_key

Databricks databricks_access_token

Salesforce salesforce_access_token

Shopify shopify_access_token

Shopify shopify_custom_app_access_token

Shopify shopify_merchant_token

Shopify shopify_private_app_password

These patterns now include extended metadata when detected, providing richer context about leaked secrets.

Provider Secret type

Airtable airtable_api_key

Airtable airtable_personal_access_token

Grafana grafana_cloud_api_token

npm npm_access_token

xAI xai_api_key

Learn more

Learn more about secret scanning and see the full list of supported secrets in our documentation. Let us know what you think in the community discussion.