Secret scanning updates — November 2025
Source: GitHub Changelog
GitHub Secret Scanning added support for numerous new secret types and made several detection and validation improvements during November.
- New provider patterns – 24 new secret types from providers such as Azure, Databricks, Microsoft, Paddle, PostHog, and more.
- Improved private key detection – Added patterns for Elliptic Curve and generic PKCS#8 private keys, plus better handling of escaped newlines.
- Extended metadata – the Discord `discord_bot_token` type now includes extended metadata checks.
- Validity checks – AWS Access Key ID validation has been refined.
- Unlisted gists – Secrets in unlisted GitHub gists are now reported to Secret Scanning partners.
New patterns added
Secret scanning automatically detects any secrets matching these patterns in your repositories. In the table, Partner means a match found in a public repository is reported to the provider through the partner program, User means the pattern raises alerts in repositories with secret scanning enabled, and Push protection means the pattern can block a push that contains the secret (configurable where marked).
| Provider | Secret type | Partner | User | Push protection |
|---|---|---|---|---|
| Azure | azure_immersive_reader_key | ✓ | ✓ | ✓ (configurable) |
| Azure | azure_logic_apps_url | ✓ | ✓ | ✓ (configurable) |
| crates.io | cratesio_api_token | ✓ | ✓ | ✓ (configurable) |
| Databricks | databricks_account_session_token | ✓ | ✓ | ✓ (configurable) |
| Databricks | databricks_federated_account_session_token | ✓ | ✓ | ✓ (configurable) |
| Databricks | databricks_oauth_code | ✓ | ✓ | ✓ (configurable) |
| Databricks | databricks_oauth_refresh_token | ✓ | ✓ | ✓ (configurable) |
| Databricks | databricks_oauth_secret_token | ✓ | ✓ | ✓ (configurable) |
| Databricks | databricks_oauth_single_use_refresh_token_child | ✓ | ✓ | ✓ (configurable) |
| Databricks | databricks_oauth_single_use_refresh_token_parent | ✓ | ✓ | ✓ (configurable) |
| Databricks | databricks_scoped_api_token | ✓ | ✓ | ✓ (configurable) |
| Databricks | databricks_scoped_internal_token | ✓ | ✓ | ✓ (configurable) |
| Databricks | databricks_token | ✓ | ✓ | ✓ (configurable) |
| Databricks | databricks_workspace_session_token | ✓ | ✓ | ✓ (configurable) |
| Microsoft | power_automate_webhook_sas | ✓ | ✓ | ✓ (configurable) |
| OneSignal | onesignal_rich_authentication_token | ✓ | ✓ | ✓ (configurable) |
| Paddle | paddle_api_key | ✓ | ✓ | ✓ (configurable) |
| Paddle | paddle_sandbox_api_key | ✓ | ✓ | ✓ (configurable) |
| Pineapple Technologies Limited | pineapple_technologies_incident_api_key | ✓ | ✓ | ✓ (configurable) |
| PostHog | posthog_feature_flags_secure_api_key | ✓ | ✓ (configurable) | |
| PostHog | posthog_personal_api_key | ✓ | ✓ (configurable) | |
| Rainforest Pay | rainforest_api_key | ✓ | ✓ | ✓ (configurable) |
| Rainforest Pay | rainforest_sandbox_api_key | ✓ | ✓ | ✓ (configurable) |
| Raycast | raycast_access_token | ✓ | ✓ | ✓ (configurable) |
Private key patterns added
As announced on November 12, Secret Scanning now detects additional private‑key formats:
| Provider | Secret type | Description |
|---|---|---|
| Generic | ec_private_key | Elliptic Curve private keys |
| Generic | generic_private_key | Generic PKCS#8 private keys |
Both types can be enabled for push protection but are not included by default.
Detector upgrades and improvements
- Escaped newlines – the following private‑key patterns now also detect keys containing escaped newlines (`\n`), a common format in configuration files and environment variables: `ec_private_key`, `github_ssh_private_key`, `openssh_private_key`, `rsa_private_key`.
- Sentry token rename – token types were renamed to match Sentry’s updated naming conventions:

  | Previous name | New name |
  |---|---|
  | sentry_organization_token | sentry_org_auth_token |
  | sentry_personal_token | sentry_user_auth_token |

- Extended metadata checks – the Discord `discord_bot_token` secret type now supports extended metadata checks, providing additional context such as owner information, creation dates, and organizational details.
- Validity checks upgrade – improvements to AWS Access Key ID validation mean most customers will see alerts previously labeled “unknown” switch to “valid” or “invalid”:

  | Provider | Pattern | Validity |
  |---|---|---|
  | Amazon Web Services (AWS) | aws_access_key_id | ✓ |
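The escaped-newline case above is worth seeing concretely: a PEM private key pasted into a `.env` value or a JSON string is stored on a single line with the two characters `\n` where the line breaks were, so a naive "match a PEM block across lines" rule misses it. The Python scanner below is an added example written for this summary, not GitHub's own detector. It normalizes escaped newlines before matching, maps PEM labels to the secret-type names used in this changelog (the mapping, and the treatment of `ENCRYPTED PRIVATE KEY` as PKCS#8, are assumptions here), and skips empty placeholder blocks; the sample input is constructed and contains no real key material.

```python
"""Detect PEM-encoded private keys in text, including keys whose line breaks
are stored as the two characters backslash + n (as in .env files, JSON and
YAML). Added example for this changelog, not GitHub's own detector."""
import re

# PEM label -> secret type. Names follow this changelog; mapping
# "ENCRYPTED PRIVATE KEY" to generic_private_key is an assumption
# (both labels are PKCS#8 containers).
PEM_LABELS = {
    "EC PRIVATE KEY": "ec_private_key",
    "RSA PRIVATE KEY": "rsa_private_key",
    "OPENSSH PRIVATE KEY": "openssh_private_key",
    "PRIVATE KEY": "generic_private_key",
    "ENCRYPTED PRIVATE KEY": "generic_private_key",
}

# Fewer base64 characters than this is treated as a template/placeholder.
MIN_BODY_CHARS = 64

# BEGIN line, any body (newlines or escaped newlines), END with the same label.
_PEM_RE = re.compile(
    r"-----BEGIN (?P<label>(?:[A-Z]+ )*PRIVATE KEY)-----"
    r"(?P<body>.*?)"
    r"-----END (?P=label)-----",
    re.DOTALL,
)
# Literal two-character sequences \r\n, \n or \r as they appear in config files.
_ESCAPED_NL = re.compile(r"\\r\\n|\\n|\\r")


def normalize_escaped_newlines(text: str) -> str:
    """Replace literal backslash-n / backslash-r-n sequences with real line breaks."""
    return _ESCAPED_NL.sub("\n", text)


def find_private_keys(text: str) -> list[dict]:
    """Return one finding per PEM private-key block in text.

    Each finding records the secret type, the PEM label, the 1-based line of
    the BEGIN marker, and whether the block used escaped newlines.
    """
    findings = []
    for m in _PEM_RE.finditer(text):
        raw_body = m.group("body")
        escaped = _ESCAPED_NL.search(raw_body) is not None
        body = normalize_escaped_newlines(raw_body)
        # Count only base64-alphabet characters so whitespace and legacy
        # "Proc-Type:" headers do not make a stub look like a real key.
        b64_chars = len(re.sub(r"[^A-Za-z0-9+/=]", "", body))
        if b64_chars < MIN_BODY_CHARS:
            continue  # empty or placeholder block, e.g. a template in docs
        findings.append({
            "type": PEM_LABELS.get(m.group("label"), "private_key"),
            "label": m.group("label"),
            "line": text.count("\n", 0, m.start()) + 1,
            "escaped_newlines": escaped,
        })
    return findings


# Constructed sample (not real key material): an .env entry with escaped
# newlines, a PKCS#8 key with real newlines, a public key and an empty
# placeholder. Only the first two must be reported.
FAKE_B64 = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAx"
SAMPLE = "\n".join([
    'SIGNING_KEY="-----BEGIN EC PRIVATE KEY-----\\n' + FAKE_B64 + "\\n"
    + FAKE_B64[:32] + '\\n-----END EC PRIVATE KEY-----"',
    "tls_key: |",
    "  -----BEGIN PRIVATE KEY-----",
    "  " + FAKE_B64,
    "  " + FAKE_B64,
    "  -----END PRIVATE KEY-----",
    "-----BEGIN PUBLIC KEY-----",
    FAKE_B64,
    "-----END PUBLIC KEY-----",
    "-----BEGIN RSA PRIVATE KEY-----",
    "-----END RSA PRIVATE KEY-----",
])

if __name__ == "__main__":
    for finding in find_private_keys(SAMPLE):
        print(finding)
```

Run as a pre-commit hook or over a directory listing, the scanner reports the `.env` key as `ec_private_key` with `escaped_newlines` set and the YAML block as `generic_private_key`, while the public key and the empty RSA placeholder produce nothing. The placeholder threshold is a heuristic; lower it if your repositories legitimately hold very short test keys.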
Partner notification updates
As announced on November 25, secrets found in unlisted GitHub gists are now reported to Secret Scanning partners. Since unlisted gists are accessible to anyone with the URL, leaked secrets in gists should be treated like any other publicly exposed credential.
Learn more about secret scanning and see the full list of supported secrets in the product documentation.