Secret scanning detects Base64-encoded GitHub tokens

GitHub continually updates its detectors for secret scanning with new patterns and upgrades of existing patterns, ensuring your repositories have comprehensive detection for different secret types.

GitHub now automatically detects Base64-encoded secrets for the following token types:

  • GitHub personal access tokens
  • GitHub OAuth access tokens
  • GitHub user to server tokens
  • GitHub server to server tokens

GitHub secret scanning protects users by searching repositories for known types of secrets such as tokens and private keys. By identifying and flagging these secrets, our scans help prevent data leaks and fraud. See the full list of supported secrets in the documentation.

Learn more about secret scanning or join the discussion on our dedicated GitHub community.
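Why Base64 encoding hides a token from a plain pattern match, and one way to look inside encoded runs, is shown in the added example below; it is not GitHub's detector or code from this announcement. The 36-character token body in the regex, the function name and the sample header are assumptions made for illustration.

```python
import base64
import binascii
import re

# Token prefixes for the four types listed above: ghp_ (personal access),
# gho_ (OAuth), ghu_ (user to server), ghs_ (server to server).
# Assumption: a 36-character alphanumeric body after the prefix.
TOKEN_RE = re.compile(rb"gh[pous]_[A-Za-z0-9]{36}")
# A 40-byte token needs at least 54 Base64 characters (standard or URL-safe).
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/_-]{54,}")


def find_encoded_tokens(text: str) -> list[str]:
    """Return GitHub-style tokens found inside Base64 runs in `text`."""
    found: list[str] = []
    for match in B64_RUN_RE.finditer(text):
        # Normalise the URL-safe alphabet to the standard one.
        run = match.group(0).replace("-", "+").replace("_", "/")
        # Extra leading characters shift the 4-character grouping, so try
        # every alignment instead of trusting the start of the run.
        for offset in range(4):
            chunk = run[offset:]
            if len(chunk) % 4 == 1:  # a lone trailing character is never valid
                chunk = chunk[:-1]
            chunk += "=" * (-len(chunk) % 4)
            try:
                decoded = base64.b64decode(chunk)
            except (binascii.Error, ValueError):
                continue
            for token in TOKEN_RE.findall(decoded):
                if token.decode("ascii") not in found:
                    found.append(token.decode("ascii"))
    return found


# Constructed sample: a fake token (not a valid credential) in a Basic-auth header.
SAMPLE_TOKEN = "ghs_" + "0123456789abcdefghijklmnopqrstuvwxyz"
SAMPLE_LINE = "Authorization: Basic " + base64.b64encode(
    f"x-access-token:{SAMPLE_TOKEN}".encode()
).decode()

if __name__ == "__main__":
    # The plain-text pattern misses the encoded header; decoding finds the token.
    print("plain regex hit:", bool(TOKEN_RE.search(SAMPLE_LINE.encode())))
    print("decoded hits:", find_encoded_tokens(SAMPLE_LINE))
```

The token is embedded after a username inside the encoded value, which is why the check runs on the decoded bytes rather than on a fixed Base64 prefix.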

In your homepage activity Feed, you can see activity from other users, content GitHub recommends for you in “Suggested for you” modules, and trending developers/repositories.

The sorting algorithm we’ve had in place in the Feed could lead to these items being placed out of chronological sequence. We’ve heard your feedback, though, that the out-of-sequence ordering of activity can make it difficult to be effective with daily tasks in GitHub.

So now, we’re sorting all activity in the Feed chronologically. The newest activity appears first and older activity appears as you scroll down your Feed.

As part of this change, we also merged the design and UI to be more consistent across individual feeds and organization feeds, by slightly modifying the card layout in organization feeds. These minor template differences should not impact the content that appears for you.

Learn more and give us your feedback

For more information and discussion on these changes, join us in this discussion.


As previously announced, Enterprise Managed Users (EMUs) must now prove ownership of their email addresses to secure their accounts and prevent any accidental data leaks by third-party GitHub Apps and OAuth applications. In January 2025, we also updated the /user/emails REST endpoint to return a placeholder email address with the enterprise’s shortcode appended (e.g. email+shortcode@domain.com) until the EMU user has verified their email address.

While unverified emails may not affect most of your actions on GitHub, some GitHub Apps and OAuth apps may not handle this placeholder email properly. This may prevent you from accessing those apps or result in incomplete data being displayed. These apps may also prompt you to verify your email on GitHub before proceeding.

For example, GitHub Desktop might incorrectly prompt users to update the email in their Git config to their placeholder email. However, updating your Git config email could cause commit misattribution rather than fix it. While this experience is updated in GitHub Desktop v3.4.17-beta3, we recommend users verify their email address in response to such prompts.

Learn more about how to verify your email address.
App developers should also review our best practices for OAuth and GitHub App implementation to avoid disrupting the user experience in your apps.
