Release
Secret scanning detects Base64-encoded secrets and more — October 2025
Secret scanning — October 2025
GitHub secret scanning continually adds support for new secret types. The following updates were made during the month of October.
- Base64-encoded secrets: Secret scanning now detects Base64-encoded variants for secret types from third-party cloud providers.
- Extended metadata checks: Secret scanning now supports checks for additional context like owner information, creation dates, and organizational details about a secret.
- Validity checks: secret scanning adds validity check support for Grafana and Notion.
Base64-encoded secret detection
GitHub secret scanning now detects and prevents obfuscated secrets in Base64 format for secret types from third-party providers.
| Provider | Secret type |
|---|---|
| Alibaba | alibaba_cloud_access_key_secret |
| Amazon AWS | aws_access_key_id |
| Amazon AWS | aws_secret_access_key |
| Amazon AWS | aws_temporary_access_key_id |
| Anthropic | anthropic_api_key |
| Azure | azure_cache_for_redis_access_key |
| Azure | azure_cosmosdb_key_identifiable |
| Azure | azure_function_key |
| Azure | azure_openai_key |
| Azure | azure_storage_account_key |
| Brevo | sendinblue_api_key |
| Databricks | databricks_access_token |
| GitHub Secret Scanning | secret_scanning_sample_token |
| GitLab | gitlab_access_token |
google_oauth_client_id |
|
google_oauth_client_secret |
|
google_oauth_refresh_token |
|
| Groq | groq_api_key |
| Hugging Face | hf_user_access_token |
| JFrog | jfrog_platform_reference_token |
| Twilio | twilio_account_sid |
Base64-encoded secrets are push protected by default. GitHub will continue to add support for additional types on a rolling basis.
Extended metadata checks
As announced at GitHub Universe 2025, the following secret types now support extended metadata checks.
| Provider | Secret type |
|---|---|
| Adafruit | adafruit_io_key |
| Anthropic | anthropic_api_key |
| Apify | apify_api_token |
| Contentful | contentful_personal_access_token |
| Discord | discord_bot_token |
| Dropbox | dropbox_access_token |
| Dropbox | dropbox_short_lived_access_token |
| Fastly | fastly_api_token |
| Figma | figma_pat |
| GitLab | gitlab_access_token |
google_oauth_access_token |
|
| Hugging Face | hf_user_access_token |
| Intercom | intercom_access_token |
| Mailchimp | mailchimp_api_key |
| Mailgun | mailgun_api_key |
| Mailgun | mailgun_smtp_credential |
| Mapbox | mapbox_secret_access_token |
| Notion | notion_integration_token |
| OpenAI | openai_api_key |
| Postman | postman_api_key |
| SendGrid | sendgrid_api_key |
| Slack | slack_api_token |
| Slack | slack_incoming_webhook_url |
| Slack | slack_workflow_webhook_url |
| Stripe | stripe_api_key |
| Stripe | stripe_test_secret_key |
| Tailscale | tailscale_api_key |
| Telegram | telegram_bot_token |
| Terraform Cloud | terraform_api_token |
Validity checks
The following secret types now include validity checks to confirm whether detected secrets are active.
| Provider | Secret type |
|---|---|
| Grafana | grafana_cloud_api_token |
| Notion | notion_api_token |
Learn more about secret scanning and see the full list of supported secrets in our product documentation.