GitHub scans public repositories for known token formats to prevent fraudulent use of credentials that were committed accidentally.

Note: Token Scanning is currently in beta and subject to change.

Token Scanning for public repositories

When you push commits to a public repository, or switch a private repository to public, GitHub scans the contents of the commits or repository for tokens issued by the following service providers:

  • Amazon Web Services (AWS)
  • Azure
  • GitHub
  • Google Cloud
  • Slack
  • Stripe

When GitHub detects a set of credentials, we notify the service provider that issued the token. The service provider may revoke the token, issue a new token, or reach out to you directly.
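Because the scan described above runs only after the commits are already public, a local check before pushing is a useful complement. The following is an added example, not GitHub's scanner or code from this page: it scans the added lines of a unified diff for token shapes. The patterns, the function name `scan_diff` and the sample diff are assumptions for illustration; Azure is omitted because its credentials have no single distinctive prefix.

```python
import re

# Assumed shapes from publicly documented token prefixes. These are NOT
# GitHub's own detection rules, which the page does not describe.
TOKEN_PATTERNS = {
    "AWS": re.compile(r"(?<![0-9A-Z])(?:AKIA|ASIA)[0-9A-Z]{16}(?![0-9A-Z])"),
    "GitHub": re.compile(r"\bgh[pousr]_[0-9A-Za-z]{36,}\b"),
    "Google Cloud": re.compile(r"\bAIza[0-9A-Za-z_-]{35}"),
    "Slack": re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}"),
    "Stripe": re.compile(r"\b[sr]k_live_[0-9A-Za-z]{24,}\b"),
}
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def scan_diff(diff_text):
    """Return (path, line_no, provider, redacted_token) for added lines only."""
    findings, path, line_no = [], None, 0
    for line in diff_text.splitlines():
        hunk = HUNK.match(line)
        if line.startswith("+++ "):
            path = line[6:] if line.startswith("+++ b/") else line[4:]
        elif hunk:
            line_no = int(hunk.group(1)) - 1  # counter for the new file
        elif line.startswith("+"):
            line_no += 1
            for provider, pattern in TOKEN_PATTERNS.items():
                for hit in pattern.finditer(line[1:]):
                    # Report a short prefix only, so the output leaks nothing.
                    findings.append((path, line_no, provider, hit.group()[:8] + "..."))
        elif line.startswith(" "):
            line_no += 1  # context lines also advance the new-file counter
    return findings


# Constructed sample diff. The AWS value is the placeholder key ID from AWS
# documentation; the Stripe-shaped value is filler zeros.
SAMPLE_DIFF = "\n".join([
    "--- a/config.py",
    "+++ b/config.py",
    "@@ -1,3 +1,4 @@",
    " import os",
    "-AWS_KEY = os.environ['AWS_KEY']",
    "+AWS_KEY = 'AKIAIOSFODNN7EXAMPLE'",
    "+STRIPE_KEY = '" + "sk_live_" + "0" * 24 + "'",
    " DEBUG = False",
])

if __name__ == "__main__":
    for finding in scan_diff(SAMPLE_DIFF):
        print(finding)
```

Feeding `scan_diff` the output of `git diff --cached` from a pre-commit hook lets the commit be rejected when the returned list is non-empty.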