About token scanning

GitHub scans public repositories for known token formats, to prevent fraudulent use of credentials that were committed accidentally.

When you push commits to a public repository, or switch a private repository to public, GitHub scans the contents of the commits or repository for tokens issued by the following service providers:

  • Adafruit
  • Alibaba Cloud
  • Amazon Web Services (AWS)
  • Atlassian
  • Azure
  • CloudBees CodeShip
  • Discord
  • Dropbox
  • GitHub
  • GoCardless
  • Google Cloud
  • HashiCorp Terraform
  • Mailgun
  • npm
  • Postman
  • Proctorio
  • Pulumi
  • Samsara
  • Slack
  • Stripe
  • Tencent Cloud
  • Twilio

When GitHub detects a set of credentials, we notify the service provider who issued the token. The service provider validates the credential and then decides whether to revoke the token, issue a new token, or reach out to you directly. That decision depends on the associated risks to you or the service provider.

Service providers can partner with GitHub to provide their token formats for scanning. For more information, see "Token scanning" in the GitHub Developer documentation.
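
A local check in the same spirit as the scanning described above, as an added example that is not GitHub's code: it scans only the lines a unified diff adds and reports each match by provider, file and line with the secret redacted. The three patterns are assumptions based on the providers' publicly known token prefixes, not GitHub's matching rules, and the sample diff and token values are constructed.

```python
import re

# Assumed patterns (public token prefixes), not GitHub's own matching rules.
TOKEN_PATTERNS = {
    "Amazon Web Services (AWS)": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "Slack": re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}"),
    "Stripe": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
}
HUNK = re.compile(r"@@ -\d+(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

def redact(token):
    return token[:4] + "*" * (len(token) - 4)  # never echo the secret itself

def scan_diff(diff_text):
    """Return (provider, path, new-file line number, redacted token) for added lines."""
    findings, path, line_no, old_left, new_left = [], None, 0, 0, 0
    for raw in diff_text.splitlines():
        if old_left <= 0 and new_left <= 0:        # between hunks: headers only
            if raw.startswith("+++ "):
                path = raw[4:].removeprefix("b/")
            elif m := HUNK.match(raw):             # an omitted line count means 1
                old_left, line_no, new_left = (int(g or 1) for g in m.groups())
        elif raw.startswith("+"):                  # added line: the only kind scanned
            for provider, pattern in TOKEN_PATTERNS.items():
                for hit in pattern.finditer(raw[1:]):
                    findings.append((provider, path, line_no, redact(hit.group())))
            line_no, new_left = line_no + 1, new_left - 1
        elif raw.startswith("-"):                  # removed line: not in the new file
            old_left -= 1
        elif not raw.startswith("\\"):             # context line (skip "\ No newline")
            line_no, old_left, new_left = line_no + 1, old_left - 1, new_left - 1
    return findings

# Constructed sample input; the token values are fabricated for this example.
FAKE_AWS = "AKIA" + "Q7X2" * 4
FAKE_STRIPE = "sk_live_" + "a1B2" * 6
SAMPLE_DIFF = f"""\
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,5 @@
 DEBUG = False
-REGION = "us-east-1"
+REGION = "eu-west-1"
+AWS_ACCESS_KEY_ID = "{FAKE_AWS}"
 TIMEOUT = 30
+STRIPE_KEY = "{FAKE_STRIPE}"
"""

print(scan_diff(SAMPLE_DIFF))
```

Removing a token in a later commit does not clear it from history, so a match on a pushed commit still means the credential should be revoked and reissued.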
