Secret scanning detector types renamed for clarity
To make secret scanning easier to understand, we’re updating the names we use for our detector types to better reflect how each one finds secrets. This is a naming change only; detection behavior is exactly the same.
Before
Now
Non-provider patterns
Generic patterns
Copilot secret scanning
AI-detected secrets
All existing product documentation links continue to work. We’ve added redirects and updated the terminology across our documentation. There are no changes to webhook events, audit log events, or the REST API.
There are two kinds of secrets we detect:
- Provider secrets are issued by a specific service (e.g., an AWS key, a Stripe token).
- Generic secrets aren’t tied to any provider (e.g., private keys, connection strings, passwords).
There are two ways we detect them:
- Patterns use deterministic detection (i.e., regular expressions combined with additional checks like entropy analysis). Patterns reliably catch secrets with a recognizable structure and include both provider patterns for provider secrets, as well as generic patterns like private keys and connection strings.
- AI-detected secrets use AI to catch generic secrets that don’t follow a predictable format (e.g., passwords). The model reads the surrounding code to find harder-to-detect unstructured secrets.
Learn more
Learn more about secret scanning and see the full list of supported secrets in our documentation. Let us know what you think in the community discussion.
The post Clearer names for secret scanning detector types appeared first on The GitHub Blog.
Fetched July 11, 2026



