Improvement

February 6, 2024

Secret scanning adds validity checks for Stripe, Telegram, SendGrid, and more

Secret scanning is extending validity check support to several additional token types.

Validity checks indicate whether leaked credentials are still active and could be exploited. If you’ve previously enabled validity checks for a given repository, GitHub will now automatically verify validity for alerts on supported token types. In addition to the token types announced in our previous changelogs, you will now see validity checks for the following token types:

| Provider | Token |
| --- | --- |
| Dropbox | dropbox_short_lived_access_token |
| Notion | notion_integration_token |
| OpenAI | openai_api_key |
| OpenAI | openai_api_key_v2 |
| SendGrid | sendgrid_api_key |
| Stripe | stripe_api_key |
| Stripe | stripe_test_secret_key |
| Telegram | telegram_bot_token |

Validity checks are available for repositories with GitHub Advanced Security on Enterprise Cloud. You can enable the feature at both organization and repository levels from the “Code security and analysis” settings page by checking the option to “automatically verify if a secret is valid by sending to the relevant partner.”

Learn more about secret scanning or our supported patterns for validity checks.
