GitHub secret scanning adds 28 detectors, enables push protection for 39 providers
GitHub Dependabot · GitHub · security · feature · api · github.blog

New Detectors and Expanded Coverage

GitHub has expanded secret scanning with 28 new secret detectors from 15 different service providers. Notable additions include support for Lark (with multiple secret types), Vercel (6 secret types), Snowflake, Supabase, and others. These detectors automatically identify leaked secrets in repositories and help prevent unauthorized access to third-party services.

Push Protection Enabled by Default

In addition, 39 existing detectors now have push protection enabled by default. Pushes whose commits contain matching secrets are blocked automatically, across providers such as Airtable, Databricks, Heroku, PostHog, and Shopify. This protects all repositories with secret scanning enabled, including free public repositories, without requiring additional configuration for these high-risk secret types.

Validity Checks for Active Secret Detection

Validity checks have been added for Airtable, DeepSeek, npm, Pinecone, and Sentry tokens. This feature automatically verifies whether a detected secret is still active, helping development teams prioritize remediation by distinguishing current threats from deprecated credentials.
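One way to turn validity results into a remediation queue, as an added example that is not from GitHub's post: it orders open alerts by the `validity` field that secret scanning alerts carry in the REST API (`active`, `inactive`, `unknown`). The alert records and their `secret_type` values are constructed placeholders, and the ranking policy is an assumption of this example.

```python
"""Order secret scanning alerts for remediation using their validity status."""
from datetime import datetime

# Assumed policy: confirmed-live secrets first, unverified next, inactive last.
VALIDITY_RANK = {"active": 0, "unknown": 1, "inactive": 2}

# Constructed sample shaped like items from
# GET /repos/{owner}/{repo}/secret-scanning/alerts.
# The secret_type values are placeholders, not real detector slugs.
SAMPLE_ALERTS = [
    {"number": 11, "state": "open", "secret_type": "placeholder_sentry_token",
     "validity": "inactive", "push_protection_bypassed": False,
     "created_at": "2025-01-10T09:00:00Z"},
    {"number": 12, "state": "open", "secret_type": "placeholder_npm_token",
     "validity": "active", "push_protection_bypassed": False,
     "created_at": "2025-02-01T09:00:00Z"},
    {"number": 13, "state": "open", "secret_type": "placeholder_airtable_token",
     "validity": "active", "push_protection_bypassed": True,
     "created_at": "2025-02-03T09:00:00Z"},
    {"number": 14, "state": "resolved", "secret_type": "placeholder_npm_token",
     "validity": "active", "push_protection_bypassed": False,
     "created_at": "2025-01-02T09:00:00Z"},
    {"number": 15, "state": "open", "secret_type": "placeholder_pinecone_key",
     "validity": "unknown", "push_protection_bypassed": None,
     "created_at": "2025-01-20T09:00:00Z"},
    {"number": 16, "state": "open", "secret_type": "placeholder_other_token",
     "validity": None, "push_protection_bypassed": None,
     "created_at": "2025-01-05T09:00:00Z"},
]


def triage(alerts):
    """Return open alerts, most urgent first."""
    def urgency(alert):
        # A missing validity result is treated as "unknown", never as safe.
        rank = VALIDITY_RANK.get(alert.get("validity"), VALIDITY_RANK["unknown"])
        # Within a rank, a bypassed push-protection block goes first:
        # someone saw the warning and the secret was pushed anyway.
        bypassed = 0 if alert.get("push_protection_bypassed") else 1
        created = datetime.fromisoformat(alert["created_at"].replace("Z", "+00:00"))
        return (rank, bypassed, created)  # oldest first as the tie-breaker

    return sorted((a for a in alerts if a.get("state") == "open"), key=urgency)


if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS):
        print(a["number"], a.get("validity") or "unknown", a["secret_type"])
```

An `inactive` result lowers urgency only; the alert stays in the queue because the secret was still exposed in the repository history.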

What Developers Need to Know

  • Review the full supported secret scanning patterns documentation to understand which secrets are now detected
  • Push protection defaults apply automatically; no action is required for default-enabled patterns
  • Configurable patterns remain available for teams that want to customize their push protection settings
  • Validity checks reduce false alarms by confirming whether secrets pose an active threat