Detected secrets
- Tier: Free, Premium, Ultimate
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
This table lists the secrets detected by:
- Pipeline secret detection
- Client-side secret detection
- Secret push protection
Secret detection rules are updated in the default ruleset. Detected secrets with patterns that have been removed or updated remain open so you can triage them.
If you want to add a new secret detection rule, you can propose new detection rules for all GitLab users, or customize rulesets for your specific project.
| Description | ID | Pipeline secret detection | Client-side secret detection | Secret push protection |
|---|---|---|---|---|
| Adafruit IO Key | AdafruitIOKey | No | ||
| Adobe Client ID (OAuth Web) | Adobe Client ID (Oauth Web) | No | No | |
| Adobe client secret | Adobe Client Secret | No | ||
| Age secret key | Age secret key | No | No | |
| Aiven Service Password | AivenServicePassword | No | ||
| Alibaba AccessKey ID | Alibaba AccessKey ID | No | No | |
| Alibaba Secret Key | Alibaba Secret Key | No | No | |
| Amazon OAuth Client ID | AmazonOAuthClientID | No | ||
| Anthropic API key | anthropic_key | |||
| Artifactory API Key | ArtifactoryApiKey | No | ||
| Artifactory Identity Token | ArtifactoryIdentityToken | No | ||
| Asana client ID | Asana Client ID | No | No | |
| Asana client secret | Asana Client Secret | No | No | |
| Asana Personal Access Token V1 | AsanaPersonalAccessTokenV1 | No | ||
| Asana Personal Access Token V2 | AsanaPersonalAccessTokenV2 | No | ||
| Atlassian API Key | AtlassianApiKey | No | ||
| Atlassian API token | Atlassian API token | No | No | |
| Atlassian User API Token | AtlassianUserApiToken | No | ||
| Auth0 Client Secret | Auth0ClientSecret | No | No | |
| AWS Access Key ID | AWS | No | ||
| AWS Access Secret Key | AWSSecretAccessKey | No | No | |
| AWS Session Token | AWSSessionToken | No | ||
| AWS Cognito Identity Pool ID | AWSCognitoIdentityPoolID | No | No | |
| AWS Bedrock Key | AWSBedrockKey | No | No | |
| AWS Bedrock Short-lived Key | AWSBedrockShortLivedKey | No | ||
| Azure API Management Gateway Key | AzureAPIManagementGatewayKey | No | ||
| Azure API Management Direct Key | AzureAPIManagementDirectKey | No | No | |
| Azure App Config | AzureAppConfigConnectionString | No | ||
| Azure Communication Services | AzureCommServicesConnectionString | No | ||
| Azure Cosmos DB Credentials | AzureCosmosDBCredentials | No | No | |
| Azure Entra Client Secret | AzureEntraClientSecret | No | ||
| Azure Entra Client ID Token | AzureEntraIDToken | No | ||
| Azure EventGrid Access Key | AzureEventGridAccessKey | No | No | |
| Azure Functions API Key | AzureFunctionsAPIKey | No | ||
| Azure Logic App SAS | AzureLogicAppSAS | No | ||
| Azure OpenAI API Key | AzureOpenAIAPIKey | No | No | |
| Azure Personal Access Token | AzurePersonalAccessToken | No | No | |
| Azure SignalR Access Key | AzureSignalRAccessKey | No | ||
| Beamer API token | Beamer API token | No | No | |
| Bitbucket client ID | Bitbucket client ID | No | No | |
| Bitbucket client secret | Bitbucket client secret | No | No | |
| Brevo API token | Sendinblue API token | No | ||
| Brevo SMTP token | Sendinblue SMTP token | No | ||
| Canada Digital Service Notify API Key | CDSCanadaNotifyAPIKey | No | ||
| CircleCI access token | CircleCI access tokens | No | No | |
| CircleCI Personal Access Token | CircleCIPersonalAccessToken | No | ||
| Clojars deploy token | Clojars API token | No | No | |
| Contentful delivery API token | Contentful delivery API token | No | No | |
| Contentful personal access token | ContentfulPersonalAccessToken | No | ||
| Contentful preview API token | Contentful preview API token | No | No | |
| Databricks API token | Databricks API token | No | No | |
| DataDog API Key | DataDogAPIKey | No | No | |
| DigitalOcean OAuth access token | digitalocean-access-token | No | No | |
| DigitalOcean personal access token | digitalocean-pat | No | No | |
| DigitalOcean refresh token | digitalocean-refresh-token | No | No | |
| Discord API key | Discord API key | No | No | |
| Discord client ID | Discord client ID | No | No | |
| Discord client secret | Discord client secret | No | No | |
| Docker Personal Access Token | DockerPersonalAccessToken | No | ||
| Doppler API token | Doppler API token | No | ||
| Doppler Service token | Doppler Service token | No | ||
| Dropbox API secret/key | Dropbox API secret/key | No | No | |
| Dropbox App Access Token | DropboxAppAccessToken | No | ||
| Dropbox long lived API token | Dropbox long lived API token | No | No | |
| Dropbox short lived API token | Dropbox short lived API token | No | ||
| Duffel API token | Duffel API token | No | No | |
| Dynatrace Platform Token | DynatracePlatformToken | No | No | |
| EasyPost production API key | EasyPost API token | No | No | |
| EasyPost test API key | EasyPost test API token | No | No | |
| Facebook token | Facebook token | No | No | |
| Fastly API user or automation token | Fastly API token | No | No | |
| Figma Personal Access Token | FigmaPersonalAccessToken | No | ||
| Finicity API token | Finicity API token | No | No | |
| Finicity client secret | Finicity client secret | No | No | |
| Flutterwave Prod Encrypted Key | FlutterwaveProdEncryptedKey | No | ||
| Flutterwave test encrypted key | Flutterwave encrypted key | No | No | |
| Flutterwave Prod Public Key | FlutterwaveProdPublicKey | No | ||
| Flutterwave test public key | Flutterwave public key | No | No | |
| Flutterwave Prod Secret Key | FlutterwaveProdSecretKey | No | ||
| Flutterwave test secret key | Flutterwave secret key | No | No | |
| Frame.io API token | Frame.io API token | No | No | |
| GCP API key | GCP API key | No | No | |
| GCP OAuth client secret | GCP OAuth client secret | No | ||
| GCP Vertex Express Mode Key | GCPVertexExpressModeKey | No | ||
| GitHub app token | Github App Token | No | ||
| GitHub App Installation Token | GithubAppInstallationToken | No | ||
| GitHub Fine Grained Personal Access Token | GithubFineGrainedPersonalAccessToken | No | ||
| GitHub OAuth Access Token | Github OAuth Access Token | No | ||
| GitHub personal access token (classic) | Github Personal Access Token | No | ||
| GitHub refresh token | Github Refresh Token | No | ||
| GitLab CI/CD job token | gitlab_ci_build_token | No | ||
| GitLab deploy token | gitlab_deploy_token | No | ||
| GitLab Feature Flags Client Token | None | No | No | |
| GitLab feed token | gitlab_feed_token | No | ||
| GitLab feed token v2 | gitlab_feed_token_v2 | |||
| GitLab incoming email token | gitlab_incoming_email_token | |||
| GitLab Kubernetes agent token | gitlab_kubernetes_agent_token | |||
| GitLab OAuth application secret | gitlab_oauth_app_secret | |||
| GitLab personal access token | gitlab_personal_access_token | |||
| GitLab Personal Access Token (routable) | gitlab_personal_access_token_routable | |||
| GitLab pipeline trigger token | gitlab_pipeline_trigger_token | |||
| GitLab runner authentication token | gitlab_runner_auth_token | |||
| GitLab runner registration token | gitlab_runner_registration_token | No | ||
| GitLab SCIM OAuth token | gitlab_scim_oauth_token | No | ||
| GoCardless API token | GoCardless API token | No | No | |
| Google API key | GCP API key | No | No | |
| Google (GCP) service account | Google (GCP) Service-account | No | ||
| Grafana Service Account Token | GrafanaServiceAccountToken | No | ||
| Grafana Cloud Access Policy Token | GrafanaCloudAccessPolicyToken | No | ||
| HashiCorp Terraform API token | Hashicorp Terraform user/org API token | No | ||
| HashiCorp Vault batch token | Hashicorp Vault batch token | No | ||
| HashiCorp Vault Service Token | HashicorpVaultServiceToken | No | ||
| Heroku API key or application authorization token | Heroku API Key | No | ||
| Highnote Live Secret Key | HighnoteLiveSecretKey | No | ||
| Highnote Test Secret Key | HighnoteTestSecretKey | No | ||
| HubSpot private app API token | Hubspot API token | No | ||
| Hugging Face User Access Token | HuggingFaceUserAccessToken | No | ||
| Instagram access token | Instagram access token | No | No | |
| Intercom API token | Intercom API token | No | No | |
| Intercom App Access Token | IntercomAppAccessToken | No | ||
| Intercom client secret or client ID | Intercom client secret/ID | No | No | |
| Ionic personal access token | Ionic API token | No | No | |
| Kubernetes Service Account Token | KubernetesServiceAccToken | No | ||
| LangChain API Key | LangChainAPIKey | No | ||
| Linear API token | Linear API token | No | ||
| Linear client secret or ID (OAuth 2.0) | Linear client secret/ID | No | No | |
| LinkedIn client ID | Linkedin Client ID | No | No | |
| LinkedIn client secret | Linkedin Client secret | No | No | |
| Lob API key | Lob API Key | No | No | |
| Lob publishable API key | Lob Publishable API Key | No | No | |
| Mailchimp API key | Mailchimp API key | No | ||
| Mailgun private API token | Mailgun private API token | No | ||
| Mailgun public verification key | Mailgun public validation key | No | No | |
| Mailgun webhook signing key | Mailgun webhook signing key | No | ||
| Mapbox API token | Mapbox API token | No | No | |
| Mapbox Secret API Token | MapboxSecretApiToken | No | No | |
| MaxMind License Key | MaxMind License Key | No | ||
| MessageBird access key | messagebird-api-token | No | No | |
| MessageBird API client ID | MessageBird API client ID | No | No | |
| Meta access token | Meta access token | No | No | |
| New Relic ingest browser API token | New Relic ingest browser API token | No | No | |
| New Relic ingest browser API token v2 | New Relic ingest browser API token v2 | No | ||
| New Relic REST API Key | New Relic REST API Key | No | ||
| New Relic user API ID | New Relic user API ID | No | ||
| New Relic user API key | New Relic user API Key | No | ||
| npm access token | npm access token | No | ||
| Oculus access token | Oculus access token | No | No | |
| Okta API Token | OktaAPIToken | No | ||
| Okta Client Secret | OktaClientSecret | No | No | |
| Onfido Live API Token | Onfido Live API Token | No | ||
| OpenAI API key | open ai token | No | No | |
| OpenAI Project Key | OpenAiProjectKey | No | ||
| OpenAI Service Account Key | OpenAiServiceAccountKey | No | ||
| Password in URL | Password in URL | No | No | |
| PGP private key | PGP private key | No | No | |
| PKCS8 private key | PKCS8 private key | No | No | |
| PlanetScale API token | Planetscale API token | No | ||
| PlanetScale App Secret | PlanetscaleAppSecret | No | ||
| PlanetScale OAuth Secret | PlanetscaleOAuthSecret | No | ||
| PlanetScale password | Planetscale password | No | ||
| PostHog Personal API key | PostHogPersonalAPIkey | No | ||
| PostHog Project API key | PostHogProjectAPIkey | No | ||
| Postman API token | Postman API token | No | No | |
| Postman Collection Access Key | PostmanCollectionAccessKey | No | ||
| Pulumi API token | Pulumi API token | No | No | |
| PyPi upload token | PyPI upload token | No | ||
| RSA private key | RSA private key | No | No | |
| RubyGems API token | Rubygem API token | No | ||
| Segment public API token | Segment Public API token | No | ||
| SendGrid API token | Sendgrid API token | No | ||
| Shippo API token | Shippo API token | No | ||
| Shippo Test API token | Shippo Test API token | No | No | |
| Shopify Partner API Token | ShopifyPartnerAPIToken | No | ||
| Shopify personal access token | Shopify access token | No | ||
| Shopify private app access token | Shopify private app access token | No | ||
| Shopify Custom App Access Token | Shopify custom app access token | No | ||
| Shopify shared secret | Shopify shared secret | No | ||
| Slack App Configuration Token | SlackAppConfigurationToken | No | ||
| Slack App Configuration Refresh Token | SlackAppConfigurationRefreshToken | No | ||
| Slack app level token | SlackAppLevelToken | No | ||
| Slack bot user OAuth token | Slack token | No | ||
| Slack webhook | Slack Webhook | No | No | |
| SonarQube Global Analysis Token | SonarQubeGlobalAnalysisToken | No | ||
| SonarQube Project Analysis Token | SonarQubeProjectAnalysisToken | No | ||
| SonarQube User Token | SonarQubeUserToken | No | ||
| Splunk Authentication Token | SplunkAuthToken | No | ||
| Splunk HTTP Event Collector (HEC) Token | SplunkHECToken | No | No | |
| SSH (DSA) private key | SSH (DSA) private key | No | No | |
| SSH (EC) private key | SSH (EC) private key | No | No | |
| SSH private key | SSH private key | No | No | |
| Stripe live restricted key | StripeLiveRestrictedKey | No | ||
| Stripe live secret key | StripeLiveSecretKey | No | ||
| Stripe Live Short Secret Key | StripeLiveShortSecretKey | No | ||
| Stripe publishable live key | StripeLivePublishableKey | No | No | |
| Stripe publishable test key | StripeTestPublishableKey | No | No | |
| Stripe restricted test key | StripeTestRestrictedKey | No | No | |
| Stripe secret test key | StripeTestSecretKey | No | No | |
| Stripe Test Short Secret Key | StripeTestShortSecretKey | No | ||
| Tailscale OAuth Client Secret | TailscaleOauthClientSecret | No | ||
| Tailscale API Access Token | TailscaleApiAccessToken | No | ||
| Tailscale Personal Auth Key | TailscalePersonalAuthKey | No | ||
| Tencent Cloud Secret ID | TencentCloudSecretID | No | ||
| Twilio Account SID | Twilio Account SID | No | ||
| Twilio API key | Twilio API Key | No | ||
| Twitch OAuth client secret | Twitch API token | No | No | |
| Typeform personal access token | Typeform API token | No | No | |
| Volcengine Access Key ID | VolcengineAccessKeyID | No | ||
| WakaTime API Key | WakaTimeAPIKey | No | ||
| X token | Twitter token | No | No | |
| Yandex.Cloud AWS API compatible access secret | Yandex.Cloud AWS API compatible Access Secret | No | No | |
| Yandex.Cloud API Key | Yandex.Cloud API Key | No | No | |
| Yandex.Cloud IAM cookie v1-1 | Yandex.Cloud IAM Cookie v1 - 1 | No | No | |
| Yandex.Cloud IAM cookie v1-3 | Yandex.Cloud IAM Cookie v1 - 3 | No | No |