GitHub Secret Scanning adds extended metadata and multipart validation
GitHub Secret Scanning now offers enriched metadata for supported secret types, including owner details, creation/expiry dates, and project context. These generally available enhancements allow development and security teams to assess exposure and prioritize remediation faster. Multipart validity checks are also expanded to cover key credential formats across major providers like Alibaba Cloud and Azure, with GitHub continually adding more support.
- →Extended metadata for secret scanning alerts
- →Multipart validation for secret validity
- →Metadata availability varies
Features (2) ›
- Extended metadata for secret scanning alerts
Secret scanning now surfaces enriched metadata for supported secret types, providing details about the secret's owner, creation/expiry dates, and project/organization context. This information is available across alert list filters, security campaign creation, webhook events, and the REST API to aid in faster triage and remediation.
- Multipart validation for secret validity
To determine secret validity, GitHub now leverages supplementary metadata for certain secret types that require more than just the secret literal. Multipart validity checks now cover key credential formats across major providers including Alibaba Cloud, Databricks, and Microsoft Azure.
Notes (1) ›
- Metadata availability varies
The availability of metadata for secrets can vary based on the secret provider, token type, and even the specific secret at different times. GitHub makes a best effort to display available metadata.
https://github.blog/changelog/2026-07-07-secret-scanning-extended-metadata-and-multipart-validation