Release Date: June 23, 2026

This version adds nine new detectors — Amadeus OAuth Credentials, Kinde OAuth Credentials, TomTom API Key, Datadog Personal Access Token, and five Azure services (Maps, Mixed Reality, Service Bus, Quantum, and Bot Direct Line). It also introduces validity checkers for Gemfury Deploy/Push and Full Access tokens, refreshes the LiteLLM and GitLab runner authentication checkers, extends the Artifactory token detector to match longer host names, and updates the Google Cloud and GitLab token analyzers.

New Detectors​

• Amadeus OAuth Credentials: Add a new detector for Amadeus OAuth Credentials.
• Kinde OAuth Credentials: Add a new detector for Kinde OAuth Credentials.
• Azure Maps Key: Add a new detector for Azure Maps Key.
• Azure Mixed Reality Key: Add a new detector for Azure Mixed Reality Key.
• TomTom API Key: Add a new detector for TomTom API Key.
• Datadog Personal Access Token: Add a new detector for Datadog Personal Access Token.
• Azure Service Bus Key: Add a new detector for Azure Service Bus Key.
• Azure Quantum Key: Add a new detector for Azure Quantum Key.
• Azure Bot Direct Line Key: Add a new detector for Azure Bot Direct Line Key.

Detector Updates​

• Gemfury Deploy Or Push Token: Add a new checker for Gemfury Deploy Or Push Token.
• Gemfury Full Access Token: Add a new checker for Gemfury Full Access Token.
• LiteLLM API Key: Use the models endpoint and validate JSON response shape.
• LiteLLM API Key: Use the models endpoint and validate JSON response shape.
• GitLab runner authentication token: Fix the validity check for GitLab runner authentication tokens
• Artifactory Token With Host: Fixed artifactory_token_with_host detector to catch longer host names.

Analyzer Updates​

• Google Cloud Keys: Stop fetching project IAM members in analyzer metadata.
• GitLab Token: Fix fine-grained GitLab PAT analyzer by removing scope checkers that cannot be validated.

  Release Date: June 9, 2026

This release of the GitGuardian detection engine adds new detectors for Stitch API Key, ActiveMQ Credentials, Instantly API Key, Gitea Access Token, Fal.ai API Key, SurrealDB Cloud JWT Token, Kimi API Key, and Wiz OAuth Credentials. It also introduces new validity checkers — several with custom-host support — for Okta Token, Okta OAuth Credentials, Azure Communication Services Connection String, Azure Storage Account Key, AWS Cognito OAuth 2.0 Credentials, LaunchDarkly SDK Key, Pulumi Access Token, and the Python Package Index Key. A number of existing checkers were upgraded to keep pace with provider changes: AWS IAM Keys now check all AWS regions, Sumo Logic gains the Switzerland and Korea deployments (dropping the retired India endpoint), and Supabase, Vultr, Baidu AI, and SAP OAuth Credentials were updated for revised endpoints and validity handling.

Notable precision improvements (measured on internal benchmarks):

• azure_active_directory_api_keys: significant reduction in false positives.

New Detectors​

• Stitch Api Key: [Detector-builder] Add a detector for Stitch Api Key
• ActiveMQ Credentials: Add a new detector for ActiveMQ Assignment.
• Instantly API Key: Add a new detector for Instantly API Key.
• Gitea Access Token: Add a new detector for Gitea Access Token.
• Fal.ai API Key: Add a new detector for Fal.ai API Key.
• SurrealDB Cloud JWT Token: Add a new detector for SurrealDB Cloud JWT Token.
• Kimi API Key: Add a new detector for Kimi API Key.
• Wiz OAuth Credentials: Add a new detector for Wiz OAuth Credentials.

Detector Updates​

• AWS IAM Keys: Update the AWS IAM checker to check all AWS regions.
• Okta Token: Add a new checker for Okta Token with custom_host_support.
• Okta Keys: Add a new checker for Okta OAuth Credentials with custom_host_support.
• Okta Keys: Add a new checker for Okta OAuth Credentials with custom_host_support.
• Azure Communication Services Connection String: Add a new checker for Azure Communication Services Connection String.
• Microsoft Azure Storage Account Key: Add a new checker for Azure Storage Account Key with custom_host_support.
• AWS Cognito OAuth 2.0 Credentials: Add a new checker for AWS Cognito OAuth credentials with custom host support.
• LaunchDarkly SDK Key: Add a new checker for LaunchDarkly SDK Key.
• Azure Active Directory API Keys: Update the matchers to improve detection accuracy.
• Pulumi Access Token: Add a new checker for Pulumi Access Token.
• Sumo Logic Keys: Remove the non-existent India endpoint and add the Switzerland and Korea deployments.
• Supabase API Key: Return invalid when the project no longer exists, while keeping failed to check on a transient outage.
• Python Package Index Key: Add a checker validating PyPI API tokens against pypi.org and test.pypi.org
• Vultr Key: Migrate the checker to the Vultr v2 API as the v1 endpoint was removed.
• Baidu AI API Key: Use the chat/completions endpoint as the model listing endpoint no longer authenticates API keys.
• SAP OAuth Credentials: Treat a 404 from a non-existent tenant as invalid instead of failed to check.

  Release Date: May 25, 2026

This release of the GitGuardian detection engine adds six new detectors — for Authentik API Token, Pagar.me Encryption Key, Adobe Refresh Token, LiteLLM API Key, brapi.dev API Key, and Open VSX Access Token — together with new checkers for Google OAuth2 Keys and a new analyzer for Adafruit IO API Key.

Notable precision improvements (measured on internal benchmarks):

• snyk_key: precision raised from ~40% to ~90%.
• finicity_authentication_keys: precision raised from ~67% to ~98%.
• hunter_api_key: precision raised from ~9% to ~100%.
• datadog_api_credentials: significant reduction in false positives.
• github_access_token: significant reduction in false positives.
• heroku_platform_key: significant reduction in false positives.

New Detectors​

• Authentik API Token: Add a new detector for Authentik API Token.
• Pagar.me Encryption Key: Add a new detector for Pagar.me Encryption Key.
• Adobe Refresh Token: Add a new detector for Adobe Refresh Token.
• LiteLLM API Key: Add a new detector for LiteLLM API Key.
• brapi.dev API Key: Add a new detector for brapi.dev API Key.
• Open VSX Access Token: Add a new detector for Open VSX Access Token.

Detector Updates​

• Google OAuth2 Keys: Add checkers for Google OAuth2 Keys.
• Datadog API Credentials: Improve datadog_api_key precision.
• Finicity Authentication Keys: Improve finicity_auth_keys detector precision.
• Snyk Key: Improve snyk_key detector precision.
• GitHub Personal Access Token: Improve github_token detector precision.
• Hunter API Key: Improve hunter_api_key detector precision.
• Heroku Platform Key: Improve heroku_token detector precision.

New Analyzers​

• Adafruit IO API Key: Add a new analyzer for Adafruit IO API Key.

  Release Date: May 12, 2026

This release adds detectors for Aikido API OAuth2 Credentials, Logflare Access Token, PolyAPI API Key, Apollo.io API Key, AES Cipher Key, and SAP OAuth Credentials (replacing sap_ai_core_credentials). The Azure DevOps Personal Access Token, GitHub App Token, and Pagar.me API Key detectors gain support for new formats. A new checker ships for SAP OAuth Credentials and the Coralogix Personal Key checker now handles keys without granted permissions. The Datadog API Credentials and Azure OpenAI analyzers are also updated, with the latter now surfacing upstream HTTP status codes on failure.

Notable precision improvements (measured on internal benchmarks):

• azure_devops_personal_access_token: significant reduction in false positives.
• github_app_token: significant reduction in false positives.

New Detectors​

• Aikido API OAuth2 Credentials: Add a new detector for Aikido API OAuth2 Credentials.
• Logflare Access Token: Add a new detector for Logflare Access Token.
• PolyAPI API Key: Add a new detector for PolyAPI API Key.
• Apollo.io API Key: Add a new detector for Apollo API Key.
• AES Cipher Key: Add a new detector for AES Cipher Key.
• SAP OAuth Credentials: Add the sap_oauth_credentials detector. This detector replaces the sap_ai_core_credentials detector.

Detector Updates​

• Azure DevOps Personal Access Token: Improve precision and catch new formats of Azure DevOps PAT.
• GitHub App Token: Improve precision and catch new formats of GitHub Server-to-server Token.
• Pagar.me API Key: Update regex pattern to support Pagar.me API keys in sandbox environment.
• SAP OAuth Credentials: Add a checker for the sap_oauth_credentials detector.
• Coralogix Personal key: Update checker for Coralogix Personal Key to support keys without granted permissions.

Analyzer Updates​

• Datadog API Credentials: Remove apm_api_catalog_write scope checker from Datadog API credentials analyzer.
• Azure Open AI API key: Surface upstream HTTP status codes when a request to Azure OpenAI fails instead of swallowing them as a generic invalid-secret error.

  Release Date: April 27, 2026

This release ships 16 new detectors (Baidu AI Cloud API Key, Baidu Cloud API Keys, HashiCorp Consul ACL Token, ElevenLabs API Key, Datadog Application Key, Volcengine API Key, QQ Robot API Keys, Canva Integration OAuth 2.0, Bitrise Personal Access Token, Bitrise Workspace API Token, MaxMind License Key, Snyk Key V2, Cloudflare API Token V2, CockroachDB API Key, Coder Session Token, Aikido CI Scanning Token), updated detectors for Azure OpenAI (new key format), GitLab (fine-grained personal access tokens), Google Cloud (lower memory on secret-dense files), PayPal Braintree and Slack Bot Token (more accurate check statuses), new analyzers for Azure AI Search and Azure OpenAI, and analyzer updates for GitLab (fine-grained PATs), PostgreSQL Credentials and Anthropic Admin Key. The grafbase_access_token checker is also disabled ahead of the detector's removal in the next release.

Notable precision improvements (measured on internal benchmarks):

• paypal_braintree_keys: significant reduction in false positives.

New Detectors​

• Aikido CI Scanning Token: Add a new detector for Aikido CI Scanning Token.
• Baidu AI API Key: Add a new detector for Baidu AI Cloud API Key.
• Baidu Cloud API Keys: Add a new detector for Baidu Cloud API Keys.
• Bitrise Personal Access Token: Add a new detector for Bitrise Personal Access Token.
• Bitrise Workspace API Token: Add a new detector for Bitrise Workspace API Token.
• Canva Integration OAuth2: Add a new detector for Canva Integration OAuth 2.0.
• Cloudflare API Token: Add a new detector for Cloudflare API Token V2 with new token format.
• CockroachDB API Key: Add a new detector for CockroachDB API Key.
• Coder Session Token: Add a new detector for Coder Session Token.
• Datadog Application Key: Add a new detector for Datadog Application Key.
• ElevenLabs API Key: Add a new detector for ElevenLabs API Key.
• Hashicorp Consul ACL Token: Add a new detector for HashiCorp Consul ACL Token.
• MaxMind License Key: Add a new detector for MaxMind License Key.
• QQ Robot API Keys: Add a new detector for QQ Robot API Keys.
• Snyk Key: Add a new detector for Snyk Key V2.
• Volcengine API Key: Add a new detector for Volcengine API Key.

Detector Updates​

• Azure Open AI API key: Update the azure_open_ai_api_key detector to support the new key format.
• GitLab Token: Update GitLab checker to support fine-grained personal access tokens.
• Google Cloud Keys: The googlecloud detector now uses less memory on files full of secrets.
• Grafbase Access Token: Disabled checker for the grafbase_access_token: the service has been discontinued.
• PayPal Braintree Keys: Improve precision of PayPal Braintree Keys detector.
• Slack Bot Token: Some tokens that could have been wrongly reported as "Invalid" before are now reported as "Failed to check".

New Analyzers​

• Azure AI Search Key: Add a new analyzer for Azure AI Search Key.
• Azure Open AI API key: Add analyzer for Azure Open AI API key.

Analyzer Updates​

• Anthropic Admin Key: Only check workspace members endpoint accessibility.
• GitLab Token: Update GitLab analyzer to support fine-grained personal access tokens.
• PostgreSQL Credentials: The postgresql_credentials secret analyzer no longer fails on instances that do not support ORDER BY for ARRAY_AGG.

  Release Date: April 14, 2026

This release introduces new detectors for Payhere, HubSpot, Birdeye, Datadog, and GitGuardian access tokens, a new Azure SignalR checker, analyzers for Intercom, Notion, and Azure Cosmos DB, plus precision improvements to several existing detectors.

Notable precision improvements (measured on internal benchmarks):

• open_weather_map_token: precision raised from ~2.7% to ~91.7%.
• npm_token: precision raised from ~50.7% to ~99%.
• atlassian_oauth2: significant reduction in false positives.

New Detectors​

• Payhere App Credentials: Add a new detector for Payhere App Credentials with its corresponding checker.
• HubSpot API Key: Add a new detector for Hubspot API Key with its corresponding checker.
• Birdeye API Key: Add a new detector for Birdeye API Key with its corresponding checker.
• Datadog API Credentials: Add a new detector for Datadog API Keys with its corresponding checker.
• Payhere Merchant Secret: Add a new detector for Payhere Merchant Secret.
• GitGuardian Personal Access Token: Add detector and checker for GitGuardian Personal Access Token
• GitGuardian Service Access Token: Add detector and checker for GitGuardian Service Access Token

Detector Updates​

• Azure SignalR Connection String: Add a new checker for Azure SignalR Connection String.
• Jira Basic Auth: Improve jira_basic_auth content whitelist pre-validator pattern.
• Atlassian Oauth2 Keys: Improved precision by restricting the regex pattern.
• npm Token: Improve precision by updating assignment name keywords.
• OpenWeatherMap Token: Improve detector precision.

New Analyzers​

• Intercom Access Token: Add a new analyzer for Intercom Access Token.
• GitGuardian Personal Access Token: Add analyzer for GitGuardian Personal Access Token.
• GitGuardian Service Access Token: Add analyzer for GitGuardian Service Access Token.
• Notion Integration Token: Add a new analyzer for Notion Integration Token.
• Azure Cosmos DB Credentials: Add a new analyzer for Azure Cosmos DB Credentials.

  Release Date: March 31, 2026

This release introduces new detectors for Paymob and ConvertTo-SecureString, analyzers for Sentry, Figma, Datadog, and Google Cloud, plus various detector and checker fixes.

The highlight of this release is a new family of private key checkers. For generic PKCS#8, OpenSSH, RSA, and elliptic curve private keys, GitGuardian can now verify whether the key is registered with GitLab or GitHub, letting you distinguish live, account-linked keys from unused ones and prioritize remediation accordingly.

Notable precision improvements:

• gitlab_token: improved precision.
• azure_subscription_key: improved precision.

New Detectors and Checkers​

• Paymob API Key: Add a new detector for Paymob API Key.
• Paymob Secret Key: Add a new detector for Paymob Secret Key.

New Detectors​

• ConvertTo-SecureString Password: Add a new detector for ConvertTo-SecureString Password.
• Paymob HMAC Secret: Add a new detector for Paymob HMAC Secret.

New Checkers​

• Kubernetes Docker Secret: Add custom checkers to handle individual secrets stored in the base64-encoded string.
• Generic Private Key: Check whether a PKCS#8 private key is registered with GitLab or GitHub.
• OpenSSH Private Key: Check whether an OpenSSH private key is registered with GitLab or GitHub.
• RSA Private Key: Check whether an RSA private key is registered with GitLab or GitHub.
• Elliptic Curve Private Key: Check whether an EC private key is registered with GitLab or GitHub.

New Analyzers​

• Sentry User Auth Token: Add a new analyzer for Sentry Token.
• Figma Personal Access Token: Add a new analyzer for Figma Personal Access Token.
• Datadog API Credentials: Add a new analyzer for Datadog API credentials.
• Google Cloud Keys: Add a new analyzer for Google Cloud Keys.

Detector Upgrades​

• GitLab Token: Fix false positive matching passwords in user:pass context
• Azure Subscription Key: azure_subscription_key detector no longer mistakenly reports ServiceNow sys ID as secrets.

Checker Upgrades​

• Supabase API Key: Fix checker to correctly return INVALID for revoked keys.

  Release Date: March 20, 2026

This release introduces 19 new detectors and checkers including Azure, DeepL, Oracle, SAP, and Polar tokens, 4 new analyzers, and improved detection precision and checker reliability across multiple existing secrets.

Notable Detection Changes​

Starting with this release, we'll highlight notable detector changes that may affect your scan results. In this release, all detectors remain stable - you can expect minimal changes to detection accuracy. Future releases with significant changes will be called out here.

New Detectors and Checkers​

• Polar Organization Access Token: Add a detector for Polar Organization Access Token.
• Google Cloud Express API Key: Add a detector for Google Cloud Express API Key
• Microsoft Azure Storage Account Key: Add a new detector for Microsoft Azure Storage Account Key with Account Name.
• Azure Language API Key: Add a new detector for Azure Language API Key.
• Azure IoT Hub Connection String: Add a new detector for Azure IoT Hub Connection String.
• DeepL Free API Keys: Implemented detector for DeepL Free API keys
• DeepL Pro API Keys: Implemented detector for DeepL Pro API keys
• Azure Document Intelligence Key: Add a new detector for Azure Document Intelligence Key.
• Azure Speech Services Key: Add a new detector for Azure Speech Services Key.
• Azure Computer Vision Key: Add a new detector for Azure Computer Vision API Key.
• Azure Text Translation Key: Add a new detector for Azure Text Translation Key.
• Oracle Credentials: Add a new detector for Oracle JDBC credentials.
• GitGuardian Public Monitoring API Key: Add detector for new GitGuardian Public Monitoring API Key format
• GitGuardian Internal Monitoring Key: Add detector for new GitGuardian Internal Monitoring Key format
• SAP AI Core Credentials: Add a new detector for SAP AI Core Credentials.
• Odoo External API Key: Add a new detector for Odoo External API Key.

New Detectors​

• K3s Token: Add a detector for K3s tokens
• Zoho API Key: Add a detector for Zoho API Key
• ServiceNow Generic Password: Add a new detector for passwords in ServiceNow configuration files.

New Analyzers​

• Azure App Configuration Connection String: Add a new analyzer for Azure App Configuration Connection String.
• Google API Key: Add a new analyzer for Google API Key.
• Azure Speech Services Key: Add a new analyzer for Azure Speech Services Key.
• FTP Credentials: Add a new analyzer for FTP credentials.

Detector Upgrades​

• Oracle Credentials: Improve the Oracle JDBC connection string detector by updating the regex.
• AWS IAM STS Keys: Reduce false positives by requiring assignment context for client_secret match
• GitLab incoming mail token: Improve precision by updating the regex pattern.
• Pusher Channels Keys: Remove unneeded CWPV pattern
• Jina API Key: Pin key length according to empirical evidence.

Checker Upgrades​

• SMTP credentials: hard-coded well-known SMTP services parameters
• MongoDB Credentials: Fix false positives by using authenticated operation instead of server_info()
• Langfuse Credentials: Add custom host support for langfuse_credentials checker
• GitLab Agent Kubernetes Token: Add custom host support for gitlab_agent_kubernetes_token checker
• GitLab CI/CD Job Token: Add custom host support for gitlab_ci_cd_job_token checker
• GitLab SCIM Token: Add custom host support for gitlab_scim_token checker
• Microsoft Power Apps Webhook: Return invalid check status for deleted webhooks.
• Jina API Key: Interpret 402 low credit status as a sign of a valid key.
• Snowflake Credentials: Refactor snowflake_uri checker to use Snowflake's REST login endpoint.

Analyzer Upgrades​

• GitLab Token: The gitlab_token analyzer now includes more info about the token, and if available, about the token owner.
• PostgreSQL Credentials: Handle connection timeout errors gracefully with a proper AnalyzerFailed exception

  Release Date: March 03, 2026

This release introduces 4 new detectors for MiniMax, Retell, Azure Storage Account Key, and curl credentials, along with a 12% scanning speed improvement.

New Detectors and Checkers​

• MiniMax API Key: Added a detector and checker for MiniMax API keys.
• Retell API Key: Added a detector and checker for Retell API keys.
• Microsoft Azure Storage Account Key: Added a detector and checker for Microsoft Azure Storage Account Key with Account Name.

New Detectors​

• Curl Username Password: Added a new detector for curl username and password credentials.

Detector Improvements​

• Azure Container Registry Key: Updated detector to catch more token lengths.
• MongoDB Credentials: Fixed false positives in checker by using authenticated operation instead of server_info().

Engine Enhancements​

• Scanning speed improved by 12% as a result of optimizations to the scanner's internal logic.

  Release Date: February 19, 2026

Engine Performance​

This new version nearly doubles scanning speed, meaning significantly reduced scan times. Self-hosted customers will also benefit from lower resource consumption.

---

This release also introduces a significant expansion of detection capabilities with over 20 new detectors, particularly for Azure cloud services and payment platforms, along with new revokers and analyzer upgrades.

New Detectors and Checkers​

• WooCommerce Keys: Added a detector and checker for WooCommerce keys.
• Iyzico API Keys: Added a detector and checker for Iyzico API credentials.
• Mercado Pago OAuth: Added a detector and checker for Mercado Pago OAuth credentials.
• Kie AI API Key: Added a detector and checker for Kie AI API keys.
• Momo Credentials: Added a detector and checker for Momo credentials.
• Bitbucket HTTP Access Token: Added a detector and checker for Bitbucket HTTP access tokens.
• Cartesia API Key: Added a detector and checker for Cartesia API keys.
• PostgreSQL Credentials: Added a detector and checker for PostgreSQL assignment credentials without port.
• MariaDB Credentials: Added a detector and checker for MariaDB assignment credentials without port.
• Azure Event Hub Key: Added a detector and checker for Azure Event Hub keys.
• Azure Container Registry Key: Added a detector and checker for Azure Container Registry keys.
• Coralogix Personal Key: Added a detector and checker for Coralogix Personal keys.
• Coralogix Send-Your-Data Key: Added a detector and checker for Coralogix Send-Your-Data keys.
• Azure Web PubSub Connection String: Added a detector and checker for Azure Web PubSub connection strings.
• Azure Batch Credentials: Added a detector and checker for Azure Batch credentials.
• Azure APIM Gateway Key: Added a detector and checker for Azure APIM Gateway keys.
• Azure IoT Provisioning Connection String: Added a detector and checker for Azure IoT Provisioning connection strings.
• Azure AI Search Key: Added a detector and checker for Azure AI Search keys.
• GitLab CI/CD Job Token: Added a detector and checker for GitLab CI/CD Job tokens.
• Pagar.me API Key: Added a detector and checker for Pagar.me API keys.
• PostHog Personal API Key: Added a detector and checker for PostHog Personal API keys.

New Detectors​

• Yookassa API Key: Added a new detector for Yookassa API keys.
• WireGuard Credentials: Added a new detector for WireGuard credentials.
• Nuclei Private Key: Added a new detector for Nuclei signing keys.
• PostHog Project API Key: Added a new detector for PostHog Project API keys.
• OpenClaw Auth Token: Added a new detector for OpenClaw Auth tokens.

Detector Improvements​

• MongoDB Credentials: Improved the precision of the MongoDB Assignment No Port detector by removing false positives.
• MySQL Credentials: Improved detection precision for MySQL assignment no port by removing false positives.
• Oracle Credentials: Improved the Oracle JDBC connection string detector by increasing the minimum match length for the password.
• Username Password: Improved recall of the password regex.
• Neo4j Credentials: Fixed catastrophic backtracking when matching host.
• Generic High Entropy Secret: The detector now catches secrets assigned to variables like SECURITY_KEY.
• Databricks Authentication Token: Added support for optional single digit postfix in Databricks tokens.
• FTP Credentials: Improved recall of the FTP credentials assignment detector.
• Postman API Key: Checker now reports 403 response status code as invalid.
• Cloudflare CA Key: Updated checker to properly report 401 status code as invalid.
• Google API Key: The checker now detects more valid keys.
• Alchemy API Key: Updated deprecated base URL and request parameters in checker.
• LDAP Credentials: Added a connect timeout to the checker.

New Analyzers​

• Anthropic Admin Key: Added a new analyzer for Anthropic Admin keys.
• Azure DevOps PAT With Org: Added a new analyzer for Azure DevOps PAT with Organization.

Analyzer Upgrades​

• PostgreSQL Credentials: The analyzer now properly reports the error message instead of raising an unexpected error upon access denied for database.
• SendGrid Key: The analyzer now properly reports when no scopes are found.

New Revokers​

• SendGrid Key: Added revoker for SendGrid API keys.
• Slack User Token: Added revoker for Slack user tokens.
• Slackbot Token: Added revoker for Slackbot tokens.
• Heroku Platform Key: Added revoker for Heroku platform keys.

  Release Date: January 29, 2026

This release adds 7 new detectors for AI, cloud, and communication platforms including Modelscope, Deepgram, and ZegoCloud, along with enhanced Azure SAS URL detection.

New Detectors and Checkers​

• Modelscope API Key: Added a detector and checker for Modelscope API keys.
• Proxmox API Token: Added a detector and checker for Proxmox API tokens.
• ZegoCloud Secret: Added a detector and checker for ZegoCloud secrets.
• Deepgram API Key: Added a detector and checker for Deepgram API keys.
• Microsoft Power Apps Webhook: Added a detector and checker for Microsoft Power Apps Webhook URLs.
• Mem0 API Key: Added a detector and checker for Mem0 API keys.

New Detectors​

• Obsidian API Key: Added a new detector for Obsidian API keys.

Detector Improvements​

• Azure SAS URL: Widened the regex to catch more types of Azure SAS URLs.
• Okta OAuth Credentials With Host: Adjusted detector to catch more client secrets.
• Azure Entra Access Token: Fixed a crash that occurred on invalid JWT tokens.
• Azure OpenAI API Key: Improved precision of detector.
• Azure Logic App Sig Key: Deprecated detector as it caused false positives and caught secrets already detected by the Azure SAS URL detector.

Analyzer Upgrades​

• Azure SAS URL: The azure_sas_url checker now verifies the expiration date of SAS tokens.

  Release Date: January 12, 2026

This release introduces 18+ new detectors covering cloud platforms, databases, and DevOps tools.

New Detectors and Checkers​

• Oracle Credentials: Added a detector and checker for Oracle JDBC connection string.
• Azure Entra App Secret: Added a detector and checker for Azure Entra App Secret.
• Azure Entra Access Token: Added a detector and checker for Azure Entra Access Token.
• GitLab SCIM Token: Added a detector and checker for GitLab SCIM Token.
• GitLab Agent Kubernetes Token: Added a detector and checker for GitLab Agent Kubernetes Token.
• ASI:One API Key: Added a detector and checker for ASI:One API keys.
• Azure IoT Device Connection String: Added a detector and checker for Azure IoT Device Connection String.
• Xendit Secret API Key: Added a detector and checker for Xendit Secret API Key.
• Supabase API Key: Added a detector and checker for Supabase API Key.
• Neoload Web Access Token: Added a detector and checker for Neoload Web Access Token.
• MongoDB Credentials: Added a new detector and checker for MongoDB assignment that does not match port.
• Azure Cache for Redis Access Key: Added a detector and checker for Azure Cache for Redis Access Key.

New Detectors​

• GitLab Feed Token: Added a new detector for GitLab feed token.
• Clerk Webhook Token: Added a new detector for Clerk Webhook Token.
• Better Auth Secret: Added a new detector for Better Auth Secret.
• Elastic Search API Key: Added a new detector for Elastic Search API Key.
• Redis Credentials: Added a new detector for Redis assignment that does not match port.
• Azure Relay Key: Added a new detector for Azure Relay Key.

Detector Improvements​

• Doppler API Key: Improved the Doppler API Key detector by widening the regex.
• Databricks Token With Hostname: Improved the Databricks Token With Hostname detector by adding support for GCP Databricks.
• JetBrains TeamCity Config Value: Fixed crash in detector that can happen with some false positives.
• Scraper API Key: Improved precision of detector.
• Slack Webhook URL: Improved the Slack Webhook URL detector to increase precision and reduce false positives.
• MongoDB Credentials: Enhanced the precision of MongoDB Assignment detector by removing the assignment prefix and adding post validators to ban other databases.
• Okta Keys: Do not match ReCAPTCHA site keys.
• Tailscale Pre-Authentication Key: Upgraded the Tailscale Pre-Authentication Key detector by widening the regex.

Analyzer Upgrades​

• Auth0 Keys: The auth0_keys analyzer now surfaces a wider range of error messages.
• Auth0 Keys: Report 404 status code as invalid for auth0_keys checker.
• Cohere API Key: Updated cohere_apikey checker to call a valid endpoint. The previous endpoint has been deprecated and removed.

  Release Date: December 15, 2025

This release introduces new detectors for Cloudflare R2 and Azure SAS URL, significant improvements to multiple detectors.

New Detectors and Checkers​

• Cloudflare R2 Token: Added a detector and checker for Cloudflare R2 tokens.
• Azure SAS URL: Added a detector and checker for Azure SAS URLs.
• MySQL Credentials: Added a new MySQL assignment detector that doesn't match ports.

New Checkers​

• Tailscale SCIM Key: Added a new checker for Tailscale SCIM keys.

Detector Improvements​

• SendGrid Key: Updated regex to make it stricter and updated checker endpoint.
• Dwolla Keys: Updated detector to include more values.
• PubNub Publish and Subscription Keys: Updated detector to use an AggregateMatcher instead of explicitly listing multiple matchers.
• Google OAuth2 Keys: Updated detector to use an AggregateMatcher instead of explicitly listing multiple matchers.
• Azure Cosmos DB Keys: Updated detector to use an AggregateMatcher instead of explicitly listing multiple matchers.
• Generic High Entropy Secret: Upgraded detector to remove false positives due to Google Tag Manager.
• HashiCorp Vault Token: Improved detector to not match one-time URLs anymore.
• Discord Webhook URL: Improved detector by widening the webhook_id length restrictions.
• Alchemy API Key: Updated checker endpoint.
• Fireworks AI API Key: Fixed the checker.

Miscellaneous​

• Added support for 378 new secret providers for improved incident prioritization on generic secrets.

  Release Date: December 5, 2025

This release introduces 6 new detectors with comprehensive coverage for cloud services and databases and support for 883 new secret providers.

New Detectors and Checkers​

• HighLevel Private Integration Token: Added a detector and checker for HighLevel Private Integration Token.
• Elastic API Key: Added a detector and checker for Elastic API keys.
• Google Cloud Keys: Added a detector and checker for Google Cloud Keys in base64 format.
• Socket Dev API Key: Added a detector and checker for Socket Dev API keys.
• Upstash Redis Credentials: Added a detector and checker for Upstash Redis credentials.
• Vapid Key: Added a new detector for Vapid keys.

New Checkers​

• Oracle Credentials: Added a new checker for Oracle credentials.

Detector Improvements​

• Cloudflare API Credentials: Updated checker to work with multiple types of tokens.
• MySQL Credentials: Enhanced recall of MySQL Assignment detector by removing the constraint on the prefix.
• GitLab Token: Updated gitlab_personal_token_v2 to cover new patterns.
• Fireworks AI API Key: Updated detector regex to improve recall.
• JSON Web Token: Fixed detector crashing if the expiration date was set to "inf".
• SSH Credentials: Updated SSH password detector to use an AggregateMatcher instead of explicitly listing multiple matchers.
• Duo Keys: Updated detector to use an AggregateMatcher instead of explicitly listing multiple matchers.
• Azure Event Grid Access Key: Updated Azure Event Grid Access Key With Host detector to use an AggregateMatcher instead of explicitly listing multiple matchers.

Analyzer Upgrades​

• AWS IAM: Removed aws_iam analyzer as AWS IAM scope analysis is now performed by NHI integration with AWS.

Miscellaneous​

• Added support for 883 new secret providers for improved incident prioritization on generic secrets.

  Release Date: November 18, 2025

This release adds a new Google Cloud Access Token detector and checker, along with improvements to Hashicorp Vault, PagerDuty, Docker, and FullStory detectors.

New Detectors and Checkers​

• Google Cloud Access Token: Added a new detector and checker for Google Cloud Access Tokens.

Detector Improvements​

• Hashicorp Vault Token: Updated Hashicorp Vault Token detector to catch more types of patterns.
• Google Cloud Access Token: Updated documentation and metadata for Google Cloud Access Tokens detector.
• PagerDuty Authorization Token: Updated regex with token prefix for PagerDuty authorization token detector.

Analyzer Upgrades​

• Docker Credentials: Updated docker_credentials checker endpoint.
• FullStory API Key: Updated fullstory_api_key checker endpoint.

  Release Date: November 10, 2025

This release introduces 13 new detectors covering AI services (Hume AI, Azure AI Face, AssemblyAI), cloud platforms (AWS Bedrock, Grafbase), and databases (Neon), plus improvements to Kubernetes, Pinecone, and Discord detectors.

New Detectors and Checkers​

• Hume AI API Key: Added a new detector and checker for Hume AI API keys.
• Hume AI Secret Key: Added a new detector and checker for Hume AI Secret keys.
• Azure AI Face Authentication: Added a new detector and checker for Azure AI Face Authentication.
• Neon API Key: Added a new detector and checker for Neon API keys.
• E2B API Key: Added a new detector and checker for E2B API keys.
• MailerSend API Key: Added a new detector and checker for MailerSend API keys.
• Scraper API Key: Added a new detector and checker for Scraper API keys.
• AIProxy API Key: Added a new detector for AIProxy API keys.
• Cloudsmith Entitlement Token: Added a new detector and checker for Cloudsmith Entitlement Tokens.
• AWS Bedrock Long-term API Key: Added a new detector and checker for AWS Bedrock Long-term API keys.
• Harness API Key: Added a new detector and checker for Harness API keys.
• Grafbase Access Token: Added a new detector and checker for Grafbase Access Tokens.
• AssemblyAI Access Token: Added a new detector and checker for AssemblyAI Access Tokens.

Detector Improvements​

• Generic Password: Removed keyword timeout to increase recall.
• Pinecone API Key: Added new detector pinecone_api_key_v2 following the new API key format, with checkers for both v2 and the original format.
• Pinecone API Keys: Deprecated detector, to be replaced by pinecone_api_key detector.
• Keycloak API Keys: Updated provider and company name to Keycloak.
• Discord Bot Token: Updated to match new pattern.
• Kubernetes JWT: Improved performance of Kubernetes JWT detector.
• Tableau Personal Access Token: Improved regex pattern for matching Tableau personal access tokens.
• Sendinblue Key: Updated provider name to Brevo (new company name).

Analyzer Upgrades​

• Snowflake Credentials: The checker for snowpark_api_credentials secrets can now recognize more valid or invalid secrets.
• Kubernetes Cluster Certificate: Changed Kubernetes API endpoint and validated the JSON answer.
• Kubernetes JWT: Changed Kubernetes API endpoint and validated the JSON answer.

  Release Date: October 21, 2025

This release adds a new Coveo API Key detector, improvements to Resend and DigitalOcean detectors, and fixes proxy support for HTTP checkers.

New Detectors and Checkers​

• Coveo API Key: Added a detector and checker for Coveo API keys.

Detector Improvements​

• Resend API Key: Detector upgrade to remove false positives.

Analyzer Upgrades​

• DigitalOcean Spaces Token: The analyzer now checks for permissions to list buckets.

Engine Enhancements​

• Fixed proxy support for HTTP checkers.

  Release Date: October 10, 2025

This release introduces new detectors for Comet, Langfuse, and Okta credentials, plus improvements to MySQL and PostgreSQL analyzers.

New Detectors and Checkers​

• Comet API Key: Added a detector and checker for Comet API keys.
• Langfuse Credentials: Added a detector and checker for Langfuse credentials.
• Okta OAuth Credentials with Host: Added a detector and checker for Okta OAuth credentials with host.
• Okta API Token with Host: Added a detector and checker for Okta API tokens with host.

Detector Improvements​

• Generic Password: Detector upgrade to remove false positives in lock files.

Analyzer Upgrades​

• MySQL Credentials: The secret-analyzer now uses pymysql instead of mysql-connector-python for lighter weight implementation.
• PostgreSQL Credentials: Fixed failure in the analyzer when roles have quotes around them.

Miscellaneous​

• Improved GitHub classic analyzer for GitHub Enterprise that was using an old logic.

  Release Date: September 22, 2025

This release brings a major expansion with 16+ new detectors covering AI services (VirusTotal, Stability AI, Dify, Llama Cloud), cloud platforms (Cloudflare, AWS Cognito, Azure Cosmos DB), and DevOps tools (GitLab, Artifactory, Kubernetes).

New Detectors​

• Virustotal API Key – New detector for VirusTotal API keys.
• Cloudflare Turnstile Secret Key – Added a new detector for Cloudflare Turnstile secret keys.
• Stability AI API Key – Add a detector for Stability AI API Key.
• Azure Cognito OAuth Credentials – Added a new detector for AWS Cognito OAuth credentials.
• Azure Cognito OAuth Credentials with Host – Added detector with host-specific checks and checker.
• Artifactory Access Token – Allow for dashes in JFrog Artifactory hostnames.
• Artifactory Basic Auth Credentials – Allow for dashes in JFrog Artifactory hostnames.
• Artifactory Reference Token with Host – Allow for dashes in JFrog Artifactory hostnames.
• Artifactory Token with Host – Allow for dashes in JFrog Artifactory hostnames.
• GitLab Feature Flags Client Token with Project ID – Detect Gitlab feature flags tokens and associated project id.
• Kubernetes JWT with Host – New detector for Kubernetes JWT with host.
• GitLab Trigger Token – Add detector for GitLab Trigger Tokens.
• Brave Search API Key – Brave Search API keys.
• GitLab Deploy Token – GitLab deploy tokens.
• Firecrawl API Key – Firecrawl API keys.
• Dify API Key – Dify API keys.
• GitLab Runner Authentication Token – GitLab runner authentication tokens.
• Ubidots API Key – Ubidots API keys.
• Vapi API Key – Vapi API keys.
• Llama Cloud API Key – Llama Cloud API keys.
• Azure Cosmos DB Credentials – Extend host pattern to improve recall.
• GitLab Token – Restrict detector pattern to reduce false positives.
• ODBC Connection String – Improve ODBC connection string precision.

New or Updated Checkers​

• Various new and updated checkers accompany the new detectors, including host-specific and project-id aware checkers, improving verification and reducing false positives. See each detector for the exact checker entries.

  Release Date: September 15, 2025

This release adds new detectors for Weaviate and Cursor API keys, enhanced Snowflake validation support, and improvements to JWT handling and Google API key validation.

New Detectors​

• Weaviate Token with Hostname – Detects Weaviate tokens associated with specific hostnames.
• Cursor API Key – Adds detection for Cursor Admin & User API keys.

New Checkers​

• Weaviate Token with Hostname – Validity checker for identified tokens.
• Cursor API Key – Validity checker supporting Cursor Admin & User API keys.
• Snowflake Credentials
  • New validity checker for snowflake_uri detector.
  • New validity checker for snowpark_api_credentials detector.

Detector Improvements​

• Company Email + Password – Improved to exclude Zoom meeting details as false positives.
• Generic High Entropy Secret – Now ignores JSON Web Tokens; JWTs are handled by the dedicated json_web_token detector.
• Google API Key – Checker upgrade: Updated googleaiza checker to avoid reporting all secrets as valid.
• Jira Basic Auth – Fixed false positives.

  Release Date: August 27, 2025

This release introduces new detectors and checkers for various API keys, enhancements to existing detection capabilities, and improvements to documentation and testing processes.

New Detectors​

• Africa's Talking API Key – Africa's Talking provides SMS, voice, and payment APIs for businesses in Africa.
• Clipdrop API Key – Clipdrop offers AI-powered image editing and enhancement tools.
• StackHawk API Key – StackHawk enables automated application security testing for developers.
• Murf API Key – Murf provides AI voice generation and text-to-speech services.

Detector Improvements​

• Stripe Keys – Updated Stripe checker to prevent timeouts during checks.

  Release Date: August 7, 2025

This release focuses on enhancing the GitLab token detector and improving our CI processes.

Detector Improvements​

• GitLab Token – Detector Upgrade: Broader regex for gitlab_personal_token_v2 to match longer tokens, enhancing detection capabilities for GitLab personal tokens.

  Release Date: July 25, 2025

This release introduces new detectors for Weights & Biases API keys and Mercado Pago access tokens, along with significant improvements to existing detectors including Azure subscription keys and Bitbucket access tokens.

New Detectors​

• Weights & Biases API Key – Detects API keys for Weights & Biases services.
• Bitbucket App Password – New detector for Bitbucket app passwords to improve recall.
• Mercado Pago Access Token – Detects access tokens for Mercado Pago payment services.

New Checkers​

These checkers are implemented to verify the detected secrets, adding another layer of security and ensuring their validity and correct application:

• Mercado Pago Access Token

Detector Improvements​

• Azure Subscription Key – Improved precision of Azure subscription key detector.
• X AI API Key – Properly report disabled API keys as invalid.
• Bitbucket Access Token – Restricted the detector to detect only Bitbucket repositories access tokens.
• CodeClimate Key – Deprecated CodeClimate key checker.

  Release Date: July 15, 2025

This release introduces new detectors for GitLab incoming mail tokens, Coze personal access tokens, Tavus API keys, and more. It also includes significant improvements to existing detectors and analyzers, such as those for Zendesk, Sendinblue, and Algolia, enhancing detection accuracy and performance.

New Detectors​

• GitLab Incoming Mail Token – Detects tokens used for GitLab incoming mail.
• Coze Personal Access Token – Detects personal access tokens for Coze services.
• Tavus API Key – Recognizes API keys for Tavus services.
• Heroku Platform Key – Detects prefixed variants of Heroku Platform Keys.
• SSH Credentials – New detector ssh_password_with_port allows matching SSH passwords with ports.
• Tableau Cloud PAT – Detects personal access tokens for Tableau Cloud.
• Notion Integration Token v2 – Detects the new Notion token format.

New Checkers​

These checkers are implemented to verify the detected secrets, adding another layer of security and ensuring their validity and correct application:

• Coze Personal Access Token
• Tavus API Key
• Heroku Platform Key
• Tableau Cloud PAT
• Notion Integration Token v2
• Salesforce OAuth2

Detector Improvements​

• Google OAuth2 Keys – Improved precision for Google OAuth2 detector.
• Zendesk Token – Improved analyzer performance.
• Sendinblue Key – Improved analyzer performance.
• Generic High Entropy Secret – No longer considers IDs in ServiceNow migration files as secrets.
• Algolia Keys – Improved analyzer performance.
• Fastly Personal Token – Improved analyzer performance.
• [Hugging Face User Access] – Improved analyzer performance.

Engine Enhancements​

• All JWT detectors will now only catch signed JWTs, enhancing security.

  Release Date: July 2, 2025

This release introduces new detectors for AI71 and AMP API tokens, along with significant improvements to existing detectors and analyzers, such as those for GitHub, Slack, and DigitalOcean, enhancing detection accuracy and performance.

New Detectors​

• AI71 API Key – Detects API keys for AI71 services.
• AMP API Token – Recognizes API tokens for AMP services.

New Checkers​

These checkers are implemented to verify the detected secrets, adding another layer of security and ensuring their validity and correct application:

• AI71 API Key
• AMP API Token

Detector Improvements​

• Kubernetes Docker Secret – Enhanced detection for kubernetes.io/dockercfg secrets with more precise regex for JWTs.
• MySQL Assignment – Restricted the maximum number of secrets per document to prevent combinatorial explosion.
• Sourcegraph Token – Updated regex for sourcegraph_access_token_v3 as per customer request.
• GitHub Access Token – Improved GitHub classic analyzer performance.
• HashiCorp Vault Token – Improved precision for HashiCorp Vault token detection.
• Confluent Keys – Updated checker for Confluent API keys.
• GitHub Fine-Grained PAT – Analyzer now handles archived repositories.
• Slack Tokens – Improved SlackBot analyzer performance. Applies to Slackbot, Slack App, and Slack User tokens.
• DigitalOcean Spaces Token – Fixed checker for tokens that do not have permission to list buckets.

  Release Date: June 16, 2025

This release introduces several new detectors for Kubernetes user certificates, NVIDIA API keys, and various other services such as Alchemy, OpenRouter, and Duffel. We've also made improvements to existing detectors for enhanced detection accuracy and reduced false positives.

New Detectors​

• Kubernetes User Certificate with Port – Extracts port numbers for Kubernetes user certificates.
• NVIDIA API Key – Detects API keys for NVIDIA services.
• Alchemy API Key v2 – Identifies API keys for Alchemy services.
• OpenRouter API Key – Detects API keys for OpenRouter services.
• Duffel API Key – Recognizes API keys for Duffel services.
• Apify Token – Captures tokens for Apify services.
• Jina API Key – Detects API keys for Jina services.
• Deno Account Token – Identifies tokens for Deno accounts.
• Segment Workspace Key v2 – Detects workspace keys for Segment services.
• Resend API Key – Recognizes API keys for Resend services.
• VKontakte Access Token – Detects access tokens for VKontakte services.
• Fireworks AI API Key – Captures API keys for Fireworks AI services.

New Checkers​

These checkers are implemented to verify the detected secrets, adding another layer of security and ensuring their validity and correct application:

• Kubernetes User Certificate with Port
• Alchemy API Key v2
• OpenRouter API Key
• Duffel API Key
• Apify Token
• Jina API Key
• Deno Account Token
• Resend API Key
• VKontakte Access Token
• Fireworks AI API Key

Detector Improvements​

• Generic High Entropy Secret – Removed AWS ECR images that were misclassified as secrets.
• Google OAuth2 Keys – Improved regex for better detection accuracy.
• Checkout Secret Key – Updated endpoint to avoid deprecated usage.
• Checkout Sandbox Secret Key – Enhanced pattern and updated endpoint for improved accuracy.
• Bunny.net API Key – Fixed checker for better validation.
• Dify API Key – Updated checker endpoint for enhanced detection.

  Release Date: June 10, 2025

This release adds 12 new detectors covering GitLab tokens, Kubernetes JWTs, Laravel encryption keys, and API keys for AI services like Dify, Firecrawl, and Llama Cloud. We've also enhanced existing detectors for Ubidots, Azure Cosmos DB, GitLab tokens, and ODBC connections to improve accuracy and reduce false positives.

New Detectors​

• Laravel Encryption Key with Host – Detects Laravel encryption keys associated with a host.
• GitLab Feature Flags Client Token with Project ID – Identifies tokens and project IDs for GitLab feature management.
• Kubernetes JWT with Host – Detects JWTs used in Kubernetes environments.
• GitLab Trigger Token – Recognizes tokens for triggering GitLab pipelines.
• Brave Search API Key – Detects API keys for accessing Brave Search.
• GitLab Deploy Token – Identifies deploy tokens for managing GitLab project deployments.
• Firecrawl API Key – Detects API keys for Firecrawl services.
• Dify API Key – Detects API keys for Dify services.
• GitLab Runner Authentication Token – Captures authentication tokens for GitLab runners.
• Ubidots API Key – Detects API keys for Ubidots.
• Vapi API Key – Detects API keys for Vapi services.
• Llama Cloud API Key – Ensures detection of API keys for Llama Cloud.

New Checkers​

These checkers are implemented to verify the detected secrets, adding another layer of security and ensuring their validity and correct application:

• Laravel Encryption Key with Host
• GitLab Feature Flags Client Token with Project ID
• Kubernetes JWT with Host
• Brave Search API Key
• Firecrawl API Key
• Dify API Key
• GitLab Runner Authentication Token

Detector Improvements​

• Ubidots Token – Now includes new secret prefixes and improved checker responses for tokens from disabled accounts.
• Azure Cosmos DB Credentials – Enhanced host pattern to improve recall and detection accuracy.
• GitLab Token – Refined pattern to minimize false positives.
• ODBC Connection String – Advanced detection precision for ODBC strings.

Engine Enhancements​

• Expanded detection pattern list for encrypted strings to increase precision.
• Enhanced AssignmentRegexMatcher for N prefixed strings in SQL, supporting Microsoft SQL Server.

  Release Date: May 29, 2025

In our latest release, we have focused on refining our detection capabilities and introducing new tools to enhance the security of your digital assets. This update includes a new detector for GitLab feature flags tokens, along with significant improvements to existing detectors for AMQP credentials, Confluent keys, and Azure services.

New Detectors​

• GitLab Feature Flags Client Token – Detects tokens used for managing feature flags in GitLab projects, crucial for controlling feature rollouts and ensuring smooth deployment processes.

Detector Improvements​

• AMQP Credentials – Detector Upgrade: Enhanced multimatch selection to reduce false positive combinations, vital for secure message queuing in distributed systems.
• Confluent Keys – Detector Upgrade: Improved multimatch selection for better accuracy and fewer false positives, essential for managing access to Kafka clusters.
• Generic High Entropy Secret – Detector Upgrade: Excludes secrets ending with '.certificate' from being reported, reducing noise by ignoring non-sensitive certificates.
• Artifactory Token – Analyzer Upgrade: Improved stability by preventing crashes when analyzing secrets with multiple scopes, key for managing and securing software artifacts.
• Microsoft Azure Storage Connection String – Checker Upgrade: Enhanced to accept additional fields, crucial for accessing and managing Azure storage resources securely.
• Microsoft Azure Storage Account Key – Detector Upgrade: Increased precision, reducing false positives, critical for safeguarding data in cloud storage.

Miscellaneous​

• Established a priority rule favoring the confluent_api_keys detector over amqp_assignment and amqp_assignment_attached_port detectors.

  Release Date: May 20, 2025

In this release, we've focused on improving detection capabilities for Azure services, given their importance in cloud infrastructure. By introducing new detectors for Azure Entra ID tokens, Communication Services, and App Configuration connection strings, we aim to strengthen the protection of sensitive Azure credentials. These enhancements are essential for maintaining robust security, enabling organizations to use Azure's features safely.

New Detectors​

• Azure Entra ID Tokens – Detects tokens used for authentication within Azure's identity management service, Entra ID.
• Azure Communication Services Connection Strings – Identifies connection strings for Azure's comprehensive communication platform.
• Azure DevOps Personal Access Token – Recognizes personal access tokens used to authenticate with Azure DevOps.
• Laravel Encryption Key – Detects encryption keys used in Laravel applications for data security.
• Azure App Configuration Connection String – Identifies connection strings for managing application settings in Azure.
• X AI API Keys – Detects API keys for accessing X AI's artificial intelligence services.

Detector Improvements​

• Microsoft Azure Storage Connection String – Detector Upgrade: Improved regex precision for more accurate detection.
• ODBC Connection String – Detector Upgrade: Enhanced regex precision to better identify ODBC connection strings.
• Jira Token – Detector Upgrade: Corrected host regex to accurately match ports.
• SMB Credentials – Detector Upgrade: Now allows percent sign as a separator between username and password in host matches.
• Octopus API Key – Checker Upgrade: Updated to use the correct API endpoint, resolving issues with secret validity checks.

  Release Date: April 29, 2025

As AI adoption accelerates across organizations, securing API keys for platforms like Perplexity AI and Anthropic becomes increasingly critical. This update introduces specialized detectors for these emerging AI services alongside improvements to existing detectors and Azure cloud components.

New Detectors​

• Perplexity AI API Keys – Added a new detector for Perplexity AI API keys.
• Azure SignalR Connection String – Introduced a new detector for Azure SignalR Connection Strings.
• Azure Event Grid Access Key – Added new detectors for Azure Event Grid Access Keys and a New Checker for the azure_event_grid_access_key_with_host detector.
• Anthropic Admin Keys – Introduced a new detector and New Checker for Anthropic admin keys.
• GitGuardian Platform Magic Link – Added a new detector for GitGuardian Platform Magic Links.

Detector Improvements​

• LDAP Credentials – Checker Upgrade: Improved the LDAP checker to better distinguish between connection errors and invalid credentials. Updated ldap_credentials_assignment_with_dn to remove false positives.
• JSON Web Token – Detector Upgrade: The detector will now detect all JWTs regardless of their contents.
• Cloudinary API Keys – Detector Upgrade: Extended charset of cloudinary_api_key_config to improve recall.
• Auth0 Keys – Detector Upgrade: Improved recall of the detector to detect more domains.
• Claude API Key – Detector Upgrade: Refined regex for Claude API keys.
• Riot Games API Key – Checker Updated: Banlist checker will be deleted.
• LINE Notify Token – Checker Updated: Banlist checker as the service has been discontinued.

  Release Date: April 14, 2025

We're enhancing our engine with a major focus on Artifactory secret detection. Artifactory is a critical artifact repository manager used by thousands of organizations to store, manage, and distribute software packages and dependencies. Compromised Artifactory credentials can lead to supply chain attacks, allowing attackers to poison software dependencies or access proprietary code.

Multiple new detectors have been added for Artifactory:​

• Artifactory Reference Token
• Artifactory Reference Token With Host
• Artifactory Master Key
• Artifactory Basic Auth Credentials

Detector Improvements​

• Snowflake Credentials – The Snowpark API credentials detector has been enhanced to identify more patterns.
• IBM Cloud Key – We reduced false positives in the IBM Platform API key detector.
• PlanetScale Database Password - Expanded detection to cover more host names for the Planetscale database password detector.
• Artifactory Token With Host - Improved precision for host names.

  Release Date: March 19, 2025

This release adds a new Azure Logic App SAS detector, along with improvements to LINE Messaging and OpenAI API Key detectors.

New Detectors​

• Azure Logic App Shared Access Signature – New detector for Azure Logic App Shared Access Signature.

Detector Improvements​

• LINE Messaging OAuth2 – Removed false positives from the LINE Messaging OAuth2 detector.
• OpenAI API Key – Fixed a bug in the analyzer for OpenAI API Key that prevented it from reporting threads:* scopes.

Detector changes​

• FCM API Key – Removed FCM API Key checker since its API was removed.

Miscellaneous​

• Add User Agent GitGuardian in HTTPClient class used by analyzers.

  Release Date: February 27, 2025

This update introduces several critical security detectors for popular services, notably expanding OpenAI detection capabilities with new Project API Key, Admin API Key, and improved Service Account detection patterns. The addition of 1Password Service Account Token detection is equally significant, as both these services represent high-value security targets. OpenAI API keys provide access to powerful AI capabilities and could lead to substantial usage charges if compromised, while 1Password tokens could potentially expose entire password vaults containing sensitive credentials across an organization.

New Detectors​

• OpenAI Project API Key (v2) – Added support for detecting the new format of OpenAI project API keys.
• OpenAI Admin API Key – New detection capability for OpenAI admin API keys.
• Netlify Token (v2) – Introduced detection for the latest version of Netlify tokens.
• 1Password Service Account Token – New detector added to identify 1Password service account tokens.
• DeepSeek API Key – Now detecting DeepSeek API keys.

Improved Detection​

• OpenAI Service Account – Expanded pattern coverage for better identification.
• Rails Master Key – Updated detection rules to minimize false positives.
• GitHub Tokens – Improved recall and validation for GitHub authentication tokens.
• Groq API Key – Enhanced detection rules for greater accuracy.
• Artifactory Token – New checker added to improve detection effectiveness.
• Generic Passwords – Excluded secrets containing ***** as they are likely false positives.
• Dropbox Key – Detector group split into Dropbox Key and Dropbox Access Token for improved granularity.
• FCM API Key – Validity check is no longer available since the API has been removed. While we can no longer retrieve the validity status for FCM secrets, we still detect the keys.

  Release Date: February 11, 2025

This release introduces 5 new detectors including SMB Credentials, Azure Storage Connection String, DeepSeek API Key, Netlify Token v2, and 1Password Service Account Token.

New Detectors​

• SMB Credentials – New detector smb_uri to detect SMB credentials inside a connection URI.
• Microsoft Azure Storage Connection String – New detector for Azure Blob Storage connection strings and a New Checker.
• DeepSeek API Key – Added detector and New Checker for DeepSeek API.
• Netlify Token v2 – New detector added for Netlify token v2.
• 1Password Service Account Token – New detector added for 1Password service account token.

Detector Improvements​

• Microsoft Azure Storage Account Key – Detector Upgrade: Removed a false positive from Microsoft Azure Storage Account Key (example from Microsoft documentation).
• Generic Password – Detector Upgrade: Removed secrets with ***** as they are likely to be false positives.
• Groq API Key – Detector Upgrade: Improved recall for Groq API.
• Netlify Token – Checker Upgrade: Updated checker to match the documentation.

Engine Enhancements​

• Enabled HTTPChecker to function without a base URL.
• Network caching has been improved in some analyzers, resulting in fewer HTTP calls.

  Release Date: January 28, 2025

This release adds new detectors for Artifactory Token with Host and HubSpot Private App Token, along with enhanced validation for GitHub tokens.

New Detectors​

• Artifactory Token With Host
• HubSpot Private App Token

Improved Detection for GitHub Tokens​

• Enhanced validation for GitHub Enterprise Token
• Refined rules for various GitHub authentication tokens:
  • OAuth Access Token
  • Personal Access Token
  • Server-to-Server Token
  • GitHub Token
  • User-to-Server Token

Browse all past GitGuardian detection engine releases below, including new and modified detectors.

December 23, 2024​

Secrets Detection​

• Secrets detection engine upgrade to version 2.129:
  • Added 1 detector:
    • GitLab OAuth Application Token
  • Modified 4 detectors:
    • Base64 Generic High Entropy Secret
    • GitGuardian Test Token Checked
    • MSSQL Credentials
    • Zendesk Token

December 12, 2024​

Secrets Detection​

• Secrets detection engine upgrade to version 2.128:
  • Added 4 detectors:
    • Jenkins API token
    • chpasswd Username Password
    • Nessus Agent Key
    • Statsig Server Secret Key
  • Modified 1 detector:
    • FTP credentials assignment

November 18, 2024​

Secrets Detection​

• Secrets detection engine upgrade to version 2.126:
  • Added 4 detectors:
    • X-API-Key Secret
    • Azure Functions App Key Header
    • Azure Functions App Key Query Parameter

November 4, 2024​

Secrets Detection​

• Secrets detection engine upgrade to version 2.125:
  • Added 4 detectors:
    • Cloudflare Tunnel Credentials
    • InfluxDB Token
    • InfluxDB Token with Host
    • Rails Master Key Assignment

October 21, 2024​

Secrets Detection​

• Secrets detection engine upgrade to version 2.124:
  • Added 1 detector:
    • BitBucket App Password
  • Modified 5 detectors:
    • Generic CLI Option Secret
    • MongoDB CLI Credentials
    • MySQL CLI Credentials
    • PostgreSQL CLI Credentials
    • Redis CLI Password

October 7, 2024​

Secrets Detection​

• Secrets detection engine upgrade to version 2.122: Enhance recall and coverage while expanding the range of detectable secrets with new and updated detectors.
  • Added 3 detectors:
    • Atlassian Access Token
    • Bitbucket Access Token
    • Mistral AI API Key
  • Modified 1 detector:
    • Base64 Generic High Entropy Secret

August 26, 2024​

Secrets Detection​

Secrets detection engine upgrade to v2.120: Enhance recall and coverage while expanding the range of detectable secrets with updated detectors.

• Added 2 detectors:
  • Generic Password YAML
  • Buildkite API Token V2
• Modified 6 detectors:
  • Generic Database Assignment
  • Base64 Generic High Entropy Secret
  • Generic Password
  • Username Password
  • DigitalOcean Spaces Keys
  • reCAPTCHA Key

Note concerning the reCAPTCHA Key detector: Due to changes in the behavior of some Google APIs, we are no longer able to ensure the validity of reCaptcha keys. As this detector could be quite "noisy" the validity of the keys was a mandatory prerequisite in the detection flow and this can no longer be the case. We have however improved this detector to be as efficient as possible.

August 14, 2024​

Secrets Detection​

• Secrets detection engine upgrade to version 2.117: Enhance recall and coverage while expanding the range of detectable secrets with new and updated detectors.
  • Added 2 detectors: Serpapi Token and Tavily API Key
  • Modified 1 detector: GitLab Token

July 15, 2024​

Secrets Detection​

• Secrets detection engine upgrade to version 2.116: Enhance recall and coverage while expanding the range of detectable secrets with new and updated detectors.

  Added 1 detector

  • JetBrains TeamCity config value
  Modified 3 generic detectors

  • Base64 Generic High Entropy Secret
  • Base64 Generic High Entropy Secret
  • Generic Password
  Modified 78 specific detectors

  We have enhanced our approach to searching for the prefix linked to the secret, considering more complex scenarios. This allows us to improve recall.

  
  

  • Adafruit IO API Key
  • Airtable API Key v2
  • Alchemy API Key
  • Amazon MWS Token
  • Checkout.com Sandbox API Secret Key
  • CircleCI Personal Token
  • Claude API Key
  • Clojars Deploy Token
  • Cloudinary API key URL
  • Contentful Content Management API Key
  • DigitalOcean OAuth Application Token V1
  • DigitalOcean Personal Access Token V1
  • DigitalOcean Refresh Token V1
  • Discord Webhook URL
  • Docker Swarm Join Token
  • Docker Swarm Unlock Key
  • EasyPost API Key
  • Firebase Cloud Messaging API Key
  • Figma Personal Access Token
  • Flutterwave API Key
  • Frame IO Token
  • GitHub fine-grained personal access token
  • GitHub Oauth Access Token
  • GitHub Personal Access Token
  • GitHub Server-to-server Token
  • GitHub User-to-server Token
  • GitLab Token
  • Grafana Cloud API Key
  • Grafana Service Account Token
  • Groq API Key
  • Heartland API key
  • Langchain API Key
  • Linear API Key
  • Base64 Midtrans API Key
  • Notion Integration Token
  • npm Token Prefixed
  • Nylas API Key
  • OpenAI Project API Key
  • Paystack Key
  • Plaid Access Token
  • PlanetScale OAuth Token
  • Postman API Key
  • PubNub Publish Key
  • Readme API Key
  • Riot Games API Key
  • RubyGems.org API Key
  • Samsara API Key
  • SendinBlue Key v3
  • Sentry Org Auth Token
  • Sentry User Auth Token v2
  • Shippo API token
  • Shopify Generic App Token
  • Shopify Private App Token
  • Slack App Token
  • Slack Configuration Refresh Token
  • Slack Configuration Token
  • Slack User Token
  • Sourcegraph Access Token v3
  • Sourcegraph Enterprise subscription Token
  • Sourcegraph License Key Token
  • Sourcegraph Access Token v2
  • Sourcegraph User Gateway Access Token
  • Sqreen Token
  • Square Access Token
  • Stripe Webhook Secret
  • Tailscale API Key
  • Tailscale OAuth Key
  • Tailscale Pre-Authentication Key
  • Tailscale SCIM Key
  • Tailscale Webhook Key
  • Typeform API Token
  • Ubidots Token
  • Vercel Blob Token
  • WakaTime API Key
  • WePay token
  • Yandex Predictor API Key
  • Zillow Key
  • Zuplo API Key

June 17, 2024​

Secrets Detection​

• Secrets detection engine upgrade to version 2.115: Enhance recall and coverage while expanding the range of detectable secrets with new and updated detectors.
  • 4 detectors added: Sentry Org Auth Token, Sentry User Auth Token v2, Slack Configuration Refresh Token, Slack Configuration Token
  • 5 detectors updated: Equinix Authentication Token, Sentry User Auth Token v1, Signifyd API Key, Slack Bot Token, Slack User Token

June 4, 2024​

Secrets Detection​

• Secrets detection engine upgrade to version 2.114: Enhance recall and coverage while expanding the range of detectable secrets with new and updated detectors.
  • 9 detectors added: ASP.NET Decryption Key, ASP.NET Validation Key, Langchain API Key, OpenAI Project API Key, OpenAI Service Account, Sourcegraph Enterprise Subscription Token, Sourcegraph License Key Token, Sourcegraph User Gateway Access Token, WakaTime API Key
  • 4 detectors updated: Sentry Token, Generic Database assignment, Generic FTP Assignment, Generic Username Password

May 20, 2024​

Secrets Detection​

• Secrets detection engine: upgrade to version 2.113 with the addition of 5 new detectors (Nylas API Key,Sourcegraph Access Token v3, Duplo Cloud API Key,Fernet Key, Vercel Blob Token) and the improvement of 10 detectors (Base64 Generic High Entropy Secret, Generic Database Assignment, Generic High Entropy Secret, PostgreSQL CLI Credentials, Postgres assignment attached port, PostgreSQL Pgpass Credentials, PostgreSQL URI, Sourcegraph Access Token v2, Yelp API Key, Google Gemini API Key).

April 23, 2024​

Secrets Detection​

• Secrets detection engine: upgrade to version 2.111 with the addition of 3 new detectors (Grafana Cloud API Key, Groq API Key, Nx Cloud Token) and the improvement of 1 detector (Generic High Entropy Secret)

April 15, 2024​

Secrets Detection​

• Secrets detection engine: Generic CLI Secret and Generic Database Assignment detectors are now supported and active by default for data sources other than VCS.
• Secrets detection engine: upgrade to version 2.110 with the addition of 4 new detectors (Dropbox Key, Midtrans API Key, Sanity Token, Zuplo API Key) and the improvements of 3 detectors (Artifactory Token, GoCardless API Key, Plivo Auth Tokens).

April 8, 2024​

Secrets Detection​

• Secrets detection engine: upgrade to version 2.109 with the addition of 2 new detectors (Azure Open AI API key, Kubernetes Docker Secret) and the improvement of 4 detectors (GitLab Token, Google API Key, Okta Keys, Slack Bot Token)

March 18, 2024​

Secrets Detection​

• Secrets detection engine: upgrade to version 2.108 with the addition of 3 new detectors (Snowflake API credentials, Replicate User Access Token, Workato API Key) and the improvement of 3 detectors (Rails Master Key, Generic password, Generic High Entropy secret)