Add "multi-part secrets" section to "Supported secret scanning patterns" article (#57088)

am-stead · subatoi · erinhav · web-flow · commit f44914692651 · 2025-09-10T08:42:27.000Z
Co-authored-by: Ben Ahmady &lt;32935794+subatoi@users.noreply.github.com&gt;
Co-authored-by: Erin Havens &lt;erinhav@github.com&gt;
diff --git a/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md b/content/code-security/secret-scanning/introduction/supported-secret-scanning-patterns.md
@@ -101,6 +101,18 @@ In addition to these generic non-provider patterns, {% data variables.product.pr
 
 Service providers update the patterns used to generate tokens periodically and may support more than one version of a token. Push protection only supports the most recent token versions that {% data variables.product.prodname_secret_scanning %} can identify with confidence. This avoids push protection blocking commits unnecessarily when a result may be a false positive, which is more likely to happen with legacy tokens.<!-- markdownlint-disable-line MD053 -->
 
+#### Multi-part secrets
+
+<a name="multi-part-secrets"></a>
+
+By default, {% data variables.product.prodname_secret_scanning %} supports validation for pair-matched access keys and key IDs.
+
+{% data variables.product.prodname_secret_scanning_caps %} also supports validation for individual key IDs for Amazon AWS Access Key IDs, in addition to existing pair matching.
+
+A key ID will show as active if {% data variables.product.prodname_secret_scanning %} confirms the key ID exists, regardless of whether or not a corresponding access key is found. The key ID will show as `inactive` if it's invalid (for example, if it is not a real key ID).
+
+Where a valid pair is found, the {% data variables.product.prodname_secret_scanning %} alerts will be linked.<!-- markdownlint-disable-line MD053 -->
+
 ## Further reading
 
 * [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts)
diff --git a/src/secret-scanning/data/public-docs.yml b/src/secret-scanning/data/public-docs.yml
@@ -199,6 +199,7 @@
   isPrivateWithGhas: true
   hasPushProtection: true
   hasValidityCheck: '{% ifversion fpt or ghes %}false{% else %}true{% endif %}'
+  ismultipart: true
   base64Supported: false
   isduplicate: false
 - provider: Amazon AWS
diff --git a/src/secret-scanning/middleware/secret-scanning.ts b/src/secret-scanning/middleware/secret-scanning.ts
@@ -46,6 +46,9 @@ export default async function secretScanning(
     if (entry.isduplicate) {
       entry.secretType += ' <br/><a href="#token-versions">Token versions</a>'
     }
+    if (entry.ismultipart) {
+      entry.secretType += ' <br/><a href="#multi-part-secrets">Multi-part secrets</a>'
+    }
   })
 
   return next()
diff --git a/src/types.ts b/src/types.ts
@@ -311,6 +311,7 @@ export type SecretScanningData = {
   isPrivateWithGhas: boolean
   hasPushProtection: boolean
   hasValidityCheck: boolean | string
+  ismultipart?: boolean
   base64Supported: boolean
   isduplicate: boolean
 }

Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,9 @@ export default async function secretScanning(`
`46`	`46`	`if (entry.isduplicate) {`
`47`	`47`	`entry.secretType += ' <br/><a href="#token-versions">Token versions</a>'`
`48`	`48`	`}`
	`49`	`+ if (entry.ismultipart) {`
	`50`	`+ entry.secretType += ' <br/><a href="#multi-part-secrets">Multi-part secrets</a>'`
	`51`	`+ }`
`49`	`52`	`})`
`50`	`53`
`51`	`54`	`return next()`
Original file line number	Diff line number	Diff line change
`@@ -311,6 +311,7 @@ export type SecretScanningData = {`
`311`	`311`	`isPrivateWithGhas: boolean`
`312`	`312`	`hasPushProtection: boolean`
`313`	`313`	`hasValidityCheck: boolean \| string`
	`314`	`+ ismultipart?: boolean`
`314`	`315`	`base64Supported: boolean`
`315`	`316`	`isduplicate: boolean`
`316`	`317`	`}`