GitHub Adds 28 Secret Detectors Including Snowflake and Vercel API Keys
GitHub expanded its secret scanning capabilities on March 10, 2026, adding 28 new secret detectors from 15 providers while enabling push protection by default for 39 additional patterns. The update targets credentials from major cloud and AI platforms including Vercel, Snowflake, Supabase, and DeepSeek.
The timing matters. Just two days before this announcement, security researchers flagged a massive malware operation spreading through GitHub repositories. Leaked API keys remain one of the most common attack vectors for crypto projects and Web3 infrastructure, where a single exposed Snowflake connection string or Supabase secret key can compromise entire backend systems.
What's Actually New
The 28 new detectors span authentication credentials that developers frequently mishandle. Vercel alone gets six new patterns covering API keys, personal access tokens, and integration tokens. Snowflake adds Postgres connection string detection—particularly relevant given how many DeFi analytics platforms rely on Snowflake for on-chain data warehousing.
Lark, the enterprise collaboration platform popular in Asian markets, receives comprehensive coverage with detectors for app secrets, user sessions, and aPaaS credentials. For teams building on Supabase's open-source Firebase alternative, both personal access tokens and secret keys now trigger alerts.
Push Protection Gets Teeth
The bigger story: 39 existing detectors now block commits by default rather than just alerting after the fact. This includes Databricks tokens (seven different patterns), Heroku Postgres connection URLs, and AWS API keys.
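The same block-before-it-lands idea can be applied locally to the Postgres connection URLs mentioned above. The following is an added example, not GitHub's detector or code from the announcement: the URI regex, the placeholder list, and the sample diff are assumptions made for illustration.

```python
import re
import sys
from urllib.parse import urlsplit

# Assumption: generic postgres:// URI shape, not any provider-specific pattern.
PG_URI = re.compile(r"postgres(?:ql)?://[^\s'\"`]+", re.IGNORECASE)
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
# Assumption: passwords that are templates rather than live credentials.
PLACEHOLDERS = {"password", "changeme", "example", "secret"}

def is_placeholder(pw):
    return pw.lower() in PLACEHOLDERS or pw.startswith(("$", "{", "%", "<"))

def scan_diff(diff_text):
    """Return (path, line, redacted_uri) for added lines with a credentialed Postgres URI."""
    findings, path, lineno = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = re.sub(r"^b/", "", raw[4:])   # new-side file name
            continue
        hunk = HUNK.match(raw)
        if hunk:
            lineno = int(hunk.group(1)) - 1      # new-file line counter
            continue
        if path is None or raw.startswith(("-", "\\")):
            continue                             # headers, removed lines, EOF markers
        lineno += 1
        if not raw.startswith("+"):
            continue                             # context line: counted, not scanned
        for uri in PG_URI.findall(raw[1:]):
            try:
                parts = urlsplit(uri)
            except ValueError:
                continue                         # malformed URI, nothing to parse
            if not parts.password or is_placeholder(parts.password):
                continue
            host = parts.netloc.rsplit("@", 1)[1]
            findings.append((path, lineno, f"{parts.scheme}://{parts.username}:***@{host}{parts.path}"))
    return findings

# Constructed sample diff: one live-looking credential, one env reference, one doc placeholder.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,2 +10,5 @@ import os
 DEBUG = False
+DATABASE_URL = "postgres://app_user:s3cr3t-Constructed@db.example.internal:5432/analytics"
+REPLICA_URL = "postgresql://app_user:${DB_PASSWORD}@replica.example.internal/analytics"
 ALLOWED_HOSTS = []
+DOCS_URL = "postgres://user:password@localhost/demo"
"""

if __name__ == "__main__":
    # Hook usage: git diff --cached | python <this file>; a non-zero exit blocks the commit.
    hits = scan_diff(sys.stdin.read())
    for path, line, uri in hits:
        print(f"{path}:{line}: Postgres URI with embedded password: {uri}")
    sys.exit(1 if hits else 0)
```

Only added lines are scanned, and findings are printed with the password redacted so the hook's own output does not leak the credential into terminal logs.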
For crypto developers, the Pinecone additions stand out. Vector databases have become critical infrastructure for AI-powered trading bots and sentiment analysis tools. Exposed Pinecone credentials could let attackers poison embedding data or exfiltrate proprietary model training information.
Validity Checks Expand
GitHub now automatically verifies whether detected secrets remain active for five additional token types: Airtable personal access tokens, DeepSeek API keys, npm access tokens, Pinecone credentials, and Sentry personal tokens.
The DeepSeek inclusion reflects how quickly AI API keys have become high-value targets. With DeepSeek's models gaining traction as cost-effective alternatives to OpenAI, compromised keys could rack up substantial compute bills or expose proprietary prompts.
These updates apply automatically to repositories with secret scanning enabled, including free public repos. Organizations running private repositories can configure which patterns trigger push protection through their security settings.