[EDI] Defining custom patterns for secret scanning (#59777)

sabrowning1 · sophietheking · web-flow · commit 84c9d71b4344 · 2026-02-24T21:30:32.000Z
Co-authored-by: Sophie &lt;29382425+sophietheking@users.noreply.github.com&gt;
diff --git a/content/code-security/concepts/secret-security/custom-patterns.md b/content/code-security/concepts/secret-security/custom-patterns.md
@@ -0,0 +1,20 @@
+---
+title: Custom patterns
+intro: 'Detect secret types specific to your organization with custom patterns.'
+versions:
+  fpt: '*'
+  ghes: '*'
+  ghec: '*'
+topics:
+  - Secret scanning
+  - Secret Protection
+contentType: concepts
+---
+
+You can define custom patterns to identify secrets that are not detected by the default patterns supported by {% data variables.product.prodname_secret_scanning %}. For example, you might have a secret pattern that is internal to your organization. For a list of supported secrets and service providers, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns).
+
+Custom patterns for {% data variables.product.prodname_secret_scanning %} are defined as regular expressions, and can be created at the enterprise, organization, or repository level. You can also enable push protection for custom patterns, stopping those secrets from ever reaching your repository.
+
+## Next steps
+
+To start using custom patterns, see [AUTOTITLE](/code-security/how-tos/secure-your-secrets/customize-leak-detection/defining-custom-patterns-for-secret-scanning).
diff --git a/content/code-security/concepts/secret-security/index.md b/content/code-security/concepts/secret-security/index.md
@@ -15,6 +15,7 @@ children:
   - /about-push-protection
   - /about-secret-security-with-github
   - /about-alerts
+  - /custom-patterns
   - /about-validity-checks
   - /about-delegated-bypass-for-push-protection
   - /about-bypass-requests-for-push-protection
diff --git a/content/code-security/how-tos/secure-your-secrets/customize-leak-detection/defining-custom-patterns-for-secret-scanning.md b/content/code-security/how-tos/secure-your-secrets/customize-leak-detection/defining-custom-patterns-for-secret-scanning.md
@@ -1,7 +1,7 @@
 ---
 title: Defining custom patterns for secret scanning
 shortTitle: Define custom patterns
-intro: You can define your own custom patterns to extend the capabilities of {% data variables.product.prodname_secret_scanning %} by generating one or more regular expressions.
+intro: Protect your unique secret types by defining custom patterns with regular expressions.
 product: '{% data reusables.gated-features.secret-scanning-custom-patterns %}'
 permissions: '{% data reusables.permissions.security-enterprise-enable %}'
 redirect_from:
@@ -19,38 +19,11 @@ topics:
   - Secret scanning
 ---
 
-## About custom patterns for {% data variables.product.prodname_secret_scanning %}
-
-You can define custom patterns to identify secrets that are not detected by the default patterns supported by {% data variables.product.prodname_secret_scanning %}. For example, you might have a secret pattern that is internal to your organization. For details of the supported secrets and service providers, see [AUTOTITLE](/code-security/secret-scanning/introduction/supported-secret-scanning-patterns).
-
-You can define custom patterns for your enterprise, organization, or repository. {% data variables.product.prodname_secret_scanning_caps %} supports up to 500 custom patterns for each organization or enterprise account, and up to 100 custom patterns per repository.
-
-You can also enable push protection for custom patterns. For more information about push protection, see [AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning).
-
-## About using regular expressions for custom patterns
-
-You can specify custom patterns for {% data variables.product.prodname_secret_scanning %} as one or more regular expressions.
-
-{% data variables.product.prodname_secret_scanning_caps %} uses the [Hyperscan library](https://github.com/intel/hyperscan) and only supports Hyperscan regex constructs, which are a subset of PCRE syntax. Hyperscan option modifiers are not supported. For more information on Hyperscan pattern constructs, see [Pattern support](http://intel.github.io/hyperscan/dev-reference/compilation.html#pattern-support) in the Hyperscan documentation.
-
-{% ifversion secret-scanning-custom-pattern-ai-generated %}Regular expressions can be entered manually or generated using {% data variables.secret-scanning.copilot-secret-scanning %}'s {% data variables.secret-scanning.custom-pattern-regular-expression-generator %}.
-
-### Regular expression syntax for manually defining custom patterns {% endif %}
-
-The **More options {% octicon "chevron-down" aria-hidden="true" aria-label="chevron-down" %}** section in the UI helps you write regular expressions manually.
-
-* **Secret format:** an expression that describes the format of the secret itself.
-* **Before secret:** an expression that describes the characters that come before the secret. By default, this is set to `\A|[^0-9A-Za-z]` which means that the secret must be at the start of a line or be preceded by a non-alphanumeric character.
-* **After secret:** an expression that describes the characters that come after the secret. By default, this is set to `\z|[^0-9A-Za-z]` which means that the secret must be followed by a new line or a non-alphanumeric character.
-* **Additional match requirements:** one or more optional expressions that the secret itself must or must not match.
-
-For simple tokens you will usually only need to specify a secret format. The other fields provide flexibility so that you can specify more complex secrets without creating complex regular expressions. For an example of a custom pattern, see [Example of a custom pattern specified using additional requirements](#example-of-a-custom-pattern-specified-using-additional-requirements) below.
-
 {% ifversion secret-scanning-custom-pattern-ai-generated %}
 
-### Using {% data variables.secret-scanning.copilot-secret-scanning %}'s {% data variables.secret-scanning.custom-pattern-regular-expression-generator %}
+## Defining a custom pattern with {% data variables.product.prodname_copilot_short %}
 
-{% data reusables.secret-scanning.regular-expression-generator-overview %} For more information, see [AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-regex-generator) and [AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/generating-regular-expressions-for-custom-patterns-with-copilot-secret-scanning).
+You can use {% data variables.secret-scanning.copilot-secret-scanning %} to generate regular expressions based on a text description of the type of pattern you would like to detect, including optional example strings that should be detected. See [AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/generating-regular-expressions-for-custom-patterns-with-copilot-secret-scanning).
 
 {% endif %}
 
@@ -68,44 +41,13 @@ Before defining a custom pattern, you must ensure that {% ifversion ghas-product
 1. When you're ready to test your new custom pattern, to identify matches in the repository without creating alerts, click **Save and dry run**.
 {% data reusables.advanced-security.secret-scanning-dry-run-results %}
 {% data reusables.advanced-security.secret-scanning-create-custom-pattern %}
-1. Optionally, to enable push protection for your custom pattern, click **Enable**.
+1. Optionally, to enable push protection for your custom pattern, click **Enable**. For more information, see [AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning).
 
    > [!NOTE]
    > The "Enable" button isn't available until after the dry run succeeds and you publish the pattern.
 
-   For more information about push protection, see [AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning).
-
 After your pattern is created, {% data reusables.secret-scanning.secret-scanning-process %} For more information on viewing {% data variables.secret-scanning.alerts %}, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning).
 
-### Example of a custom pattern specified using additional requirements
-
-A company has an internal token with five characteristics. They use the different fields to specify how to identify tokens as follows:
-
-| **Characteristic** | **Field and regular expression** |
-|----------------|------------------------------|
-| Length between 5 and 10 characters | Secret format: `[$#%@AA-Za-z0-9]{5,10}` |
-| Does not end in a `.` | After secret: `[^\.]` |
-| Contains numbers and uppercase letters | Additional requirements: secret must match `[A-Z]` and `[0-9]` |
-| Does not include more than one lowercase letter in a row | Additional requirements: secret must not match `[a-z]{2,}` |
-| Contains one of `$%@!` | Additional requirements: secret must match `[$%@!]` |
-
-These tokens would match the custom pattern described above:
-
-```shell
-a9@AAfT!         # Secret string match: a9@AAfT
-ee95GG@ZA942@aa  # Secret string match: @ZA942@a
-a9@AA!ee9        # Secret string match: a9@AA
-```
-
-These strings would not match the custom pattern described above:
-
-```shell
-a9@AA.!
-a@AAAAA
-aa9@AA!ee9
-aAAAe9
-```
-
 ## Defining a custom pattern for an organization
 
 Before defining a custom pattern, you must ensure that you enable {% data variables.product.prodname_secret_scanning %} for the repositories that you want to scan in your organization. {% ifversion security-configurations %} You can use {% data variables.product.prodname_security_configurations %} to enable {% data variables.product.prodname_secret_scanning %} on all repositories in your organization. For more information, see [AUTOTITLE](/code-security/securing-your-organization/introduction-to-securing-your-organization-at-scale/about-enabling-security-features-at-scale).{% else %}
diff --git a/content/code-security/reference/secret-security/custom-patterns.md b/content/code-security/reference/secret-security/custom-patterns.md
@@ -0,0 +1,61 @@
+---
+title: Custom patterns reference
+shortTitle: Custom patterns
+intro: Use specific regular expression syntax to define accurate custom patterns for {% data variables.product.prodname_secret_scanning %}.
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '*'
+topics:
+  - Secret scanning
+  - Secret Protection
+contentType: reference
+---
+
+## Regular expression library for custom patterns
+
+{% data variables.product.prodname_secret_scanning_caps %} custom patterns are defined using the [Hyperscan library](https://github.com/intel/hyperscan) and only support Hyperscan regex constructs, which are a subset of PCRE syntax. Hyperscan option modifiers are not supported. For more information on Hyperscan pattern constructs, see [Pattern support](https://intel.github.io/hyperscan/dev-reference/compilation.html#pattern-support) in the Hyperscan documentation.
+
+## Syntax for manually defining custom patterns
+
+The **More options {% octicon "chevron-down" aria-hidden="true" aria-label="chevron-down" %}** section in the UI helps you write regular expressions manually.
+
+* **Secret format:** an expression that describes the format of the secret itself.
+* **Before secret:** an expression that describes the characters that come before the secret. By default, this is set to `\A|[^0-9A-Za-z]` which means that the secret must be at the start of a line or be preceded by a non-alphanumeric character.
+* **After secret:** an expression that describes the characters that come after the secret. By default, this is set to `\z|[^0-9A-Za-z]` which means that the secret must be followed by a new line or a non-alphanumeric character.
+* **Additional match requirements:** one or more optional expressions that the secret itself must or must not match.
+
+For simple tokens you will usually only need to specify a secret format. The other fields provide flexibility so that you can specify more complex secrets without creating complex regular expressions.
+
+### Example custom pattern
+
+A company has an internal token with five characteristics. They use the different fields to specify how to identify tokens as follows:
+
+| **Characteristic** | **Field and regular expression** |
+|----------------|------------------------------|
+| Length between 5 and 10 characters | Secret format: `[$#%@AA-Za-z0-9]{5,10}` |
+| Does not end in a `.` | After secret: `[^\.]` |
+| Contains numbers and uppercase letters | Additional requirements: secret must match `[A-Z]` and `[0-9]` |
+| Does not include more than one lowercase letter in a row | Additional requirements: secret must not match `[a-z]{2,}` |
+| Contains one of `$%@!` | Additional requirements: secret must match `[$%@!]` |
+
+These tokens would match the custom pattern described above:
+
+```shell
+a9@AAfT!         # Secret string match: a9@AAfT
+ee95GG@ZA942@aa  # Secret string match: @ZA942@a
+a9@AA!ee9        # Secret string match: a9@AA
+```
+
+These strings would not match the custom pattern described above:
+
+```shell
+a9@AA.!
+a@AAAAA
+aa9@AA!ee9
+aAAAe9
+```
+
+## Limits
+
+{% data variables.product.prodname_secret_scanning_caps %} supports up to 500 custom patterns for each organization or enterprise account, and up to 100 custom patterns per repository.
diff --git a/content/code-security/reference/secret-security/index.md b/content/code-security/reference/secret-security/index.md
@@ -13,7 +13,7 @@ children:
   - /understanding-github-secret-types
   - /supported-secret-scanning-patterns
   - /secret-scanning-detection-scope
+  - /custom-patterns
   - /risk-report-csv-contents
   - /secret-scanning-pattern-configuration-data
 ---
-
diff --git a/data/reusables/advanced-security/secret-scanning-add-custom-pattern-details.md b/data/reusables/advanced-security/secret-scanning-add-custom-pattern-details.md
@@ -1,7 +1,7 @@
 1. Enter the details for your new custom pattern. You must at least provide the name for your pattern, and a regular expression for the format of your secret pattern.
    1. In the "Pattern name" field, type a name for your pattern.
-   1. In the "Secret format" field, type a regular expression for the format of your secret pattern.{% ifversion secret-scanning-custom-pattern-ai-generated %} Alternatively, you can use the generator to generate a regular expression for you. For more information, see [AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/generating-regular-expressions-for-custom-patterns-with-copilot-secret-scanning).{% endif %}
-   1. You can click **More options {% octicon "chevron-down" aria-hidden="true" aria-label="chevron-down" %}** to provide other surrounding content or additional match requirements for the secret format.
+   1. In the "Secret format" field, type a regular expression for the format of your secret pattern.
+   1. You can click **More options {% octicon "chevron-down" aria-hidden="true" aria-label="chevron-down" %}** to provide other surrounding content or additional match requirements for the secret format. See [AUTOTITLE](/code-security/reference/secret-security/custom-patterns#syntax-for-manually-defining-custom-patterns).
    1. Provide a sample test string to make sure your configuration is matching the patterns you expect.
 
 {% ifversion fpt or ghec %}
diff --git a/data/reusables/gated-features/secret-scanning-custom-patterns.md b/data/reusables/gated-features/secret-scanning-custom-patterns.md
@@ -1,10 +1 @@
-Custom patterns for {% data variables.product.prodname_secret_scanning %} is available for the following repository types:
-
-{% ifversion fpt %}
-* Organization-owned repositories on {% data variables.product.prodname_team %} with [{% data variables.product.prodname_GH_secret_protection %}](/get-started/learning-about-github/about-github-advanced-security) enabled{% endif %}
-
-{% ifversion ghec %}
-* Organization-owned repositories on {% data variables.product.prodname_team %} or {% data variables.product.prodname_ghe_cloud %} with [{% data variables.product.prodname_GH_secret_protection %}](/get-started/learning-about-github/about-github-advanced-security) enabled{% endif %}
-
-{% ifversion ghes %}
-* Organization-owned repositories with [{% data variables.product.prodname_GH_secret_protection %}](/get-started/learning-about-github/about-github-advanced-security) enabled{% endif %}
+Organization-owned repositories on {% data variables.product.prodname_team %} or {% data variables.product.prodname_enterprise %} with [{% data variables.product.prodname_GH_secret_protection %}](/get-started/learning-about-github/about-github-advanced-security) enabled
diff --git a/data/reusables/secret-scanning/push-protection-enterprise-note.md b/data/reusables/secret-scanning/push-protection-enterprise-note.md
@@ -1,3 +1,3 @@
 > [!NOTE]
-> * To enable push protection for custom patterns, {% data variables.product.prodname_secret_scanning %} as push protection needs to be enabled at the enterprise level. For more information, see [AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-your-enterprise).
+> * To enable push protection for custom patterns, {% data variables.product.prodname_secret_scanning %} as push protection needs to be enabled at the enterprise level.
 > * Enabling push protection for commonly found custom patterns can be disruptive to contributors.
diff --git a/data/reusables/secret-scanning/push-protection-org-notes.md b/data/reusables/secret-scanning/push-protection-org-notes.md
@@ -1,4 +1,4 @@
 > [!NOTE]
 > * The option to enable push protection is visible for published patterns only.
-> * Push protection for custom patterns will only apply to repositories in your organization that have {% data variables.product.prodname_secret_scanning %} as push protection enabled. For more information, see [AUTOTITLE](/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization).
+> * Push protection for custom patterns will only apply to repositories in your organization that have {% data variables.product.prodname_secret_scanning %} as push protection enabled.
 > * Enabling push protection for commonly found custom patterns can be disruptive to contributors.
