A secret-scanning alert is easier to act on when the label tells you how the secret was found. GitHub has renamed two detector categories, but the underlying detection behavior has not changed.
Quick answer
“Non-provider patterns” are now “generic patterns,” while “Copilot secret scanning” is now “AI-detected secrets.” Provider patterns find service-issued credentials; generic patterns and AI detection cover secrets such as private keys, connection strings, and passwords.
# A provider-shaped credential can match a known format.
PAYMENT_API_KEY=replace-with-real-secret
# A generic password may need structure, entropy, or context.
DATABASE_PASSWORD=replace-with-real-secret
what changed
The update changes product wording only. Webhooks, audit log events, REST API behavior, and detection logic remain compatible. GitHub describes patterns as deterministic checks that can combine regular expressions with signals such as entropy, while AI detection uses surrounding code to identify less structured secrets.
This is a current platform change, so confirm availability for your plan, organization, and installed client before changing a production workflow. Preview features can also change faster than generally available controls.
who should use it
Security responders should use the detector type as context, not as a severity score. A valid provider token usually has a clear revocation path. A generic password may require identifying the system, owner, reuse, and exposure window before remediation is complete.
The practical question is whether the feature removes a real bottleneck or security gap in your workflow. A new control is not valuable merely because it exists; it needs an owner, a narrow purpose, and an observable result.
a safe implementation
- Confirm whether the value is real or test data.
- Check validity and ownership.
- Revoke or rotate before removing it from code.
- Search history, forks, logs, and deployment variables for reuse.
Make the first rollout small enough to reverse. Record the previous behavior, the setting or command that changed it, and the person responsible for deciding whether the experiment expands.
the mistake to avoid
Deleting the current line is not enough because Git history and caches may still contain the value. Do not close an AI-detected alert merely because the string lacks a familiar token prefix.
Convenience features still operate inside your existing trust model. Repository permissions, protected environments, review rules, test accounts, and audit logs remain important even when the new workflow removes manual steps.
how to verify it
Confirm the old credential no longer authenticates, the application uses the replacement, and secret scanning no longer reports an active exposure. Record the incident timeline and affected systems for future audits.
Keep the verification evidence in the pull request or rollout ticket. That gives reviewers something concrete to evaluate and gives the next person a known baseline when the platform changes again.
rollout checklist
- Confirm the feature and client version are available.
- Test with non-production data and minimum permissions.
- Capture expected success and failure behavior.
- Document rollback and ownership.
- Recheck the official announcement before a wide rollout.
official reference
The announcement is the source of truth for availability and product behavior. This article focuses on the implementation decisions teams should make around it.