# Supported Secret Categories ## Overview | Category | Example Providers & Tokens | Notes | | ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Cloud platforms | AWS access keys, Azure Storage SAS tokens, GCP API keys, IBM COS HMAC keys, SoftLayer credentials, HashiCorp Terraform passwords | Alerts include remediation guidance and links to rotation documentation. | | Developer tooling & CI | GitHub personal access tokens, Bitbucket app passwords, Artifactory API keys, npm access tokens, Slack webhooks, SendGrid API keys, Airtable tokens, Square access tokens | Nullify suppresses known test tokens while flagging production secrets introduced in commits or history. | | Authentication artefacts | JWTs, HTTP basic-auth strings, OAuth bearer tokens, webhook signing secrets | Detectors parse headers and base64 payloads to catch embedded credentials. | | Generic API keys | High-entropy keys that do not match a known provider but behave like credentials | Rules combine entropy thresholds with contextual keywords to minimise false positives. | | Personally identifiable information | Email addresses, phone numbers, postal addresses, dates of birth, payment cards | PII detections are explained in [Confidential Data Detection](https://docs.nullify.ai/capabilities/code-reviews/secrets-detection/confidential-data-detection). | Have a provider that is not listed? Define a [custom pattern](https://docs.nullify.ai/capabilities/code-reviews/secrets-detection/..#policy-controls) or contact Nullify support to add a managed detector.