Overhaul the "Support patterns" article (#60991)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Joe Clark <31087804+jc-clark@users.noreply.github.com>
Co-authored-by: Sarah Schneider <sarahs@users.noreply.github.com>

Author: 4 people

.github/workflows/headless-tests.yml

@@ -33,6 +33,7 @@ jobs:
         node:
           - playwright-rendering
           - playwright-a11y
+          - playwright-secret-scanning
       fail-fast: false
     timeout-minutes: 60
     steps:

content/code-security/reference/secret-security/supported-secret-scanning-patterns.md

@@ -10,7 +10,6 @@ redirect_from:
   - /code-security/secret-scanning/secret-scanning-partners
   - /code-security/secret-scanning/secret-scanning-patterns
   - /code-security/secret-scanning/introduction/supported-secret-scanning-patterns
-layout: inline
 shortTitle: Supported patterns
 autogenerated: secret-scanning
 contentType: reference
@@ -24,32 +23,33 @@ category:
 
 For in-depth information about each alert type, see [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts).
 
-For details about all the supported patterns, see the [Supported secrets](#supported-secrets) section below.
-
 If you use the REST API for {% data variables.product.prodname_secret_scanning %}, you can use the `Secret type` to report on secrets from specific issuers. For more information, see [AUTOTITLE](/enterprise-cloud@latest/rest/secret-scanning).
 
-If you believe that {% data variables.product.prodname_secret_scanning %} should have detected a secret committed to your repository, and it has not, you first need to check that {% data variables.product.prodname_dotcom %} supports your secret. For more information, refer to the following sections. For more advanced troubleshooting information, see [AUTOTITLE](/code-security/secret-scanning/troubleshooting-secret-scanning-and-push-protection/troubleshooting-secret-scanning).
+### Pattern categories
+
+| Category | Description | Detection approach | Example |
+|----------|-------------|-------------------|---------|
+| **Generic** | Secrets not tied to a specific provider, such as private keys and database connection strings | Regex-based | `rsa_private_key` |
+| **AI-detected** | Generic passwords detected by {% data variables.secret-scanning.copilot-secret-scanning %} using AI models | AI-based | `password` |
+| **Provider** | Secrets tied to a specific service provider (such as AWS, Azure, Stripe) | Regex-based | `aws_access_key_id` |
 
-## Supported secrets
+### Capabilities by category
 
-The tables list the secrets supported by {% data variables.product.prodname_secret_scanning %} for each secret type. Information in the tables may include this data:
+| Capability | Generic patterns | AI-detected | Provider patterns |
+|------------|:-:|:-:|:-:|
+| User alerts | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} |
+| Partner notifications | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} (if partner) |
+| Push protection (default) | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} (most) |
+| Push protection (configurable) | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | Some |
+| Validity checks | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | Some |
+| Extended metadata | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | Some |
+| Base64 format support | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | Some |
 
-* **Provider:** Name of the token provider.{% ifversion fpt or ghec %}
-* **Partner:** Token for which leaks are reported to the relevant token partner. Applies to public repositories and all gists, including secret gists. Secret gists are not private and can be accessed by anyone with the URL. See [About gists](/get-started/writing-on-github/editing-and-sharing-content-with-gists/creating-gists#about-gists).
-* **User:** Token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}.
-  * Applies to public repositories, and to private repositories where {% data variables.product.prodname_GH_secret_protection %} and {% data variables.product.prodname_secret_scanning %} are enabled.
-  * Includes {% ifversion secret-scanning-alert-experimental-list %}default{% else %}high confidence{% endif %} tokens, which relate to supported patterns and specified custom patterns, as well as non-provider tokens such as private keys, which usually have a higher ratio of false positives.
-  * For {% data variables.product.prodname_secret_scanning %} to scan for non-provider patterns, the detection of non-provider patterns must be enabled for the repository or the organization. For more information, see [AUTOTITLE](/code-security/secret-scanning/enabling-secret-scanning-features/enabling-secret-scanning-for-your-repository).
-  {% data reusables.secret-scanning.non-provider-patterns-beta %}{% endif %}{% ifversion ghes %}
-* **{% data variables.product.prodname_secret_scanning_caps %} alert:** Token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}.
-  * Applies to private repositories where {% data variables.product.prodname_GH_secret_protection %} and {% data variables.product.prodname_secret_scanning %} are enabled.
-  * Includes {% ifversion secret-scanning-alert-experimental-list %}default{% else %}high confidence{% endif %} tokens, which relate to supported patterns and specified custom patterns, as well as non-provider tokens such as private keys, which often result in false positives.{% endif %}
-* **Push protection:** Token for which leaks are reported to users on {% data variables.product.prodname_dotcom %}. Applies to repositories with {% data variables.product.prodname_secret_scanning %} and push protection enabled.
-* **Validity check:** Token for which a validity check is implemented. {% ifversion secret-scanning-validity-check-partner-patterns %}For partner tokens, {% data variables.product.prodname_dotcom %} sends the token to the relevant partner. Note that not all partners are based in the United States. For more information, see [{% data variables.product.prodname_AS %}](/free-pro-team@latest/site-policy/github-terms/github-terms-for-additional-products-and-features#advanced-security) in the Site Policy documentation.{% else %} Currently only applies to {% data variables.product.prodname_dotcom %} tokens.{% endif %}
-* **Metadata check:** Token for which extended metadata is available, providing additional context about the detected secret.
-* **Base64:** Token for which Base64-encoded versions are supported.
+>[! NOTE] Validity and extended metadata checks are only available to users with {% data variables.product.prodname_team %} or {% data variables.product.prodname_enterprise %} who enable the feature as part of {% data variables.product.prodname_GH_secret_protection %}.
 
-### Non-provider patterns
+## Supported generic patterns
+
+<!-- Generic is what we know internally as non-provider -->
 
 {% data reusables.secret-scanning.non-provider-patterns-beta %}
 
@@ -96,11 +96,11 @@ Precision levels are estimated based on the pattern type's typical false positiv
 {% endif %}
 
 >[!NOTE]
-> Validity checks are **not supported** for non-provider patterns.
+> Validity checks are **not supported** for generic/ non-provider patterns.
 
 {% ifversion secret-scanning-ai-generic-secret-detection %}
 
-### {% data variables.secret-scanning.copilot-secret-scanning %}
+## Supported AI-detected patterns
 
 {% data variables.product.prodname_secret_scanning_caps %} uses {% data variables.product.prodname_copilot_short %} to detect generic passwords. See [AUTOTITLE](/code-security/secret-scanning/copilot-secret-scanning/responsible-ai-generic-secrets).
 
@@ -111,44 +111,14 @@ Precision levels are estimated based on the pattern type's typical false positiv
 >[!NOTE] Push protection and validity checks are not supported for passwords.
 {% endif %}
 
-### {% ifversion secret-scanning-alert-experimental-list %}Default{% else %}High confidence{% endif %} patterns
-
-<!-- Team plan and GHEC version of table -->
-{% ifversion fpt or ghec %}
-
-> [!NOTE]
-> Validity and extended metadata checks are only available to users with {% data variables.product.prodname_team %} or {% data variables.product.prodname_enterprise %} who enable the feature as part of {% data variables.product.prodname_GH_secret_protection %}.
-
-| Provider | Token | Partner | User | Push protection | Validity check | Metadata check | Base64 |
-|----|:----|:----:|:----:|:----:|:----:|:----:|:----:|
-{%- for entry in secretScanningData %}
-| {{ entry.provider }} | {{ entry.secretType }} | {% if entry.isPublic %}<span role="img" class="octicon-bg-check" aria-label="Supported">✓</span>{% else %}<span role="img" class="octicon-bg-x" aria-label="Unsupported">✗</span>{% endif %} | {% if entry.isPrivateWithGhas %}<span role="img" class="octicon-bg-check" aria-label="Supported">✓</span>{% else %}<span role="img" class="octicon-bg-x" aria-label="Unsupported">✗</span>{% endif %} | {% if entry.hasPushProtection %}<span role="img" class="octicon-bg-check" aria-label="Supported">✓</span>{% else %}<span role="img" class="octicon-bg-x" aria-label="Unsupported">✗</span>{% endif %} | {% if entry.hasValidityCheck %}<span role="img" class="octicon-bg-check" aria-label="Supported">✓</span>{% else %}<span role="img" class="octicon-bg-x" aria-label="Unsupported">✗</span>{% endif %} | {% if entry.hasExtendedMetadata %}<span role="img" class="octicon-bg-check" aria-label="Supported">✓</span>{% else %}<span role="img" class="octicon-bg-x" aria-label="Unsupported">✗</span>{% endif %} | {% if entry.base64Supported %}<span role="img" class="octicon-bg-check" aria-label="Supported">✓</span>{% else %}<span role="img" class="octicon-bg-x" aria-label="Unsupported">✗</span>{% endif %} |
-{%- endfor %}
-
-{% endif %}
-
-<!-- GHES 3.9+ table -->
-{% ifversion ghes %}
-
-| Provider | Token | {% data variables.product.prodname_secret_scanning_caps %} alert | Push protection | Validity check | Base64 |
-|----|:----|:----:|:----:|:----:|:----:|
-{%- for entry in secretScanningData %}
-| {{ entry.provider }} | {{ entry.secretType }} | {% if entry.isPrivateWithGhas %}<span role="img" class="octicon-bg-check" aria-label="Supported">✓</span>{% else %}<span role="img" class="octicon-bg-x" aria-label="Unsupported">✗</span>{% endif %} | {% if entry.hasPushProtection %}<span role="img" class="octicon-bg-check" aria-label="Supported">✓</span>{% else %}<span role="img" class="octicon-bg-x" aria-label="Unsupported">✗</span>{% endif %} | {% if entry.hasValidityCheck %}<span role="img" class="octicon-bg-check" aria-label="Supported">✓</span>{% else %}<span role="img" class="octicon-bg-x" aria-label="Unsupported">✗</span>{% endif %} | {% if entry.base64Supported %}<span role="img" class="octicon-bg-check" aria-label="Supported">✓</span>{% else %}<span role="img" class="octicon-bg-x" aria-label="Unsupported">✗</span>{% endif %} |
-{%- endfor %}
-
-{% endif %}
+## Supported provider patterns
 
-#### Token versions
+Use the table below to search, filter, and browse all supported patterns. You can filter by provider name, push protection support, validity checks, and more.
 
 <a name="token-versions"></a>
 
-Service providers update the patterns used to generate tokens periodically and may support more than one version of a token. Push protection only supports the most recent token versions that {% data variables.product.prodname_secret_scanning %} can identify with confidence. This avoids push protection blocking commits unnecessarily when a result may be a false positive, which is more likely to happen with legacy tokens.<!-- markdownlint-disable-line MD053 -->
-
-## Further reading
+> [!NOTE] Service providers update the patterns used to generate tokens periodically and may support more than one version of a token. Push protection only supports the most recent token versions that {% data variables.product.prodname_secret_scanning %} can identify with confidence. This avoids push protection blocking commits unnecessarily when a result may be a false positive, which is more likely to happen with legacy tokens.<!-- markdownlint-disable-line MD053 -->
 
-* [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning/about-alerts)
-{%- ifversion fpt or ghec %}
-* [AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program)
-{%- endif %}
-* [AUTOTITLE](/code-security/getting-started/securing-your-repository)
-* [AUTOTITLE](/authentication/keeping-your-account-and-data-secure)
+<!-- The interactive "Supported patterns" table is autogenerated from YAML
+     data files in src/secret-scanning/data/pattern-docs/. The dropdown 
+     and column names live in data/ui.yml under secret_scanning. -->

data/ui.yml

@@ -198,6 +198,32 @@ rest_reference:
   notes: Notes
   parameters: Parameters for "{{ RESTOperationTitle }}"
   response: Response
+secret_scanning:
+  search_placeholder: Search by provider or secret name...
+  search_aria_label: Search patterns
+  filter_aria_label: Filter secret scanning patterns
+  filter_push_protection: 'Push protection'
+  filter_validity_check: 'Validity check'
+  filter_partner_alert: 'Partner alert'
+  filter_metadata: Metadata check
+  filter_base64: Base64
+  filter_all: All
+  filter_yes: 'Yes'
+  filter_no: 'No'
+  showing_patterns: 'Showing {filtered} of {total} patterns'
+  column_provider: Provider
+  column_secret: Secret
+  column_partner: Partner
+  column_user_alert: User alert
+  column_push_protection: Push protection
+  column_validity_check: Validity check
+  column_metadata: Metadata check
+  column_base64: Base64
+  bool_yes: 'Yes'
+  bool_no: 'No'
+  token_versions: Token versions
+  table_title: Supported patterns
+  pagination_label: Secret scanning patterns pagination
   request_example: Request example
   request_examples: Request examples
   example_response: Example response

src/article-api/transformers/secret-scanning-transformer.ts

@@ -66,6 +66,34 @@ export class SecretScanningTransformer implements PageTransformer {
     context.markdownRequested = true
     let content = await page.render(context)
 
+    // Inject the full patterns table for agent/crawler access
+    // (The React DataTable is not rendered in markdown mode)
+    if (context.secretScanningData && context.secretScanningData.length > 0) {
+      const bool = (v: unknown) => (v ? '✓' : '✗')
+      const escape = (s: string) => s.replace(/\\/g, '\\\\').replace(/\|/g, '\\|')
+      // Strip HTML from secretType before inserting into markdown table rows.
+      // The isduplicate logic above appends <br/><a> HTML which would break
+      // single-line markdown table rows once <br/> is later converted to \n.
+      const cleanSecretType = (s: string) =>
+        s
+          .replace(
+            / <br\/><a href="#token-versions">Token versions<\/a>/,
+            ', [Token versions](#token-versions)',
+          )
+          .replace(/<br\s*\/?>/gi, ', ')
+          .replace(/<a\s+href="([^"]*)"[^>]*>([^<]*)<\/a>/gi, '[$2]($1)')
+          .replace(/<[^>]+>/g, '')
+      const header =
+        '| Provider | Secret | Secret type | Partner | User alert | Push protection | Validity check | Metadata | Base64 |'
+      const separator = '| --- | --- | --- | :---: | :---: | :---: | :---: | :---: | :---: |'
+      const rows = context.secretScanningData.map(
+        (entry: Record<string, unknown>) =>
+          `| ${escape(String(entry.provider))} | ${escape(String(entry.supportedSecret))} | ${escape(cleanSecretType(String(entry.secretType)))} | ${bool(entry.isPublic)} | ${bool(entry.isPrivateWithGhas)} | ${bool(entry.hasPushProtection)} | ${bool(entry.hasValidityCheck)} | ${bool(entry.hasExtendedMetadata)} | ${bool(entry.base64Supported)} |`,
+      )
+      const table = ['\n\n## Supported patterns\n', header, separator, ...rows].join('\n')
+      content += table
+    }
+
     // Strip HTML comments from the rendered content
     content = content.replace(/<!--.*?-->/gs, '')
 
@@ -75,11 +103,16 @@ export class SecretScanningTransformer implements PageTransformer {
     // Convert <br/> tags to newlines and <a href="...">text</a> to markdown links
     content = content.replace(/<br\s*\/?>/gi, '\n')
     content = content.replace(/<a\s+href="([^"]*)"[^>]*>([^<]*)<\/a>/gi, '[$2]($1)')
-    // Strip any remaining HTML tags (loop to handle nested/malformed tags)
+    // Strip any remaining HTML tags. Loop until stable to handle nested or
+    // malformed tags (e.g. "<scr<script>ipt>"). Limit iterations to prevent
+    // infinite loops on pathological input.
     let previous = ''
-    while (content !== previous) {
+    let iterations = 0
+    const MAX_STRIP_ITERATIONS = 10
+    while (content !== previous && iterations < MAX_STRIP_ITERATIONS) {
       previous = content
       content = content.replace(/<[^>]+>/g, '')
+      iterations++
     }
 
     // Normalize whitespace after stripping comments