cloudflare · ethulia · Apr 9, 2026
@@ -18,9 +18,14 @@ Existing tokens continue to work. Every new token you create or [roll](/fundamen
 
 ## Leaked token detection
 
-The prefixed format and checksum allow credential scanning tools to detect leaked Cloudflare tokens with high confidence. Cloudflare partners with scanning providers to find your tokens before they can be used maliciously.
+The prefixed format and checksum allow credential scanning tools to detect leaked Cloudflare tokens with high confidence. Cloudflare partners with credential scanning providers to proactively find your leaked tokens and revoke them before they can be used maliciously.
 
-When a leaked token is detected, Cloudflare automatically revokes it and sends an email to the token owner so you can generate a replacement.
+### GitHub Secret Scanning
+
+Cloudflare participates in [GitHub's Secret Scanning program](https://docs.github.com/en/code-security/secret-scanning/introduction/about-secret-scanning). GitHub scans every commit for Cloudflare API credentials in both public and private repositories.
+
+- **Public repositories** — When GitHub detects a leaked Cloudflare token, it verifies the token using the checksum and sends Cloudflare a webhook. Cloudflare automatically revokes the token and notifies you by email so you can generate a replacement.
+- **Private repositories** — GitHub notifies you about any leaked Cloudflare tokens so you can rotate them.
 
 ## Pre-2026 formats