From b4948a9450659ff5afcbf8c8d35866c13f87d372 Mon Sep 17 00:00:00 2001
From: Hannah Gould <44214179+hagould@users.noreply.github.com>
Date: Tue, 26 May 2026 17:37:04 -0700
Subject: [PATCH] Fix ghs_ token regex for new stateless format (#1840)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 hooks/secrets-scanner/scan-secrets.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hooks/secrets-scanner/scan-secrets.sh b/hooks/secrets-scanner/scan-secrets.sh
index c5fee2e8..8ecbc5e1 100755
--- a/hooks/secrets-scanner/scan-secrets.sh
+++ b/hooks/secrets-scanner/scan-secrets.sh
@@ -30,7 +30,7 @@ PATTERNS=(
   # GitHub tokens
   "GITHUB_PAT|critical|ghp_[0-9A-Za-z]{36}"
   "GITHUB_OAUTH|critical|gho_[0-9A-Za-z]{36}"
-  "GITHUB_APP_TOKEN|critical|ghs_[0-9A-Za-z]{36}"
+  "GITHUB_APP_TOKEN|critical|ghs_[0-9A-Za-z._-]{36,}"
   "GITHUB_REFRESH_TOKEN|critical|ghr_[0-9A-Za-z]{36}"
   "GITHUB_FINE_GRAINED_PAT|critical|github_pat_[0-9A-Za-z_]{82}"