GitHub Access Token

Description

General

• Documentation: https://docs.github.com/en/rest/overview/other-authentication-methods#via-oauth-and-personal-access-tokens

• Summary: GitHub is a code hosting platform for version control and collaboration. GitHub offers a very detailed API to programmatically control accounts. Most calls to API endpoints must be authenticated using dedicated tokens. These detectors focus on catching any type of token giving some access to a GitHub account. Supported GitHub tokens are :

  • Personal Access Tokens : These are issued by a GitHub user with a given scope of permissions. GitGuardian supports both old and new format for these tokens.
  • GitHub OAuth Access Tokens : These tokens are issued in an OAuth flow to authorize an application to act on behalf of a user.
  • GitHub User-to-server Tokens : These tokens are issued for a GitHub App and grant access to some API resources on behalf of a user. They last 8 hours and have to be refreshed afterwhat.
  • GitHub Server-to-server Token : These are tokens issued for a given GitHub App installation. They grant access to some API resources on behalf of an application's installation. These will last an hour by default.
  • Fine-grained Personal Access Tokens : These tokens are regular personal access tokens, but they have a pattern of their own and can have a large variety of scopes.

• IPs allowlist: No

• Scopes: The variety of permissions associated to a GitHub access token depends on the type of token concerned :

  • Several scopes and permissions can be chosen for classic GitHub personal access token
  • In case the leaked token is associated to a GitHub App or a GitHub Oauth App, the token has the permission that the application requested during the authorization flow : see the available list here.
  • Fine-grained personal access token can have a wide variety of permissions [described in the following list] (https://docs.github.com/en/rest/overview/permissions-required-for-fine-grained-personal-access-tokens).

Revoke the secret

Tokens can be revoked from the access tokens panel. Both personal access tokens and other types of tokens can be managed from this page.

Check for suspicious activity

There is no way to check the exact last API calls made with a token. However, GitHub offers the possibility to review quite thoroughly security logs.

Details for Github token

• Family: Api

• Category: Version control platform

• Company: GitHub

• High recall: False

• Validity check available: True

• Analyzer available: True

• On-premise instances exist: True

• Only valid secrets raise an alert: True

• Minimum number of matches: 1

• Occurrences found for one million commits: very rare

• Prefixed: False

• PreValidators:

- type: FilenameBanlistPreValidator
  banlist_extensions:
    - ^csv?$
    - ^ebuild$
    - ^rst$
    - ^txt$
    - ^xcuserstate$
  banlist_filenames:
    - Cartfile\.resolved
    - Portfile$
    - '[0-9]+\.pack$'
    - \.gitrepo$
    - ^m$
    - _config\.yml$
    - arm64
    - build-log
    - dependencies
    - deps
    - kernel
    - monitor\.log
    - ngsw\.json
    - packages
    - release(_|-)notes
    - search_plus_index\.json
    - vendor
    - vendor\.conf
    - x86
  check_binaries: false
  include_default_banlist_extensions: true
  ban_markup: false
- type: ContentWhitelistPreValidator
  patterns:
    - gh[-_.]?api[-_]?key
    - gh[-_.]?token
    - github
- type: ContentWhitelistPreValidator
  patterns:
    - '[0-9a-f]{40}'

Examples

- text: 'github_token: 368ac3edf9e850d1c0ff9d6c526496f8237ddf19'
  apikey: 368ac3edf9e850d1c0ff9d6c526496f8237ddf19

- text: |
    GitHub(81c4ef6cabcf4473bb98b28de4fb9ac606b97f6b)
  apikey: 81c4ef6cabcf4473bb98b28de4fb9ac606b97f6b

- text: |
    GitHubToken = 81c4ef6cabcf4473bb98b28de4fb9ac606b97f61
  apikey: 81c4ef6cabcf4473bb98b28de4fb9ac606b97f61

- text: |
    GitHubToken = "81c4ef6cabcf4473bb98b28de4fb9ac606b97f62"
  apikey: 81c4ef6cabcf4473bb98b28de4fb9ac606b97f62
- text: 'github_token: 368ac3edf9e850d1c0ff9d6c526496f8237ddf19'
  apikey: 368ac3edf9e850d1c0ff9d6c526496f8237ddf19

Details for Github personal access token v2

• Family: Api

• Category: Version control platform

• Company: GitHub

• High recall: False

• Validity check available: True

• Analyzer available: True

• On-premise instances exist: True

• Only valid secrets raise an alert: False

• Minimum number of matches: 1

• Occurrences found for one million commits: 98.07

• Prefixed: False

• PreValidators:

- type: FilenameBanlistPreValidator
  banlist_extensions:
    - ^(cs|x|p|s|r|m)?html5?~?$
    - ^[aps]?cssc?~?$
    - ^csv$
    - ^ebuild$
    - ^storyboard(c|er)?~?$
    - ^xib$
  banlist_filenames: []
  check_binaries: false
  include_default_banlist_extensions: false
  ban_markup: false
- type: ContentWhitelistPreValidator
  patterns:
    - ghp_

Examples

- text: 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
  apikey: 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

# Fat-fingered secret
- text: g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
  apikey: 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

Details for Github user to server token v2

• Family: Api

• Category: Version control platform

• Company: GitHub

• High recall: False

• Validity check available: True

• Analyzer available: True

• On-premise instances exist: True

• Only valid secrets raise an alert: False

• Minimum number of matches: 1

• Occurrences found for one million commits: 2.08

• Prefixed: False

• PreValidators:

- type: FilenameBanlistPreValidator
  banlist_extensions:
    - ^(cs|x|p|s|r|m)?html5?~?$
    - ^[aps]?cssc?~?$
    - ^csv$
    - ^ebuild$
    - ^storyboard(c|er)?~?$
    - ^xib$
  banlist_filenames: []
  check_binaries: false
  include_default_banlist_extensions: false
  ban_markup: false
- type: ContentWhitelistPreValidator
  patterns:
    - ghu_

Examples

- text: ghu_uTzsHn7ntsbrT3RUE7dsGx3Qq4689V2Jzoq0
  apikey: ghu_uTzsHn7ntsbrT3RUE7dsGx3Qq4689V2Jzoq0

# Fat-fingered secret
- text: Xghu_uTzsHn7ntsbrT3RUE7dsGx3Qq4689V2Jzoq0
  apikey: ghu_uTzsHn7ntsbrT3RUE7dsGx3Qq4689V2Jzoq0

Details for Github oauth access token v2

• Family: Api

• Category: Version control platform

• Company: GitHub

• High recall: False

• Validity check available: True

• Analyzer available: True

• On-premise instances exist: True

• Only valid secrets raise an alert: False

• Minimum number of matches: 1

• Occurrences found for one million commits: 2.83

• Prefixed: False

• PreValidators:

- type: FilenameBanlistPreValidator
  banlist_extensions:
    - ^(cs|x|p|s|r|m)?html5?~?$
    - ^[aps]?cssc?~?$
    - ^csv$
    - ^ebuild$
    - ^storyboard(c|er)?~?$
    - ^xib$
  banlist_filenames: []
  check_binaries: false
  include_default_banlist_extensions: false
  ban_markup: false
- type: ContentWhitelistPreValidator
  patterns:
    - gho_

Examples

- text: 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
  apikey: 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

# Fat-fingered secret
- text: X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
  apikey: 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

Details for Github server to server token v2

• Family: Api

• Category: Version control platform

• Company: GitHub

• High recall: False

• Validity check available: True

• Analyzer available: True

• On-premise instances exist: True

• Only valid secrets raise an alert: False

• Minimum number of matches: 1

• Occurrences found for one million commits: 0.92

• Prefixed: False

• PreValidators:

- type: FilenameBanlistPreValidator
  banlist_extensions:
    - ^(cs|x|p|s|r|m)?html5?~?$
    - ^[aps]?cssc?~?$
    - ^csv$
    - ^ebuild$
    - ^storyboard(c|er)?~?$
    - ^xib$
  banlist_filenames: []
  check_binaries: false
  include_default_banlist_extensions: false
  ban_markup: false
- type: ContentWhitelistPreValidator
  patterns:
    - ghs_

Examples

- text: ghs_uTzsHn7ntsbrT3RUE7dsGx3Qq4689V2Jzoq0
  apikey: ghs_uTzsHn7ntsbrT3RUE7dsGx3Qq4689V2Jzoq0

# Fat-fingered secret
- text: gghs_uTzsHn7ntsbrT3RUE7dsGx3Qq4689V2Jzoq0
  apikey: ghs_uTzsHn7ntsbrT3RUE7dsGx3Qq4689V2Jzoq0

Details for Github fine grained pat

• Family: Api

• Category: Version control platform

• Company: GitHub

• High recall: False

• Validity check available: True

• Analyzer available: True

• On-premise instances exist: True

• Only valid secrets raise an alert: False

• Minimum number of matches: 1

• Occurrences found for one million commits: 45.53

• Prefixed: False

• PreValidators:

- type: ContentWhitelistPreValidator
  patterns:
    - github_pat_

Examples

- text: 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
  apikey: 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

# Fat-fingered secret
- text: g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
  apikey: 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