
GitHub Access Token

Description

General

  • Documentation: https://docs.github.com/en/rest/overview/other-authentication-methods#via-oauth-and-personal-access-tokens

  • Summary: GitHub is a code hosting platform for version control and collaboration. It offers a very detailed API for controlling accounts programmatically, and most API endpoints must be called with a dedicated authentication token. These detectors focus on catching any type of token that grants some access to a GitHub account. The supported GitHub tokens are:

    • Personal Access Tokens: These are issued by a GitHub user with a given scope of permissions. GitGuardian supports both the old and the new format of these tokens.
    • GitHub OAuth Access Tokens: These tokens are issued in an OAuth flow to authorize an application to act on behalf of a user.
    • GitHub User-to-server Tokens: These tokens are issued for a GitHub App and grant access to some API resources on behalf of a user. They last 8 hours and must be refreshed afterwards.
    • GitHub Server-to-server Tokens: These tokens are issued for a given GitHub App installation and grant access to some API resources on behalf of that installation. They last one hour by default.
    • Fine-grained Personal Access Tokens: These tokens are regular personal access tokens, but they have a pattern of their own and can carry a large variety of scopes.
  • IPs allowlist: No

  • Scopes: The permissions associated with a GitHub access token depend on the type of token concerned:

Revoke the secret

Tokens can be revoked from the access tokens panel, where both personal access tokens and the other token types can be managed.

Check for suspicious activity

There is no way to retrieve the exact last API calls made with a token. However, GitHub lets you review its security logs quite thoroughly.

Details for Github token

  • Family: Api

  • Category: Version control platform

  • Company: GitHub

  • High recall: False

  • Validity check available: True

  • On-premise instances exist: True

  • Only valid secrets raise an alert: True

  • Minimum number of matches: 1

  • Occurrences found for one million commits: 0.06

  • Prefixed: False

  • PreValidators:

- type: FilenameBanlistPreValidator
  banlist_extensions:
    - ^csv?$
    - ^ebuild$
    - ^rst$
    - ^txt$
    - ^xcuserstate$
  banlist_filenames:
    - Cartfile\.resolved
    - Portfile$
    - '[0-9]+\.pack$'
    - \.gitrepo$
    - ^m$
    - _config\.yml$
    - arm64
    - build-log
    - dependencies
    - deps
    - kernel
    - monitor\.log
    - ngsw\.json
    - packages
    - release(_|-)notes
    - search_plus_index\.json
    - vendor
    - vendor\.conf
    - x86
  check_binaries: false
  include_default_banlist_extensions: true
  ban_markup: false
- type: ContentWhitelistPreValidator
  patterns:
    - gh[-_.]?api[-_]?key
    - gh[-_.]?token
    - github
- type: ContentWhitelistPreValidator
  patterns:
    - '[0-9a-f]{40}'

Examples

- text: 'github_token: 368ac3edf9e850d1c0ff9d6c526496f8237ddf19'
  apikey: 368ac3edf9e850d1c0ff9d6c526496f8237ddf19

- text: |
    GitHub(81c4ef6cabcf4473bb98b28de4fb9ac606b97f6b)
  apikey: 81c4ef6cabcf4473bb98b28de4fb9ac606b97f6b

- text: |
    GitHubToken = 81c4ef6cabcf4473bb98b28de4fb9ac606b97f61
  apikey: 81c4ef6cabcf4473bb98b28de4fb9ac606b97f61

- text: |
    GitHubToken = "81c4ef6cabcf4473bb98b28de4fb9ac606b97f62"
  apikey: 81c4ef6cabcf4473bb98b28de4fb9ac606b97f62

Details for Github personal access token v2

  • Family: Api

  • Category: Version control platform

  • Company: GitHub

  • High recall: False

  • Validity check available: True

  • On-premise instances exist: True

  • Only valid secrets raise an alert: False

  • Minimum number of matches: 1

  • Occurrences found for one million commits: 234.2

  • Prefixed: False

  • PreValidators:

- type: FilenameBanlistPreValidator
  banlist_extensions:
    - ^(cs|x|p|s|r|m)?html5?~?$
    - ^[aps]?cssc?~?$
    - ^csv?$
    - ^ebuild$
    - ^storyboard(c|er)?~?$
    - ^xib$
  banlist_filenames: []
  check_binaries: false
  include_default_banlist_extensions: false
  ban_markup: false
- type: ContentWhitelistPreValidator
  patterns:
    - ghp_

Examples

- text: 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
  apikey: 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

# Fat-fingered secret
- text: g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
  apikey: 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

Details for Github user to server token v2

  • Family: Api

  • Category: Version control platform

  • Company: GitHub

  • High recall: False

  • Validity check available: True

  • On-premise instances exist: True

  • Only valid secrets raise an alert: False

  • Minimum number of matches: 1

  • Occurrences found for one million commits: 0.78

  • Prefixed: False

  • PreValidators:

- type: FilenameBanlistPreValidator
  banlist_extensions:
    - ^(cs|x|p|s|r|m)?html5?~?$
    - ^[aps]?cssc?~?$
    - ^csv?$
    - ^ebuild$
    - ^storyboard(c|er)?~?$
    - ^xib$
  banlist_filenames: []
  check_binaries: false
  include_default_banlist_extensions: false
  ban_markup: false
- type: ContentWhitelistPreValidator
  patterns:
    - ghu_

Examples

- text: ghu_uTzsHn7ntsbrT3RUE7dsGx3Qq4689V2Jzoq0
  apikey: ghu_uTzsHn7ntsbrT3RUE7dsGx3Qq4689V2Jzoq0

# Fat-fingered secret
- text: Xghu_uTzsHn7ntsbrT3RUE7dsGx3Qq4689V2Jzoq0
  apikey: ghu_uTzsHn7ntsbrT3RUE7dsGx3Qq4689V2Jzoq0

Details for Github oauth access token v2

  • Family: Api

  • Category: Version control platform

  • Company: GitHub

  • High recall: False

  • Validity check available: True

  • On-premise instances exist: True

  • Only valid secrets raise an alert: False

  • Minimum number of matches: 1

  • Occurrences found for one million commits: 6.38

  • Prefixed: False

  • PreValidators:

- type: FilenameBanlistPreValidator
  banlist_extensions:
    - ^(cs|x|p|s|r|m)?html5?~?$
    - ^[aps]?cssc?~?$
    - ^csv?$
    - ^ebuild$
    - ^storyboard(c|er)?~?$
    - ^xib$
  banlist_filenames: []
  check_binaries: false
  include_default_banlist_extensions: false
  ban_markup: false
- type: ContentWhitelistPreValidator
  patterns:
    - gho_

Examples

- text: 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
  apikey: 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

# Fat-fingered secret
- text: X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
  apikey: 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

Details for Github server to server token v2

  • Family: Api

  • Category: Version control platform

  • Company: GitHub

  • High recall: False

  • Validity check available: True

  • On-premise instances exist: True

  • Only valid secrets raise an alert: False

  • Minimum number of matches: 1

  • Occurrences found for one million commits: 1.13

  • Prefixed: False

  • PreValidators:

- type: FilenameBanlistPreValidator
  banlist_extensions:
    - ^(cs|x|p|s|r|m)?html5?~?$
    - ^[aps]?cssc?~?$
    - ^csv?$
    - ^ebuild$
    - ^storyboard(c|er)?~?$
    - ^xib$
  banlist_filenames: []
  check_binaries: false
  include_default_banlist_extensions: false
  ban_markup: false
- type: ContentWhitelistPreValidator
  patterns:
    - ghs_

Examples

- text: ghs_uTzsHn7ntsbrT3RUE7dsGx3Qq4689V2Jzoq0
  apikey: ghs_uTzsHn7ntsbrT3RUE7dsGx3Qq4689V2Jzoq0

# Fat-fingered secret
- text: gghs_uTzsHn7ntsbrT3RUE7dsGx3Qq4689V2Jzoq0
  apikey: ghs_uTzsHn7ntsbrT3RUE7dsGx3Qq4689V2Jzoq0

Details for Github fine grained pat

  • Family: Api

  • Category: Version control platform

  • Company: GitHub

  • High recall: False

  • Validity check available: True

  • On-premise instances exist: True

  • Only valid secrets raise an alert: False

  • Minimum number of matches: 1

  • Occurrences found for one million commits: 0.186

  • Prefixed: False

  • PreValidators:

- type: ContentWhitelistPreValidator
  patterns:
    - github_pat_

Examples

- text: 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
  apikey: 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

# Fat-fingered secret
- text: g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
  apikey: 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
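The following is an added example, not GitGuardian's code, showing how the six detector configurations above (the token families described in the summary and the PreValidators listed for each detector) can be turned into a small offline scanner. The semantics of the pre-validators are assumptions inferred from their field names: a FilenameBanlistPreValidator skips the file when its extension or base name matches a banlisted regex, and a ContentWhitelistPreValidator lets the detector run only when at least one of its patterns occurs in the content. The token shapes (4-character prefix plus 36 alphanumerics, github_pat_ plus 22 + "_" + 59 characters, and bare 40-hex legacy tokens) are inferred from the page's examples. The detector names and the sample files are constructed; the token values are the page's own examples, not live secrets.

```python
"""Toy GitHub-token scanner mirroring the detector configuration on this page.

Added example, not GitGuardian's code. Assumed pre-validator semantics:
  * FilenameBanlistPreValidator: skip the file when its extension (without
    the dot) or its base name matches any banlisted regex.
  * ContentWhitelistPreValidator: run the detector only if at least one
    pattern of *each* whitelist group occurs in the content (case-insensitive).
The real legacy detector also calls GitHub to confirm validity; that is omitted.
"""
import os
import re
from dataclasses import dataclass, field


@dataclass
class Detector:
    name: str
    token_re: re.Pattern
    banlist_extensions: list = field(default_factory=list)
    banlist_filenames: list = field(default_factory=list)
    whitelist_groups: list = field(default_factory=list)  # one list of patterns per pre-validator

    def filename_banned(self, path: str) -> bool:
        base = os.path.basename(path)
        ext = base.rsplit(".", 1)[1] if "." in base else ""
        if any(re.search(p, ext) for p in self.banlist_extensions):
            return True
        return any(re.search(p, base) for p in self.banlist_filenames)

    def content_whitelisted(self, content: str) -> bool:
        return all(
            any(re.search(p, content, re.IGNORECASE) for p in group)
            for group in self.whitelist_groups
        )

    def scan(self, path: str, content: str) -> list:
        """Return (detector name, token) pairs, or [] if a pre-validator rejects the file."""
        if self.filename_banned(path) or not self.content_whitelisted(content):
            return []
        # finditer is not anchored at a word boundary, so the fat-fingered
        # "gghp_..." examples above still yield the embedded "ghp_..." token.
        return [(self.name, m.group(0)) for m in self.token_re.finditer(content)]


# Extension banlist shared by the four prefixed-token detectors on this page.
PREFIXED_BANLIST = [r"^(cs|x|p|s|r|m)?html5?~?$", r"^[aps]?cssc?~?$", r"^csv?$",
                    r"^ebuild$", r"^storyboard(c|er)?~?$", r"^xib$"]

DETECTORS = [
    Detector(
        "github_token",
        # Exactly 40 hex chars, not embedded in a longer hex run (e.g. a SHA-256).
        re.compile(r"(?<![0-9a-fA-F])[0-9a-f]{40}(?![0-9a-fA-F])"),
        banlist_extensions=[r"^csv?$", r"^ebuild$", r"^rst$", r"^txt$", r"^xcuserstate$"],
        banlist_filenames=[r"Cartfile\.resolved", r"Portfile$", r"[0-9]+\.pack$", r"\.gitrepo$",
                           r"^m$", r"_config\.yml$", r"arm64", r"build-log", r"dependencies",
                           r"deps", r"kernel", r"monitor\.log", r"ngsw\.json", r"packages",
                           r"release(_|-)notes", r"search_plus_index\.json", r"vendor",
                           r"vendor\.conf", r"x86"],
        # Two ContentWhitelistPreValidators: a GitHub keyword AND a 40-hex string must both appear.
        whitelist_groups=[[r"gh[-_.]?api[-_]?key", r"gh[-_.]?token", r"github"], [r"[0-9a-f]{40}"]],
    ),
    *[
        Detector(f"github_{kind}_v2", re.compile(rf"{prefix}[A-Za-z0-9]{{36}}"),
                 banlist_extensions=PREFIXED_BANLIST, whitelist_groups=[[prefix]])
        for prefix, kind in (("ghp_", "personal_access_token"), ("ghu_", "user_to_server_token"),
                             ("gho_", "oauth_access_token"), ("ghs_", "server_to_server_token"))
    ],
    Detector("github_fine_grained_pat", re.compile(r"github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}"),
             whitelist_groups=[[r"github_pat_"]]),
]


def scan_file(path: str, content: str) -> list:
    """Run every detector over one file and collect its findings."""
    findings = []
    for detector in DETECTORS:
        findings.extend(detector.scan(path, content))
    return findings


if __name__ == "__main__":
    # Constructed sample files; token values are the page's own examples, not live secrets.
    samples = {
        "settings.py": "github_token: 368ac3edf9e850d1c0ff9d6c526496f8237ddf19",
        "NOTES.txt": "github_token: 368ac3edf9e850d1c0ff9d6c526496f8237ddf19",  # banned extension
        "hashes.py": "sha1 = 368ac3edf9e850d1c0ff9d6c526496f8237ddf19",        # no GitHub context
        "deploy.sh": "export TOKEN=g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",   # fat-fingered
        "app.env": "GH=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",
    }
    for path, content in samples.items():
        print(f"{path}: {scan_file(path, content)}")
```

The legacy 40-hex detector is the one that most depends on its pre-validators: without the GitHub keyword whitelist every SHA-1 in a repository would be a candidate, which is why the page marks it as alerting only on validated secrets. The prefixed detectors need far less context, and the unanchored match is what lets them recover the token from the "fat-fingered" examples.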
