
GitHub Personal Access Token

Description

General

  • Documentation: https://docs.github.com/en/rest/overview/other-authentication-methods#via-oauth-and-personal-access-tokens

  • Summary: GitHub is a code hosting platform for version control and collaboration. Personal Access Tokens (PATs) authenticate API requests (and Git over HTTPS) on behalf of a GitHub user. A token is created by the user and can be restricted to specific scopes to limit what it may do. GitGuardian supports both the old format (40 hexadecimal characters with no recognizable prefix) and the newer "ghp_"-prefixed format. This detector group focuses on identifying classic GitHub Personal Access Tokens.

  • IPs allowlist: No

  • Scopes: Personal Access Tokens can be configured with a variety of scopes and permissions, such as read/write access to repositories, user data, or organization resources. For a full list of available scopes, refer to the GitHub documentation.

Revoke the secret

Tokens can be revoked from the personal access tokens panel (Settings > Developer settings > Personal access tokens). Open the "Personal access tokens" section and delete the token: access is revoked immediately and the token cannot be restored, so issue a replacement first if a workload still depends on it. Deleting the token does not undo anything already done with it, so review the account's activity as well.

Check for suspicious activity

There is no way to retrieve the exact API calls made with a given token. However, GitHub provides a security log for the user account (Settings > Security log), and organizations have an audit log; review them for sign-ins, newly created tokens or SSH keys, repository changes and other activity you do not recognize around the time of the leak.

Details for Github token

  • Family: token

  • Category: version_control_platform

  • Company: GitHub

  • High recall: False

  • Validity check available: True

  • Analyzer available: True

  • On-premise instances exist: True

  • Only valid secrets raise an alert: True

  • Minimum number of matches: 1

  • Occurrences found for one million commits: very rare

  • Prefixed: False

  • PreValidators:

- type: FilenameBanlistPreValidator
  banlist_extensions:
    - ^csv?$
    - ^ebuild$
    - ^rst$
    - ^txt$
    - ^xcuserstate$
  banlist_filenames:
    - Cartfile\.resolved
    - Portfile$
    - '[0-9]+\.pack$'
    - \.gitrepo$
    - ^m$
    - _config\.yml$
    - arm64
    - build-log
    - dependencies
    - deps
    - kernel
    - monitor\.log
    - ngsw\.json
    - packages
    - release(_|-)notes
    - search_plus_index\.json
    - vendor
    - vendor\.conf
    - x86
  check_binaries: false
  include_default_banlist_extensions: true
  ban_markup: false
- type: ContentWhitelistPreValidator
  patterns:
    - gh[-_.]?api[-_]?key
    - gh[-_.]?token
    - github
- type: ContentWhitelistPreValidator
  patterns:
    - '[0-9a-f]{40}'

Examples

- text: 'github_token: 368ac3edf9e850d1c0ff9d6c526496f8237ddf19'
  apikey: 368ac3edf9e850d1c0ff9d6c526496f8237ddf19

- text: |
    GitHub(81c4ef6cabcf4473bb98b28de4fb9ac606b97f6b)
  apikey: 81c4ef6cabcf4473bb98b28de4fb9ac606b97f6b

- text: |
    GitHubToken = 81c4ef6cabcf4473bb98b28de4fb9ac606b97f61
  apikey: 81c4ef6cabcf4473bb98b28de4fb9ac606b97f61

- text: |
    GitHubToken = "81c4ef6cabcf4473bb98b28de4fb9ac606b97f62"
  apikey: 81c4ef6cabcf4473bb98b28de4fb9ac606b97f62

Details for Github personal access token v2

  • Family: token

  • Category: version_control_platform

  • Company: GitHub

  • High recall: False

  • Validity check available: True

  • Analyzer available: True

  • On-premise instances exist: True

  • Only valid secrets raise an alert: False

  • Minimum number of matches: 1

  • Occurrences found for one million commits: 98.07

  • Prefixed: False

  • PreValidators:

- type: FilenameBanlistPreValidator
  banlist_extensions:
    - ^(cs|x|p|s|r|m)?html5?~?$
    - ^[aps]?cssc?~?$
    - ^csv$
    - ^ebuild$
    - ^storyboard(c|er)?~?$
    - ^xib$
  banlist_filenames: []
  check_binaries: false
  include_default_banlist_extensions: false
  ban_markup: false
- type: ContentWhitelistPreValidator
  patterns:
    - ghp_

Examples

- text: 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
  apikey: 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

# Fat-fingered secret
- text: g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
  apikey: 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
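The two detectors above (classic 40-hex token with a GitHub keyword in context, and the "ghp_"-prefixed v2 token) can be emulated end to end: filename banlist, content whitelist, then token extraction, run over a handful of constructed files. This is an added example, not GitGuardian's detection engine; the banlist and whitelist patterns are copied from the descriptions above, while the exact token shapes (40 lowercase hex characters standing alone; "ghp_" followed by 36 alphanumerics, the length of the page's own example), case-insensitive keyword matching, and applying banlist_filenames to the whole path are assumptions.

```python
"""Emulation of the classic and v2 GitHub PAT detectors described above.
Added example, not GitGuardian's engine; see the comments for assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass

# --- Rules copied from the detector descriptions ---------------------------
CLASSIC_BANLIST_EXT = [r"^csv?$", r"^ebuild$", r"^rst$", r"^txt$", r"^xcuserstate$"]
CLASSIC_BANLIST_FILENAMES = [
    r"Cartfile\.resolved", r"Portfile$", r"[0-9]+\.pack$", r"\.gitrepo$", r"^m$",
    r"_config\.yml$", "arm64", "build-log", "dependencies", "deps", "kernel",
    r"monitor\.log", r"ngsw\.json", "packages", r"release(_|-)notes",
    r"search_plus_index\.json", "vendor", r"vendor\.conf", "x86",
]
CLASSIC_CONTEXT = [r"gh[-_.]?api[-_]?key", r"gh[-_.]?token", r"github"]
V2_BANLIST_EXT = [r"^(cs|x|p|s|r|m)?html5?~?$", r"^[aps]?cssc?~?$", r"^csv$",
                  r"^ebuild$", r"^storyboard(c|er)?~?$", r"^xib$"]

# --- Assumptions (not stated on the page) ----------------------------------
# A classic token is 40 lowercase hex chars; the lookarounds stop a longer hex
# run (e.g. a SHA-256) from being cut into a 40-char "token".
CLASSIC_TOKEN = re.compile(r"(?<![0-9a-fA-F])[0-9a-f]{40}(?![0-9a-fA-F])")
# v2: "ghp_" + 36 alphanumerics. No leading boundary on purpose, so the
# fat-fingered "gghp_..." from the page's example still yields "ghp_...".
V2_TOKEN = re.compile(r"ghp_[A-Za-z0-9]{36}")


@dataclass(frozen=True)
class Finding:
    detector: str
    secret: str


def _extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1] if "." in name else ""


def _is_banned(path: str, ext_patterns: list[str], name_patterns: list[str]) -> bool:
    """FilenameBanlistPreValidator: skip the file when its extension or its
    path (assumed: the whole path) matches a banlist entry."""
    if any(re.search(p, _extension(path)) for p in ext_patterns):
        return True
    return any(re.search(p, path) for p in name_patterns)


def scan(path: str, content: str) -> list[Finding]:
    findings: list[Finding] = []
    # Classic detector: both ContentWhitelistPreValidators must pass, i.e. a
    # GitHub keyword (case-insensitive, as "GitHubToken" in the examples needs)
    # and a 40-hex run must both be present in the file.
    if not _is_banned(path, CLASSIC_BANLIST_EXT, CLASSIC_BANLIST_FILENAMES) and any(
        re.search(p, content, re.IGNORECASE) for p in CLASSIC_CONTEXT
    ):
        findings += [Finding("github_token", m.group(0)) for m in CLASSIC_TOKEN.finditer(content)]
    # v2 detector: extension banlist only (banlist_filenames is empty) and the
    # "ghp_" whitelist, which the token regex itself enforces.
    if not _is_banned(path, V2_BANLIST_EXT, []):
        findings += [Finding("github_personal_access_token_v2", m.group(0))
                     for m in V2_TOKEN.finditer(content)]
    return findings


# Constructed sample files; the token values are the page's own placeholders.
SAMPLES = {
    "config/settings.py": "GITHUB_TOKEN = '368ac3edf9e850d1c0ff9d6c526496f8237ddf19'",
    "notes.txt": "github_token: 368ac3edf9e850d1c0ff9d6c526496f8237ddf19",        # .txt banned (classic)
    "vendor/lib/conf.py": "github_token=368ac3edf9e850d1c0ff9d6c526496f8237ddf19",  # "vendor" path banned
    "src/deploy.sh": "sha=81c4ef6cabcf4473bb98b28de4fb9ac606b97f6b  # commit id",   # hex but no keyword
    "ci/.env": "TOKEN=g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",                 # fat-fingered v2
    "index.html": "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",                      # .html banned (v2)
}


def scan_samples() -> dict[str, list[str]]:
    return {path: [f.secret for f in scan(path, text)] for path, text in SAMPLES.items()}


if __name__ == "__main__":
    for path, secrets in scan_samples().items():
        print(f"{path}: {secrets or 'no finding'}")
```

The banlists are the reason a token in notes.txt or under vendor/ is never reported by the classic detector, and why a commit hash next to an unrelated variable is ignored: the 40-hex pattern alone is far too common, which is also why that detector only alerts on secrets that pass the validity check.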

Secret Analyzer

Analysis Method

  • Provider allows scopes enumeration: False
  • Total network call count: 1
  • Total call count may vary: False

HTTP Calls

The request is designed to retrieve metadata about the token (the identity it authenticates as), not to perform any action with it.

  • GET: /user

Other Calls

No other calls for this analyzer.
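The validity check and the analyzer come down to the single read-only GET /user call listed above. The following added example (not GitGuardian's analyzer) shows that call with the transport injectable, so it runs offline against constructed responses and distinguishes "revoked" (401) from "unknown" (rate-limited 403 or a server error). It assumes the standard token authorization header; the X-OAuth-Scopes and GitHub-Authentication-Token-Expiration response headers are read only when present, and the api_base parameter covers the on-premise (GitHub Enterprise Server) case the page mentions.

```python
"""Validity check built on the analyzer's one HTTP call, GET /user.
Added example, not GitGuardian's analyzer."""
from __future__ import annotations

import json
import urllib.request
from urllib.error import HTTPError


def http_fetch(url: str, headers: dict[str, str]) -> tuple[int, dict[str, str], bytes]:
    """Real transport. 4xx/5xx are returned as values, not raised, so the
    caller can inspect a 401 body the same way as a 200 body."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except HTTPError as err:
        return err.code, dict(err.headers), err.read()


def check_token(token: str, fetch=http_fetch, api_base: str = "https://api.github.com") -> dict:
    """One read-only call. For a GitHub Enterprise Server instance pass
    api_base="https://HOST/api/v3" (assumed layout of on-premise API URLs)."""
    status, headers, body = fetch(
        f"{api_base}/user",
        {
            "Authorization": f"token {token}",
            "Accept": "application/vnd.github+json",
            "User-Agent": "pat-validity-check",  # GitHub rejects requests without one
        },
    )
    hdr = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if status == 401:
        return {"valid": False, "reason": "bad credentials (revoked, expired or never valid)"}
    if status != 200:
        # A 403 with X-RateLimit-Remaining: 0, or a 5xx, says nothing about the
        # token itself: report "unknown" rather than "invalid".
        return {"valid": None, "reason": f"HTTP {status}",
                "rate_limit_remaining": hdr.get("x-ratelimit-remaining")}
    user = json.loads(body)
    # Classic tokens echo their scopes in X-OAuth-Scopes; tokens without the
    # header simply yield an empty list here.
    scopes = [s.strip() for s in hdr.get("x-oauth-scopes", "").split(",") if s.strip()]
    return {
        "valid": True,
        "login": user.get("login"),
        "user_id": user.get("id"),
        "scopes": scopes,
        "expires": hdr.get("github-authentication-token-expiration"),
    }


# Constructed responses standing in for api.github.com, so the block runs offline.
def fake_fetch_valid(url, headers):
    return 200, {"X-OAuth-Scopes": "repo, read:org", "X-RateLimit-Remaining": "4998"}, \
        b'{"login": "octocat", "id": 1}'


def fake_fetch_revoked(url, headers):
    return 401, {"X-RateLimit-Remaining": "59"}, b'{"message": "Bad credentials"}'


def fake_fetch_rate_limited(url, headers):
    return 403, {"X-RateLimit-Remaining": "0"}, b'{"message": "API rate limit exceeded"}'


if __name__ == "__main__":
    token = "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"  # placeholder value from the page
    for label, fetch in [("valid", fake_fetch_valid), ("revoked", fake_fetch_revoked),
                         ("rate-limited", fake_fetch_rate_limited)]:
        print(label, check_token(token, fetch=fetch))
```

Two points a practitioner should keep in mind: checking validity means sending the leaked secret to GitHub, so run it from a host you control and do not log the token; and a non-200, non-401 answer must not be turned into "the token is dead", otherwise a rate-limited scan will silently mark live tokens as safe.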