GitHub Access Token
Description
General
Documentation: https://docs.github.com/en/rest/overview/other-authentication-methods#via-oauth-and-personal-access-tokens
Summary: GitHub is a code hosting platform for version control and collaboration. GitHub offers a very detailed API to programmatically control accounts. Most calls to API endpoints must be authenticated using dedicated tokens. These detectors focus on catching any type of token giving some access to a GitHub account. Supported GitHub tokens are :
- Personal Access Tokens : These are issued by a GitHub user with a given scope of permissions. GitGuardian supports both old and new format for these tokens.
- GitHub OAuth Access Tokens : These tokens are issued in an OAuth flow to authorize an application to act on behalf of a user.
- GitHub User-to-server Tokens : These tokens are issued for a GitHub App and grant access to some API resources on behalf of a user. They last 8 hours and have to be refreshed afterwhat.
- GitHub Server-to-server Token : These are tokens issued for a given GitHub App installation. They grant access to some API resources on behalf of an application's installation. These will last an hour by default.
- Fine-grained Personal Access Tokens : These tokens are regular personal access tokens, but they have a pattern of their own and can have a large variety of scopes.
IPs allowlist: No
Scopes: The variety of permissions associated to a GitHub access token depends on the type of token concerned :
- Several scopes and permissions can be chosen for classic GitHub personal access token
- In case the leaked token is associated to a GitHub App or a GitHub Oauth App, the token has the permission that the application requested during the authorization flow : see the available list here.
- Fine-grained personal access token can have a wide variety of permissions [described in the following list] (https://docs.github.com/en/rest/overview/permissions-required-for-fine-grained-personal-access-tokens).
Revoke the secret
Tokens can be revoked from the access tokens panel. Both personal access tokens and other types of tokens can be managed from this page.
Check for suspicious activity
There is no way to check the exact last API calls made with a token. However, GitHub offers the possibility to review quite thoroughly security logs.
Details for Github token
Family: Api
Category: Version control platform
Company: GitHub
High recall: False
Validity check available: True
On-premise instances exist: True
Only valid secrets raise an alert: True
Minimum number of matches: 1
Occurrences found for one million commits: 0.06
Prefixed: False
PreValidators:
- type: FilenameBanlistPreValidator
banlist_extensions:
- ^csv?$
- ^ebuild$
- ^rst$
- ^txt$
- ^xcuserstate$
banlist_filenames:
- Cartfile\.resolved
- Portfile$
- '[0-9]+\.pack$'
- \.gitrepo$
- ^m$
- _config\.yml$
- arm64
- build-log
- dependencies
- deps
- kernel
- monitor\.log
- ngsw\.json
- packages
- release(_|-)notes
- search_plus_index\.json
- vendor
- vendor\.conf
- x86
check_binaries: false
include_default_banlist_extensions: true
ban_markup: false
- type: ContentWhitelistPreValidator
patterns:
- gh[-_.]?api[-_]?key
- gh[-_.]?token
- github
- type: ContentWhitelistPreValidator
patterns:
- '[0-9a-f]{40}'
Examples
- text: 'github_token: 368ac3edf9e850d1c0ff9d6c526496f8237ddf19'
apikey: 368ac3edf9e850d1c0ff9d6c526496f8237ddf19
- text: |
GitHub(81c4ef6cabcf4473bb98b28de4fb9ac606b97f6b)
apikey: 81c4ef6cabcf4473bb98b28de4fb9ac606b97f6b
- text: |
GitHubToken = 81c4ef6cabcf4473bb98b28de4fb9ac606b97f61
apikey: 81c4ef6cabcf4473bb98b28de4fb9ac606b97f61
- text: |
GitHubToken = "81c4ef6cabcf4473bb98b28de4fb9ac606b97f62"
apikey: 81c4ef6cabcf4473bb98b28de4fb9ac606b97f62
- text: 'github_token: 368ac3edf9e850d1c0ff9d6c526496f8237ddf19'
apikey: 368ac3edf9e850d1c0ff9d6c526496f8237ddf19
Details for Github personal access token v2
Family: Api
Category: Version control platform
Company: GitHub
High recall: False
Validity check available: True
On-premise instances exist: True
Only valid secrets raise an alert: False
Minimum number of matches: 1
Occurrences found for one million commits: 234.2
Prefixed: False
PreValidators:
- type: FilenameBanlistPreValidator
banlist_extensions:
- ^(cs|x|p|s|r|m)?html5?~?$
- ^[aps]?cssc?~?$
- ^csv?$
- ^ebuild$
- ^storyboard(c|er)?~?$
- ^xib$
banlist_filenames: []
check_binaries: false
include_default_banlist_extensions: false
ban_markup: false
- type: ContentWhitelistPreValidator
patterns:
- ghp_
Examples
- text: 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
apikey: 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
# Fat-fingered secret
- text: g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
apikey: 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
Details for Github user to server token v2
Family: Api
Category: Version control platform
Company: GitHub
High recall: False
Validity check available: True
On-premise instances exist: True
Only valid secrets raise an alert: False
Minimum number of matches: 1
Occurrences found for one million commits: 0.78
Prefixed: False
PreValidators:
- type: FilenameBanlistPreValidator
banlist_extensions:
- ^(cs|x|p|s|r|m)?html5?~?$
- ^[aps]?cssc?~?$
- ^csv?$
- ^ebuild$
- ^storyboard(c|er)?~?$
- ^xib$
banlist_filenames: []
check_binaries: false
include_default_banlist_extensions: false
ban_markup: false
- type: ContentWhitelistPreValidator
patterns:
- ghu_
Examples
- text: ghu_uTzsHn7ntsbrT3RUE7dsGx3Qq4689V2Jzoq0
apikey: ghu_uTzsHn7ntsbrT3RUE7dsGx3Qq4689V2Jzoq0
# Fat-fingered secret
- text: Xghu_uTzsHn7ntsbrT3RUE7dsGx3Qq4689V2Jzoq0
apikey: ghu_uTzsHn7ntsbrT3RUE7dsGx3Qq4689V2Jzoq0
Details for Github oauth access token v2
Family: Api
Category: Version control platform
Company: GitHub
High recall: False
Validity check available: True
On-premise instances exist: True
Only valid secrets raise an alert: False
Minimum number of matches: 1
Occurrences found for one million commits: 6.38
Prefixed: False
PreValidators:
- type: FilenameBanlistPreValidator
banlist_extensions:
- ^(cs|x|p|s|r|m)?html5?~?$
- ^[aps]?cssc?~?$
- ^csv?$
- ^ebuild$
- ^storyboard(c|er)?~?$
- ^xib$
banlist_filenames: []
check_binaries: false
include_default_banlist_extensions: false
ban_markup: false
- type: ContentWhitelistPreValidator
patterns:
- gho_
Examples
- text: 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
apikey: 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
# Fat-fingered secret
- text: X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
apikey: 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
Details for Github server to server token v2
Family: Api
Category: Version control platform
Company: GitHub
High recall: False
Validity check available: True
On-premise instances exist: True
Only valid secrets raise an alert: False
Minimum number of matches: 1
Occurrences found for one million commits: 1.13
Prefixed: False
PreValidators:
- type: FilenameBanlistPreValidator
banlist_extensions:
- ^(cs|x|p|s|r|m)?html5?~?$
- ^[aps]?cssc?~?$
- ^csv?$
- ^ebuild$
- ^storyboard(c|er)?~?$
- ^xib$
banlist_filenames: []
check_binaries: false
include_default_banlist_extensions: false
ban_markup: false
- type: ContentWhitelistPreValidator
patterns:
- ghs_
Examples
- text: ghs_uTzsHn7ntsbrT3RUE7dsGx3Qq4689V2Jzoq0
apikey: ghs_uTzsHn7ntsbrT3RUE7dsGx3Qq4689V2Jzoq0
# Fat-fingered secret
- text: gghs_uTzsHn7ntsbrT3RUE7dsGx3Qq4689V2Jzoq0
apikey: ghs_uTzsHn7ntsbrT3RUE7dsGx3Qq4689V2Jzoq0
Details for Github fine grained pat
Family: Api
Category: Version control platform
Company: GitHub
High recall: False
Validity check available: True
On-premise instances exist: True
Only valid secrets raise an alert: False
Minimum number of matches: 1
Occurrences found for one million commits: 0.186
Prefixed: False
PreValidators:
- type: ContentWhitelistPreValidator
patterns:
- github_pat_
Examples
- text: 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
apikey: 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
# Fat-fingered secret
- text: g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
apikey: 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