
GitHub Fine Grained Personal Access Token

Description

General

  • Documentation: https://docs.github.com/en/rest/overview/permissions-required-for-fine-grained-personal-access-tokens

  • Summary: GitHub Fine-Grained Personal Access Tokens are a more granular and secure alternative to classic Personal Access Tokens. Each token is scoped to a single resource owner (a user or an organization), to all or selected repositories of that owner, and to explicit read/write permissions, so a leaked token exposes only what its owner granted rather than the whole account.

  • IPs allowlist: No

  • Scopes: Fine-Grained Personal Access Tokens can have a wide variety of permissions, including read/write access to specific repositories, workflows, or packages. For a full list of available permissions, refer to the GitHub documentation.

Revoke the secret

Tokens can be revoked from the access tokens panel: Settings > Developer settings > Personal access tokens > Fine-grained tokens. Delete the token to revoke it, or regenerate it if a workload still needs one. A deleted token stops working immediately, so rotate the secret in any legitimate consumer first. Organization owners can also review and revoke fine-grained tokens that have access to the organization's resources from the organization's Personal access tokens settings.

Check for suspicious activity

GitHub does not expose the API calls made with a particular token, so there is no way to list what a leaked token was actually used for. The account's security log (Settings > Security log) records token creation, regeneration and deletion along with other account events, and when the token's resource owner is an organization the organization's audit log records fine-grained token events such as requests, approvals and revocations. Review both for tokens, SSH keys, GPG keys or OAuth authorizations the owner did not add and for activity from unfamiliar locations.

Details for GitHub fine-grained PAT

  • Family: token

  • Category: version_control_platform

  • Company: GitHub

  • High recall: False

  • Validity check available: True

  • Analyzer available: True

  • On-premise instances exist: True

  • Only valid secrets raise an alert: False

  • Minimum number of matches: 1

  • Occurrences found for one million commits: 45.53

  • Prefixed: False

  • PreValidators:

    - type: ContentWhitelistPreValidator
      patterns:
        - github_pat_

Examples

  - text: 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
    apikey: 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

  # Fat-fingered secret
  - text: g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
    apikey: 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
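The following is an added example, not the detector's own implementation, of how the pre-validator and the examples above fit together: a cheap content gate on the literal prefix, then an unanchored pattern that still extracts the correct token from the fat-fingered "ggithub_pat_" variant. The regex is this example's assumption, derived from the shape of the example token (prefix, 22 alphanumerics, underscore, 59 alphanumerics); the sample document is constructed.

```python
import re

# Token shape assumed by this example: the literal prefix "github_pat_", 22
# alphanumerics, an underscore, then 59 alphanumerics (93 characters total).
# Derived from the example token on this page; it is not the detector's real regex.
FINE_GRAINED_PAT_RE = re.compile(r"github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}")

# Same cheap gate as the ContentWhitelistPreValidator listed above: documents
# without the literal prefix are never handed to the detector at all.
PREVALIDATOR_PATTERNS = ("github_pat_",)

EXAMPLE_TOKEN = ("github_pat_22BEXUD2A0GiK9sDBQh1R6_"
                 "sBtaunqbwTmpj4aGGUlhyh5gUt2nf4y6raTq2VBm1HER66OHEO4U43H0mV1")

# Constructed sample, not a real repository: the page's example token in a config
# line, the same token with a fat-fingered leading "g", a classic PAT prefix that
# must not match, and a token cut short by a line wrap that must not match either.
SAMPLE = f"""\
GITHUB_TOKEN={EXAMPLE_TOKEN}
token = "g{EXAMPLE_TOKEN}"
legacy = ghp_0000000000000000000000000000000000000000
partial = {EXAMPLE_TOKEN[:50]}
"""


def passes_prevalidator(text: str) -> bool:
    """True when at least one whitelist pattern occurs anywhere in the document."""
    return any(p in text for p in PREVALIDATOR_PATTERNS)


def find_fine_grained_pats(text: str) -> list:
    """Return the distinct fine-grained PATs in `text`, in order of first appearance.

    The pattern is not anchored to a word boundary, so "ggithub_pat_..." yields the
    same 93-character apikey as the clean occurrence, exactly like the examples above.
    """
    if not passes_prevalidator(text):
        return []
    found = []
    for m in FINE_GRAINED_PAT_RE.finditer(text):
        token = m.group(0)
        if token not in found:
            found.append(token)
    return found


def redact(text: str) -> str:
    """Mask each token down to its prefix and last four characters, for logs and incident reports."""
    return FINE_GRAINED_PAT_RE.sub(lambda m: "github_pat_" + "*" * 78 + m.group(0)[-4:], text)


if __name__ == "__main__":
    for tok in find_fine_grained_pats(SAMPLE):
        print("found:", tok[:11] + "..." + tok[-4:])
    print(redact(SAMPLE))
```

Keep redaction in any tooling that reports hits: the full token must never land in a ticket or chat message, and the last four characters are enough to tell two tokens apart when rotating.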

Secret Analyzer

Analysis Method

  • Provider allows scopes enumeration: False
  • Total network call count: 80
  • Total call count may vary: True

HTTP Calls

GitHub offers no endpoint that lists a fine-grained token's permissions, so the analyzer infers them by calling the endpoints below and reading the responses. The requests are deliberately crafted not to succeed: their purpose is to capture permission metadata from the API's answer, not to perform the action, so none of the write calls listed here creates, modifies or deletes anything. Every probe is a separate request, which is why the call count above is approximate and why a run consumes part of the token's API rate limit.

  • POST: /repos/*/*/releases
  • PATCH: /repos/*/*/secret-scanning/alerts/*
  • GET: /repos/*/*/actions/permissions
  • PUT: /user/blocks/*
  • GET: /user/keys
  • GET: /repos/*/*/secret-scanning/alerts
  • GET: /repos/*/*/codespaces
  • PUT: /user/codespaces/secrets/*
  • POST: /gists
  • GET: /repos/*/*/attestations/*
  • POST: /repos/*/*/attestations
  • GET: /repos/*/*/hooks
  • GET: /repos/*/*/codespaces/permissions_check
  • GET: /repos/*/*/collaborators
  • PUT: /user/interaction-limits
  • GET: /repos/*/*/dependabot/secrets/public-key
  • POST: /user/keys
  • GET: /user
  • POST: /repos/*/*/hooks
  • GET: /repos/*/*/deployments/*
  • POST: /repos/*/*/autolinks
  • POST: /repos/*/*/pages
  • GET: /user/blocks
  • POST: /repos/*/*/actions/jobs/*/rerun
  • GET: /user/followers
  • POST: /repos/*/*/statuses/*
  • GET: /repos/*/*/actions/variables
  • GET: /user/interaction-limits
  • POST: /repos/*/*/dependency-graph/snapshots
  • GET: /repos/*/*/pages/builds/latest
  • GET: /repos/*/*/pulls
  • POST: /user/social_accounts
  • POST: /repos/*/*/actions/variables
  • POST: /repos/*/*/deployments
  • GET: /user/gpg_keys
  • GET: /user/emails
  • PUT: /repos/*/*/dependabot/secrets/*
  • GET: /repos/*/*/actions/secrets/public-key
  • POST: /repos/*/*/pulls
  • POST: /user/gpg_keys
  • PATCH: /user/email/visibility
  • GET: /user/ssh_signing_keys
  • GET: /repos/*/*/releases/latest
  • GET: /repos/*/*/codespaces/machines
  • GET: /repos/*/*/actions/jobs/*
  • POST: /user/ssh_signing_keys
  • GET: /users/*/settings/billing/actions
  • GET: /repos/*/*/commits/*/status
  • GET: /repos/*/*/milestones
  • PUT: /repos/*/*/actions/secrets/*
  • GET: /user/repos
  • PUT: /repos/*/*/codespaces/secrets/*
  • GET: /user/codespaces/secrets/public-key
  • POST: /repos/*/*/issues
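As an added example (not the analyzer's code), here is the probing approach the list above implies, carried out for a handful of those endpoints: a validity check on GET /user, read probes, and write probes whose bodies are intentionally incomplete so that a permitted call fails validation instead of creating anything. The owner/repository pair, the response-to-verdict mapping (401 dead token, 422 permission present, 403 denied, 404 outside the grant), the presence of the X-Accepted-GitHub-Permissions header on denials, and the offline responses for the hypothetical repository acme/widgets are all this example's assumptions.

```python
import json
import os
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional

API = "https://api.github.com"


def urllib_transport(method: str, url: str, headers: dict, body: Optional[bytes]) -> tuple:
    """Real transport (standard library only): (status, lower-cased headers); non-2xx is returned, not raised."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}


@dataclass(frozen=True)
class Probe:
    method: str
    path: str
    body: Optional[dict] = None  # incomplete on purpose: a permitted write fails validation, creates nothing


def probes_for(owner: str, repo: str) -> list:
    """A handful of the endpoints listed above, against one repository the token is thought to reach."""
    r = f"/repos/{owner}/{repo}"
    return [
        Probe("GET", "/user"),                          # also serves as the validity check
        Probe("GET", "/user/emails"),
        Probe("GET", f"{r}/hooks"),
        Probe("GET", f"{r}/collaborators"),
        Probe("GET", f"{r}/actions/secrets/public-key"),
        Probe("POST", f"{r}/issues", body={}),          # required "title" omitted
        Probe("POST", "/gists", body={}),               # required "files" omitted
    ]


@dataclass(frozen=True)
class Result:
    method: str
    path: str
    status: int
    verdict: str   # permitted | denied | not_visible | invalid_token | rate_limited | unexpected
    required: str  # X-Accepted-GitHub-Permissions from a denial, when GitHub sends it; else ""


def interpret(method: str, path: str, status: int, headers: dict) -> Result:
    """Map one response to a verdict. Assumed ordering: GitHub checks the token's permission
    before validating the body, so 422 proves the permission exists, while a token lacking
    it gets 403 (or 404 when the repository is outside the grant)."""
    required = headers.get("x-accepted-github-permissions", "")
    if status == 401:
        verdict = "invalid_token"                # malformed, expired or revoked
    elif status in (200, 201, 204, 422):
        verdict = "permitted"
    elif status == 429 or (status == 403 and headers.get("x-ratelimit-remaining") == "0"):
        verdict = "rate_limited"                 # not a permission answer; retry later
    elif status == 403:
        verdict = "denied"
    elif status == 404:
        verdict = "not_visible"
    else:
        verdict = "unexpected"
    return Result(method, path, status, verdict, required)


def run_probes(token: str, owner: str, repo: str, transport=urllib_transport) -> list:
    """Run every probe and stop early once the token is known to be dead or throttled."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json",
               "X-GitHub-Api-Version": "2022-11-28", "User-Agent": "fine-grained-pat-probe-example"}
    results = []
    for p in probes_for(owner, repo):
        body = json.dumps(p.body).encode() if p.body is not None else None
        status, resp_headers = transport(p.method, API + p.path, headers, body)
        results.append(interpret(p.method, p.path, status, resp_headers))
        if results[-1].verdict in ("invalid_token", "rate_limited"):
            break
    return results


# Constructed responses for offline runs (hypothetical repository acme/widgets). They copy the
# status/header shape of GitHub's answers; none is captured traffic.
FAKE_RESPONSES = {
    ("GET", "/user"): (200, {}),
    ("GET", "/user/emails"): (403, {"x-accepted-github-permissions": "emails=read"}),
    ("GET", "/repos/acme/widgets/hooks"): (403, {"x-accepted-github-permissions": "repository_hooks=read"}),
    ("GET", "/repos/acme/widgets/collaborators"): (200, {}),
    ("GET", "/repos/acme/widgets/actions/secrets/public-key"): (404, {}),
    ("POST", "/repos/acme/widgets/issues"): (422, {}),
    ("POST", "/gists"): (403, {"x-accepted-github-permissions": "gists=write"}),
}


def fake_transport(method: str, url: str, headers: dict, body: Optional[bytes]) -> tuple:
    return FAKE_RESPONSES.get((method, url[len(API):]), (500, {}))


if __name__ == "__main__":
    # Export GH_PAT (plus GH_OWNER/GH_REPO) to probe a real token; otherwise the constructed responses are used.
    token = os.environ.get("GH_PAT")
    owner, repo = os.environ.get("GH_OWNER", "acme"), os.environ.get("GH_REPO", "widgets")
    for res in run_probes(token or "github_pat_placeholder", owner, repo, urllib_transport if token else fake_transport):
        print(f"{res.status} {res.verdict:<13} {res.method} {res.path} {res.required}")
```

Two caveats when running this against a real token: probing is itself activity on the victim's account and will appear in GitHub's logs, so do it from a system you control and record why; and the early stop on a rate-limit answer matters because a throttled 403 looks like a permission denial to naive code and would silently understate what the token can do.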

Other Calls

No other calls for this analyzer.