GitHub Fine Grained Personal Access Token
Description
General
- Documentation: https://docs.github.com/en/rest/overview/permissions-required-for-fine-grained-personal-access-tokens
- Summary: GitHub Fine-Grained Personal Access Tokens are a more granular and secure alternative to classic Personal Access Tokens. These tokens allow users to define highly specific permissions for accessing repositories, organizations, or other resources.
- IPs allowlist: No
- Scopes: Fine-Grained Personal Access Tokens can have a wide variety of permissions, including read/write access to specific repositories, workflows, or packages. For a full list of available permissions, refer to the GitHub documentation.
Revoke the secret
Tokens can be revoked from the personal access tokens settings page (Settings > Developer settings > Personal access tokens). Open the "Fine-grained tokens" section and delete the token to revoke its access.
Check for suspicious activity
There is no way to list the exact API calls made with a given token. However, GitHub provides a per-account security log (and an audit log for organizations) to review account activity and detect suspicious behavior.
Details for GitHub fine-grained PAT
- Family: token
- Category: version_control_platform
- Company: GitHub
- High recall: False
- Validity check available: True
- Analyzer available: True
- On-premise instances exist: True
- Only valid secrets raise an alert: False
- Minimum number of matches: 1
- Occurrences found for one million commits: 45.53
- Prefixed: False
- PreValidators:
  - type: ContentWhitelistPreValidator
    patterns:
      - github_pat_
Examples
```yaml
- text: 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
  apikey: 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
# Fat-fingered secret
- text: g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
  apikey: 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
```
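The two examples above show the intended detector behavior: the ContentWhitelistPreValidator only passes text containing the literal `github_pat_`, and the token is still extracted when a typo precedes the prefix (`ggithub_pat_...`). The following Python is an added illustration of that pipeline, not GitGuardian's detector code. The regex (`github_pat_` + 22 alphanumerics + `_` + 59 alphanumerics) is our assumption, inferred from the shape of the example on this page and GitHub's published token format; the sample lines are constructed.

```python
import re

# Pre-validation mirrors the ContentWhitelistPreValidator listed on this page:
# text is only handed to the regex if it contains the literal "github_pat_".
WHITELIST_PATTERNS = ("github_pat_",)

# Assumed token shape: "github_pat_" + 22 alphanumerics + "_" + 59 alphanumerics.
# Deliberately not anchored at the start so a fat-fingered "ggithub_pat_..." still
# yields the real token; the trailing lookahead stops us from slicing a longer
# alphanumeric run into a fake match.
FINE_GRAINED_PAT = re.compile(r"github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}(?![A-Za-z0-9])")


def prevalidate(text: str) -> bool:
    """Cheap substring check run before the more expensive regex."""
    return any(p in text for p in WHITELIST_PATTERNS)


def extract_tokens(text: str) -> list:
    """Return every fine-grained PAT found in text; [] if prevalidation fails."""
    if not prevalidate(text):
        return []
    return FINE_GRAINED_PAT.findall(text)


def scan_lines(lines) -> list:
    """Scan an iterable of lines; each finding is (line_number, token).
    Minimum number of matches is 1, so a single occurrence is reported."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for tok in extract_tokens(line):
            findings.append((n, tok))
    return findings


# Constructed sample input: the page's example token, the page's fat-fingered
# variant, a truncated token (passes prevalidation, fails the regex) and an
# unrelated GitHub URL (fails prevalidation).
TOKEN = "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"
SAMPLE_LINES = [
    f"GITHUB_TOKEN={TOKEN}",
    f"export GH_PAT=g{TOKEN}",
    "token = github_pat_22BEXUD2A0GiK9sDBQh1R6_sBtaunqbw",
    "see https://github.com/octocat/hello-world",
]

if __name__ == "__main__":
    for n, tok in scan_lines(SAMPLE_LINES):
        print(f"line {n}: {tok[:18]}...")
```

Only lines 1 and 2 of the constructed sample produce a finding; the truncated token on line 3 is dropped by the regex even though it survived prevalidation, which is why the whitelist check alone is not the detector.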
Secret Analyzer
Analysis Method
- Provider allows scopes enumeration: False
- Total network call count: 80
- Total call count may vary: True
HTTP Calls
Requests are constructed to reveal which permissions the token holds and to collect metadata; they are deliberately built so that write calls do not succeed in creating or modifying resources.
- POST: /repos/*/*/releases
- PATCH: /repos/*/*/secret-scanning/alerts/*
- GET: /repos/*/*/actions/permissions
- PUT: /user/blocks/*
- GET: /user/keys
- GET: /repos/*/*/secret-scanning/alerts
- GET: /repos/*/*/codespaces
- PUT: /user/codespaces/secrets/*
- POST: /gists
- GET: /repos/*/*/attestations/*
- POST: /repos/*/*/attestations
- GET: /repos/*/*/hooks
- GET: /repos/*/*/codespaces/permissions_check
- GET: /repos/*/*/collaborators
- PUT: /user/interaction-limits
- GET: /repos/*/*/dependabot/secrets/public-key
- POST: /user/keys
- GET: /user
- POST: /repos/*/*/hooks
- GET: /repos/*/*/deployments/*
- POST: /repos/*/*/autolinks
- POST: /repos/*/*/pages
- GET: /user/blocks
- POST: /repos/*/*/actions/jobs/*/rerun
- GET: /user/followers
- POST: /repos/*/*/statuses/*
- GET: /repos/*/*/actions/variables
- GET: /user/interaction-limits
- POST: /repos/*/*/dependency-graph/snapshots
- GET: /repos/*/*/pages/builds/latest
- GET: /repos/*/*/pulls
- POST: /user/social_accounts
- POST: /repos/*/*/actions/variables
- POST: /repos/*/*/deployments
- GET: /user/gpg_keys
- GET: /user/emails
- PUT: /repos/*/*/dependabot/secrets/*
- GET: /repos/*/*/actions/secrets/public-key
- POST: /repos/*/*/pulls
- POST: /user/gpg_keys
- PATCH: /user/email/visibility
- GET: /user/ssh_signing_keys
- GET: /repos/*/*/releases/latest
- GET: /repos/*/*/codespaces/machines
- GET: /repos/*/*/actions/jobs/*
- POST: /user/ssh_signing_keys
- GET: /users/*/settings/billing/actions
- GET: /repos/*/*/commits/*/status
- GET: /repos/*/*/milestones
- PUT: /repos/*/*/actions/secrets/*
- GET: /user/repos
- PUT: /repos/*/*/codespaces/secrets/*
- GET: /user/codespaces/secrets/public-key
- POST: /repos/*/*/issues
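Since fine-grained PATs expose no scope header (hence "Provider allows scopes enumeration: False"), an analyzer has to infer permissions by probing endpoints like the ones listed above. The following Python is an added example of that approach, not GitGuardian's analyzer. It first validates the token with `GET /user`, then sends a small subset of the probes; write probes carry an empty JSON body so that an authorized call fails validation instead of creating anything. The mapping from probe to permission is taken from GitHub's fine-grained PAT permissions documentation, but the status-code interpretation (401 invalid, 403 "not accessible" denied, 200/201/422 granted, anything else unknown) is our assumption, and the offline `fake_github` transport is a constructed stand-in for api.github.com.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Optional

API = "https://api.github.com"

# (method, path, permission) probes; paths appear in the HTTP Calls list above.
# Permission names are our labels for the GitHub permission each probe exercises.
PROBES = [
    ("GET",  "/user/emails",                                   "email_addresses:read"),
    ("GET",  "/user/keys",                                     "git_ssh_keys:read"),
    ("POST", "/user/keys",                                     "git_ssh_keys:write"),
    ("GET",  "/repos/{owner}/{repo}/hooks",                    "webhooks:read"),
    ("GET",  "/repos/{owner}/{repo}/pulls",                    "pull_requests:read"),
    ("POST", "/repos/{owner}/{repo}/releases",                 "contents:write"),
    ("GET",  "/repos/{owner}/{repo}/actions/secrets/public-key", "secrets:read"),
    ("POST", "/repos/{owner}/{repo}/issues",                   "issues:write"),
]

# transport(method, url, headers, body) -> (status, response_text)
Transport = Callable[[str, str, dict, Optional[bytes]], tuple]


def urllib_transport(method, url, headers, body):
    """Real HTTP transport; GitHub returns errors as HTTPError, which we unwrap."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def classify(status: int, body: str) -> str:
    """Assumed interpretation of GitHub's reply to a probe (see lead-in)."""
    if status == 401:
        return "invalid"
    if status == 403 and "not accessible" in body.lower():
        return "denied"
    if status in (200, 201, 422):
        return "granted"
    return "unknown"   # e.g. 404: repo not in the token's scope, or not found


def analyze(token: str, owner: str, repo: str, transport: Transport = urllib_transport) -> dict:
    headers = {
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "X-GitHub-Api-Version": "2022-11-28",
    }
    result = {"valid": False, "login": None, "granted": [], "denied": [], "unknown": []}
    status, body = transport("GET", f"{API}/user", headers, None)
    if status != 200:
        return result
    result["valid"] = True
    result["login"] = json.loads(body).get("login")
    for method, path, permission in PROBES:
        url = API + path.format(owner=owner, repo=repo)
        payload = b"{}" if method in ("POST", "PUT", "PATCH") else None
        status, body = transport(method, url, headers, payload)
        verdict = classify(status, body)
        if verdict == "invalid":          # token revoked mid-run
            result["valid"] = False
            break
        result[verdict].append(permission)
    return result


def fake_github(valid: bool, granted: set) -> Transport:
    """Constructed offline stand-in for api.github.com (owner octocat, repo demo)."""
    def transport(method, url, headers, body):
        if not valid or not headers.get("Authorization", "").startswith("Bearer github_pat_"):
            return 401, '{"message":"Bad credentials"}'
        path = url[len(API):]
        if path == "/user":
            return 200, '{"login":"octocat"}'
        for m, p, perm in PROBES:
            if m == method and p.format(owner="octocat", repo="demo") == path:
                if perm not in granted:
                    return 403, '{"message":"Resource not accessible by personal access token"}'
                if method == "POST":       # authorized but empty body: rejected, nothing created
                    return 422, '{"message":"Validation Failed"}'
                return 200, "[]"
        return 404, '{"message":"Not Found"}'
    return transport


if __name__ == "__main__":
    import os
    token = os.environ.get("GITHUB_TOKEN", "")
    # Without a real token, demonstrate against the constructed fake.
    transport = urllib_transport if token else fake_github(True, {"email_addresses:read", "contents:write"})
    print(json.dumps(analyze(token or "github_pat_example", "octocat", "demo", transport), indent=2))
```

Two caveats worth keeping in mind when running this against the real API: a 404 on a `/repos/*/*` route is ambiguous (the token may simply lack access to that repository, which is the fine-grained model working as intended), and every probe, including the failed writes, is visible to the token owner in their security log.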
Other Calls
No other calls for this analyzer.