GitHub Fine Grained Personal Access Token

Description

General

• Documentation: https://docs.github.com/en/rest/overview/permissions-required-for-fine-grained-personal-access-tokens

• Summary: GitHub Fine-Grained Personal Access Tokens are a more granular and secure alternative to classic Personal Access Tokens. These tokens allow users to define highly specific permissions for accessing repositories, organizations, or other resources.

• IPs allowlist: No

• Scopes: Fine-Grained Personal Access Tokens can have a wide variety of permissions, including read/write access to specific repositories, workflows, or packages. For a full list of available permissions, refer to the GitHub documentation.

Revoke the secret

Tokens can be revoked from the access tokens panel. Navigate to the "Fine-grained tokens" section and delete the token to revoke access.

Check for suspicious activity

There is no way to check the exact last API calls made with a token. However, GitHub provides security logs to review account activity and detect suspicious behavior.

Details for GitHub fine-grained personal access token

• Family: token

• Category: version_control_platform

• Company: GitHub

• High recall: False

• Validity check available: True

• Analyzer available: True

• On-premise instances exist: True

• Only valid secrets raise an alert: False

• Minimum number of matches: 1

• Occurrences found for one million commits: 45.53

• Prefixed: False

• PreValidators:

- type: ContentWhitelistPreValidator
  patterns:
    - github_pat_

Examples

- text: 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
  apikey: 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

# Fat-fingered secret
- text: g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
  apikey: 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

Secret Analyzer

Analysis Method

• Provider allows scopes enumeration: False
• Total network call count: 80
• Total call count may vary: True

HTTP Calls

Requests are designed to capture metadata and not to function effectively.

• GET: /repos/*/*/actions/jobs/*
• GET: /repos/*/*/actions/permissions
• GET: /repos/*/*/actions/secrets/public-key
• GET: /repos/*/*/actions/variables
• GET: /repos/*/*/attestations/*
• GET: /repos/*/*/codespaces
• GET: /repos/*/*/codespaces/machines
• GET: /repos/*/*/codespaces/permissions_check
• GET: /repos/*/*/collaborators
• GET: /repos/*/*/commits/*/status
• GET: /repos/*/*/dependabot/secrets/public-key
• GET: /repos/*/*/deployments/*
• GET: /repos/*/*/hooks
• GET: /repos/*/*/milestones
• GET: /repos/*/*/pages/builds/latest
• GET: /repos/*/*/pulls
• GET: /repos/*/*/releases/latest
• GET: /repos/*/*/secret-scanning/alerts
• GET: /user
• GET: /user/blocks
• GET: /user/codespaces/secrets/public-key
• GET: /user/emails
• GET: /user/followers
• GET: /user/gpg_keys
• GET: /user/interaction-limits
• GET: /user/keys
• GET: /user/repos
• GET: /user/ssh_signing_keys
• GET: /users/*/settings/billing/actions
• PATCH: /repos/*/*/secret-scanning/alerts/*
• PATCH: /user/email/visibility
• POST: /gists
• POST: /repos/*/*/actions/jobs/*/rerun
• POST: /repos/*/*/actions/variables
• POST: /repos/*/*/attestations
• POST: /repos/*/*/autolinks
• POST: /repos/*/*/dependency-graph/snapshots
• POST: /repos/*/*/deployments
• POST: /repos/*/*/hooks
• POST: /repos/*/*/issues
• POST: /repos/*/*/pages
• POST: /repos/*/*/pulls
• POST: /repos/*/*/releases
• POST: /repos/*/*/statuses/*
• POST: /user/gpg_keys
• POST: /user/keys
• POST: /user/social_accounts
• POST: /user/ssh_signing_keys
• PUT: /repos/*/*/actions/secrets/*
• PUT: /repos/*/*/codespaces/secrets/*
• PUT: /repos/*/*/dependabot/secrets/*
• PUT: /user/blocks/*
• PUT: /user/codespaces/secrets/*
• PUT: /user/interaction-limits

Other Calls

Non-HTTP queries or HTTP calls made through a third-party app (e.g., Python package). No other calls for this analyzer.