Skip to content

GitHub API Token

Service Name: GitHub

Service Description: GitHub is a web-based platform for version control and collaboration that enables developers to store, manage, track, and control changes to their code. It provides hosting for software development and version control using Git.

Service Address: https://github.com/

Validation Type: API Auth, NHI Enriched

IP Allow list: IP restrictions are available at the organization level through GitHub Enterprise security settings.

Secret Access Scope: Grants programmatic access to GitHub repositories, issues, pull requests, and other GitHub API resources based on the token's permissions.

Secret Revokement URL: https://github.com/settings/tokens

Secret Example: ghp_1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p7q8r9

Suspicious Activity Investigation Instructions:

  • Review GitHub audit logs for unusual repository access or actions.
  • Check for unauthorized repository clones, forks, or downloads.
  • Monitor for unexpected collaborator additions or permission changes.
  • Examine commit history for unauthorized code changes or commits.
  • Review webhook configurations for unauthorized additions.
  • Check for unusual API calls or rate limit usage patterns.

Mitigation Instructions:

  • Immediately revoke the compromised token by navigating to GitHub Settings > Developer Settings > Personal Access Tokens.
  • Find the affected token and click "Delete.
  • Create a new token with appropriate scopes if needed.
  • Review repository access and permissions to ensure no unauthorized changes were made.
  • Enable two-factor authentication if not already enabled.
  • Consider implementing SAML SSO for organizational accounts.
  • Set up branch protection rules to prevent force pushes and deletions.
  • Review and update webhook configurations if necessary.
  • Consider implementing GitHub Advanced Security features for additional protection.