GitHub App Keys
Service Name: GitHub
Service Description: GitHub is a web-based platform for version control and collaboration that enables developers to store, manage, track, and control changes to their code. GitHub App Keys are used to authenticate GitHub Apps, which are integrations that can be installed directly on organizations and user accounts and granted access to specific repositories.
Service Address: https://github.com
Validation Type: API Auth
IP Allow list: IP restrictions are available at the organization level through GitHub Enterprise security settings.
Secret Access Scope: GitHub App Keys grant access to GitHub resources based on the permissions configured for the app, which may include repository access, issue management, workflow control, and other GitHub API features.
Secret Revokement URL: https://github.com/settings/apps (Navigate to your GitHub App > Settings > Delete this GitHub App)
Secret Example: ghu_16C7e42F292c6912E7710c838347Ae178B4a
Suspicious Activity Investigation Instructions:
- Review the GitHub audit log for unusual activity related to the app
- Check repository access logs for unexpected operations
- Monitor webhook deliveries for unusual patterns
- Review recent installations or permission changes for the app
- Check for unexpected repository access or code modifications
Mitigation Instructions:
- Immediately revoke the compromised GitHub App key by generating a new private key.
- Navigate to your GitHub App settings
- Select the affected app and select Generate a new private key
- Update all legitimate integrations with the new key
- Review and potentially restrict the app's permissions
- Enable additional security features like IP allow lists if available
- Review all repositories the app had access to for unauthorized changes
- Consider implementing GitHub Advanced Security for additional protection