GitHub Personal Access Token
Service Name: GitHub
Service Description: GitHub is a web-based platform for version control and collaboration that enables developers to store, manage, and track changes to their code repositories. It provides features for code hosting, pull requests, issue tracking, and project management.
Service Address: https://github.com/
Validation Type: API Auth, NHI Enriched
IP Allow list: GitHub supports IP allow lists at the organization level, not at the individual token level. Organization owners can restrict access to specific IP addresses.
Secret Access Scope: Grants programmatic access to GitHub resources based on the scopes assigned to the token. Can provide access to repositories, user data, organization settings, and other GitHub API endpoints.
Secret Revokement URL: https://github.com/settings/tokens
Secret Example: ghp_aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789
Suspicious Activity Investigation Instructions:
- Review the GitHub audit log for unusual activity associated with the token.
- Check repository access logs for unexpected operations or access patterns.
- Examine commit history for unauthorized commits or changes.
- Review GitHub Actions workflow runs for suspicious executions.
- Check for newly added webhooks, integrations, or GitHub Apps.
- Monitor for unauthorized repository access or organization membership changes.
Mitigation Instructions:
- Immediately revoke the compromised token by navigating to GitHub Settings > Developer Settings > Personal Access Tokens.
- Find the compromised token in the list and select Delete.
- Create a new token with appropriate scopes if needed.
- Review and audit all repositories for unauthorized changes or commits.
- Check for any added collaborators, webhooks, or GitHub Apps that may have been added by the attacker.
- Enable two-factor authentication if not already enabled.
- Consider implementing SAML SSO for organization access.
- Review and potentially reduce the scopes granted to new tokens.
- Set appropriate token expiration dates for all personal access tokens.