Skip to content

GitHub Self-Hosted Runner Token

Service Name: GitHub

Service Description: GitHub is a web-based platform for version control and collaboration that lets developers store, manage, track, and control changes to their code. Self-hosted runners are systems you deploy and manage to run jobs from GitHub Actions on your own infrastructure.

Service Address: https://github.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the organization or enterprise level through security settings.

Secret Access Scope: Grants access to register and connect self-hosted runners to GitHub repositories, organizations, or enterprises. These tokens allow runners to communicate with GitHub Actions and execute workflows.

Secret Revokement URL: https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners

Secret Example: ACSAC3TOKENMR2YM4QGFCMNDVS5XCVYHKJ

Suspicious Activity Investigation Instructions:

  • Review GitHub Actions workflow runs for any unauthorized or suspicious jobs.
  • Check the list of registered self-hosted runners in your repository/organization settings.
  • Examine the runner's logs for any unusual commands or workflow executions.
  • Review GitHub audit logs for runner registration events.
  • Monitor for unauthorized code execution or data access through runner jobs.

Mitigation Instructions:

  • Remove the compromised runner from GitHub by navigating to repository/organization Settings > Actions > Runners.
  • Decommission the runner machine or isolate it from your network.
  • Generate a new runner registration token in GitHub.
  • Revoke the old token by removing the runner from GitHub.
  • Review and update GitHub Actions workflow permissions and environment secrets.
  • Consider implementing additional security controls like IP restrictions for GitHub access.
  • Audit other runners for potential compromise and rotate their tokens if necessary.
  • Review GitHub Actions workflow files for any malicious modifications.