GitHub Self-Hosted Runner Token
Service Name: GitHub
Service Description: GitHub is a web-based platform for version control and collaboration that lets developers store, manage, track, and control changes to their code. Self-hosted runners are systems you deploy and manage to run jobs from GitHub Actions on your own infrastructure.
Service Address: https://github.com/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the organization or enterprise level through security settings.
Secret Access Scope: Grants access to register and connect self-hosted runners to GitHub repositories, organizations, or enterprises. These tokens allow runners to communicate with GitHub Actions and execute workflows.
Secret Revokement URL: https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners
Secret Example: ACSAC3TOKENMR2YM4QGFCMNDVS5XCVYHKJ
Suspicious Activity Investigation Instructions:
- Review GitHub Actions workflow runs for any unauthorized or suspicious jobs.
- Check the list of registered self-hosted runners in your repository/organization settings.
- Examine the runner's logs for any unusual commands or workflow executions.
- Review GitHub audit logs for runner registration events.
- Monitor for unauthorized code execution or data access through runner jobs.
Mitigation Instructions:
- Remove the compromised runner from GitHub by navigating to repository/organization Settings > Actions > Runners.
- Decommission the runner machine or isolate it from your network.
- Generate a new runner registration token in GitHub.
- Revoke the old token by removing the runner from GitHub.
- Review and update GitHub Actions workflow permissions and environment secrets.
- Consider implementing additional security controls like IP restrictions for GitHub access.
- Audit other runners for potential compromise and rotate their tokens if necessary.
- Review GitHub Actions workflow files for any malicious modifications.