GitHub token
| Field | Value |
|---|---|
| ID | github_token |
| Severity | critical |
| Vendor | GitHub |
| Family | API Token |
Description
GitHub provides a REST API under https://api.github.com for programmatic access to GitHub.
There is a GitHub user password for logging into GitHub, but access tokens are the preferred way to authenticate to the GitHub API or the GitHub command-line client. Please note that git operations against the server, like uploading commits to the remote repository (git push), recommend

GitHub has discontinued password authentication to the API. Authentication should be done with an API token, such as an OAuth access token, GitHub App installation access token, or personal access token.
The supported tokens are:
- Personal Access Tokens: Issued by a GitHub user with a given scope of permissions. They are prefixed by `ghp_`.
- OAuth Access Tokens: Issued in an OAuth flow to authorize an application to act on behalf of a user. They are prefixed by `gho_`.
- User-to-server Tokens: Issued for a GitHub App and grant access to some API resources on behalf of a user. They are short-lived (expire after 8 hours) and need to be refreshed. Prefixed by `ghu_`.
- Server-to-server Tokens: Issued for a given GitHub App installation. They grant access to some API resources and are also short-lived (an hour by default). Prefixed by `ghu_`.
For full details, see About authentication to GitHub.
Security
Leaked tokens give attackers a window of opportunity to wreak havoc before expiration. They should be handled with as much care as any other credential.
Automation using the continuous integration feature (GitHub Actions) uses virtual machines to run automated processes (workflows). GitHub creates a unique `GITHUB_TOKEN` secret at the start of each workflow run, which can be used by actions that need to authenticate to GitHub, referenced with the standard syntax for secrets: `${{ secrets.GITHUB_TOKEN }}`.
GitHub provides encrypted secrets, which are available for use in GitHub Actions workflows.
GitHub itself automatically revokes a GitHub token when it is pushed to a public repository or public gist.
Examples
A rather trivial token leakage is shown in the following `.env` file committed into a source repository:
GH_TOKEN=ghp_uTzsHn7...
GitHub tokens are often leaked into log files, shell scripts, or unit tests in source code.
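As an added example (not part of the original page or any detector's own code), the following Python scanner finds token-shaped strings in text such as `.env` files and log lines using the prefix scheme above, reports their family, and redacts them so the log can be shared during triage. It assumes the 36-character alphanumeric body of current-format tokens; `ghs_` and `ghr_` are taken from GitHub's published prefix scheme and are not listed in the table on this page. The sample input is constructed and contains no real credentials.

```python
import re

# Token families keyed by prefix. ghp_/gho_/ghu_ come from the table on this
# page; ghs_ (installation access token) and ghr_ (refresh token) are added
# from GitHub's published prefix scheme and are not listed on this page.
TOKEN_FAMILIES = {
    "ghp_": "personal access token",
    "gho_": "OAuth access token",
    "ghu_": "user-to-server token",
    "ghs_": "server-to-server token",
    "ghr_": "refresh token",
}

# Assumption: prefix followed by 36 characters from [A-Za-z0-9].
# \b on both sides stops the prefix from matching inside a longer word.
GITHUB_TOKEN_RE = re.compile(r"\b(gh[pousr]_)([A-Za-z0-9]{36})\b")

# Constructed sample: a committed .env plus a log line; nothing here is real.
SAMPLE = """# constructed sample, not real credentials
GH_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
export GITHUB_TOKEN=ghp_short  # too short to be a token, must not match
2024-01-01T00:00:00Z curl -H "Authorization: Bearer gho_012345678901234567890123456789012345"
"""


def find_github_tokens(text):
    """Return (line_number, family, masked_token) for each token-shaped match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in GITHUB_TOKEN_RE.finditer(line):
            prefix, body = m.group(1), m.group(2)
            masked = prefix + body[:4] + "..." + body[-4:]  # enough to triage, not to use
            findings.append((lineno, TOKEN_FAMILIES[prefix], masked))
    return findings


def redact_github_tokens(text):
    """Replace each token body with asterisks; the prefix is kept for triage."""
    return GITHUB_TOKEN_RE.sub(lambda m: m.group(1) + "*" * 36, text)


if __name__ == "__main__":
    for lineno, family, masked in find_github_tokens(SAMPLE):
        print(f"line {lineno}: {family}: {masked}")
    print(redact_github_tokens(SAMPLE))
```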
Mitigation / Fix
- Remove the GitHub access token from the source code or committed configuration file.
- Follow your policy for handling leaked secrets, which typically requires revoking the secret in the target system(s). GitHub tokens can be revoked here.
- If under a git repository, you may remove unwanted files from the repository history using tools like git filter-repo or BFG Repo-Cleaner. You may follow the procedure listed here for GitHub. You should consider any access token in commits with secrets as compromised. Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.
- Check access logs to ensure that the secret was not used by unintended actors during the compromised period. See Reviewing the audit log for further information.