GitHub Token

Bridgecrew Policy ID: BC_GIT_43
Chekov Check ID: CKV_SECRET_43
Severity: LOW

GitHub Token


GitHub Personal Access Token

Personal access tokens (PATs) are an alternative to using passwords for authentication to GitHub when using the GitHub API or the command line. If you want to use a PAT to access resources owned by an organization that uses SAML SSO, you must authorize the PAT.

GitHub OAuth Access Token

GitHub's OAuth implementation supports the standard authorization code grant type and the OAuth 2.0 Device Authorization Grant for apps that don't have access to a web browser. If you want to skip authorizing your app in the standard way, such as when testing your app, you can use the non-web application flow. To authorize your OAuth app, consider which authorization flow best fits your app.

GitHub App Token

After you create a GitHub App, you'll need to generate one or more private keys. You'll use the private key to sign access token requests. You can create multiple private keys and rotate them to prevent downtime if a key is compromised or lost.

GitHub Refresh Token

To enforce regular token rotation and reduce the impact of a compromised token, you can configure your GitHub App to use expiring user access tokens. Expiring user tokens expire after 8 hours. When you receive a new user-to-server access token, the response will also contain a refresh token, which can be exchanged for a new user token and refresh token. Refresh tokens are valid for 6 months.

Fix - Buildtime

GitHub App Token

  1. In the upper-right corner of any page, click your profile photo, then click Settings.
  2. In the "Integrations" section of the sidebar, click Applications.
  3. Click the Authorized OAuth Apps tab.
  4. Review the tokens that have access to your account. For those that you don't recognize or that are out-of-date, click , then click Revoke. To revoke all tokens, click Revoke all.
curl \
  -H "Accept: application/vnd.github+json" \ 
  -H "Authorization: Bearer <YOUR-TOKEN>" \ \
  -d '{"access_token":"e72e16c7e42f292c6912e7710c838347ae178b4a"}'