Ticket-Safe Sanitizer

GitHub Token Leak Response

Containment and recovery checklist for leaked GitHub personal access tokens and automation tokens.

Updated: 2026-02-24

GitHub token leak response

A leaked GitHub token can expose private repositories, CI secrets, package registries, and deployment workflows. The correct response is immediate and procedural: revoke first, investigate scope second, then rebuild trust for affected automation.

This checklist covers leaks of ghp_, gho_, ghs_, ghu_, and github_pat_ style tokens.

Why it matters

GitHub tokens are often reused in CI/CD systems and automation scripts. If one token leaks in logs, commit comments, or support tickets, attackers can clone source code, modify workflows, or publish malicious packages depending on scope.

Even short-lived exposure is risky. Public mirrors, notification systems, and archived tickets can persist leaked values longer than expected. Fast revocation plus safe evidence sharing is essential.

Step-by-step checklist

  • Revoke the leaked token immediately in GitHub settings or via admin controls.
  • Identify token type: personal access token, fine-grained PAT, app token, or automation token.
  • Determine scope and repositories affected by that token.
  • Check recent GitHub audit logs for suspicious clone, pull, push, secret, or workflow activity.
  • Rotate any downstream secrets the token could access (for example, package registry or deployment secrets).
  • Replace credentials in CI/CD systems and rerun required auth checks.
  • Force a refresh of local developer environments if shared scripts stored the token.
  • Search commit history, issue trackers, chat logs, and support tickets for additional copies.
  • Sanitize all evidence before sharing in internal and vendor channels.
  • Document timeline: leak discovery, revoke time, investigation findings, and closure criteria.

Safe snippet examples

Before:

Authorization: token ghp_1234567890ABCDEFGHIJKLMN

After:

Authorization: token [REDACTED:GITHUB_TOKEN]

Before:

{
  "github_pat": "github_pat_11ABCDEF...",
  "repo": "org/private-service",
  "status": "failed"
}

After:

{
  "github_pat": "[REDACTED:GITHUB_TOKEN]",
  "repo": "org/private-service",
  "status": "failed"
}

Containment notes for CI/CD

  • Re-issue tokens with least privilege and shorter expiration.
  • Scope tokens to required repos only.
  • Prefer GitHub Apps where possible instead of broad PAT usage.
  • Keep tokens in secret managers, not plain env files in repos.
  • Add automated scanning for ghp_ and github_pat_ patterns in logs and build output.
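The redaction shown in the safe snippet examples above and the automated scanning for ghp_ and github_pat_ patterns can be implemented with one small pattern. The following is an added example, not part of the Ticket-Safe Sanitizer product or this page's own code; it assumes a minimum token body length of 20 characters to avoid false positives, and all token values and log lines in it are constructed, not real credentials.

```python
import json
import re

# Prefixes this checklist covers: classic tokens (ghp_, gho_, ghs_, ghu_) and
# fine-grained PATs (github_pat_). The minimum body length of 20 characters is
# an assumption chosen to avoid matching ordinary words; classic tokens are
# longer than that in practice, and fine-grained PATs are longer still.
GITHUB_TOKEN_RE = re.compile(
    r"\b(?:gh[posu]_[A-Za-z0-9]{20,}|github_pat_[A-Za-z0-9_]{20,})\b"
)
PLACEHOLDER = "[REDACTED:GITHUB_TOKEN]"


def redact(text: str) -> str:
    """Replace every GitHub-style token in free text with the placeholder."""
    return GITHUB_TOKEN_RE.sub(PLACEHOLDER, text)


def redact_json(obj):
    """Recursively redact token values inside parsed JSON (dicts, lists, strings)."""
    if isinstance(obj, dict):
        return {k: redact_json(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact_json(v) for v in obj]
    if isinstance(obj, str):
        return redact(obj)
    return obj


def scan(text: str) -> list[str]:
    """Return the prefix of each token found, so an alert can name the token
    type (and trigger revocation) without echoing the secret itself."""
    found = []
    for tok in GITHUB_TOKEN_RE.findall(text):
        found.append("github_pat_" if tok.startswith("github_pat_") else tok[:4])
    return found


# Constructed sample build output; the token values are made up.
SAMPLE_LOG = """\
2026-02-24T17:01:12Z curl -H "Authorization: token ghp_1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ" https://api.github.com/user
2026-02-24T17:01:13Z retry with github_pat_11ABCDEF0123456789ABCD_0123456789abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLM
2026-02-24T17:01:14Z checkout org/private-service ok
"""

if __name__ == "__main__":
    print("token types found:", scan(SAMPLE_LOG))
    print(redact(SAMPLE_LOG))
    failed_job = {"github_pat": "github_pat_11ABCDEF0123456789ABCD_0123456789abcdef", "repo": "org/private-service", "status": "failed"}
    print(json.dumps(redact_json(failed_job), indent=2))
```

Run `scan` over CI logs to alert on token types, and `redact` or `redact_json` over any artifact before it is pasted into a ticket or vendor channel.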

Repository and workflow hardening after revocation

Revocation is only step one. If a leaked token had repository or workflow scope, harden adjacent controls immediately:

  • rotate repository secrets that might have been readable by the compromised token
  • review workflow files for risky pull_request_target and broad permissions
  • enforce branch protections on critical repos
  • require approval for first-time workflow runs where possible
  • restrict token scopes to specific repositories and operations

These controls reduce repeat risk if another token is exposed.

Incident timeline template for GitHub leaks

Use a concrete timeline with exact timestamps:

17:04 UTC - token exposure detected in support thread
17:09 UTC - token revoked
17:15 UTC - audit log review started
17:28 UTC - replacement credentials rolled out to CI
17:41 UTC - suspicious event scan completed (none found)
17:55 UTC - incident status downgraded to monitor-only

A timestamped timeline improves postmortem quality and helps prove containment speed.

Reviewer checklist before closure

  • all exposed tokens revoked
  • replacement tokens confirmed in CI/CD jobs
  • audit logs reviewed for suspicious clone/push/workflow activity
  • ticket/chat artifacts sanitized or removed where possible
  • remediation tasks created for least-privilege cleanup

If any box is incomplete, keep the incident open.

Preventive follow-up

  • use GitHub Apps for automation instead of broad personal tokens
  • enforce repository secret scanning and push protection
  • add sanitizer usage in escalation runbooks
  • review token lifecycle quarterly

Strong token hygiene is a mix of rotation discipline and scope discipline.

Final pre-share check

Confirm token scope minimization is part of follow-up, not optional cleanup. Most repeat incidents are scope-management failures, not revocation failures.