An enterprise’s audit log contains events for each action performed by a user or integration. If the action occurred outside of GitHub’s web UI, the data in the event shows details about how the user or integration was authenticated.
If you discover token corruption, you can determine what actions the compromised token performed by searching the audit log for all events associated with that token.
Token data appears in audit logs for the following authentication methods:
- Personal access token
- OAuth token
- GitHub Apps (install apps or authenticate on behalf of users)
The following token usage data appears in the audit log to help you understand how a user or integration is authenticated:
| information | explanation |
|---|---|
You can use the UI or REST API to identify events associated with a specific token. To identify an event, you first need to know the SHA-256 hash of the token.
Generate SHA-256 hash value for token
Search information on GitHub
While searching audit logs on GitHub, you must include hashed_token:”VALUE” in your search query, replacing VALUE with the SHA-256 hash of the token.
reference: You must enclose the hashed token value in quotes.
Search using REST API
To retrieve a token using the REST API, you must generate a SHA-256 hash and then URI-escape the hash. Most major programming languages provide utilities for URI escaping. for example encodeURIComponent() encodes a string in JavaScript.
Then include the value hashed_token:”VALUE” in your search phrase, replacing it with the URI escape hash.
For example, if the name of the enterprise account is octo-corp, the following curl command searches the audit logs for @octo-corp for all events associated with a token whose URI-encoded SHA-256 hash is EH4L8o6PfCqipALbL%2BQT62lyqUtnI7ql0SPbkaQnjv8.
curl –header “Accept: application/vnd.github+json” –header “Authorization: Bearer YOUR-TOKEN” –header “X-GitHub-Api-Version:2022-11-28” ‘
