Skip to main content

Reviewing your security log

You can review the security log for your personal account to better understand actions you've performed and actions others have performed that involve you.

Accessing your security log

The security log lists all actions performed within the last 90 days.

  1. In the upper-right corner of any page on GitHub, click your profile photo, then click Settings.
  2. In the "Archives" section of the sidebar, click Security log.

Searching your security log

The name for each audit log entry is composed of a category of events, followed by an operation type. For example, the repo.create entry refers to the create operation on the repo category.

Each audit log entry shows applicable information about an event, such as:

  • The enterprise or organization an action was performed in
  • The user (actor) who performed the action
  • The user affected by the action
  • Which repository an action was performed in
  • The action that was performed
  • Which country the action took place in
  • The date and time the action occurred
  • The SAML SSO and SCIM identity of the user (actor) who performed the action
  • For actions outside of the web UI, how the user (actor) authenticated
  • Optionally, the source IP address for the user (actor) who performed the action

Note that you cannot search for entries using text. You can, however, construct search queries using a variety of filters. Many operators used when querying the log, such as -, >, or <, match the same format as searching across GitHub Enterprise Cloud. For more information, see "About searching on GitHub."

Search based on operation

Use the operation qualifier to limit actions to specific types of operations. For example:

  • operation:access finds all events where a resource was accessed.
  • operation:authentication finds all events where an authentication event was performed.
  • operation:create finds all events where a resource was created.
  • operation:modify finds all events where an existing resource was modified.
  • operation:remove finds all events where an existing resource was removed.
  • operation:restore finds all events where an existing resource was restored.
  • operation:transfer finds all events where an existing resource was transferred.

Search based on repository

Use the repo qualifier to limit actions to a specific repository. For example:

  • repo:my-org/our-repo finds all events that occurred for the our-repo repository in the my-org organization.
  • repo:my-org/our-repo repo:my-org/another-repo finds all events that occurred for both the our-repo and another-repo repositories in the my-org organization.
  • -repo:my-org/not-this-repo excludes all events that occurred for the not-this-repo repository in the my-org organization.

Note that you must include the account name within the repo qualifier; searching for just repo:our-repo will not work.

Search based on the user

The actor qualifier can scope events based on who performed the action. For example:

  • actor:octocat finds all events performed by octocat.
  • actor:octocat actor:hubot finds all events performed by octocat or hubot.
  • -actor:hubot excludes all events performed by hubot.

Note that you can only use a GitHub Enterprise Cloud username, not an individual's real name.

Search based on the action performed

The events listed in your security log are triggered by your actions. Actions are grouped into different categories. For the full list of events in each category, see Security log events.

Category nameDescription
billingContains all activities related to your billing information.
codespacesContains all activities related to GitHub Codespaces. For more information, see GitHub Codespaces overview.
copilotContains all activities related to Copilot Business. For more information, see What is GitHub Copilot?.
marketplace_agreement_signatureContains all activities related to signing the GitHub Marketplace Developer Agreement.
marketplace_listingContains all activities related to listing apps in GitHub Marketplace.
oauth_accessContains all activities related to OAuth access tokens.
oauth_authorizationContains all activities related to authorizing OAuth apps. For more information, see Authorizing OAuth apps.
passkeyContains activities related to your passkeys. See About passkeys.
payment_methodContains all activities related to paying for your GitHub subscription.
personal_access_tokenContains activities related to fine-grained personal access tokens. For more information, see Managing your personal access tokens.
profile_pictureContains all activities related to your profile picture.
projectContains all activities related to projects (classic).
public_keyContains all activities related to your public SSH keys.
repoContains all activities related to the repositories you own.
sponsorsContains all events related to GitHub Sponsors and sponsor buttons (see About GitHub Sponsors and Displaying a sponsor button in your repository)
two_factor_authenticationContains all activities related to two-factor authentication.
userContains all activities related to your account.

Exporting your security log

You can export the log as JSON data or a comma-separated value (CSV) file with the Export dropdown menu.

To filter the results in your export, search by one or more of these supported qualifiers before using the Export dropdown menu.

QualifierExample value
actionteam.create
actoroctocat
usercodertocat
orgocto-org
repoocto-org/documentation
created2019-06-01
After you export the log, you'll see the following keys and values in the resulting file.
KeyExample value
actionteam.create
actoroctocat
usercodertocat
actor_location.country_codeUS
orgocto-org
repoocto-org/documentation
created_at1429548104000 (Timestamp shows the time since Epoch with milliseconds.)
data.emailoctocat@nowhere.com
data.hook_id245
data.events["issues", "issue_comment", "pull_request", "pull_request_review_comment"]
data.events_were["push", "pull_request", "issues"]
data.target_loginoctocat
data.old_userhubot
data.teamocto-org/engineering