Your enterprise's audit log contains an event for each action that a user or integration performs. If the action occurred outside of GitHub's web UI, the event's data will show details about how the user or integration authenticated.
If you learn that a token was compromised, you can understand the actions taken by the compromised token by searching the audit log for all events associated with that token.
Token data appears in the audit log for the following authentication methods.
- Personal access token
- OAuth token
- GitHub Apps (authentication as an app installation or on behalf of a user)
The following data about token use appears in the audit log to help you understand how the user or integration authenticated.
- SHA-256 hash of the token used for authentication.
- Type of authentication used.
- If applicable, the scopes for the token.
To identify events associated with a specific token, you can use the UI or REST API. To identify any events, you will need to know the SHA-256 hash of the token first.
If you only have a raw token value, you'll need to generate a SHA-256 hash before you can search for the token.
For macOS and Linux, you can use `echo -n TOKEN | openssl dgst -sha256 -binary | base64`, replacing TOKEN with the token value.
For PowerShell, you can use the following script to return a SHA-256 hash for a given string.

```powershell
Param (
    [Parameter(Mandatory=$true)]
    [string]
    $ClearString
)

# Hash the UTF-8 bytes of the input string with SHA-256
$hasher = [System.Security.Cryptography.HashAlgorithm]::Create('sha256')
$hash = $hasher.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($ClearString))

# Render the digest as a hex string and strip the '-' separators
$hashString = [System.BitConverter]::ToString($hash)
$hashString.Replace('-', '')
```
While searching the audit log on GitHub, include `hashed_token:"VALUE"` in your search query, replacing `VALUE` with the SHA-256 hash of the token.
Note: Make sure to wrap the hashed token value in quotation marks.
When searching the audit log with the REST API, include `hashed_token:"VALUE"` in your search phrase, replacing `VALUE` with the URI-escaped hash.
For example, if the name of the enterprise account is `octo-corp`, the following curl command would search @octo-corp's audit log for all events that are associated with the token whose URI-encoded SHA-256 hash is `EH4L8o6PfCqipALbL%2BQT62lyqUtnI7ql0SPbkaQnjv8`.

```shell
curl --header "Accept: application/vnd.github+json" \
  --header "Authorization: Bearer YOUR-TOKEN" \
  --header "X-GitHub-Api-Version:2022-11-28" \
  'https://api.github.com/enterprises/octo-corp/audit-log?phrase=hashed_token:"EH4L8o6PfCqipALbL%2BQT62lyqUtnI7ql0SPbkaQnjv8"'
```
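The steps above (hash the raw token, URI-escape the hash, search by `hashed_token`) combined in one script, as an added example that is not GitHub's own code. It produces the base64 form used by the `openssl` command and the curl example; the function names, the sample token and the one-JSON-object-per-line export layout are assumptions made for illustration.

```python
import base64
import hashlib
import json
from urllib.parse import quote

API = "https://api.github.com"  # base URL from the curl example on this page


def hashed_token(raw_token):
    """Base64 of the raw SHA-256 digest, matching
    `echo -n TOKEN | openssl dgst -sha256 -binary | base64`."""
    # A pasted token often carries a trailing newline, which would change the hash.
    digest = hashlib.sha256(raw_token.strip().encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def audit_log_url(enterprise, raw_token):
    """Build the REST search URL with the hash URI-escaped inside the phrase."""
    # safe="" so '+', '/' and '=' from the base64 alphabet are all percent-encoded.
    escaped = quote(hashed_token(raw_token), safe="")
    return f'{API}/enterprises/{enterprise}/audit-log?phrase=hashed_token:"{escaped}"'


def events_for_token(jsonl, raw_token):
    """Filter exported audit-log events (assumed: one JSON object per line)."""
    wanted = hashed_token(raw_token)
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        # Web UI events carry no token data, so the key may be absent.
        if event.get("hashed_token") == wanted:
            hits.append(event)
    return hits


# Constructed sample data: the token and the events are made up for this example.
SAMPLE_TOKEN = "ghp_constructed_example_token"
SAMPLE_EXPORT = "\n".join(json.dumps(e) for e in [
    {"action": "repo.download_zip", "hashed_token": hashed_token(SAMPLE_TOKEN)},
    {"action": "org.update_member", "actor": "octocat"},
    {"action": "git.clone", "hashed_token": hashed_token("ghp_other_constructed")},
    {"action": "git.clone", "hashed_token": hashed_token(SAMPLE_TOKEN)},
])

if __name__ == "__main__":
    print(audit_log_url("octo-corp", SAMPLE_TOKEN))
    for ev in events_for_token(SAMPLE_EXPORT, SAMPLE_TOKEN):
        print(ev["action"])
```

Reading the raw token from a prompt or a protected file rather than a command-line argument keeps it out of shell history and process listings.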