The audit log allows organization admins to quickly review the actions performed by members of your organization. It includes details such as who performed the action, what the action was, and when it was performed.
Accessing the audit log
The audit log lists events triggered by activities that affect your organization within the current month and previous six months. Only owners can access an organization's audit log.
By default, only events from the past three months are displayed. To view older events, you must specify a date range with the created parameter. For more information, see "Understanding the search syntax."
In the top right corner of GitHub.com, click your profile photo, then click Your organizations.
Next to the organization, click Settings.
In the "Archives" section of the sidebar, click Logs, then click Audit log.
Searching the audit log
The name for each audit log entry is composed of the action object or category qualifier, followed by an operation type. For example, the repo.create entry refers to the create operation on the repo category.
Each audit log entry shows applicable information about an event, such as:
The organization an action was performed in
The user (actor) who performed the action
The user affected by the action
Which repository an action was performed in
The action that was performed
Which country the action took place in
The date and time the action occurred
Note that you cannot search for entries using text. You can, however, construct search queries using a variety of filters. Many operators used when querying the log, such as -, >, or <, match the same format as searching across GitHub. For more information, see "About searching on GitHub."
Search based on operation
Use the operation qualifier to limit actions to specific types of operations. For example:
operation:access finds all events where a resource was accessed.
operation:authentication finds all events where an authentication event was performed.
operation:create finds all events where a resource was created.
operation:modify finds all events where an existing resource was modified.
operation:remove finds all events where an existing resource was removed.
operation:restore finds all events where an existing resource was restored.
operation:transfer finds all events where an existing resource was transferred.
Search based on repository
Use the repo qualifier to limit actions to a specific repository. For example:
repo:my-org/our-repo finds all events that occurred for the our-repo repository in the my-org organization.
repo:my-org/our-repo repo:my-org/another-repo finds all events that occurred for both the our-repo and another-repo repositories in the my-org organization.
-repo:my-org/not-this-repo excludes all events that occurred for the not-this-repo repository in the my-org organization.
Note that you must include the account name within the repo qualifier; searching for just repo:our-repo will not work.
Search based on the user
The actor qualifier can scope events based on who performed the action. For example:
actor:octocat finds all events performed by octocat.
actor:octocat actor:hubot finds all events performed by octocat or hubot.
-actor:hubot excludes all events performed by hubot.
Note that you can only use a GitHub username, not an individual's real name.
Search based on the action performed
To search for specific events, use the action qualifier in your query. Actions listed in the audit log are grouped within the following categories:
Contains all activities related to crediting a contributor for a security advisory in the GitHub Advisory Database. For more information, see "About repository security advisories."
Contains organization-level configuration activities for Dependabot alerts in existing repositories. For more information, see "About Dependabot alerts."
Contains organization-level configuration activities for Dependabot security updates in existing repositories. For more information, see "Configuring Dependabot security updates."
Contains repository-level activities related to security advisories in the GitHub Advisory Database. For more information, see "About repository security advisories."
Contains repository-level activities related to enabling or disabling the dependency graph for a private repository. For more information, see "About the dependency graph."
Contains activities related to GitHub Actions workflows.
You can search for specific sets of actions using these terms. For example:
action:team finds all events grouped within the team category.
-action:hook excludes all events in the webhook category.
Each category has a set of associated actions that you can filter on. For example:
action:team.create finds all events where a team was created.
-action:hook.events_changed excludes all events where the events on a webhook have been altered.
Search based on time of action
Use the created qualifier to filter events in the audit log based on when they occurred. Date formatting must follow the ISO8601 standard, which is YYYY-MM-DD (year-month-day). You can also add optional time information THH:MM:SS+00:00 after the date, to search by the hour, minute, and second. That's T, followed by HH:MM:SS (hour-minutes-seconds), and a UTC offset (+00:00).
When you search for a date, you can use greater than, less than, and range qualifiers to further filter results. For more information, see "Understanding the search syntax."
For example:
created:2014-07-08 finds all events that occurred on July 8th, 2014.
created:>=2014-07-08 finds all events that occurred on or after July 8th, 2014.
created:<=2014-07-08 finds all events that occurred on or before July 8th, 2014.
created:2014-07-01..2014-07-31 finds all events that occurred in the month of July 2014.
Note: The audit log contains data for the current month and every day of the previous six months.
Search based on location
Using the qualifier country, you can filter events in the audit log based on the originating country. You can use a country's two-letter short code or its full name. Keep in mind that countries with spaces in their name will need to be wrapped in quotation marks. For example:
country:de finds all events that occurred in Germany.
country:Mexico finds all events that occurred in Mexico.
country:"United States" all finds events that occurred in the United States.
Exporting the audit log
You can export the log as JSON data or a comma-separated value (CSV) file.
To filter the results in your export, search by one or more of these supported qualifiers before using the Export drop-down menu.
Qualifier
Example value
action
team.create
actor
octocat
user
codertocat
org
octo-org
repo
octo-org/documentation
created
2019-06-01
After you export the log, you'll see the following keys and values in the resulting file.
Key
Example value
action
team.create
actor
octocat
user
codertocat
actor_location.country_code
US
org
octo-org
repo
octo-org/documentation
created_at
1429548104000 (Timestamp shows the time since Epoch with milliseconds.)
Organizations that use GitHub Enterprise Cloud can interact with the audit log using the GraphQL API and REST API. For more information, see the GitHub Enterprise Cloud documentation.
Audit log actions
An overview of some of the most common actions that are recorded as events in the audit log.
account category actions
Action
Description
billing_plan_change
Triggered when an organization's billing cycle changes.
plan_change
Triggered when an organization's subscription changes.
Triggered when the runner application is updated. Can be viewed using the REST API and the UI; not visible in the JSON/CSV export. For more information, see "About self-hosted runners."
self_hosted_runner_online
Triggered when the runner application is started. Can only be viewed using the REST API; not visible in the UI or JSON/CSV export. For more information, see "Monitoring and troubleshooting self-hosted runners."
self_hosted_runner_offline
Triggered when the runner application is stopped. Can only be viewed using the REST API; not visible in the UI or JSON/CSV export. For more information, see "Monitoring and troubleshooting self-hosted runners."
Note: To access Git events in the audit log, you must use the audit log REST API. The audit log REST API is available for users of GitHub Enterprise Cloud only. For more information, see "Organizations."
The audit log retains Git events for seven days. This is shorter than other audit log events, which can be retained for up to seven months.
Action
Description
clone
Triggered when a repository is cloned.
fetch
Triggered when changes are fetched from a repository.
push
Triggered when changes are pushed to a repository.
Triggered when an existing hook has its configuration altered.
destroy
Triggered when an existing hook was removed from a repository.
events_changed
Triggered when the events on a hook have been altered.
integration_installation category actions
Action
Description
contact_email_changed
A contact email for an integration was changed.
create
An integration was installed.
destroy
An integration was uninstalled.
repositories_added
Repositories were added to an integration.
repositories_removed
Repositories were removed from an integration.
suspend
An integration was suspended.
unsuspend
An integration was unsuspended.
version_updated
Permissions for an integration were updated.
integration_installation_request category actions
Action
Description
create
Triggered when an organization member requests that an organization owner install an integration for use in the organization.
close
Triggered when a request to install an integration for use in an organization is either approved or denied by an organization owner, or canceled by the organization member who opened the request.
issue category actions
Action
Description
destroy
Triggered when an organization owner or someone with admin permissions in a repository deletes an issue from an organization-owned repository.
marketplace_agreement_signature category actions
Action
Description
create
Triggered when you sign the GitHub Marketplace Developer Agreement.
marketplace_listing category actions
Action
Description
approve
Triggered when your listing is approved for inclusion in GitHub Marketplace.
create
Triggered when you create a listing for your app in GitHub Marketplace.
delist
Triggered when your listing is removed from GitHub Marketplace.
redraft
Triggered when your listing is sent back to draft state.
reject
Triggered when your listing is not accepted for inclusion in GitHub Marketplace.
Triggered when an organization admin creates an export of the organization audit log. If the export included a query, the log will list the query used and the number of audit log entries matching that query.
Triggered when an organization invitation has been revoked.
codeql_disabled
Triggered when an organization owner or person with admin access to the organization disables code scanning for repositories that use the default setup for CodeQL.
codeql_enabled
Triggered when an organization owner or person with admin access to the organization enables code scanning for repositories that are eligible to use the default setup for CodeQL.
create_actions_secret
Triggered when a GitHub Actions secret is created for an organization. For more information, see "Encrypted secrets."
Triggered when an owner disables a two-factor authentication requirement for all members, billing managers, and outside collaborators in an organization.
Triggered when the REST API is used to remove a self-hosted runner from a group. For more information, see "Actions."
runner_group_runners_updated
Triggered when a runner group's list of members is updated. For more information, see "Actions."
self_hosted_runner_online
Triggered when the runner application is started. Can only be viewed using the REST API; not visible in the UI or JSON/CSV export. For more information, see "Monitoring and troubleshooting self-hosted runners."
self_hosted_runner_offline
Triggered when the runner application is stopped. Can only be viewed using the REST API; not visible in the UI or JSON/CSV export. For more information, see "Monitoring and troubleshooting self-hosted runners."
self_hosted_runner_updated
Triggered when the runner application is updated. Can be viewed using the REST API and the UI; not visible in the JSON/CSV export. For more information, see "About self-hosted runners."
Triggered when an owner changes the default repository permission level for organization members.
update_member
Triggered when an owner changes a person's role from owner to member or member to owner.
update_member_repository_creation_permission
Triggered when an owner changes the create repository permission for organization members.
update_saml_provider_settings
Triggered when an organization's SAML provider settings are updated.
update_terms_of_service
Triggered when an organization changes between the Standard Terms of Service and the Corporate Terms of Service. For more information, see "Upgrading to the Corporate Terms of Service."
Triggered when a member of the organization cancels a request for their fine-grained personal access token to access organization resources.
request_created
Triggered when a member of the organization creates a fine-grained personal access token to access organization resources and the organization requires approval before a fine-grained personal access token can access organization resources. For more information, see "Managing requests for personal access tokens in your organization."
Triggered when GitHub Actions is enabled for a repository. Can be viewed using the UI. This event is not included when you access the audit log using the REST API. For more information, see "Using the audit log API."
Triggered when the runner application is started. Can only be viewed using the REST API; not visible in the UI or JSON/CSV export. For more information, see "Monitoring and troubleshooting self-hosted runners."
self_hosted_runner_offline
Triggered when the runner application is stopped. Can only be viewed using the REST API; not visible in the UI or JSON/CSV export. For more information, see "Monitoring and troubleshooting self-hosted runners."
self_hosted_runner_updated
Triggered when the runner application is updated. Can be viewed using the REST API and the UI; not visible in the JSON/CSV export. For more information, see "About self-hosted runners."
Triggered when an enterprise owner or GitHub Support (with permission from a repository administrator) temporarily unlocked the repository. The visibility of the repository isn't changed.
Triggered when a repository owner or person with admin access to the repository disables the dependency graph for a private repository. For more information, see "About the dependency graph."
enable
Triggered when a repository owner or person with admin access to the repository enables the dependency graph for a private repository.
repository_invitation category actions
Action
Description
repository_invitation.accept
An invitation to join a repository was accepted.
repository_invitation.cancel
An invitation to join a repository was canceled.
repository_invitation.create
An invitation to join a repository was sent.
repository_invitation.reject
An invitation to join a repository was declined.
repository_vulnerability_alert category actions
Action
Description
create
Triggered when GitHub creates a Dependabot alert for a repository that uses a vulnerable dependency. For more information, see "About Dependabot alerts."
dismiss
Triggered when an organization owner or person with admin, write, or maintain access to the repository dismisses a Dependabot alert about a vulnerable dependency.
resolve
Triggered when someone with write or maintain access to a repository pushes changes to update and resolve a vulnerability in a project dependency.
repository_vulnerability_alerts category actions
Action
Description
authorized_users_teams
Triggered when an organization owner or a person with admin permissions to the repository updates the list of people or teams authorized to receive Dependabot alerts for the repository. For more information, see "Managing security and analysis settings for your repository."
disable
Triggered when a repository owner or person with admin access to the repository disables Dependabot alerts.
enable
Triggered when a repository owner or person with admin access to the repository enables Dependabot alerts.
secret_scanning_alert category actions
Action
Description
create
Triggered when GitHub detects an exposed secret and creates a secret scanning alert. For more information, see "Managing alerts from secret scanning."
reopen
Triggered when a user reopens a secret scanning alert.
resolve
Triggered when a user resolves a secret scanning alert.
sponsors category actions
Action
Description
custom_amount_settings_change
Triggered when you enable or disable custom amounts, or when you change the suggested custom amount (see "Managing your sponsorship tiers")
Triggered when an organization owner enables team discussions for an organization.
workflows category actions
Action
Description
cancel_workflow_run
Triggered when a workflow run has been cancelled. For more information, see "Canceling a workflow."
completed_workflow_run
Triggered when a workflow status changes to completed. Can only be viewed using the REST API; not visible in the UI or the JSON/CSV export. For more information, see "Viewing workflow run history."
created_workflow_run
Triggered when a workflow run is created. Can only be viewed using the REST API; not visible in the UI or the JSON/CSV export. For more information, see "Understanding GitHub Actions."
delete_workflow_run
Triggered when a workflow run is deleted. For more information, see "Deleting a workflow run."
disable_workflow
Triggered when a workflow is disabled.
enable_workflow
Triggered when a workflow is enabled, after previously being disabled by disable_workflow.
Triggered when a workflow job is started. Includes the list of secrets that were provided to the job. Can only be viewed using the REST API. It is not visible in the GitHub web interface or included in the JSON/CSV export. For more information, see "Events that trigger workflows."
approve_workflow_job
Triggered when a workflow job has been approved. For more information, see "Reviewing deployments."
reject_workflow_job
Triggered when a workflow job has been rejected. For more information, see "Reviewing deployments."