Accessing your security log
The security log lists all actions performed within the last 90 days.
-
In the upper-right corner of any page, click your profile photo, then click Settings.
-
In the "Archives" section of the sidebar, click Security log.
Searching your security log
The name for each audit log entry is composed of the action object or category qualifier, followed by an operation type. For example, the repo.create entry refers to the create operation on the repo category.
Each audit log entry shows applicable information about an event, such as:
- The enterprise or organization an action was performed in
- The user (actor) who performed the action
- The user affected by the action
- Which repository an action was performed in
- The action that was performed
- Which country the action took place in
- The date and time the action occurred
- Optionally, the source IP address for the user (actor) who performed the action
Note that you cannot search for entries using text. You can, however, construct search queries using a variety of filters. Many operators used when querying the log, such as -, >, or <, match the same format as searching across GitHub Enterprise Cloud. For more information, see "About searching on GitHub."
Search based on operation
Use the operation qualifier to limit actions to specific types of operations. For example:
operation:accessfinds all events where a resource was accessed.operation:authenticationfinds all events where an authentication event was performed.operation:createfinds all events where a resource was created.operation:modifyfinds all events where an existing resource was modified.operation:removefinds all events where an existing resource was removed.operation:restorefinds all events where an existing resource was restored.operation:transferfinds all events where an existing resource was transferred.
Search based on repository
Use the repo qualifier to limit actions to a specific repository. For example:
repo:my-org/our-repofinds all events that occurred for theour-reporepository in themy-orgorganization.repo:my-org/our-repo repo:my-org/another-repofinds all events that occurred for both theour-repoandanother-reporepositories in themy-orgorganization.-repo:my-org/not-this-repoexcludes all events that occurred for thenot-this-reporepository in themy-orgorganization.
Note that you must include the account name within the repo qualifier; searching for just repo:our-repo will not work.
Search based on the user
The actor qualifier can scope events based on who performed the action. For example:
actor:octocatfinds all events performed byoctocat.actor:octocat actor:hubotfinds all events performed byoctocatorhubot.-actor:hubotexcludes all events performed byhubot.
Note that you can only use a GitHub Enterprise Cloud username, not an individual's real name.
Search based on the action performed
The events listed in your security log are triggered by your actions. Actions are grouped into the following categories:
| Category name | Description |
|---|---|
billing | Contains all activities related to your billing information. |
codespaces | Contains all activities related to GitHub Codespaces. For more information, see "GitHub Codespaces overview." |
marketplace_agreement_signature | Contains all activities related to signing the GitHub Marketplace Developer Agreement. |
marketplace_listing | Contains all activities related to listing apps in GitHub Marketplace. |
oauth_access | Contains all activities related to OAuth Apps you've connected with. |
payment_method | Contains all activities related to paying for your GitHub subscription. |
personal_access_token | Contains activities related to fine-grained personal access tokens. For more information, see "Creating a personal access token." |
profile_picture | Contains all activities related to your profile picture. |
project | Contains all activities related to project boards. |
public_key | Contains all activities related to your public SSH keys. |
repo | Contains all activities related to the repositories you own. |
sponsors | Contains all events related to GitHub Sponsors and sponsor buttons (see "About GitHub Sponsors" and "Displaying a sponsor button in your repository") |
two_factor_authentication | Contains all activities related to two-factor authentication. |
user | Contains all activities related to your account. |
Exporting your security log
You can export the log as JSON data or a comma-separated value (CSV) file.
To filter the results in your export, search by one or more of these supported qualifiers before using the Export drop-down menu.
| Qualifier | Example value |
|---|---|
action | team.create |
actor | octocat |
user | codertocat |
org | octo-org |
repo | octo-org/documentation |
created | 2019-06-01 |
After you export the log, you'll see the following keys and values in the resulting file.
| Key | Example value |
|---|---|
action | team.create |
actor | octocat |
user | codertocat |
actor_location.country_code | US |
org | octo-org |
repo | octo-org/documentation |
created_at | 1429548104000 (Timestamp shows the time since Epoch with milliseconds.) |
data.email | octocat@nowhere.com |
data.hook_id | 245 |
data.events | ["issues", "issue_comment", "pull_request", "pull_request_review_comment"] |
data.events_were | ["push", "pull_request", "issues"] |
data.target_login | octocat |
data.old_user | hubot |
data.team | octo-org/engineering |
Security log actions
An overview of some of the most common actions that are recorded as events in the security log.
billing category actions
| Action | Description |
|---|---|
change_billing_type | Triggered when you change how you pay for GitHub. |
change_email | Triggered when you change your email address. |
codespaces category actions
| Action | Description |
|---|---|
create | Triggered when you create a codespace. |
resume | Triggered when you resume a suspended codespace. |
delete | Triggered when you delete a codespace. |
manage_access_and_security | Triggered when you update the repositories a codespace has access to. |
trusted_repositories_access_update | Triggered when you change your personal account's access and security setting for Codespaces. |
marketplace_agreement_signature category actions
| Action | Description |
|---|---|
create | Triggered when you sign the GitHub Marketplace Developer Agreement. |
marketplace_listing category actions
| Action | Description |
|---|---|
approve | Triggered when your listing is approved for inclusion in GitHub Marketplace. |
create | Triggered when you create a listing for your app in GitHub Marketplace. |
delist | Triggered when your listing is removed from GitHub Marketplace. |
redraft | Triggered when your listing is sent back to draft state. |
reject | Triggered when your listing is not accepted for inclusion in GitHub Marketplace. |
oauth_authorization category actions
| Action | Description |
|---|---|
create | Triggered when you grant access to an OAuth App. |
destroy | Triggered when you revoke an OAuth App's access to your account and when authorizations are revoked or expire. |
payment_method category actions
| Action | Description |
|---|---|
create | Triggered when a new payment method is added, such as a new credit card or PayPal account. |
update | Triggered when an existing payment method is updated. |
personal_access_token category actions
| Action | Description |
|---|---|
access_granted | Triggered when a fine-grained personal access token that you created is granted access to resources. |
access_revoked | Triggered when a fine-grained personal access token that you created is revoked. The token can still read public organization resources. |
create | Triggered when you create a fine-grained personal access token. |
credential_regenerated | Triggered when you regenerate a fine-grained personal access token. |
destroy | Triggered when you delete a fine-grained personal access token. |
request_cancelled | Triggered when you cancel a pending request for your fine-grained personal access token to access organization resources. |
request_created | Triggered when you create a fine-grained personal access token to access organization resources and the organization requires approval before a fine-grained personal access token can access organization resources. |
request_denied | Triggered when your request for a fine-grained personal access token to access organization resources is denied. For more information, see "Managing requests for personal access tokens in your organization." |
profile_picture category actions
| Action | Description |
|---|---|
update | Triggered when you set or update your profile picture. |
project category actions
| Action | Description |
|---|---|
access | Triggered when a project board's visibility is changed. |
create | Triggered when a project board is created. |
rename | Triggered when a project board is renamed. |
update | Triggered when a project board is updated. |
delete | Triggered when a project board is deleted. |
link | Triggered when a repository is linked to a project board. |
unlink | Triggered when a repository is unlinked from a project board. |
update_user_permission | Triggered when an outside collaborator is added to or removed from a project board or has their permission level changed. |
public_key category actions
| Action | Description |
|---|---|
create | Triggered when you add a new public SSH key to your account on GitHub.com. |
delete | Triggered when you remove a public SSH key to your account on GitHub.com. |
repo category actions
| Action | Description |
|---|---|
access | Triggered when you a repository you own is switched from "private" to "public" (or vice versa). |
add_member | Triggered when a GitHub Enterprise Cloud user is invited to have collaboration access to a repository. |
add_topic | Triggered when a repository owner adds a topic to a repository. |
archived | Triggered when a repository owner archives a repository. |
create | Triggered when a new repository is created. |
destroy | Triggered when a repository is deleted. |
disable | Triggered when a repository is disabled (e.g., for insufficient funds). |
download_zip | Triggered when a ZIP or TAR archive of a repository is downloaded. |
enable | Triggered when a repository is re-enabled. |
remove_member | Triggered when a GitHub Enterprise Cloud user is removed from a repository as a collaborator. |
remove_topic | Triggered when a repository owner removes a topic from a repository. |
rename | Triggered when a repository is renamed. |
staff_unlock | Triggered when an enterprise owner or GitHub Support (with permission from a repository administrator) temporarily unlocked the repository. The visibility of the repository isn't changed. |
transfer | Triggered when a repository is transferred. |
transfer_start | Triggered when a repository transfer is about to occur. |
unarchived | Triggered when a repository owner unarchives a repository. |
sponsors category actions
| Action | Description |
|---|---|
custom_amount_settings_change | Triggered when you enable or disable custom amounts, or when you change the suggested custom amount (see "Managing your sponsorship tiers") |
repo_funding_links_file_action | Triggered when you change the FUNDING file in your repository (see "Displaying a sponsor button in your repository") |
sponsor_sponsorship_cancel | Triggered when you cancel a sponsorship (see "Downgrading a sponsorship") |
sponsor_sponsorship_create | Triggered when you sponsor an account (see "Sponsoring an open source contributor") |
sponsor_sponsorship_payment_complete | Triggered after you sponsor an account and your payment has been processed (see "Sponsoring an open source contributor") |
sponsor_sponsorship_preference_change | Triggered when you change whether you receive email updates from a sponsored developer (see "Managing your sponsorship") |
sponsor_sponsorship_tier_change | Triggered when you upgrade or downgrade your sponsorship (see "Upgrading a sponsorship" and "Downgrading a sponsorship") |
sponsored_developer_approve | Triggered when your GitHub Sponsors account is approved (see "Setting up GitHub Sponsors for your personal account") |
sponsored_developer_create | Triggered when your GitHub Sponsors account is created (see "Setting up GitHub Sponsors for your personal account") |
sponsored_developer_disable | Triggered when your GitHub Sponsors account is disabled |
sponsored_developer_redraft | Triggered when your GitHub Sponsors account is returned to draft state from approved state |
sponsored_developer_profile_update | Triggered when you edit your sponsored developer profile (see "Editing your profile details for GitHub Sponsors") |
sponsored_developer_request_approval | Triggered when you submit your application for GitHub Sponsors for approval (see "Setting up GitHub Sponsors for your personal account") |
sponsored_developer_tier_description_update | Triggered when you change the description for a sponsorship tier (see "Managing your sponsorship tiers") |
sponsored_developer_update_newsletter_send | Triggered when you send an email update to your sponsors (see "Contacting your sponsors") |
waitlist_invite_sponsored_developer | Triggered when you are invited to join GitHub Sponsors from the waitlist (see "Setting up GitHub Sponsors for your personal account") |
waitlist_join | Triggered when you join the waitlist to become a sponsored developer (see "Setting up GitHub Sponsors for your personal account") |
successor_invitation category actions
| Action | Description |
|---|---|
accept | Triggered when you accept a succession invitation (see "Maintaining ownership continuity of your personal account's repositories") |
cancel | Triggered when you cancel a succession invitation (see "Maintaining ownership continuity of your personal account's repositories") |
create | Triggered when you create a succession invitation (see "Maintaining ownership continuity of your personal account's repositories") |
decline | Triggered when you decline a succession invitation (see "Maintaining ownership continuity of your personal account's repositories") |
revoke | Triggered when you revoke a succession invitation (see "Maintaining ownership continuity of your personal account's repositories") |
two_factor_authentication category actions
| Action | Description |
|---|---|
enabled | Triggered when two-factor authentication is enabled. |
disabled | Triggered when two-factor authentication is disabled. |
user category actions
| Action | Description |
|---|---|
add_email | Triggered when you add a new email address. |
codespaces_trusted_repo_access_granted | Triggered when you allow the codespaces you create for a repository to access other repositories owned by your personal account. |
codespaces_trusted_repo_access_revoked | Triggered when you disallow the codespaces you create for a repository to access other repositories owned by your personal account. |
create | Triggered when you create a new personal account. |
change_password | Triggered when you change your password. |
forgot_password | Triggered when you ask for a password reset. |
hide_private_contributions_count | Triggered when you hide private contributions on your profile. |
login | Triggered when you log in to GitHub.com. |
failed_login | Triggered when you failed to log in successfully. |
remove_email | Triggered when you remove an email address. |
rename | Triggered when you rename your account. |
report_content | Triggered when you report an issue or pull request, or a comment on an issue, pull request, or commit. |
show_private_contributions_count | Triggered when you publicize private contributions on your profile. |
two_factor_requested | Triggered when GitHub Enterprise Cloud asks you for your two-factor authentication code. |
user_status category actions
| Action | Description |
|---|---|
update | Triggered when you set or change the status on your profile. For more information, see "Personalizing your profile." |
destroy | Triggered when you clear the status on your profile. |