Redact GitHub Personal Access Tokens
Detect and redact GitHub personal access tokens, fine-grained tokens, and OAuth tokens from Git configs, CI logs, and scripts. Prevent unauthorized repository access.
Detailed Explanation
Redacting GitHub Tokens
GitHub tokens grant access to repositories, organizations, and GitHub APIs. A leaked token can allow an attacker to read private code, push malicious commits, create releases, or exfiltrate sensitive data from your organization.
GitHub Token Types
GitHub uses several token formats, each with a distinctive prefix. Lengths below count the whole token including the prefix; the example bodies are placeholders of the right shape, not real tokens:

| Token Type | Prefix | Length | Example |
|---|---|---|---|
| Personal Access Token (classic) | ghp_ | 40 chars | ghp_ABCDEFghijklmnop1234567890abcdefghij |
| Fine-grained PAT | github_pat_ | 93 chars (body may contain underscores) | github_pat_11AABBC... |
| OAuth Access Token | gho_ | 40 chars | gho_ABCDEFghijklmnop1234567890abcdefghij |
| GitHub App Installation Token | ghs_ | 40 chars | ghs_ABCDEFghijklmnop1234567890abcdefghij |
| GitHub App User-to-Server Token | ghu_ | 40 chars | ghu_ABCDEFghijklmnop1234567890abcdefghij |
Detection Pattern
The prefixed format makes GitHub tokens highly reliable to detect:

```regex
(ghp_|gho_|ghs_|ghu_|github_pat_)[A-Za-z0-9_]{30,}
```

Because the prefixes are unique to GitHub, this pattern produces almost no false positives. The residual risk is false negatives: a token that has been URL-encoded, base64-encoded, or wrapped across two log lines will not match, and the pattern above does not include the ghr_ prefix that GitHub uses for App refresh tokens, so add it if your scope includes OAuth refresh flows.
Common Leak Locations
- Git configuration: `.gitconfig` or `.git-credentials` with HTTPS URLs like `https://ghp_xxx@github.com/...`
- CI/CD logs: GitHub Actions workflows that accidentally echo the `GITHUB_TOKEN`
- Shell history: commands like `curl -H "Authorization: token ghp_..."`
- Package manager configs: `.npmrc` with `//npm.pkg.github.com/:_authToken=ghp_...`
- Docker build args: tokens passed as build arguments and cached in image layers
```bash
# Before redaction
git clone https://ghp_ABCDEFghijklmnop1234567890abcdefghij@github.com/org/repo.git
export GITHUB_TOKEN=ghp_ABCDEFghijklmnop1234567890abcdefghij

# After redaction
git clone https://[REDACTED_GITHUB_TOKEN]@github.com/org/repo.git
export GITHUB_TOKEN=[REDACTED_GITHUB_TOKEN]
```
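The following is an added example of the detection pattern above applied to constructed log lines, producing the same before/after redaction shown here. It is not the Secret Redactor's own code. It keys on the prefixes from the token table, adds the ghr_ refresh-token prefix beyond the five types the table lists, and records a short SHA-256 fingerprint of each token so the team can tell which token to revoke without the redacted log ever containing it. The sample log, the `TOKEN_TYPES` names, and the function names are all assumptions made for this example.

```python
import hashlib
import re

# Added example, not the Secret Redactor's own code. Prefix list is the
# table above plus ghr_ (GitHub App refresh tokens), which the table omits.
TOKEN_TYPES = {
    "ghp_": "classic PAT",
    "gho_": "OAuth access token",
    "ghs_": "App installation token",
    "ghu_": "App user-to-server token",
    "ghr_": "App refresh token",
    "github_pat_": "fine-grained PAT",
}

# Body: classic/OAuth/App tokens are 36 alphanumerics after a 4-char prefix;
# fine-grained PATs are longer and contain an underscore, so '_' is allowed
# and the upper bound is left open, as in the page's pattern. The leading \b
# keeps the prefix from matching inside a longer word.
GITHUB_TOKEN_RE = re.compile(
    r"\b(?P<prefix>" + "|".join(re.escape(p) for p in TOKEN_TYPES) + r")[A-Za-z0-9_]{30,}"
)

PLACEHOLDER = "[REDACTED_GITHUB_TOKEN]"


def fingerprint(token: str) -> str:
    """Non-reversible 8-hex handle: lets the same token be correlated across
    logs and matched to the one you revoke, without exposing the token."""
    return hashlib.sha256(token.encode()).hexdigest()[:8]


def redact_github_tokens(text: str, keep_fingerprint: bool = False) -> str:
    """Replace every GitHub token in text with the placeholder
    (optionally suffixed with its fingerprint for triage)."""

    def _replace(m: re.Match) -> str:
        if keep_fingerprint:
            return f"[REDACTED_GITHUB_TOKEN:{fingerprint(m.group(0))}]"
        return PLACEHOLDER

    return GITHUB_TOKEN_RE.sub(_replace, text)


def find_github_tokens(text: str) -> list[tuple[str, str]]:
    """Return (token type, fingerprint) for each token, for revocation triage."""
    return [
        (TOKEN_TYPES[m.group("prefix")], fingerprint(m.group(0)))
        for m in GITHUB_TOKEN_RE.finditer(text)
    ]


# Constructed sample log covering the leak locations listed above. The token
# bodies are placeholders of the right length and shape, not real credentials.
SAMPLE_LOG = "\n".join([
    "git clone https://ghp_ABCDEFghijklmnop1234567890abcdefghij@github.com/org/repo.git",
    'curl -H "Authorization: token gho_ABCDEFghijklmnop1234567890abcdefghij" https://api.github.com/user',
    "//npm.pkg.github.com/:_authToken=ghp_ABCDEFghijklmnop1234567890abcdefghij",
    "GITHUB_TOKEN=ghs_ABCDEFghijklmnop1234567890abcdefghij",
    "export FG=github_pat_11AABBCCD0EXAMPLEXAMPL_" + "a" * 59,
    "echo ghp_tooshort  # not a token: body shorter than 30 chars, left alone",
])

if __name__ == "__main__":
    print(redact_github_tokens(SAMPLE_LOG))
    for kind, fp in find_github_tokens(SAMPLE_LOG):
        print(f"found {kind} (fingerprint {fp})")
```

The fingerprint is a design choice, not something the page prescribes: a plain placeholder is safest for a log that leaves your control, while the fingerprinted form is useful in the internal incident channel because the same classic PAT appearing in both the clone URL and `.npmrc` shows up with one identifier that can be tied to the token actually revoked.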
GitHub's Built-in Protection
GitHub's secret scanning checks public repositories for its own token formats and automatically revokes any it finds, and push protection can block a commit containing one before it lands. That protection stops at GitHub's boundary: it does not cover private Slack channels, email threads, internal wikis, CI logs stored elsewhere, or other non-GitHub platforms where tokens get shared, and a token that was already used by an attacker before revocation has still done its damage. Treat any token that has appeared in plaintext as compromised and rotate it, even if GitHub reports it revoked.
Use Case
A CI/CD engineer is debugging a failing GitHub Actions workflow and needs to share the build log with the platform team. The log accidentally contains the workflow's GITHUB_TOKEN, a ghs_-prefixed installation token used for package publishing; Actions masks that value in its own log view, but the masking is lost once the text is copied out of the runner or the token is printed in a transformed form. The Secret Redactor catches the prefixed token and replaces it before the log is posted to the team's shared channel.