Detection: GPG Key Created

Overview

Detect when a new GPG key is created in a GitHub account. GPG keys are typically used for commit signing, but attackers may add their own keys to impersonate trusted developers, bypass integrity checks, or evade detection through seemingly valid signed commits. Monitoring these events helps ensure the integrity of code contributions and detect potential account compromise.

References:

Generating a new GPG key

Usage

Run the detection in your terminal:

powerpipe detection run github_security_log_detections.detection.gpg_key_created

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run github_security_log_detections.detection.gpg_key_created --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
action as operation,
concat('https://github.com/', user) as resource,
actor,
tp_source_ip as source_ip,
tp_id as source_id,
*
exclude (actor, timestamp)

from
  github_security_log
where
  action = 'gpg_key.create'
order by
  tp_timestamp desc;

Detection: GPG Key Created

Overview

Usage

SQL

Tags