Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/tailpipe-mod-github-security-log-detections
Overview
3Dashboards
14Benchmarks
20Queries
1Variables
GitHub

Detection: Personal Access Token Granted

Overview

Detect when a GitHub fine-grained personal access token (PAT) was granted access to resources. Personal access tokens grant access to repositories, actions, or APIs, and unauthorized token creation can lead to credential leaks or compromised accounts. Monitoring these events helps ensure secure access management and compliance with security policies.

References:

Usage

Run the detection in your terminal:

powerpipe detection run github_security_log_detections.detection.personal_access_token_granted

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run github_security_log_detections.detection.personal_access_token_granted --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
action as operation,
user_programmatic_access_name as resource,
actor,
tp_source_ip as source_ip,
tp_id as source_id,
*
exclude (actor, timestamp)


from
  github_security_log
where
  action in ('personal_access_token.access_granted')
order by
  tp_timestamp desc;

Tags

category = Detections
folder = Personal Access Token
mitre_attack_ids = TA0003:T1098.001
plugin = github
service = GitHub/PersonalAccessToken