Critical: Exposed Secrets

GitHub Personal Access Token Leaked in Code

What Is This Vulnerability?

A GitHub personal access token (PAT) has been hardcoded into source files, CI configuration, or scripts. A PAT authenticates as its owner with whatever scopes or permissions it was granted, so anyone who can read the file, or the git history that contains it, can use it to read private repositories, push malicious code, or delete resources the owner controls.

Why It Happens

Developers embed tokens directly into automation scripts, CI pipelines, or API client code for convenience. Tokens are sometimes pasted into code during debugging and left behind. Tokens passed inline to GitHub CLI or curl commands also get copied out of shell history into scripts that are later committed.

Example Code

Vulnerable: github-client.ts
import { Octokit } from "@octokit/rest";

// Hardcoded token: anyone who can read this file, or the commit that added it,
// can act as the token's owner until the token is revoked.
const octokit = new Octokit({
  auth: "ghp_ABCDeFgHiJkLmNoPqRsTuVwXyZ0123456789",
});

async function getRepos() {
  return octokit.repos.listForAuthenticatedUser();
}
Fixed: github-client.ts
import { Octokit } from "@octokit/rest";

// Read the token from the environment and fail fast if it is missing, before
// the client is constructed, so a misconfigured deployment stops at startup
// instead of failing on the first API call.
const token = process.env.GITHUB_TOKEN;
if (!token) {
  throw new Error("GITHUB_TOKEN environment variable is required");
}

const octokit = new Octokit({
  auth: token,
});

async function getRepos() {
  return octokit.repos.listForAuthenticatedUser();
}

How Hackers Exploit It

Automated scanners watch the public GitHub event stream and search code, commit history, gists, and forks for token patterns: ghp_ (classic PAT), gho_ (OAuth), ghu_ and ghs_ (GitHub App user and installation tokens), ghr_ (refresh), and github_pat_ (fine-grained). A token that is committed and then removed is still captured, because the scanners see the commit itself, often within minutes. Once a valid token is found, attackers can clone private repositories, inject backdoors into codebases, create releases carrying malware, reach whatever organization resources and secrets the token's scopes permit, and pivot to other systems using credentials and infrastructure details found in private repos.

How to Fix It

Never hardcode GitHub tokens. Read them from environment variables at runtime; in GitHub Actions, prefer the workflow's built-in GITHUB_TOKEN with an explicit permissions block and keep anything else in Actions secrets. Treat any committed token as compromised: revoke it immediately under GitHub Settings, then Developer settings, then Personal access tokens, and review the token owner's security log and the organization's audit log for activity you did not expect. Removing the line from the code is not a fix, because the token remains in git history and in every fork and clone. Enable secret scanning and push protection on your repositories where your plan provides them. Issue fine-grained tokens scoped to the specific repositories and permissions a job needs, and set an expiration date so a forgotten token stops working on its own.
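As an added example (not code from the original page), the following TypeScript covers both halves of the problem described above: a scanner for the same token patterns that attackers' crawlers search for, which can run over a diff or a file in a pre-commit hook, and a fail-fast loader that the fixed client should use instead of reading process.env.GITHUB_TOKEN unchecked. The token formats (a gh-prefix plus 36 alphanumerics for classic-style tokens, github_pat_ plus 82 characters for fine-grained tokens), the helper names, and the sample source lines are assumptions made here; the classic token in the sample is the page's own placeholder.

```typescript
// Added example, not the page's original code. Assumed token formats,
// based on GitHub's published prefixes:
//   gh[pousr]_ + 36 [A-Za-z0-9]      classic PAT, OAuth and GitHub App tokens
//   github_pat_ + 82 [A-Za-z0-9_]    fine-grained PAT

interface TokenFinding {
  line: number;     // 1-based line number in the scanned text
  kind: string;     // token family the prefix belongs to
  redacted: string; // prefix + 4 chars + "..." so a report never carries the secret
}

// Token family by prefix (ghp_ and github_pat_ are the "classic" and
// "fine-grained" tokens the page discusses).
const TOKEN_KINDS: Record<string, string> = {
  ghp_: "classic-pat",
  github_pat_: "fine-grained-pat",
  gho_: "oauth-access",
  ghu_: "app-user-to-server",
  ghs_: "app-server-to-server",
  ghr_: "app-refresh",
};

const TOKEN_PATTERN = /\b(?:gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{82})\b/g;
const EXACT_TOKEN = /^(?:gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{82})$/;

function tokenPrefix(token: string): string {
  return token.slice(0, 11) === "github_pat_" ? "github_pat_" : token.slice(0, 4);
}

// Keep only the prefix and the next four characters: enough to recognise
// which token was found, not enough to use it.
function redactToken(token: string): string {
  const prefix = tokenPrefix(token);
  return prefix + token.slice(prefix.length, prefix.length + 4) + "...";
}

// Scan text (a file, a diff, a log) and report every GitHub token it contains.
function findGitHubTokens(text: string): TokenFinding[] {
  const findings: TokenFinding[] = [];
  text.split("\n").forEach((line, idx) => {
    // String.match with a /g regex returns every full match, or null.
    for (const token of line.match(TOKEN_PATTERN) ?? []) {
      findings.push({
        line: idx + 1,
        kind: TOKEN_KINDS[tokenPrefix(token)],
        redacted: redactToken(token),
      });
    }
  });
  return findings;
}

// Startup check for the fixed client: refuse to run without a token, and
// refuse a value that cannot be a GitHub token (a placeholder, a pasted
// fragment, another provider's secret) instead of failing on the first API call.
// Pass process.env in real code; the test passes a constructed object.
function loadGitHubToken(env: Record<string, string | undefined>): string {
  const token = env.GITHUB_TOKEN;
  if (!token) {
    throw new Error("GITHUB_TOKEN environment variable is required");
  }
  if (!EXACT_TOKEN.test(token)) {
    throw new Error("GITHUB_TOKEN is set but does not look like a GitHub token");
  }
  return token;
}

// ES5-safe string repeat, used only to build the constructed sample below.
function repeatChar(ch: string, n: number): string {
  return new Array(n + 1).join(ch);
}

// Constructed sample input: four source lines as they might appear in a repo.
// The fine-grained token is made up of A's and B's in the assumed format.
const SAMPLE_SOURCE = [
  'const octokit = new Octokit({ auth: "ghp_ABCDeFgHiJkLmNoPqRsTuVwXyZ0123456789" });',
  "const token = process.env.GITHUB_TOKEN; // fine: read at runtime",
  "GH_TOKEN=github_pat_" + repeatChar("A", 22) + "_" + repeatChar("B", 59),
  'const notAToken = "ghp_tooshort"; // wrong length, not reported',
].join("\n");

for (const f of findGitHubTokens(SAMPLE_SOURCE)) {
  console.log("line " + f.line + ": " + f.kind + " " + f.redacted);
}
```

The scanner reports only a redacted form of each match, so its output can go into CI logs without leaking the token a second time. The loader's format check is deliberately strict: a value that is set but malformed is usually a copy-paste error or a placeholder, and surfacing it at startup is cheaper than a confusing 401 later.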

Frequently Asked Questions

How does GitHub detect leaked tokens?
GitHub's secret scanning detects tokens committed to public repositories and notifies the token owner, and GitHub revokes its own tokens automatically when they are found in public repositories. For private repositories, secret scanning requires GitHub Advanced Security (or its Secret Protection add-on). Through the secret scanning partner program, GitHub also forwards matches for other providers' credentials to the issuing provider, which can revoke them.
What is the difference between classic and fine-grained tokens?
Classic tokens (ghp_ prefix) are granted scopes such as repo or workflow that apply to every repository the owner can access, so one leaked token exposes everything the owner can reach. Fine-grained tokens (github_pat_ prefix) are bound to a single resource owner, limited to chosen repositories, granted individual read or write permissions per API area, and support an expiration date, all of which reduce the blast radius if the token leaks. Organizations can additionally require approval before a fine-grained token may access their resources.
Can a leaked token be used after I delete the repository?
Yes. Deleting a repository does not revoke the token, and neither does deleting the commit or rewriting history: the token remains valid until you explicitly revoke it in your GitHub settings, and copies of the exposing commit may already exist in forks, clones, and scanner databases. Always revoke compromised tokens directly rather than relying on removing the code that exposed them.
