GitHub public roadmap
Creative Commons Attribution 4.0 International
Secret scanning: 1-click revocation for GitHub tokens #547

Closed github-product-roadmap closed 2 years ago

github-product-roadmap commented 2 years ago

Summary

Users will have the option to revoke GitHub tokens found by secret scanning with 1 click through the secret's UI alert view.

Intended Outcome

We want to enable GHAS customers to efficiently remediate detections of leaked GitHub tokens surfaced by secret scanning.

How will it work?

After taking any initial remediation steps on a detected GitHub token, users can click a Revoke secret button that will authorize GitHub to revoke the detected secret.

(Screenshot attached to the original issue, dated 2022-06-15.)

ankneis commented 2 years ago

After reevaluation, we decided that we can best support our customers and their security teams by re-scoping the initial version of this feature as validity checks for GitHub tokens. This way, we hope that we provide our customers with a better understanding of the state of their alerts before they make the choice to revoke the secret or not.

You can follow our work on validity checks for GitHub tokens here: https://github.com/github/roadmap/issues/531