If you're on an application security team, you might use secret scanning to reduce the risk of leaked credentials, like passwords and API keys. When an exposed credential is found, your first step is probably to check whether the token is still active, and what access it has. Now, with validity checks for GitHub tokens, we can help you do just that.
Validity checks determine whether a token is still active and, when possible, whether it was _ever_ active. This is useful when you're deciding how to remediate an exposure. For example, you might prioritize remediating active secrets before checking your security logs for unauthorized access via API keys that have already been revoked.
To check a GitHub token's validity, open a secret scanning alert for the leaked GitHub token and the alert will tell you whether the secret is still active. If we can't accurately detect the validity (this can happen when a token found on GitHub.com belongs to a GitHub Enterprise Server instance), we'll provide insight on where to look for remediation.
![Screenshot of the alert that tells whether a secret is still active.](https://github.blog/wp-content/uploads/2023/01/pat1.png?w=1024&resize=1024%2C826)
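The prioritization described above can be scripted over exported alerts. This is an added example, not GitHub's code: it assumes alerts exported as JSON with `number`, `state`, `validity` and `created_at` fields modelled on secret scanning alert objects, and the sample data and queue names are constructed for illustration.

```python
import json
from datetime import datetime

# Constructed sample export; not real alert data.
SAMPLE_ALERTS = json.loads("""[
  {"number": 11, "state": "open",     "validity": "active",   "created_at": "2023-01-20T10:00:00Z"},
  {"number": 12, "state": "open",     "validity": "inactive", "created_at": "2023-01-05T08:30:00Z"},
  {"number": 13, "state": "open",     "validity": "unknown",  "created_at": "2023-01-12T14:00:00Z"},
  {"number": 14, "state": "open",     "validity": "active",   "created_at": "2023-01-03T09:15:00Z"},
  {"number": 15, "state": "open",     "validity": null,       "created_at": "2023-01-02T16:45:00Z"},
  {"number": 16, "state": "resolved", "validity": "active",   "created_at": "2023-01-01T12:00:00Z"}
]""")

# Hypothetical queue names, in the order a responder would work them:
# active tokens first, undetermined ones next, revoked ones last (log review).
QUEUE_FOR_VALIDITY = {
    "active": "revoke-now",
    "unknown": "verify-manually",
    "inactive": "review-logs",
}
QUEUE_ORDER = ["revoke-now", "verify-manually", "review-logs"]


def _created(alert):
    # fromisoformat() rejects a trailing "Z" before Python 3.11.
    return datetime.fromisoformat(alert["created_at"].replace("Z", "+00:00"))


def triage(alerts):
    """Group open alerts into remediation queues, oldest exposure first."""
    queues = {name: [] for name in QUEUE_ORDER}
    for alert in alerts:
        if alert.get("state") != "open":
            continue  # already resolved or dismissed
        # A missing or unrecognised validity is treated as undetermined,
        # never as safe, so the alert still gets a manual check.
        validity = alert.get("validity") or "unknown"
        queue = QUEUE_FOR_VALIDITY.get(validity, "verify-manually")
        queues[queue].append(alert)
    return {name: [a["number"] for a in sorted(items, key=_created)]
            for name, items in queues.items()}


if __name__ == "__main__":
    for name, numbers in triage(SAMPLE_ALERTS).items():
        print(f"{name}: {numbers}")
```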
Coming soon: We'll validate secrets that belong to our 100+ secret scanning partners too. Learn more about how you can secure your repositories with secret scanning.