Skip to content

v0.2.1

Choose a tag to compare

@github-actions github-actions released this 27 Jun 13:16
c5b8f94

Fixed

  • Secret scanner — GitHub App / Actions tokens. scanSecrets recognized
    ghp_ / gho_ / github_pat_ but missed the GitHub App token family:
    ghs_ (server-to-server — the GITHUB_TOKEN minted into every GitHub
    Actions run and the output of actions/create-github-app-token), ghu_
    (user-to-server), and ghr_ (refresh). An agent exfiltrating a ghs_ token
    to an external host therefore slipped the secret-exfil gate. This is the
    credential class stolen in the tj-actions/changed-files supply-chain attack
    (CVE-2025-30066). Now matched (gh[sur]_[A-Za-z0-9]{30,}) and blocked on
    egress; pinned by a regression test.