Feature Request: Add support for GitHub Canarytokens

[bored-engineer]

I took at stab at implementing GitHub Canarytokens from scratch, I would love to figure out a way to integrate with canarytokens.org based on my learnings, adding support for GitHub PATs and/or Deploy Keys: blog.bored.engineer/github-canarytokens-5c9e36ad7ecf

[ranok]

Thanks for the great write up! We've explored this path before and gotten stuck on the enterprise subscription requirement. It's quite expensive per year and users are limited in the number of PATs they can generate.

The safety net idea is great as well, we've never thought about that method before.

[bored-engineer]

@ranok SSH Deploy Keys might be something that could be supported without requiring a large number of users (really only 1 admin) since they are tied to a repository not a user and can be created programmatically. Though if I'm being honest I think the utility of them is a bit limited compared to PATs. It would also be easier to profile them since you could collect the names of the canarytokens.org organizations/repositories by doing ssh git@github.com without triggering an audit log event and record the org/repo...

[bored-engineer]

GitHub OAuth tokens (gho_) are slightly interesting too, you can opt-out of token expiration and then it behaves mostly like a classic PAT. An Enterprise can have many organizations, and then each organization can own many GitHub apps, each of which can be consented to by the same user to generate different gho_ tokens. With a pool of users and organizations it might be possible, though it probably doesn't scale well either...

[bored-engineer]

The API insights endpoints are also interesting from a safety-net standpoint (pointed out by @AdnaneKhan), though they seem to have similar visibility gaps from audit logs with non-org endpoints like /search/* and similar.