Merged
64 changes: 33 additions & 31 deletions docs/tables/github_security_log/queries.md
Expand Up @@ -66,7 +66,7 @@ order by
folder: Authentication
```

## Access Token Examples
## Personal Access Token Examples

### Personal Access Token Creation

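Review bot: The renamed heading `## Personal Access Token Examples` now sits next to a new `## Access Token Examples` heading added further down in this patch, and the two names differ by one word even though the second section holds the OAuth authorization and token regeneration queries. Consider a more descriptive name for that second section (and for its `folder: Access Token` value) so readers and the folder grouping can tell the two apart at a glance.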
Expand All @@ -88,7 +88,7 @@ order by
```

```yaml
folder: Access Token
folder: Personal Access Token
```

### Personal Access Token Usage
Expand All @@ -111,72 +111,78 @@ order by
```

```yaml
folder: Access Token
folder: Personal Access Token
```

### OAuth Application Authorizations
### Repository-Specific Token Access

Monitor OAuth application authorization events.
Monitor personal access tokens granted access to specific repositories.

```sql
select
timestamp,
action,
actor,
oauth_application_name,
oauth_application_id
repositories,
permissions,
repository_selection
from
github_security_log
where
action like 'oauth_authorization.%'
repositories is not null
and action in ('personal_access_token.access_granted', 'personal_access_token.request_created')
order by
timestamp desc;
```

```yaml
folder: Access Token
folder: Personal Access Token
```

### Token Regeneration Events
### Token Permission Changes

Track when authentication tokens were regenerated.
Track changes in token permissions using the old_value field.

```sql
select
timestamp,
action,
actor,
token_id,
tp_source_ip
permissions_added,
permissions_unchanged,
permissions_upgraded,
old_value,
new_value
from
github_security_log
where
action like '%regenerate%'
action = 'personal_access_token.request_created'
and (permissions_added is not null or permissions_upgraded is not null)
order by
timestamp desc;
```

```yaml
folder: Access Token
folder: Personal Access Token
```

### Repository-Specific Token Access
## Access Token Examples

Monitor personal access tokens granted access to specific repositories.
### OAuth Application Authorizations

Monitor OAuth application authorization events.

```sql
select
timestamp,
action,
actor,
repositories,
permissions,
repository_selection
oauth_application_name,
oauth_application_id
from
github_security_log
where
repositories is not null
and action in ('personal_access_token.access_granted', 'personal_access_token.request_created')
action like 'oauth_authorization.%'
order by
timestamp desc;
```
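Review bot: In the Token Permission Changes query moved into the Personal Access Token section, the description says changes are tracked "using the old_value field", but the where clause keys on `permissions_added` / `permissions_upgraded` and matches only `action = 'personal_access_token.request_created'`. As written it surfaces requested permission increases, while the Repository-Specific Token Access query just above it also covers `personal_access_token.access_granted`. Either include `personal_access_token.access_granted` here as well, or reword the description to say it lists permission increase requests and name the columns the filter actually uses.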
Expand All @@ -185,25 +191,21 @@ order by
folder: Access Token
```

### Token Permission Changes
### Token Regeneration Events

Track changes in token permissions using the old_value field.
Track when authentication tokens were regenerated.

```sql
select
timestamp,
action,
actor,
permissions_added,
permissions_unchanged,
permissions_upgraded,
old_value,
new_value
token_id,
tp_source_ip
from
github_security_log
where
action = 'personal_access_token.request_created'
and (permissions_added is not null or permissions_upgraded is not null)
action like '%regenerate%'
order by
timestamp desc;
```
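Review bot: The Token Regeneration Events filter `action like '%regenerate%'` has a leading wildcard and no action prefix, so it matches any action whose name contains "regenerate", which is broader than the "authentication tokens" the description promises and inconsistent with the prefix-anchored `oauth_authorization.%` pattern in the query above. Suggest an explicit `action in (...)` list of the regeneration actions this section is meant to cover, or a prefix-anchored pattern, so the query's scope matches its description.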