GitHub repository deploy key modified or created
Description
AlphaSOC detected the creation or modification of a GitHub repository deploy key. Deploy keys provide SSH-based access to individual repositories and can perform repository-level operations with elevated privileges.
Impact
Creation or modification of deploy keys can allow threat actors to maintain persistent access to a repository, push malicious code, and exfiltrate sensitive data. Because deploy keys have no expiration date and are not necessarily protected by a passphrase, a compromised server that holds one exposes the repository to unauthorized access.
Severity
| Severity | Condition |
|---|---|
| Low | GitHub repository deploy key modified or created |
Investigation and Remediation
Review GitHub audit logs to identify deploy key changes and verify the legitimacy of key creation or modification events. Determine the associated repository and server involved in the detected activity. Remove any unauthorized deploy keys and rotate those that show signs of compromise. Conduct an audit of repository access and recent changes to identify potential unauthorized modifications. Enable passphrase protection for deploy keys and implement regular key rotation policies to prevent unauthorized access.
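The triage steps above (find the deploy key events in the audit log, identify the repository and actor, and compare the repository's current deploy keys against an approved inventory) as an added example; this is not AlphaSOC code. It assumes the `public_key.create` / `public_key.update` action names and the `@timestamp`, `actor` and `repo` fields of the GitHub organization audit-log API, and the `id`, `title` and `read_only` fields of `GET /repos/{owner}/{repo}/keys`; all sample data is constructed.

```python
import json
from datetime import datetime, timezone

# Audit-log actions GitHub records for deploy keys (category "public_key").
# Action names and field layout are an assumption based on the org audit-log API.
DEPLOY_KEY_ACTIONS = {"public_key.create", "public_key.update"}

# Constructed sample audit-log export (not real data); @timestamp is epoch milliseconds.
AUDIT_LOG = json.loads("""[
 {"@timestamp": 1700000000000, "action": "repo.create",       "actor": "alice",   "repo": "acme/api"},
 {"@timestamp": 1700003600000, "action": "public_key.create", "actor": "ci-bot",  "repo": "acme/api"},
 {"@timestamp": 1700007200000, "action": "public_key.create", "actor": "mallory", "repo": "acme/api"}
]""")

# Constructed sample of GET /repos/acme/api/keys (the repository's deploy keys).
REPO_KEYS = [
    {"id": 101, "title": "build-server-01", "read_only": True,  "created_at": "2023-11-14T23:00:00Z"},
    {"id": 102, "title": "tmp-key",         "read_only": False, "created_at": "2023-11-15T00:00:00Z"},
]

# Titles of deploy keys the team has approved (assumed inventory kept by the defender).
APPROVED_TITLES = {"build-server-01"}

def deploy_key_events(entries, since):
    """Audit-log entries that created or modified a deploy key at or after `since`."""
    out = []
    for e in entries:
        if e.get("action") in DEPLOY_KEY_ACTIONS:
            at = datetime.fromtimestamp(e["@timestamp"] / 1000, tz=timezone.utc)
            if at >= since:
                out.append({"repo": e["repo"], "actor": e["actor"], "action": e["action"], "at": at})
    return out

def keys_to_review(repo_keys, approved_titles):
    """Deploy keys absent from the approved inventory; write-capable keys are marked."""
    return [
        {"id": k["id"], "title": k["title"], "write_access": not k["read_only"]}
        for k in repo_keys if k["title"] not in approved_titles
    ]

def triage(since=datetime(2023, 11, 14, 22, 0, tzinfo=timezone.utc)):
    """Summarise who touched deploy keys in the window and which keys need removal or rotation."""
    events = deploy_key_events(AUDIT_LOG, since)
    actors = sorted({e["actor"] for e in events})
    return {"events": len(events), "actors": actors, "review": keys_to_review(REPO_KEYS, APPROVED_TITLES)}

if __name__ == "__main__":
    print(json.dumps(triage(), indent=2, default=str))
```

Keys reported under `review` with `write_access` true are the ones to remove first, since they can push to the repository.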