GitHub Personal Access Token approval policy modified

ID: github_token_auto_approve_policy_modified
Data type: GitHub
Severity: Low
MITRE ATT&CK: TA0005:T1562.001

Description

AlphaSOC detected changes to GitHub Personal Access Token (PAT) approval policies. PATs are used for API and command-line authentication to GitHub repositories and resources. Modifying these policies could alter authentication controls and security mechanisms within your GitHub environment.

Impact

Changes to PAT approval policies may allow tokens to be created without proper oversight, potentially bypassing established security controls. If exploited, modified PAT policies could enable unauthorized access to repositories and resources. Attackers who gain control of PAT policies could use them to maintain access, access sensitive code, or execute unauthorized workflows.

Severity

Severity: Low
Condition: GitHub Personal Access Token approval policy modified

Investigation and Remediation

Review GitHub audit logs to identify the user who modified the PAT policies, then examine the specific changes made. Verify that the modifications align with your organization's change management processes. If unauthorized changes are found, restore secure PAT policies, revoke any potentially compromised tokens, and implement appropriate approval workflows. Consider limiting PAT creation permissions to necessary reviewers and implementing shorter token expiration periods for enhanced security.
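
The audit-log review described above can be scripted over an exported log. This is an added example, not AlphaSOC's or GitHub's code: it lists who changed the approval policy and which token grants happened while approval was switched off. The action names and the `@timestamp`, `action` and `actor` fields are assumptions about the export format, and the sample events are constructed.

```python
import json
from datetime import datetime, timezone

# Assumed audit-log action names; confirm them against your own export.
POLICY_ACTIONS = {
    "personal_access_token.auto_approve_grant_requests_enabled": "approval no longer required",
    "personal_access_token.auto_approve_grant_requests_disabled": "approval required",
}
GRANT_ACTION = "personal_access_token.access_granted"

# Constructed sample export (one JSON event per line), not real audit data.
SAMPLE = """\
{"@timestamp": 1717400000000, "action": "personal_access_token.access_granted", "actor": "alice", "org": "example-org"}
{"@timestamp": 1717405000000, "action": "personal_access_token.auto_approve_grant_requests_enabled", "actor": "mallory", "org": "example-org"}
{"@timestamp": 1717405600000, "action": "personal_access_token.access_granted", "actor": "mallory", "org": "example-org"}
{"@timestamp": 1717409000000, "action": "repo.create", "actor": "bob", "org": "example-org"}
{"@timestamp": 1717412000000, "action": "personal_access_token.auto_approve_grant_requests_disabled", "actor": "carol", "org": "example-org"}
{"@timestamp": 1717413000000, "action": "personal_access_token.access_granted", "actor": "dave", "org": "example-org"}
"""

def iso(ms):
    """Convert the export's epoch-millisecond timestamp to ISO 8601 UTC."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()

def triage(jsonl):
    """Return one finding per policy change, with the grants made while approval was off."""
    events = sorted((json.loads(line) for line in jsonl.splitlines() if line.strip()),
                    key=lambda e: e["@timestamp"])
    findings, window = [], None  # window: finding whose change switched approval off
    for e in events:
        action = e.get("action", "")
        if action in POLICY_ACTIONS:
            finding = {"when": iso(e["@timestamp"]), "actor": e.get("actor"),
                       "change": POLICY_ACTIONS[action], "grants_without_review": []}
            findings.append(finding)
            window = finding if action.endswith("_enabled") else None
        elif action == GRANT_ACTION and window is not None:
            window["grants_without_review"].append(
                {"when": iso(e["@timestamp"]), "actor": e.get("actor")})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["when"], f["actor"], f["change"], f["grants_without_review"])
```

Start the export before the earliest policy change you care about; grants made under a window that opened before the export begins are not attributed to any finding.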