Secret scanning: on-demand revocation for GitHub personal access tokens - feedback

[erinhav]

What do you think about secret scanning's new one-click reporting feature?

On-demand revocation for GitHub personal access tokens

You can now report compromised GitHub personal access tokens to GitHub, directly from a secret scanning alert! When you let GitHub know that the secret has been compromised, GitHub will treat the token like a publicly leaked token and revoke it. This change simplifies remediation and makes it more easily actionable.

Soon, we’d love to extend this functionality to additional token issuers – so you disclose compromised credentials and initiate these remediation flows with the issuer, without having to leak the token publicly.

If you’ve had a chance to try out the beta feature, we'd love to hear your feedback on: 1) how we can make the feature more useful for you (e.g. organization-level policies for auto-reporting certain types of secrets in private repositories), 2) what token issuers are top of mind for you, 3) what you’d like us to tackle next!

📖 Helpful information and some friendly reminders:

• Learn more about the feature via product documentation
• Always consider rotating the secret first to prevent breaking workflows.
• The token owner of the GitHub personal access token will receive an email notification when their token is revoked.
• As a best practice, you should review any associated token metadata and reach out to the token owner, if possible, before reporting the token.
• Let us know what you think by signing up for a 60 minute feedback session or commenting below -- we're listening!