Secret scanning: on-demand revocation for GitHub personal access tokens - feedback

[erinhav]

What do you think about secret scanning's new one-click reporting feature?

On-demand revocation for GitHub personal access tokens

You can now report compromised GitHub personal access tokens to GitHub, directly from a secret scanning alert! When you let GitHub know that the secret has been compromised, GitHub will treat the token like a publicly leaked token and revoke it. This change simplifies remediation and makes it more easily actionable.

Soon, we’d love to extend this functionality to additional token issuers – so you disclose compromised credentials and initiate these remediation flows with the issuer, without having to leak the token publicly.

If you’ve had a chance to try out the beta feature, we'd love to hear your feedback on: 1) how we can make the feature more useful for you (e.g. organization-level policies for auto-reporting certain types of secrets in private repositories), 2) what token issuers are top of mind for you, 3) what you’d like us to tackle next!

📖 Helpful information and some friendly reminders:

• Learn more about the feature via product documentation
• Always consider rotating the secret first to prevent breaking workflows.
• The token owner of the GitHub personal access token will receive an email notification when their token is revoked.
• As a best practice, you should review any associated token metadata and reach out to the token owner, if possible, before reporting the token.
• Let us know what you think by signing up for a 60 minute feedback session or commenting below -- we're listening!

[apocalypse9949]

hello!

Token Metadata Insights: Providing additional metadata about the token, such as usage patterns or last-used timestamps, could help users assess the impact of revocation more effectively before taking action.
This feature enhances security by automating a critical step in secret management.
it has the potential to set a new standard for secret remediation. Feedback from the beta will likely play a crucial role in its evolution.

[Aushraful]

The one-click reporting feature for GitHub personal access tokens (PATs) is a great step forward, simplifying remediation and enhancing security. Here's concise feedback:

Strengths:

• Ease of Use: Streamlined token revocation directly from alerts saves time and reduces risk.
• Clear Communication: Email notifications ensure token owners are promptly informed.
• Vision for Expansion: Support for multiple token issuers will centralize remediation workflows.

Suggestions:

• Organization-Level Policies: Allow admins to auto-report certain secrets in private repos to enforce security consistently.
• Improved Admin Tools: Provide dashboards to track reported secrets, revoked tokens, and remediation impact.

This feature is impactful but can become indispensable with automation and better admin controls.