Enterprise owners can now use new credential management actions to respond decisively to high-impact security incidents in their GitHub Enterprise Cloud enterprise accounts. These new capabilities are available for enterprise managed users (EMU) and enterprises with personal accounts that have enabled single sign-on (SSO) for the enterprise or its organizations.

If your enterprise is affected by compromised keys and tokens, enterprise owners can now take the following actions to investigate and mitigate the incident:

  • Review counts of credentials that are authorized via SSO for one or more organizations in your enterprise
  • Temporarily block SSO for all users except enterprise owners to reduce the blast radius while you investigate
  • Revoke SSO authorizations for user credentials (personal access tokens, SSH keys, and OAuth tokens) across your enterprise
  • Delete user tokens and SSH keys across your enterprise, even if they don’t have an SSO authorization. This action is available only for EMU accounts.

Figure: Enterprise credential management page in an EMU enterprise, showing credential counts and incident response actions.

Use these actions only during major security incidents because they can break automations and disrupt developer workflows. Enterprise owners can get more context about the revoked and deleted credentials from the audit logs emitted by each of the new actions above. For regular token rotation at scale, we recommend setting maximum token lifetimes that best fit your security practices.

We’re also introducing a new fine-grained permission, Manage enterprise credentials, so enterprise owners can delegate credential management to trusted administrators, who can then use the above actions when needed.

To learn more, see our documentation about how to respond to security incidents in your enterprise.
