Remediation made simple: Introducing new validity checks for GitHub tokens
GitHub now tells you whether GitHub tokens found by secret scanning are active so you can prioritize and escalate remediation efforts.

If you’re on an application security team, you might use secret scanning to reduce the risk of leaked credentials, like passwords and API keys. When an exposed credential is found, your first step is probably to check whether the token is still active, and what access it has. Now, with validity checks for GitHub tokens, we can help you do just that.
Validity checks determine whether a token is still active and, when possible, whether it was ever active. This is useful when you’re deciding how to remediate an exposure. For example, you might prioritize remediating active secrets before checking your security logs for unauthorized access via API keys that have already been revoked.
To check a GitHub token’s validity, open a secret scanning alert for the leaked GitHub token and the alert will tell you whether the secret is still active. If we can’t accurately detect the validity—this can happen when a token found on GitHub.com belongs to a GitHub Enterprise Server instance—we’ll provide insight on where to look for remediation.

Coming soon: We’ll validate secrets that belong to our 100+ secret scanning partners too. Learn more about how you can secure your repositories with secret scanning.
Tags:
Written by
Related posts

Sign in as anyone: Bypassing SAML SSO authentication with parser differentials
Critical authentication bypass vulnerabilities (CVE-2025-25291 + CVE-2025-25292) were discovered in ruby-saml up to version 1.17.0. In this blog post, we’ll shed light on how these vulnerabilities that rely on a parser differential were uncovered.

Full exposure: A practical approach to handling sensitive data leaks
Treating exposures as full and complete can help you respond more effectively to focus on what truly matters: securing systems, protecting sensitive data, and maintaining the trust of stakeholders.

How GitHub uses CodeQL to secure GitHub
How GitHub’s Product Security Engineering team manages our CodeQL implementation at scale and how you can, too.