Skip to content

Commit 024719b

Browse files
corycalahanstacycarterCopilotam-stead
authored
Adding additional investigation suggestions for security incidents (#61499)
Co-authored-by: Stacy Carter <stacycarter@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com>
1 parent 861a53e commit 024719b

2 files changed

Lines changed: 21 additions & 2 deletions

File tree

content/code-security/reference/security-incident-response/investigation-areas.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -109,6 +109,8 @@ You found suspicious code in your repository, a security researcher reported an
109109

110110
* Review the **Actions** tab for unexpected workflow runs, especially those triggered by unfamiliar users or at unusual times.
111111
* Inspect workflow run logs for suspicious output.
112+
* Review the credentials accessible to suspicious workflow runs, including the default `GITHUB_TOKEN`, any {% data variables.product.pat_generic_plural %}, {% data variables.product.prodname_github_app %} tokens, or other credentials stored as secrets. The `GITHUB_TOKEN` is scoped to the job and expires when the job completes, but other credentials have their own lifecycle and do not expire with the job. Any credential that may have been exposed should be treated as compromised and rotated or replaced immediately.
113+
* Be aware that workflow run logs only capture standard output from workflow steps. Activity that does not write to standard output (such as network calls, file system modifications, or background processes) will not appear in the logs. For a more comprehensive investigation, correlate with audit log events.
112114
* Use {% data variables.product.github %} code search to find suspicious files or code additions, particularly in workflow files (`.github/workflows/`), shell scripts, or configuration files.
113115
* Use the Activity view to check for pushes to unusual branch names, force pushes, pushes from unexpected actors.
114116
* Check the audit logs for changes to security settings or disablement actions (look for events like `repository_ruleset.destroy`, `repository_secret_scanning_push_protection.disable`, or other `.delete`, `.disable`, `.destroy` events).
@@ -127,6 +129,8 @@ You found suspicious code in your repository, a security researcher reported an
127129
### Key resources
128130

129131
* [Containment actions](/code-security/tutorials/secure-your-organization/responding-to-security-incidents#step-2-contain-the-threat)
132+
* [AUTOTITLE](/actions/concepts/security/github_token)
133+
* [AUTOTITLE](/actions/reference/security/secure-use)
130134

131135
{% ifversion fpt or ghec %}
132136

content/code-security/reference/security-incident-response/investigation-tools.md

Lines changed: 17 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -156,7 +156,8 @@ Read access to the repository.
156156

157157
* Confirm what executed in CI/CD at a given time (such as the commands executed, or the dependency installed).
158158
* Investigate suspicious workflow runs, such as those triggered by an unfamiliar user or at an unusual time, to see what actions were performed, which secrets were accessed, and what code was executed.
159-
* Determine whether a workflow had access to any secrets.
159+
* Review what credentials a workflow job had access to, including the default `GITHUB_TOKEN`, any {% data variables.product.pat_generic_plural %}, {% data variables.product.prodname_github_app %} tokens, other credentials stored as secrets, and access tokens obtained during the workflow run.
160+
* Retrieve logs programmatically via the REST API for archival, forensic, or automation purposes.
160161

161162
#### Permissions required
162163

@@ -166,8 +167,22 @@ Read access to the repository.
166167

167168
* [AUTOTITLE](/actions/how-tos/monitor-workflows/view-workflow-run-history)
168169
* [AUTOTITLE](/actions/how-tos/monitor-workflows/use-workflow-run-logs)
170+
* [AUTOTITLE](/actions/how-tos/manage-workflow-runs/download-workflow-artifacts)
171+
* [AUTOTITLE](/actions/concepts/security/github_token)
172+
* [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets)
173+
* [AUTOTITLE](/actions/reference/security/secure-use)
174+
* [AUTOTITLE](/rest/actions/workflow-runs)
175+
* [AUTOTITLE](/rest/actions/workflow-jobs)
176+
* [AUTOTITLE](/code-security/tutorials/implement-supply-chain-best-practices/securing-builds)
169177

170178
### Notes and limitations
171179

172180
* {% data variables.product.github %} automatically redacts secrets from workflow logs.
173-
* By default, workflow logs are retained by {% data variables.product.github %} for 90 days, but you can configure this retention period to be longer (up to 400 days for private repositories).
181+
* By default, workflow logs are retained by {% data variables.product.github %} for 90 days, but you can configure this retention period. {% ifversion fpt or ghec %}For public repositories, the maximum retention is 90 days. For private{% ifversion ghec %} and internal{% endif %} repositories, the maximum is 400 days.{% else %}The maximum retention is 400 days.{% endif %} Retention can be configured at the enterprise, organization, or repository level. If a workflow run occurred outside of your configured retention window, the logs may no longer be available. For more information, see [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository), [AUTOTITLE](/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization), or [AUTOTITLE](/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise).
182+
* Workflow runs (including their logs) can also be deleted via the REST API. To check whether a run was deleted, query for `workflows.delete_workflow_run` events in the audit log.
183+
* The default `GITHUB_TOKEN` issued to each job is scoped to that job and expires when the job finishes or after its effective maximum lifetime (up to 24 hours on self-hosted runners). Even if a step captured the token, it cannot be reused after the job finishes. For more information, see [AUTOTITLE](/actions/concepts/security/github_token).
184+
* Other credentials referenced in workflows, such as {% data variables.product.pat_generic_plural %}, {% data variables.product.prodname_github_app %} installation tokens, or third-party API keys stored as secrets, have their own lifecycle and do not expire when the job ends. If a workflow step exposed one of these credentials, the token remains valid until it is revoked or expires according to its own policy. Any credential that may have been exposed should be treated as compromised and rotated or replaced immediately. Review the workflow file and the repository, organization, and environment secrets to determine which credentials were accessible. For more information, see [AUTOTITLE](/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets).
185+
* You can download logs for an entire workflow run or for a specific job programmatically using the REST API. Both endpoints return a redirect URL that is valid for one minute. For more information, see [AUTOTITLE](/rest/actions/workflow-runs) and [AUTOTITLE](/rest/actions/workflow-jobs).
186+
* Workflow run logs only capture standard output from workflow steps. Activity that does not write to standard output, such as network calls, file system modifications, or background processes, does not appear in the logs.
187+
* For {% data variables.product.github %}-hosted runners, the runner environment is ephemeral and destroyed after the job completes. {% data variables.product.github %} does not retain any data beyond the workflow run logs for these runners. For self-hosted runners, additional host-level or network telemetry may be available from your own infrastructure.
188+
* For a more comprehensive investigation, correlate workflow run logs with audit log events. Events such as `git.clone`, `git.fetch`, `git.push`, `protected_branch.create`, and `protected_branch.policy_override` can provide additional context. Because Git events in {% data variables.product.github %}-hosted audit logs are currently retained for only 7 days for enterprises, setting up streamed enterprise audit logs ahead of time is important for this type of investigation. For more information, see [AUTOTITLE](/code-security/tutorials/secure-your-organization/preparing-for-security-incidents).

0 commit comments

Comments
 (0)