GitHub secret enumeration via API
Goal
Detects enumeration of GitHub Actions secrets across multiple scopes — repository, organization, environment, and Dependabot — from a single token, indicating reconnaissance activity consistent with Nord Stream or similar CI/CD secret harvesting tools.
Strategy
This rule monitors GitHub API GET requests to secret listing endpoints beyond the repository-level scope already covered by existing detections. Nord Stream enumerates all accessible secret scopes before attempting extraction. A single token querying secrets across organization, environment, and Dependabot scopes in a short window is highly anomalous for legitimate CI/CD usage and indicates systematic reconnaissance of available secrets.
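The detection logic described above, as an added illustration rather than the rule's own implementation: audit entries are assumed to carry `ts`, `hashed_token`, `method` and `path` fields, the 10-minute window and the threshold of two non-repository scopes are assumed values, and the scope classification relies on the GitHub REST paths that list Actions and Dependabot secrets.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# GitHub REST paths that list secrets, by scope; only scopes beyond repository level are counted.
SCOPE_PATTERNS = [
    ("organization", re.compile(r"^/orgs/[^/]+/actions/secrets/?$")),
    ("dependabot", re.compile(r"^/(orgs/[^/]+|repos/[^/]+/[^/]+)/dependabot/secrets/?$")),
    ("environment", re.compile(r"^/(repos/[^/]+/[^/]+|repositories/\d+)/environments/[^/]+/secrets/?$")),
    ("repository", re.compile(r"^/repos/[^/]+/[^/]+/actions/secrets/?$")),
]
NON_REPO_SCOPES = {"organization", "environment", "dependabot"}

def classify(method, path):
    """Scope enumerated by one request, or None if it is not a secret-listing GET."""
    if method != "GET":
        return None
    path = path.split("?", 1)[0]  # ignore query strings such as ?per_page=100
    return next((s for s, p in SCOPE_PATTERNS if p.match(path)), None)

def detect(events, window=timedelta(minutes=10), min_scopes=2):
    """Map hashed_token -> sorted non-repository scopes for tokens that list
    secrets in at least min_scopes such scopes within one sliding window."""
    per_token = defaultdict(list)
    for ev in events:
        scope = classify(ev["method"], ev["path"])
        if scope in NON_REPO_SCOPES:
            per_token[ev["hashed_token"]].append((datetime.fromisoformat(ev["ts"]), scope))
    alerts = {}
    for token, hits in per_token.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # window anchored at each hit in turn
            scopes = {s for t, s in hits[i:] if t - start <= window}
            if len(scopes) >= min_scopes:
                alerts[token] = sorted(scopes)
                break
    return alerts

# Constructed sample audit entries (not real data): tok_a sweeps every scope in seconds,
# tok_b stays at one non-repository scope, tok_c's two calls are hours apart.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T02:00:00", "hashed_token": "tok_a", "method": "GET", "path": "/repos/acme/api/actions/secrets"},
    {"ts": "2024-05-01T02:00:05", "hashed_token": "tok_a", "method": "GET", "path": "/orgs/acme/actions/secrets"},
    {"ts": "2024-05-01T02:00:09", "hashed_token": "tok_a", "method": "GET", "path": "/repos/acme/api/environments/prod/secrets"},
    {"ts": "2024-05-01T02:00:12", "hashed_token": "tok_a", "method": "GET", "path": "/repos/acme/api/dependabot/secrets"},
    {"ts": "2024-05-01T09:00:00", "hashed_token": "tok_b", "method": "GET", "path": "/orgs/acme/actions/secrets?per_page=100"},
    {"ts": "2024-05-01T09:00:01", "hashed_token": "tok_b", "method": "GET", "path": "/orgs/acme/actions/secrets/DEPLOY_KEY"},
    {"ts": "2024-05-01T10:00:00", "hashed_token": "tok_c", "method": "GET", "path": "/orgs/acme/dependabot/secrets"},
    {"ts": "2024-05-01T13:00:00", "hashed_token": "tok_c", "method": "GET", "path": "/orgs/acme/actions/secrets"},
]
```

Calling `detect(SAMPLE_EVENTS)` flags only `tok_a`; a single-secret read such as `/orgs/acme/actions/secrets/DEPLOY_KEY` is deliberately not treated as enumeration.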
Triage and response
- Identify the token or credential associated with {{@hashed_token}} and determine whether secret enumeration across multiple scopes is consistent with its intended use.
- Review which repositories and environments were queried and assess the sensitivity of secrets accessible to this token.
- Check for subsequent branch protection changes or workflow activity from the same identity following the enumeration.
- Determine whether any of the enumerated secret values should be considered compromised and require rotation.
- Examine whether the enumeration occurred outside of normal business hours or from an unusual IP address or user-agent.