GitHub secret enumeration via API

Goal

Detects enumeration of GitHub Actions secrets across multiple scopes — repository, organization, environment, and Dependabot — from a single token, indicating reconnaissance activity consistent with Nord Stream or similar CI/CD secret harvesting tools.

Strategy

This rule monitors GitHub API GET requests to secret listing endpoints beyond the repository-level scope already covered by existing detections. Nord Stream enumerates every secret scope its token can reach before attempting extraction. A single token querying secrets across organization, environment, and Dependabot scopes within a short window is highly anomalous for legitimate CI/CD usage and indicates systematic reconnaissance of the secrets available to that token.
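As an added illustration (not Datadog's rule logic and not part of this page), the strategy above expressed as a check over constructed API access events: GET requests to GitHub's documented Actions and Dependabot secret listing routes are keyed by scope, and any hashed token that touches at least three distinct scopes within ten minutes is flagged. The event shape (`ts`, `hashed_token`, `method`, `path`), the thresholds, and the sample events are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# GitHub REST routes that list secrets, keyed by the scope they expose (paths as documented by GitHub).
SCOPE_PATTERNS = {
    "repository":   re.compile(r"^/repos/[^/]+/[^/]+/actions/secrets/?$"),
    "environment":  re.compile(r"^/repos/[^/]+/[^/]+/environments/[^/]+/secrets/?$"),
    "organization": re.compile(r"^/orgs/[^/]+/actions/secrets/?$"),
    "dependabot":   re.compile(r"^/(?:repos/[^/]+/[^/]+|orgs/[^/]+)/dependabot/secrets/?$"),
}

def classify_scope(method, path):
    """Return the secret scope a request lists, or None if it is not a secret listing call."""
    if method != "GET":
        return None
    for scope, pattern in SCOPE_PATTERNS.items():
        if pattern.match(path.split("?", 1)[0]):  # ignore query string (e.g. per_page)
            return scope
    return None

def find_enumerating_tokens(events, min_scopes=3, window=timedelta(minutes=10)):
    """Return {hashed_token: sorted scopes} for tokens that listed secrets in at least
    `min_scopes` distinct scopes inside any `window`-long period (sliding per request)."""
    by_token = defaultdict(list)
    for ev in events:
        scope = classify_scope(ev["method"], ev["path"])
        if scope:
            by_token[ev["hashed_token"]].append((datetime.fromisoformat(ev["ts"]), scope))
    hits = {}
    for token, reqs in by_token.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            scopes = {s for t, s in reqs[i:] if t - start <= window}
            if len(scopes) >= min_scopes:
                hits[token] = sorted(scopes)
                break
    return hits

# Constructed sample events (hypothetical flattened log shape, not real data).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T02:10:00", "hashed_token": "tok_A", "method": "GET", "path": "/repos/acme/api/actions/secrets"},
    {"ts": "2024-05-01T02:10:03", "hashed_token": "tok_A", "method": "GET", "path": "/orgs/acme/actions/secrets?per_page=100"},
    {"ts": "2024-05-01T02:10:05", "hashed_token": "tok_A", "method": "GET", "path": "/repos/acme/api/environments/prod/secrets"},
    {"ts": "2024-05-01T02:10:09", "hashed_token": "tok_A", "method": "GET", "path": "/repos/acme/api/dependabot/secrets"},
    {"ts": "2024-05-01T14:00:00", "hashed_token": "tok_C", "method": "GET", "path": "/orgs/acme/actions/secrets"},
    {"ts": "2024-05-01T15:30:00", "hashed_token": "tok_C", "method": "GET", "path": "/orgs/acme/dependabot/secrets"},
    {"ts": "2024-05-01T16:00:00", "hashed_token": "tok_C", "method": "GET", "path": "/repos/acme/api/environments/prod/secrets"},
]
```

Only `tok_A` is flagged: `tok_C` also touches three scopes, but spread over two hours, which is why the window matters for keeping noise from ordinary administrative use low.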

Triage and response

  • Identify the token or credential associated with {{@hashed_token}} and determine whether secret enumeration across multiple scopes is consistent with its intended use.
  • Review which repositories and environments were queried and assess the sensitivity of secrets accessible to this token.
  • Check for subsequent branch protection changes or workflow activity from the same identity following the enumeration.
  • Determine whether any of the enumerated secret values should be considered compromised and require rotation.
  • Examine whether the enumeration occurred outside of normal business hours or from an unusual IP address or user-agent.