---
title: GitHub secret enumeration via API
description: Datadog, the leading service for cloud-scale monitoring.
---

# GitHub secret enumeration via API

Classification: attack

Tactic: [TA0007-discovery](https://attack.mitre.org/tactics/TA0007)

Technique: [T1526-cloud-service-discovery](https://attack.mitre.org/techniques/T1526)

## Goal{% #goal %}

Detects enumeration of GitHub Actions secrets across multiple scopes — repository, organization, environment, and Dependabot — from a single token, indicating reconnaissance activity consistent with [Nord Stream](https://github.com/synacktiv/nord-stream/tree/main) or similar CI/CD secret harvesting tools.

## Strategy{% #strategy %}

This rule monitors GitHub API GET requests to secret listing endpoints beyond the repository-level scope already covered by existing detections. Nord Stream enumerates all accessible secret scopes before attempting extraction. A single token querying secrets across organization, environment, and Dependabot scopes in a short window is highly anomalous for legitimate CI/CD usage and indicates systematic reconnaissance of available secrets.
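
The correlation described above, as an added example (not Datadog's rule definition and not code from this page): it groups GET requests to GitHub's secret-listing REST routes by `hashed_token` and flags a token that lists secrets in several scopes inside one time window. The event field names other than `hashed_token`, the 600-second window, and the three-scope threshold are assumptions.

```python
import re
from collections import defaultdict

# GitHub REST secret-listing routes, keyed by the scope each one exposes.
SCOPE_ROUTES = {
    "repository": re.compile(r"^/repos/[^/]+/[^/]+/actions/secrets$"),
    "organization": re.compile(r"^/orgs/[^/]+/actions/secrets$"),
    "environment": re.compile(r"^/repos/[^/]+/[^/]+/environments/[^/]+/secrets$"),
    "dependabot": re.compile(r"^/(orgs/[^/]+|repos/[^/]+/[^/]+)/dependabot/secrets$"),
}
WINDOW_SECONDS = 600  # assumption: the rule text only says "a short window"
MIN_SCOPES = 3        # assumption: distinct scopes required before alerting

def classify(event):
    """Return the secret scope a GET request lists, or None for anything else."""
    if event.get("request_method") != "GET":
        return None
    path = event.get("url_path", "").split("?", 1)[0].rstrip("/")
    return next((s for s, rx in SCOPE_ROUTES.items() if rx.match(path)), None)

def detect(events, window=WINDOW_SECONDS, min_scopes=MIN_SCOPES):
    """Map hashed_token -> scopes for tokens listing min_scopes within window."""
    hits = defaultdict(list)
    for ev in events:
        scope = classify(ev)
        if scope and ev.get("hashed_token"):
            hits[ev["hashed_token"]].append((ev["ts"], scope))
    alerts = {}
    for token, seen in hits.items():
        for t0, _ in seen:  # try a window starting at each listing request
            scopes = {s for t, s in seen if 0 <= t - t0 <= window}
            if len(scopes) >= min_scopes:
                alerts[token] = sorted(scopes)
                break
    return alerts

# Constructed sample events; tokens, org and repo names are made up.
FIELDS = ("ts", "hashed_token", "request_method", "url_path")
SAMPLE = [dict(zip(FIELDS, row)) for row in [
    (0, "tok-a", "GET", "/orgs/acme/actions/secrets?per_page=100"),
    (5, "tok-a", "GET", "/repos/acme/app/environments/prod/secrets"),
    (9, "tok-a", "GET", "/orgs/acme/dependabot/secrets"),
    (0, "tok-b", "GET", "/repos/acme/app/actions/secrets"),
    (0, "tok-c", "GET", "/orgs/acme/actions/secrets"),
    (4000, "tok-c", "GET", "/repos/acme/app/environments/prod/secrets"),
    (8000, "tok-c", "GET", "/repos/acme/app/dependabot/secrets"),
    (3, "tok-d", "PUT", "/repos/acme/app/actions/secrets/API_KEY"),
]]
```

On the sample, only `tok-a` is flagged: `tok-b` stays in one scope, `tok-c` spreads its requests over hours, and `tok-d` writes a secret rather than listing them.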

## Triage and response{% #triage-and-response %}

- Identify the token or credential associated with `{{@hashed_token}}` and determine whether secret enumeration across multiple scopes is consistent with its intended use.
- Review which repositories and environments were queried and assess the sensitivity of secrets accessible to this token.
- Check for subsequent branch protection changes or workflow activity from the same identity following the enumeration.
- Determine whether any of the enumerated secret values should be considered compromised and require rotation.
- Examine whether the enumeration occurred outside of normal business hours or from an unusual IP address or user-agent.
