GitHub personal access token
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
A GitHub personal access token (ghp_...) was found. Depending on its scopes it can read or push to repositories and act on the account.
Why it matters
A GitHub personal access token authenticates to the GitHub API as the user who created it. Depending on its scopes it can read private repositories, push code, or change account settings. Public repos are scanned for the ghp_ prefix continuously.
How to fix it
Move the token into an environment variable or a GitHub Actions secret, and read it at runtime. Prefer a fine-grained token scoped to only the repos and permissions needed. Revoke the exposed token in GitHub developer settings.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo