Will It Vibe logoWill It Vibe?
SECRET-011High severity-15 points

GitHub app installation token

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

A GitHub app / server-to-server token (ghs_...) was found. These are short-lived but still authenticate as the app installation while valid.

Why it matters

A GitHub app installation token authenticates as the app installation, with the permissions the app was granted on those repositories. Although short-lived, it is a working credential while valid and should never be committed. Committing it also suggests tokens are being logged or persisted somewhere they should not be.

How to fix it

Generate installation tokens at runtime from the app private key and use them immediately; never write them to a tracked file. Store the app private key itself in a secret store. Review why the token was persisted and remove that path.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks