GitHub fine-grained personal access token
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
A GitHub fine-grained PAT (github_pat_...) was found. It grants the specific repository and permission scopes chosen when it was created.
Why it matters
A GitHub fine-grained personal access token grants the specific repository and permission scopes chosen at creation. Even scoped, a committed token is a live credential that an attacker can use immediately. The github_pat_ prefix is scanned for automatically.
How to fix it
Move the token into an environment variable or CI secret and read it at runtime. Keep the scope as narrow as the task allows. Revoke the exposed token in GitHub fine-grained token settings.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo