LaconicNetwork/token-checker
Token Checker

GitHub token capability auditor. Analyzes Personal Access Tokens to determine their permissions, accessible resources, and potential security implications.

Quick Start (Recommended)

Using uv - no installation required:

# Run directly without installing
uvx --from git+https://github.com/LaconicNetwork/token-checker token-checker <token>

# Or check specific org
uvx --from git+https://github.com/LaconicNetwork/token-checker token-checker --org Zenith-Foundation <token>

Installation Options

Option 1: uv (fastest)

git clone https://github.com/LaconicNetwork/token-checker
cd token-checker
uv sync
uv run token-checker <token>

Option 2: pip + venv (traditional)

git clone https://github.com/LaconicNetwork/token-checker
cd token-checker
python -m venv .venv
source .venv/bin/activate  # On Windows: .venv\Scripts\activate
pip install -e .
token-checker <token>

Usage

# Full audit
token-checker ghp_xxxxx

# Use environment variable (preferred: a token passed as a command-line argument is
# written to shell history and visible to other local users in the process list)
export GITHUB_TOKEN=ghp_xxxxx
token-checker

# Output as JSON
token-checker --json ghp_xxxxx > report.json

# Check access to specific organization
token-checker --org Zenith-Foundation ghp_xxxxx

What It Checks

| Check | Description |
|---|---|
| Token Type | Classic PAT vs fine-grained token |
| OAuth Scopes | Full list of granted scopes |
| User Info | Authenticated user details |
| Organizations | Accessible orgs and role (member/admin) |
| Repositories | Accessible repos with permission levels (read/push/admin) |
| Packages | Access to GitHub Container Registry (ghcr.io) |
| Rate Limits | Current API rate limit status |

Security Recommendations

The tool flags potentially dangerous permissions:

| Scope | Risk Level | Description |
|---|---|---|
| repo | ⚠️ High | Full read/write access to every repository the token's user can reach, including private ones |
| admin:org | ⚠️ High | Full control of organizations and teams |
| delete:packages | 🚨 Critical | Can delete container images and other packages |
| workflow | ⚠️ High | Can modify GitHub Actions workflow files |
| write:packages | ⚠️ Medium | Can push to the container registry |
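The token-type, scope and rate-limit checks above all come out of a single authenticated request. The following is an added example, not the token-checker project's own code: it classifies a token by prefix (`ghp_` classic, `github_pat_` fine-grained), parses the `X-OAuth-Scopes` and `X-RateLimit-*` headers GitHub returns on `GET /user`, expands granted scopes through GitHub's documented scope hierarchy (e.g. `repo` implies `public_repo`, `write:packages` implies `read:packages`), and grades the result against the risk table in this section. The `SAMPLE_HEADERS` dict is constructed to mimic GitHub's header shape so the script runs offline; `fetch_user_headers` is the only part that talks to the API, and the `RISK` table and `IMPLIED` map are this example's own data structures.

```python
"""Classify a GitHub token and the scopes the API reports for it (added example)."""
from __future__ import annotations

import json
import urllib.request

# Risk table mirrored from the README's Security Recommendations.
RISK = {
    "delete:packages": ("Critical", "Can delete container images"),
    "repo": ("High", "Full access to all repositories"),
    "admin:org": ("High", "Organization admin"),
    "workflow": ("High", "Can modify GitHub Actions workflows"),
    "write:packages": ("Medium", "Can push to container registry"),
}
SEVERITY = {"Critical": 3, "High": 2, "Medium": 1}

# Parent scopes that implicitly grant narrower ones (GitHub's scope hierarchy).
IMPLIED = {
    "repo": {"repo:status", "repo_deployment", "public_repo", "repo:invite", "security_events"},
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
    "write:packages": {"read:packages"},
    "admin:repo_hook": {"write:repo_hook", "read:repo_hook"},
    "user": {"read:user", "user:email", "user:follow"},
}


def token_type(token: str) -> str:
    """Identify the token family from its prefix."""
    if token.startswith("ghp_"):
        return "classic"
    if token.startswith("github_pat_"):
        return "fine-grained"
    return "unknown"


def parse_scopes(header: str | None) -> list[str]:
    """Split the comma-separated X-OAuth-Scopes value; fine-grained PATs send none."""
    if not header:
        return []
    return sorted({s.strip() for s in header.split(",") if s.strip()})


def effective_scopes(scopes) -> set[str]:
    """Expand granted scopes with everything they implicitly include."""
    out = set(scopes)
    frontier = list(scopes)
    while frontier:
        for child in IMPLIED.get(frontier.pop(), ()):
            if child not in out:
                out.add(child)
                frontier.append(child)
    return out


def assess(scopes) -> list[tuple[str, str, str]]:
    """Return (scope, level, description) findings, most severe first."""
    hits = [(s, *RISK[s]) for s in scopes if s in RISK]
    return sorted(hits, key=lambda h: -SEVERITY[h[1]])


def audit_headers(token: str, headers: dict) -> dict:
    """Summarize what a GET /user response's headers say about the token."""
    h = {k.lower(): v for k, v in headers.items()}
    scopes = parse_scopes(h.get("x-oauth-scopes"))
    return {
        "token_type": token_type(token),
        "scopes": scopes,
        "effective_scopes": sorted(effective_scopes(scopes)),
        "findings": assess(scopes),
        "rate_limit": {
            "limit": int(h.get("x-ratelimit-limit", 0)),
            "remaining": int(h.get("x-ratelimit-remaining", 0)),
        },
    }


def fetch_user_headers(token: str) -> dict:
    """Live call (not exercised offline): GET /user and return the response headers."""
    req = urllib.request.Request(
        "https://api.github.com/user",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return dict(resp.headers)


# Constructed sample headers shaped like GitHub's; not captured from a real response.
SAMPLE_HEADERS = {
    "X-OAuth-Scopes": "read:org, repo, workflow, write:packages",
    "X-RateLimit-Limit": "5000",
    "X-RateLimit-Remaining": "4987",
}

if __name__ == "__main__":
    print(json.dumps(audit_headers("ghp_example", SAMPLE_HEADERS), indent=2))
```

Expanding implied scopes matters for the report: a token showing only `repo` in the header can still push to public repositories and read security events, which a reviewer comparing against a least-privilege baseline would otherwise miss.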

Example Output

============================================================
GitHub Token Capability Audit
============================================================
Timestamp: 2024-01-31T12:00:00

[1/5] Checking token type and scopes...
[2/5] Checking rate limits...
[3/5] Checking organization access...
[4/5] Checking repository access...
[5/5] Checking package/container access...

============================================================
AUDIT RESULTS
============================================================

Token Type: personal_access_token

Authenticated User:
  Login: username
  ID: 12345
  Type: User

OAuth Scopes (5):
  - read:org
  - repo
  - workflow
  - write:packages

Organization Access (2):
  - LaconicNetwork (role: member)
  - Zenith-Foundation (role: member)

Repository Access (50 sampled):
  - Private repos: 35
  - Admin access: 10
  - Push access: 45

============================================================
SECURITY RECOMMENDATIONS
============================================================
⚠️  Token has 'repo' scope - full access to all repositories
⚠️  Token can push to container registry
⚠️  Token can modify GitHub Actions workflows
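The Organizations and Repositories rows of "What It Checks", and the "Repository Access" and "Organization Access" counts in the output above, come from listing endpoints rather than headers. The following is an added example, not the token-checker project's own code: it reduces the JSON shapes of `GET /user/repos` (each repo carries a `permissions` object with `admin`/`push`/`pull` booleans) and `GET /user/memberships/orgs` (each membership carries `role` and `state`) to the same kind of summary, and additionally lists the private repositories the token administers, since those are the ones a stolen token could fully take over. `SAMPLE_REPOS` and `SAMPLE_MEMBERSHIPS` are constructed objects that mimic those shapes; `fetch_json` is the only live call and fetches a single page, so the "sampled" count is an assumption of this example, not a full inventory.

```python
"""Summarize repository and organization access from GitHub listing endpoints (added example)."""
from __future__ import annotations

import json
import urllib.request


def summarize_repos(repos: list[dict]) -> dict:
    """Count sampled repos by visibility and permission level, and list private admin repos."""
    summary = {"sampled": len(repos), "private": 0, "admin": 0, "push": 0, "read_only": 0}
    admin_private = []
    for r in repos:
        perms = r.get("permissions", {})
        if r.get("private"):
            summary["private"] += 1
        if perms.get("admin"):
            summary["admin"] += 1
            if r.get("private"):
                admin_private.append(r["full_name"])
        if perms.get("push"):  # admin implies push in GitHub's permission model
            summary["push"] += 1
        else:
            summary["read_only"] += 1
    summary["admin_private_repos"] = sorted(admin_private)
    return summary


def summarize_orgs(memberships: list[dict]) -> list[tuple[str, str]]:
    """Return (org_login, role) for active memberships, admin roles first."""
    rows = [
        (m["organization"]["login"], m["role"])
        for m in memberships
        if m.get("state") == "active"
    ]
    return sorted(rows, key=lambda row: (row[1] != "admin", row[0]))


def recommendations(repo_summary: dict, org_rows: list[tuple[str, str]]) -> list[str]:
    """Turn the summaries into warning lines in the style of the audit report."""
    out = []
    if repo_summary["admin_private_repos"]:
        names = ", ".join(repo_summary["admin_private_repos"])
        out.append(f"Token has admin access to private repos: {names}")
    admins = [login for login, role in org_rows if role == "admin"]
    if admins:
        out.append("Token holds organization admin role in: " + ", ".join(admins))
    return out


def fetch_json(token: str, path: str) -> list[dict]:
    """Live call (not exercised offline): fetch one page of a listing endpoint."""
    req = urllib.request.Request(
        f"https://api.github.com{path}?per_page=100",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


# Constructed samples shaped like the API responses; not captured from GitHub.
SAMPLE_REPOS = [
    {"full_name": "example-org/infra", "private": True,
     "permissions": {"admin": True, "push": True, "pull": True}},
    {"full_name": "example-org/site", "private": False,
     "permissions": {"admin": False, "push": True, "pull": True}},
    {"full_name": "example-org/secrets", "private": True,
     "permissions": {"admin": False, "push": False, "pull": True}},
    {"full_name": "someone/tool", "private": False,
     "permissions": {"admin": True, "push": True, "pull": True}},
]
SAMPLE_MEMBERSHIPS = [
    {"state": "active", "role": "member", "organization": {"login": "example-org"}},
    {"state": "active", "role": "admin", "organization": {"login": "other-org"}},
    {"state": "pending", "role": "member", "organization": {"login": "invited-org"}},
]

if __name__ == "__main__":
    repos = summarize_repos(SAMPLE_REPOS)
    orgs = summarize_orgs(SAMPLE_MEMBERSHIPS)
    print(json.dumps({"repos": repos, "orgs": orgs}, indent=2))
    for line in recommendations(repos, orgs):
        print("⚠️ ", line)
```

Pending memberships are skipped on purpose: the token cannot act in an organization whose invitation has not been accepted, so counting them would overstate its reach.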
