Programatically rotate SSH keys, personal access tokens and deploy keys

I am looking for a way to automate auditing and rotating of SSH keys, personal access tokens and deploy keys. We use GitHub Org so I want to do this for my entire user population. I was thinking to regularly scan for these kinds of credentials and examine their age. If they are approaching a certain age I want to notify the owner so he/she can generate a new key and use that. If they are above the age limit I want to disable or delete them.

So far I have only been able to identify SSH keys through the v3 API using the /users/:user/keys endpoint. Is there a way to discover the other credentials?

Also what methods exist to actually delete or disable these type of credentials? If that is not possible just reporting on the keys would be better than nothing.

Thanks!

Morgan

2 Likes

Hi @nbmsm1,

Thanks for being here! There are no API endpoints for listing personal access tokens. Only the authenticated user can delete their own delete SSH keys.

1 Like

SSH keys can be added/viewed/removed through the API, but be careful with this: an ssh key added through the API using a personal access token will be removed when that personal access token is removed.

2 Likes

I raised this with GitHub support too. This was their reply:

There are no API endpoints for listing personal access tokens. Only the authenticated user can delete their own SSH keys.

“I have added your interest in this feature to our internal tracking system. Our product development team carefully considers customer feedback when planning new features. If you’d like to see if we have added this feature, you can do so by keeping an eye on our blog.”

So the best I can do now is find and delete deploy keys and just report on SSH and GPG keys. Apparently this is a request that is being tracked and I think it should have priority since it would be a valuable security feature.

Morgan

1 Like

if you use vault you can use this


than you won’t have to create personal access token and emit installation tokens that expire within an hour