secret/github-pat
GitHub Personal Access Token (classic)
What it detects
Classic GitHub token granting repo, user, and potentially admin access.
How it runs
Runs against every text file in the repo (with a binary-content filter and a `.repoguardignore` filter for fixtures). The matched value is masked before being persisted.
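The pipeline described above (binary filter, match, mask before persisting), sketched as an added example; it is not the scanner's own code. The `ghp_` plus 36 alphanumeric characters pattern is GitHub's documented classic-token format, while the NUL-byte binary heuristic, the mask layout and all function names are assumptions made for illustration. The `.repoguardignore` step is left out because its syntax is not shown on this page.

```python
import re

# Classic GitHub PATs are "ghp_" followed by 36 alphanumeric characters.
# Assumption for this example; the rule's actual regex is not shown on the page.
CLASSIC_PAT = re.compile(r"\bghp_[A-Za-z0-9]{36}\b")


def looks_binary(data: bytes, sample: int = 8000) -> bool:
    """Heuristic binary-content filter: a NUL byte near the start of the file."""
    return b"\x00" in data[:sample]


def mask(token: str) -> str:
    """Keep the prefix and last four characters so a finding is traceable but unusable."""
    return token[:4] + "*" * (len(token) - 8) + token[-4:]


def scan_blob(path: str, data: bytes) -> list[dict]:
    """Return findings for one file; only the masked value leaves this function."""
    if looks_binary(data):
        return []
    findings = []
    text = data.decode("utf-8", errors="replace")
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CLASSIC_PAT.finditer(line):
            findings.append({"rule": "secret/github-pat", "path": path,
                             "line": lineno, "match": mask(m.group(0))})
    return findings


# Constructed sample inputs; the token is fabricated and not a real credential.
FAKE = "ghp_" + "A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"
SAMPLE_TEXT = f'export GITHUB_TOKEN="{FAKE}"\nprint("ghp_tooshort")\n'.encode()
SAMPLE_BINARY = b"\x89PNG\x00\x00" + FAKE.encode()

if __name__ == "__main__":
    for name, blob in (("deploy.sh", SAMPLE_TEXT), ("logo.png", SAMPLE_BINARY)):
        print(name, scan_blob(name, blob))
```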
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a `.repoguardignore` line.