Accessing your security log
The security log lists all actions performed within the last 90 days.
- In the upper-right corner of any page, click your profile photo, then click Settings.
- In the user settings sidebar, click Security log.
Searching your security log
The log lists the following information about each action:
- Which repository an action was performed in
- The user that performed the action
- The action that was performed
- Which country the action took place in
- The date and time the action occurred
Note that you cannot search for entries using text. You can, however, construct search queries using a variety of filters. Many operators used when querying the log, such as `-`, `>`, or `<`, match the same format as searching across GitHub. For more information, see "Searching on GitHub."
Search based on operation
Use the `operation` qualifier to limit actions to specific types of operations. For example:
- `operation:access` finds all events where a resource was accessed.
- `operation:authentication` finds all events where an authentication event was performed.
- `operation:create` finds all events where a resource was created.
- `operation:modify` finds all events where an existing resource was modified.
- `operation:remove` finds all events where an existing resource was removed.
- `operation:restore` finds all events where an existing resource was restored.
- `operation:transfer` finds all events where an existing resource was transferred.
Search based on repository
Use the `repo` qualifier to limit actions to a specific repository. For example:
- `repo:my-org/our-repo` finds all events that occurred for the `our-repo` repository in the `my-org` organization.
- `repo:my-org/our-repo repo:my-org/another-repo` finds all events that occurred for both the `our-repo` and `another-repo` repositories in the `my-org` organization.
- `-repo:my-org/not-this-repo` excludes all events that occurred for the `not-this-repo` repository in the `my-org` organization.
Note that you must include the account name within the `repo` qualifier; searching for just `repo:our-repo` will not work.
Search based on the user
The `actor` qualifier can scope events based on who performed the action. For example:
- `actor:octocat` finds all events performed by `octocat`.
- `actor:octocat actor:hubot` finds all events performed by both `octocat` and `hubot`.
- `-actor:hubot` excludes all events performed by `hubot`.
Note that you can only use a GitHub username, not an individual's real name.
Search based on the action performed
Category Name | Description |
---|---|
account_recovery_token | Contains all activities related to adding a recovery token. |
billing | Contains all activities related to your billing information. |
marketplace_agreement_signature | Contains all activities related to signing the GitHub Marketplace Developer Agreement. |
marketplace_listing | Contains all activities related to listing apps in GitHub Marketplace. |
oauth_access | Contains all activities related to OAuth Apps you've connected with. |
payment_method | Contains all activities related to paying for your GitHub subscription. |
profile_picture | Contains all activities related to your profile picture. |
project | Contains all activities related to project boards. |
public_key | Contains all activities related to your public SSH keys. |
repo | Contains all activities related to the repositories you own. |
sponsors | Contains all events related to GitHub Sponsors and sponsor buttons (see "About GitHub Sponsors" and "Displaying a sponsor button in your repository") |
two_factor_authentication | Contains all activities related to two-factor authentication. |
user | Contains all activities related to your account. |
A description of the events within these categories is listed below.
The account_recovery_token category
Action | Description |
---|---|
confirm | Triggered when you successfully store a new token with a recovery provider. |
recover | Triggered when you successfully redeem an account recovery token. |
recover_error | Triggered when a token is used but GitHub is not able to validate it. |
The billing category
Action | Description |
---|---|
change_billing_type | Triggered when you change how you pay for GitHub. |
change_email | Triggered when you change your email address. |
The marketplace_agreement_signature category
Action | Description |
---|---|
create | Triggered when you sign the GitHub Marketplace Developer Agreement. |
The marketplace_listing category
Action | Description |
---|---|
approve | Triggered when your listing is approved for inclusion in GitHub Marketplace. |
create | Triggered when you create a listing for your app in GitHub Marketplace. |
delist | Triggered when your listing is removed from GitHub Marketplace. |
redraft | Triggered when your listing is sent back to draft state. |
reject | Triggered when your listing is not accepted for inclusion in GitHub Marketplace. |
The oauth_access category
Action | Description |
---|---|
create | Triggered when you grant access to an OAuth App. |
destroy | Triggered when you revoke an OAuth App's access to your account. |
The payment_method category
Action | Description |
---|---|
clear | Triggered when a payment method on file is removed. |
create | Triggered when a new payment method is added, such as a new credit card or PayPal account. |
update | Triggered when an existing payment method is updated. |
The profile_picture category
Action | Description |
---|---|
update | Triggered when you set or update your profile picture. |
The project category
Action | Description |
---|---|
create | Triggered when a project board is created. |
rename | Triggered when a project board is renamed. |
update | Triggered when a project board is updated. |
delete | Triggered when a project board is deleted. |
link | Triggered when a repository is linked to a project board. |
unlink | Triggered when a repository is unlinked from a project board. |
project.access | Triggered when a project board's visibility is changed. |
update_user_permission | Triggered when an outside collaborator is added to or removed from a project board or has their permission level changed. |
The public_key category
Action | Description |
---|---|
create | Triggered when you add a new public SSH key to your GitHub account. |
delete | Triggered when you remove a public SSH key from your GitHub account. |
The repo category
Action | Description |
---|---|
access | Triggered when a repository you own is switched from "private" to "public" (or vice versa). |
add_member | Triggered when a GitHub user is invited to have collaboration access to a repository. |
add_topic | Triggered when a repository owner adds a topic to a repository. |
archived | Triggered when a repository owner archives a repository. |
create | Triggered when a new repository is created. |
destroy | Triggered when a repository is deleted. |
disable | Triggered when a repository is disabled (e.g., for insufficient funds). |
enable | Triggered when a repository is re-enabled. |
remove_member | Triggered when a GitHub user is removed from a repository as a collaborator. |
remove_topic | Triggered when a repository owner removes a topic from a repository. |
rename | Triggered when a repository is renamed. |
transfer | Triggered when a repository is transferred. |
transfer_start | Triggered when a repository transfer is about to occur. |
unarchived | Triggered when a repository owner unarchives a repository. |
The sponsors category
Action | Description |
---|---|
repo_funding_link_button_toggle | Triggered when you enable or disable a sponsor button in your repository (see "Displaying a sponsor button in your repository") |
repo_funding_links_file_action | Triggered when you change the FUNDING file in your repository (see "Displaying a sponsor button in your repository") |
sponsor_sponsorship_cancel | Triggered when you cancel a sponsorship (see "Downgrading a sponsorship") |
sponsor_sponsorship_create | Triggered when you sponsor a developer (see "Sponsoring an open source contributor") |
sponsor_sponsorship_preference_change | Triggered when you change whether you receive email updates from a sponsored developer (see "Managing your sponsorship") |
sponsor_sponsorship_tier_change | Triggered when you upgrade or downgrade your sponsorship (see "Upgrading a sponsorship" and "Downgrading a sponsorship") |
sponsored_developer_approve | Triggered when your GitHub Sponsors account is approved (see "Setting up GitHub Sponsors for your user account") |
sponsored_developer_create | Triggered when your GitHub Sponsors account is created (see "Setting up GitHub Sponsors for your user account") |
sponsored_developer_profile_update | Triggered when you edit your sponsored developer profile (see "Editing your profile details for GitHub Sponsors") |
sponsored_developer_request_approval | Triggered when you submit your application for GitHub Sponsors for approval (see "Setting up GitHub Sponsors for your user account") |
sponsored_developer_tier_description_update | Triggered when you change the description for a sponsorship tier (see "Changing your sponsorship tiers") |
sponsored_developer_update_newsletter_send | Triggered when you send an email update to your sponsors (see "Contacting your sponsors") |
waitlist_invite_sponsored_developer | Triggered when you are invited to join GitHub Sponsors from the waitlist (see "Setting up GitHub Sponsors for your user account") |
waitlist_join | Triggered when you join the waitlist to become a sponsored developer (see "Setting up GitHub Sponsors for your user account") |
The successor_invitation category
Action | Description |
---|---|
accept | Triggered when you accept a succession invitation (see "Maintaining ownership continuity of your user account's repositories") |
cancel | Triggered when you cancel a succession invitation (see "Maintaining ownership continuity of your user account's repositories") |
create | Triggered when you create a succession invitation (see "Maintaining ownership continuity of your user account's repositories") |
decline | Triggered when you decline a succession invitation (see "Maintaining ownership continuity of your user account's repositories") |
revoke | Triggered when you revoke a succession invitation (see "Maintaining ownership continuity of your user account's repositories") |
The two_factor_authentication category
Action | Description |
---|---|
enabled | Triggered when two-factor authentication is enabled. |
disabled | Triggered when two-factor authentication is disabled. |
The user category
Action | Description |
---|---|
add_email | Triggered when you add a new email address. |
create | Triggered when you create a new user account. |
remove_email | Triggered when you remove an email address. |
rename | Triggered when you rename your account. |
change_password | Triggered when you change your password. |
forgot_password | Triggered when you ask for a password reset. |
login | Triggered when you log in to GitHub. |
failed_login | Triggered when you failed to log in successfully. |
two_factor_requested | Triggered when GitHub asks you for your two-factor authentication code. |
show_private_contributions_count | Triggered when you publicize private contributions on your profile. |
hide_private_contributions_count | Triggered when you hide private contributions on your profile. |
report_content | Triggered when you report an issue or pull request, or a comment on an issue, pull request, or commit. |
The user_status category
Action | Description |
---|---|
update | Triggered when you set or change the status on your profile. For more information, see "Setting a status." |
destroy | Triggered when you clear the status on your profile. |
Exporting your security log
You can export the log as JSON data or a comma-separated value (CSV) file.
To filter the results in your export, search by one or more of these supported qualifiers before using the Export drop-down menu.
Qualifier | Example value |
---|---|
action | team.create |
actor | octocat |
user | codertocat |
org | octo-org |
repo | octo-org/documentation |
created | 2019-06-01 |
After you export the log as JSON or CSV, you'll see the following keys and values in the resulting file.
Key | Example value |
---|---|
action | team.create |
actor | octocat |
user | codertocat |
org | octo-org |
repo | octo-org/documentation |
created_at | 1429548104000 (Timestamp shows the time since Epoch with milliseconds.) |
data.hook_id | 245 |
data.events | ["issues", "issue_comment", "pull_request", "pull_request_review_comment"] |
data.events_were | ["push", "pull_request", "issues"] |
data.target_login | octocat |
data.old_user | hubot |
data.team | octo-org/engineering |
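As an added example (not GitHub's own code), the following Python script triages an exported JSON log: it converts `created_at` from Epoch milliseconds to UTC and flags account-sensitive actions, plus any login that follows a burst of failed logins. It assumes the export is a JSON array of objects with the keys above and `action` values of the form `category.action`; the `SENSITIVE` set, the thresholds and the sample records are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumption: the export is a JSON array of objects using the keys listed above,
# with "action" in "<category>.<action>" form, like the page's "team.create".
SENSITIVE = {
    "two_factor_authentication.disabled", "public_key.create",
    "oauth_access.create", "user.add_email", "user.change_password",
    "account_recovery_token.recover", "repo.add_member", "repo.transfer",
}

def to_utc(ms):
    """created_at is milliseconds since the Epoch; return an aware UTC datetime."""
    return datetime.fromtimestamp(int(ms) / 1000, tz=timezone.utc)

def triage(export_json, burst=3, window=timedelta(minutes=10)):
    """Return (time, action, actor, reason) tuples for review, oldest first."""
    events = sorted(json.loads(export_json), key=lambda e: int(e["created_at"]))
    findings, failures = [], []
    for ev in events:
        when, action = to_utc(ev["created_at"]), ev.get("action", "")
        row = (when.isoformat(), action, ev.get("actor"))
        if action == "user.failed_login":
            failures.append(when)
        elif action == "user.login":
            # A successful login right after a run of failures deserves a look.
            close = [t for t in failures if when - t <= window]
            if len(close) >= burst:
                findings.append(row + (f"login after {len(close)} failures",))
            failures = []
        elif action in SENSITIVE:
            findings.append(row + ("sensitive change",))
    return findings

# Constructed sample export (not real log data); timestamps start at the
# page's example created_at value and advance one minute per event.
T0 = 1429548104000
SAMPLE_EXPORT = json.dumps([
    {"action": a, "actor": "octocat", "created_at": T0 + i * 60_000}
    for i, a in enumerate([
        "user.failed_login", "user.failed_login", "user.failed_login",
        "user.login", "public_key.create", "profile_picture.update",
        "two_factor_authentication.disabled",
    ])
])

if __name__ == "__main__":
    for finding in triage(SAMPLE_EXPORT):
        print(*finding, sep="  ")
```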