Accessing your security log
The security log lists all actions performed within the last 90 days.
-
In the upper-right corner of any page, click your profile photo, then click Settings.
-
In the user settings sidebar, click Security log.
Searching your security log
The log lists the following information about each action:
- Which repository an action was performed in
- The user that performed the action
- The action that was performed
- Which country the action took place in
- The date and time the action occurred
Note that you cannot search for entries using text. You can, however, construct search queries using a variety of filters. Many operators used when querying the log, such as -, >, or <, match the same format as searching across GitHub. For more information, see "Searching on GitHub."
Search based on operation
Use the operation qualifier to limit actions to specific types of operations. For example:
operation:accessfinds all events where a resource was accessed.operation:authenticationfinds all events where an authentication event was performed.operation:createfinds all events where a resource was created.operation:modifyfinds all events where an existing resource was modified.operation:removefinds all events where an existing resource was removed.operation:restorefinds all events where an existing resource was restored.operation:transferfinds all events where an existing resource was transferred.
Search based on repository
Use the repo qualifier to limit actions to a specific repository. For example:
repo:my-org/our-repofinds all events that occurred for theour-reporepository in themy-orgorganization.repo:my-org/our-repo repo:my-org/another-repofinds all events that occurred for both theour-repoandanother-reporepositories in themy-orgorganization.-repo:my-org/not-this-repoexcludes all events that occurred for thenot-this-reporepository in themy-orgorganization.
Note that you must include the account name within the repo qualifier; searching for just repo:our-repo will not work.
Search based on the user
The actor qualifier can scope events based on who performed the action. For example:
actor:octocatfinds all events performed byoctocat.actor:octocat actor:hubotfinds all events performed by bothoctocatandhubot.-actor:hubotexcludes all events performed byhubot.
Note that you can only use a GitHub username, not an individual's real name.
Search based on the action performed
The events listed in your security log are triggered by your actions. Actions are grouped into the following categories:
| Category name | Description |
|---|---|
account_recovery_token | Contains all activities related to adding a recovery token. |
billing | Contains all activities related to your billing information. |
codespaces | Contains all activities related to Codespaces. For more information, see "About Codespaces." |
marketplace_agreement_signature | Contains all activities related to signing the GitHub Marketplace Developer Agreement. |
marketplace_listing | Contains all activities related to listing apps in GitHub Marketplace. |
oauth_access | Contains all activities related to OAuth Apps you've connected with. |
payment_method | Contains all activities related to paying for your GitHub subscription. |
profile_picture | Contains all activities related to your profile picture. |
project | Contains all activities related to project boards. |
public_key | Contains all activities related to your public SSH keys. |
repo | Contains all activities related to the repositories you own. |
sponsors | Contains all events related to GitHub Sponsors and sponsor buttons (see "About GitHub Sponsors" and "Displaying a sponsor button in your repository") |
two_factor_authentication | Contains all activities related to two-factor authentication. |
user | Contains all activities related to your account. |
Exporting your security log
You can export the log as JSON data or a comma-separated value (CSV) file.
To filter the results in your export, search by one or more of these supported qualifiers before using the Export drop-down menu.
| Qualifier | Example value |
|---|---|
action | team.create |
actor | octocat |
user | codertocat |
org | octo-org |
repo | octo-org/documentation |
created | 2019-06-01 |
After you export the log as JSON or CSV, you'll see the following keys and values in the resulting file.
| Key | Example value |
|---|---|
action | team.create |
actor | octocat |
user | codertocat |
org | octo-org |
repo | octo-org/documentation |
created_at | 1429548104000 (Timestamp shows the time since Epoch with milliseconds.) |
data.hook_id | 245 |
data.events | ["issues", "issue_comment", "pull_request", "pull_request_review_comment"] |
data.events_were | ["push", "pull_request", "issues"] |
data.target_login | octocat |
data.old_user | hubot |
data.team | octo-org/engineering |
Security log actions
An overview of some of the most common actions that are recorded as events in the security log.
account_recovery_token category actions
| Action | Description |
|---|---|
confirm | Triggered when you successfully store a new token with a recovery provider. |
recover | Triggered when you successfully redeem an account recovery token. |
recover_error | Triggered when a token is used but GitHub is not able to validate it. |
billing category actions
| Action | Description |
|---|---|
change_billing_type | Triggered when you change how you pay for GitHub. |
change_email | Triggered when you change your email address. |
codespaces category actions
| Action | Description |
|---|---|
create | Triggered when you create a codespace. |
resume | Triggered when you resume a suspended codespace. |
delete | Triggered when you delete a codespace. |
manage_access_and_security | Triggered when you update the repositories a codespace has access to. |
trusted_repositories_access_update | Triggered when you change your user account's access and security setting for Codespaces. |
marketplace_agreement_signature category actions
| Action | Description |
|---|---|
create | Triggered when you sign the GitHub Marketplace Developer Agreement. |
marketplace_listing category actions
| Action | Description |
|---|---|
approve | Triggered when your listing is approved for inclusion in GitHub Marketplace. |
create | Triggered when you create a listing for your app in GitHub Marketplace. |
delist | Triggered when your listing is removed from GitHub Marketplace. |
redraft | Triggered when your listing is sent back to draft state. |
reject | Triggered when your listing is not accepted for inclusion in GitHub Marketplace. |
oauth_access category actions
| Action | Description |
|---|---|
create | Triggered when you grant access to an OAuth App. |
destroy | Triggered when you revoke an OAuth App's access to your account. |
payment_method category actions
| Action | Description |
|---|---|
clear | Triggered when a payment method on file is removed. |
create | Triggered when a new payment method is added, such as a new credit card or PayPal account. |
update | Triggered when an existing payment method is updated. |
profile_picture category actions
| Action | Description |
|---|---|
update | Triggered when you set or update your profile picture. |
project category actions
| Action | Description |
|---|---|
access | Triggered when a project board's visibility is changed. |
create | Triggered when a project board is created. |
rename | Triggered when a project board is renamed. |
update | Triggered when a project board is updated. |
delete | Triggered when a project board is deleted. |
link | Triggered when a repository is linked to a project board. |
unlink | Triggered when a repository is unlinked from a project board. |
update_user_permission | Triggered when an outside collaborator is added to or removed from a project board or has their permission level changed. |
public_key category actions
| Action | Description |
|---|---|
create | Triggered when you add a new public SSH key to your GitHub account. |
delete | Triggered when you remove a public SSH key to your GitHub account. |
repo category actions
| Action | Description |
|---|---|
access | Triggered when you a repository you own is switched from "private" to "public" (or vice versa). |
add_member | Triggered when a GitHub user is invited to have collaboration access to a repository. |
add_topic | Triggered when a repository owner adds a topic to a repository. |
archived | Triggered when a repository owner archives a repository. |
create | Triggered when a new repository is created. |
destroy | Triggered when a repository is deleted. |
disable | Triggered when a repository is disabled (e.g., for insufficient funds). |
enable | Triggered when a repository is re-enabled. |
remove_member | Triggered when a GitHub user is removed from a repository as a collaborator. |
remove_topic | Triggered when a repository owner removes a topic from a repository. |
rename | Triggered when a repository is renamed. |
transfer | Triggered when a repository is transferred. |
transfer_start | Triggered when a repository transfer is about to occur. |
unarchived | Triggered when a repository owner unarchives a repository. |
sponsors category actions
| Action | Description |
|---|---|
custom_amount_settings_change | Triggered when you enable or disable custom amounts, or when you change the suggested custom amount (see "Managing your sponsorship tiers") |
repo_funding_links_file_action | Triggered when you change the FUNDING file in your repository (see "Displaying a sponsor button in your repository") |
sponsor_sponsorship_cancel | Triggered when you cancel a sponsorship (see "Downgrading a sponsorship") |
sponsor_sponsorship_create | Triggered when you sponsor an account (see "Sponsoring an open source contributor") |
sponsor_sponsorship_payment_complete | Triggered after you sponsor an account and your payment has been processed (see "Sponsoring an open source contributor") |
sponsor_sponsorship_preference_change | Triggered when you change whether you receive email updates from a sponsored developer (see "Managing your sponsorship") |
sponsor_sponsorship_tier_change | Triggered when you upgrade or downgrade your sponsorship (see "Upgrading a sponsorship" and "Downgrading a sponsorship") |
sponsored_developer_approve | Triggered when your GitHub Sponsors account is approved (see "Setting up GitHub Sponsors for your user account") |
sponsored_developer_create | Triggered when your GitHub Sponsors account is created (see "Setting up GitHub Sponsors for your user account") |
sponsored_developer_disable | Triggered when your GitHub Sponsors account is disabled |
sponsored_developer_redraft | Triggered when your GitHub Sponsors account is returned to draft state from approved state |
sponsored_developer_profile_update | Triggered when you edit your sponsored developer profile (see "Editing your profile details for GitHub Sponsors") |
sponsored_developer_request_approval | Triggered when you submit your application for GitHub Sponsors for approval (see "Setting up GitHub Sponsors for your user account") |
sponsored_developer_tier_description_update | Triggered when you change the description for a sponsorship tier (see "Managing your sponsorship tiers") |
sponsored_developer_update_newsletter_send | Triggered when you send an email update to your sponsors (see "Contacting your sponsors") |
waitlist_invite_sponsored_developer | Triggered when you are invited to join GitHub Sponsors from the waitlist (see "Setting up GitHub Sponsors for your user account") |
waitlist_join | Triggered when you join the waitlist to become a sponsored developer (see "Setting up GitHub Sponsors for your user account") |
successor_invitation category actions
| Action | Description |
|---|---|
accept | Triggered when you accept a succession invitation (see "Maintaining ownership continuity of your user account's repositories") |
cancel | Triggered when you cancel a succession invitation (see "Maintaining ownership continuity of your user account's repositories") |
create | Triggered when you create a succession invitation (see "Maintaining ownership continuity of your user account's repositories") |
decline | Triggered when you decline a succession invitation (see "Maintaining ownership continuity of your user account's repositories") |
revoke | Triggered when you revoke a succession invitation (see "Maintaining ownership continuity of your user account's repositories") |
two_factor_authentication category actions
| Action | Description |
|---|---|
enabled | Triggered when two-factor authentication is enabled. |
disabled | Triggered when two-factor authentication is disabled. |
user category actions
| Action | Description |
|---|---|
add_email | Triggered when you add a new email address. |
codespaces_trusted_repo_access_granted | Triggered when you [allow the codespaces you create for a repository to access other repositories owned by your user account](/github/developing-online-with-codespaces/managing-access-and-security-for-codespaces. |
codespaces_trusted_repo_access_revoked | Triggered when you [disallow the codespaces you create for a repository to access other repositories owned by your user account](/github/developing-online-with-codespaces/managing-access-and-security-for-codespaces. |
create | Triggered when you create a new user account. |
change_password | Triggered when you change your password. |
forgot_password | Triggered when you ask for a password reset. |
hide_private_contributions_count | Triggered when you hide private contributions on your profile. |
login | Triggered when you log in to GitHub. |
failed_login | Triggered when you failed to log in successfully. |
remove_email | Triggered when you remove an email address. |
rename | Triggered when you rename your account. |
report_content | Triggered when you report an issue or pull request, or a comment on an issue, pull request, or commit. |
show_private_contributions_count | Triggered when you publicize private contributions on your profile. |
two_factor_requested | Triggered when GitHub asks you for your two-factor authentication code. |
user_status category actions
| Action | Description |
|---|---|
update | Triggered when you set or change the status on your profile. For more information, see "Setting a status." |
destroy | Triggered when you clear the status on your profile. |