GitHub Audit Logs
GitHub Audit Logs provide a detailed record of actions and events within a GitHub organization or repository. These logs capture information such as user logins, repository changes (e.g., pushes, merges, deletions), permission modifications, and security settings updates. They help administrators track user activity, ensure security compliance, and audit changes for troubleshooting and incident investigation.
Ingest Methods
GitHub audit logs can be ingested using one of two methods: streaming, where GitHub pushes your audit log to a cloud storage account that RunReveal reads from, or API polling, where RunReveal uses an access token you provide to poll your GitHub organization for new audit log events every 60 seconds.
Log Streaming
Resource Setup
If you plan to use audit log streaming, you first need to set up the cloud resources and permissions that give RunReveal read access to the streaming destination.
If you are using an AWS S3 bucket, use the following SNS topic ARN as the destination for your bucket's event notifications.
SNS topic & Custom SQS. Use the ARN above in the event notification attached to your S3 bucket; the topic name must match (runreveal_…; hyphens in the source id become underscores). If you use a Custom SQS queue instead, set the queue URL and region in RunReveal; see AWS S3 Bucket with Custom SQS.
Note: BYOC, On-Prem, and BYODB customers must use their own AWS account ID in the ARN instead of 253602268883.
GitHub Setup
Once the resources and permissions for RunReveal are in place, configure GitHub to stream audit logs to your bucket.
Follow the steps in the GitHub documentation to set up audit log streaming for the cloud provider you are using.
API Polling
API polling needs only two items from you: the name of the organization whose audit logs RunReveal should poll, and an API token that can read that organization's audit log.
API Token
To generate an API token, open the Personal access tokens (classic) page in your GitHub account settings and click Generate new token, or go directly to https://github.com/settings/tokens/new
Make sure you are in your personal account settings and logged in as a user who can read your organization's audit log (an organization owner). Create a classic token: the read:audit_log scope is not yet available for fine-grained tokens.
Give the token a description and an expiration. The only required scope is read:audit_log; do not grant any other scopes, since the token only needs to read the audit log.
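To make the polling model concrete, here is a minimal poller for the organization audit log API. It is an added example, not RunReveal's own poller. It assumes a classic token with the read:audit_log scope in the GITHUB_TOKEN environment variable and the organization name in GITHUB_ORG; the live request runs only when both are set, and the helpers (scope check, URL construction, Link-header cursor parsing, event projection) are pure and run offline. It checks the token's scopes via the X-OAuth-Scopes response header, which GitHub returns for classic tokens, and de-duplicates on the event's _document_id field.

```python
"""Minimal poller for the GitHub organization audit log API.

Added example, not RunReveal's own poller. Assumes a classic personal access
token with the read:audit_log scope in GITHUB_TOKEN and the org name in
GITHUB_ORG; the network call only runs when both are set, the helpers below
are pure and run offline.
"""
import json
import os
import re
import urllib.request
from typing import Optional

API = "https://api.github.com"
REQUIRED_SCOPE = "read:audit_log"


def has_required_scope(scopes_header: Optional[str]) -> bool:
    """GitHub echoes a classic token's scopes in the X-OAuth-Scopes response
    header. A fine-grained token returns no such header, so it fails here,
    matching the note above that the scope is only available on classic tokens."""
    if not scopes_header:
        return False
    return REQUIRED_SCOPE in {s.strip() for s in scopes_header.split(",")}


def audit_log_url(org: str, after: Optional[str] = None, per_page: int = 100) -> str:
    """Build the list URL. include=all asks for web, git and API request events;
    order=asc keeps a cursor-based walk moving forward in time."""
    url = f"{API}/orgs/{org}/audit-log?include=all&order=asc&per_page={per_page}"
    if after:
        url += f"&after={after}"
    return url


def next_cursor(link_header: Optional[str]) -> Optional[str]:
    """Pull the `after` cursor out of the rel="next" entry of a Link header.
    Returns None on the last page."""
    if not link_header:
        return None
    for part in link_header.split(","):
        m = re.match(r'\s*<([^>]+)>;\s*rel="next"', part)
        if m:
            q = re.search(r"[?&]after=([^&]+)", m.group(1))
            return q.group(1) if q else None
    return None


def normalize_event(raw: dict) -> dict:
    """Project the fields a detection usually needs. actor_ip is absent unless
    source IP disclosure is enabled on the org, so srcIP may be None."""
    return {
        "document_id": raw.get("_document_id"),
        "action": raw.get("action"),
        "actor": raw.get("actor"),
        "created_at": raw.get("created_at"),
        "srcIP": raw.get("actor_ip"),
        "repo": raw.get("repo"),
    }


def poll(org: str, token: str, seen: set, after: Optional[str] = None) -> list:
    """One polling pass: walk pages starting at `after`, return events whose
    _document_id is not yet in `seen`, and record them. Call this on a
    60-second timer with the same `seen` set to mimic the polling model."""
    new, cursor = [], after
    while True:
        req = urllib.request.Request(audit_log_url(org, cursor), headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "X-GitHub-Api-Version": "2022-11-28",
        })
        with urllib.request.urlopen(req) as resp:
            if not has_required_scope(resp.headers.get("X-OAuth-Scopes")):
                raise PermissionError("token lacks read:audit_log; use a classic PAT")
            page = json.load(resp)
            cursor = next_cursor(resp.headers.get("Link"))
        for ev in (normalize_event(e) for e in page):
            if ev["document_id"] not in seen:
                seen.add(ev["document_id"])
                new.append(ev)
        if not cursor or not page:
            return new


if __name__ == "__main__":
    org, token = os.environ.get("GITHUB_ORG"), os.environ.get("GITHUB_TOKEN")
    if org and token:
        for ev in poll(org, token, set()):
            print(ev["created_at"], ev["action"], ev["actor"], ev["srcIP"], ev["repo"])
    else:
        print("set GITHUB_ORG and GITHUB_TOKEN to poll a live organization")
```

A production poller would persist the `seen` set and the last cursor between runs rather than re-walking the whole log each pass; the scope check is worth keeping, because a token that passed authentication but lacks read:audit_log fails with an authorization error on the audit log endpoint and the cause is otherwise easy to misread as a bad token.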
Enable actor IP addresses (before RunReveal setup)
GitHub does not include actor IP addresses in audit logs unless you turn on source IP disclosure at the organization level. If this setting is off, RunReveal will ingest events without actor_ip (mapped to srcIP in github_logs), which limits geo and IP-based detections.
Enable this in GitHub before you connect RunReveal. The setting only affects new audit events after you save—it does not backfill IPs on historical logs.
- In GitHub, open your organization (not a repository).
- Go to Settings → Audit log → the Settings tab.
- Under Disclose actor IP addresses in audit logs, check Enable source IP disclosure.
- Click Save.
Review GitHub’s documentation on displaying IP addresses in the audit log for enterprise-wide behavior and legal/privacy considerations before enabling.

RunReveal Source Setup
Once the GitHub-side setup is complete (including IP disclosure, if you need IP fields), log in to RunReveal and create the GitHub source.
Select the ingest method you are using and fill in the details for your setup.
Schema
The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.
Table: github_logs (65 columns)

| Column | Type |
|---|---|
| document_id | String |
| action | String |
| created_at | String |
| operation_type | String |
| actor_is_bot | String |
| actor_country_code | String |
| org_id | String |
| business | String |
| business_id | String |
| repo | String |
| repo_id | String |
| repository | String |
| repository_id | String |
| repository_public | String |
| public_repo | String |
| visibility | String |
| user_id | String |
| user_agent | String |
| hashed_token | String |
| token_id | String |
| token_scopes | String |
| programmatic_access_type | String |
| external_identity_username | String |
| issuer | String |
| pull_request_title | String |
| pull_request_url | String |
| review_id | String |
| workflow_run_id | String |
| event | String |
| trigger_id | String |
| run_number | String |
| run_attempt | String |
| name | String |
| started_at | String |
| completed_at | String |
| conclusion | String |
| head_branch | String |
| head_sha | String |
| topic | String |
| runner_id | String |
| runner_name | String |
| runner_group_id | String |
| runner_group_name | String |
| runner_owner_type | String |
| job_name | String |
| job_workflow_ref | String |
| runner_labels | Raw |
| secrets_passed | Raw |
| environment_name | String |
| after_sha | String |
| branch | String |
| overridden_codes | Raw |
| reasons | Raw |
| integration | String |
| oauth_application_id | String |
| request_method | String |
| route | String |
| url_path | String |
| query_string | String |
| request_body | String |
| status_code | String |
| rate_limit_remaining | String |
| request_access_security_header | String |
| transport_protocol | String |
| transport_protocol_name | String |
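To show how these columns are used in detections, and how the missing-IP case from the IP disclosure section affects them, here are a few rules run over github_logs-shaped rows. This is an added example, not RunReveal's own detection content. The rows are constructed and carry only the columns the rules touch (document_id, action, actor, repo, visibility, token_scopes, overridden_codes, programmatic_access_type) plus srcIP, the column the page says actor_ip is mapped to; the Raw column overridden_codes is assumed to be already decoded into a list here. The action names are GitHub audit log actions; the scope list, the trusted network and the rule set are this example's choices.

```python
"""Detection rules over github_logs-shaped rows.

Added example, not RunReveal's own detections. Rows are constructed to mirror
a subset of github_logs columns plus srcIP (the normalized actor_ip). The
trusted network and the "dangerous" scope list are this example's choices.
"""
import ipaddress

# Constructed sample rows; a real github_logs row carries all 65 columns.
SAMPLE_ROWS = [
    {"document_id": "d1", "action": "repo.access", "actor": "alice", "repo": "acme/website",
     "visibility": "public", "srcIP": "203.0.113.10", "token_scopes": "",
     "overridden_codes": [], "programmatic_access_type": ""},
    {"document_id": "d2", "action": "repo.access", "actor": "bob", "repo": "acme/payments",
     "visibility": "private", "srcIP": "203.0.113.11", "token_scopes": "",
     "overridden_codes": [], "programmatic_access_type": ""},
    # srcIP missing: source IP disclosure was off when this event was written.
    {"document_id": "d3", "action": "repo.destroy", "actor": "ci-bot", "repo": "acme/legacy",
     "visibility": "", "srcIP": None, "token_scopes": "repo, delete_repo",
     "overridden_codes": [], "programmatic_access_type": "OAuth access token"},
    {"document_id": "d4", "action": "protected_branch.policy_override", "actor": "carol",
     "repo": "acme/payments", "visibility": "", "srcIP": "198.51.100.7", "token_scopes": "",
     "overridden_codes": ["required_status_checks"], "programmatic_access_type": ""},
    {"document_id": "d5", "action": "org.remove_member", "actor": "alice", "repo": "",
     "visibility": "", "srcIP": None, "token_scopes": "", "overridden_codes": [],
     "programmatic_access_type": ""},
    {"document_id": "d6", "action": "git.push", "actor": "dave", "repo": "acme/website",
     "visibility": "", "srcIP": "203.0.113.12", "token_scopes": "repo",
     "overridden_codes": [], "programmatic_access_type": "OAuth access token"},
]

# Example choices: scopes worth alerting on, and an office/CI egress range.
DANGEROUS_SCOPES = {"delete_repo", "admin:org", "admin:org_hook", "admin:enterprise"}
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def scopes_of(row: dict) -> set:
    """token_scopes is a comma-separated string on events performed with a token."""
    return {s.strip() for s in (row.get("token_scopes") or "").split(",") if s.strip()}


def outside_trusted_nets(row: dict):
    """True/False when srcIP is present; None when it is absent, because a
    rule keyed on IP can neither fire nor clear without it."""
    ip = row.get("srcIP")
    if not ip:
        return None
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in TRUSTED_NETS)


def repo_made_public(row: dict) -> bool:
    return row["action"] == "repo.access" and row.get("visibility") == "public"


def dangerous_token_use(row: dict) -> bool:
    return bool(scopes_of(row) & DANGEROUS_SCOPES)


def branch_protection_override(row: dict) -> bool:
    return row["action"] == "protected_branch.policy_override"


def override_from_untrusted_ip(row: dict) -> bool:
    # `is True` so a missing srcIP (None) never counts as a hit.
    return branch_protection_override(row) and outside_trusted_nets(row) is True


def destructive_action(row: dict) -> bool:
    return row["action"] in {"repo.destroy", "org.remove_member"}


RULES = {
    "repo_made_public": repo_made_public,
    "dangerous_token_use": dangerous_token_use,
    "branch_protection_override": branch_protection_override,
    "override_from_untrusted_ip": override_from_untrusted_ip,
    "destructive_action": destructive_action,
}


def run_detections(rows: list) -> list:
    """Return (rule name, document_id) for every rule that fires on every row."""
    return [(name, row["document_id"]) for row in rows
            for name, pred in RULES.items() if pred(row)]


def ip_coverage(rows: list) -> dict:
    """How many rows lack srcIP. A high ratio usually means source IP
    disclosure is off on the org, so IP-based rules are silently blind."""
    missing = [r["document_id"] for r in rows if not r.get("srcIP")]
    return {"total": len(rows), "missing_ip": len(missing), "missing_ids": missing}


if __name__ == "__main__":
    for hit in run_detections(SAMPLE_ROWS):
        print("ALERT", *hit)
    print("ip coverage:", ip_coverage(SAMPLE_ROWS))
```

Each predicate maps directly to a WHERE clause on github_logs (for example `action = 'repo.access' AND visibility = 'public'`); the point of `ip_coverage` is that rows written before source IP disclosure was enabled will never match an IP-based rule, so a rule that only counts hits gives no sign that the IP column is empty.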