Learn about Chief Tools tokens and how to use and secure them.
Chief Tools tokens can be used to access the API of one or more Chief Tools without the need for your username and/or password. Tokens are managed by Account Chief.
Personal Access Tokens (PAT for short) are used to authenticate as your user account; a PAT has the same access as you have in our web UI. Personal Access Tokens can be created from your account; you can go to the page directly at: account.chief.app/api/tokens.
When creating a token you get the option to set a date when the token expires. After this date passes the token will no longer be valid and usable, which is perfect for granting temporary access. If you wish for the token to remain active indefinitely you can leave the field empty.
You can select for which Chief Tool(s) the token you create is usable; this is recommended to limit the scope of what the token can access. If you wish for the token to be valid for all tools, don't select any.
You can remove the token at any time. The token will be revoked immediately and will stop working right away, so make sure the token is no longer in use when you do this.
Chief Tools tokens are part of the GitHub Secret Scanning program.
This means that if you accidentally push a token to a public repository we will be notified by GitHub and immediately revoke the token.
You can read their announcement on the GitHub blog.
Validate that the token was not misused. Even though the token was only public for a short time, it's possible it was maliciously used; check to make sure no unintended changes were made to your account.
Ensure that the token is not currently in use. If it is, you should issue a new token and prevent it from being published publicly.
Validate your processes to prevent publishing Chief Tools tokens publicly.
If the token was a valid Chief Tools token we will let GitHub know that they successfully reported a token to us; if it was not, we will let them know it was a false positive. No other information about the token or what it could access is shared with GitHub.
GitGuardian helps developers keep 250+ types of secrets out of their source code.
Their automated secrets detection and remediation solution secures every step of the development life cycle, helping you monitor your code for sensitive data. You can read more about the capabilities of GitGuardian scanning for Chief Tools tokens in their docs.
Validate that the token was not misused. Even though the token was only public for a short time, it's possible it was maliciously used; check to make sure no unintended changes were made to your account.
Ensure that the token is not currently in use. If it is, you should issue a new token and prevent it from being published publicly.
Validate your processes to prevent publishing Chief Tools tokens publicly.
No information is shared directly with GitGuardian; they only scan for tokens matching our format and alert us if they think they found a token matching that format.