Apps & PATs
Available for Enterprise Tier Only
The Apps & PATs page provides visibility into all GitHub Apps and Personal Access Tokens (PATs) that have access to your GitHub organization.
This view helps security and platform teams understand which integrations and tokens exist, what permissions they have, and where they are used across the organization.
Why Reviewing Apps & PATs Matters
GitHub Apps and Personal Access Tokens are commonly used to power CI/CD workflows, automation, and third-party integrations. Over time, organizations often accumulate:
Apps with broad or outdated permissions
Tokens that are long-lived or rarely reviewed
Access owned by users or service accounts that no longer require it
These identities can introduce supply chain and CI/CD risk if they are over-privileged, unused, or poorly maintained. The Apps & PATs page helps teams continuously review and reduce this risk by making identity and access visibility easy and actionable.
GitHub Apps
The GitHub Apps tab shows all third-party apps installed in the organization.

For each app, StepSecurity displays:
App name and App ID
Granted permissions grouped by scope (red for admin, orange for write, blue for read operations)
Installation scope:
  All repositories
  Selected repositories
GitHub events the app can receive, such as workflow_run or workflow_job
Installation timestamp
Current status
Fine-Grained PATs
The Fine-Grained PATs section displays all fine-grained personal access tokens that have access to organization resources.

For each token, StepSecurity shows:
Owner
Token ID
Granted permissions
Repository access scope:
  All repositories
  Selected repositories
Creation time
Expiration time
Last used timestamp
Current status
This view helps teams understand which fine-grained tokens exist, who owns them, and how broadly they are scoped.
Classic PATs
The Classic PATs section shows classic personal access tokens that are authorized for the organization via SAML/SSO.

For each token, StepSecurity displays:
Owner
Credential ID
Token identifier (last 8 characters)
Authorized scopes
Authorization timestamp
Classic PATs do not support fine-grained permissions and are often long-lived. Visibility into these tokens is critical for reducing organization-wide risk.
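The review that the Fine-Grained PATs and Classic PATs sections describe (who owns a token, how broadly it is scoped, whether it is long-lived or unused) can be scripted against the same fields. The following is an added example, not StepSecurity's or GitHub's code; its record shapes follow the GitHub REST API responses for GET /orgs/{org}/personal-access-tokens and GET /orgs/{org}/credential-authorizations, all records are constructed sample data, and the thresholds (90-day lifetime, 30-day unused window, the set of "broad" classic scopes) are assumptions rather than StepSecurity defaults.

```python
"""Added example, not StepSecurity's or GitHub's code: a review pass over
fine-grained and classic PAT records that flags the hygiene problems the
page calls out (expired or long-lived, unused, broadly scoped).

Record shapes follow the GitHub REST API responses for
GET /orgs/{org}/personal-access-tokens (fine-grained PATs) and
GET /orgs/{org}/credential-authorizations (SAML-authorized classic PATs).
Every record below is constructed sample data; the thresholds are
assumptions, not StepSecurity defaults.
"""
from __future__ import annotations

from datetime import datetime, timezone

MAX_LIFETIME_DAYS = 90   # assumption: anything valid longer than this is "long-lived"
UNUSED_DAYS = 30         # assumption: no use within this window means "unused"
# Assumption: classic scopes granting full repository control, workflow
# modification or org administration are the ones worth treating as broad.
BROAD_CLASSIC_SCOPES = {"repo", "workflow", "admin:org", "delete_repo"}


def _parse(ts: str | None) -> datetime | None:
    """Parse a GitHub ISO-8601 timestamp ("...Z") into an aware datetime."""
    return None if ts is None else datetime.fromisoformat(ts.replace("Z", "+00:00"))


def review_fine_grained(tokens: list[dict], now: datetime) -> list[tuple[str, str]]:
    """Return (token label, finding) pairs for fine-grained PATs."""
    findings = []
    for t in tokens:
        label = f"fine-grained #{t['id']} ({t['owner']['login']})"
        granted = _parse(t.get("access_granted_at"))
        expires = _parse(t.get("token_expires_at"))
        last_used = _parse(t.get("token_last_used_at"))

        # An expired token that is still authorized is pure clean-up work.
        if t.get("token_expired") or (expires is not None and expires <= now):
            findings.append((label, "expired but still authorized"))
        elif expires is None or granted is None or (expires - granted).days > MAX_LIFETIME_DAYS:
            findings.append((label, "long-lived"))

        if last_used is None or (now - last_used).days > UNUSED_DAYS:
            findings.append((label, "unused"))

        # repository_selection "all" plus any write/admin repository permission
        # is the combination the page's "how broadly scoped" question targets.
        repo_perms = t.get("permissions", {}).get("repository", {})
        if t.get("repository_selection") == "all" and any(
            level in ("write", "admin") for level in repo_perms.values()
        ):
            findings.append((label, "write access to all repositories"))
    return findings


def review_classic(creds: list[dict], now: datetime) -> list[tuple[str, str]]:
    """Return (token label, finding) pairs for SAML-authorized classic PATs."""
    findings = []
    for c in creds:
        label = f"classic ...{c['token_last_eight']} ({c['login']})"
        broad = sorted(set(c.get("scopes", [])) & BROAD_CLASSIC_SCOPES)
        if broad:
            findings.append((label, "broad scopes: " + ", ".join(broad)))
        # Only the authorization timestamp is listed for classic tokens, so
        # age since authorization is the lifetime signal used here.
        authorized = _parse(c["credential_authorized_at"])
        if (now - authorized).days > MAX_LIFETIME_DAYS:
            findings.append((label, f"authorized more than {MAX_LIFETIME_DAYS} days ago"))
    return findings


def review_all(fine_grained: list[dict], classic: list[dict], now: datetime) -> list[tuple[str, str]]:
    """Combined findings for both token kinds, fine-grained first."""
    return review_fine_grained(fine_grained, now) + review_classic(classic, now)


# Constructed sample data (fixed review time so results are reproducible).
REVIEW_TIME = datetime(2025, 6, 1, tzinfo=timezone.utc)

SAMPLE_FINE_GRAINED = [
    {"id": 101, "owner": {"login": "alice"}, "access_granted_at": "2025-05-01T00:00:00Z",
     "token_expires_at": "2025-05-31T00:00:00Z", "token_expired": True,
     "token_last_used_at": "2025-05-30T00:00:00Z", "repository_selection": "subset",
     "permissions": {"repository": {"contents": "read"}}},
    {"id": 102, "owner": {"login": "ci-bot"}, "access_granted_at": "2025-01-01T00:00:00Z",
     "token_expires_at": "2026-01-01T00:00:00Z", "token_expired": False,
     "token_last_used_at": None, "repository_selection": "all",
     "permissions": {"repository": {"contents": "write", "metadata": "read"}}},
    {"id": 103, "owner": {"login": "bob"}, "access_granted_at": "2025-05-15T00:00:00Z",
     "token_expires_at": "2025-06-14T00:00:00Z", "token_expired": False,
     "token_last_used_at": "2025-05-28T00:00:00Z", "repository_selection": "subset",
     "permissions": {"repository": {"contents": "read"}}},
]

SAMPLE_CLASSIC = [
    {"login": "carol", "credential_id": 7001, "token_last_eight": "a1b2c3d4",
     "scopes": ["repo", "workflow"], "credential_authorized_at": "2024-01-10T00:00:00Z"},
    {"login": "dave", "credential_id": 7002, "token_last_eight": "e5f6a7b8",
     "scopes": ["read:org"], "credential_authorized_at": "2025-05-20T00:00:00Z"},
]

if __name__ == "__main__":
    for label, finding in review_all(SAMPLE_FINE_GRAINED, SAMPLE_CLASSIC, REVIEW_TIME):
        print(f"{label}: {finding}")
```

Run against the sample data, the pass reports alice's token as expired but still authorized, the ci-bot token as long-lived, unused and granted write access to all repositories, and carol's classic token as carrying broad scopes and authorized well past the lifetime threshold; bob's and dave's tokens produce no findings. Against live data the same functions can be pointed at the paginated API responses, with the thresholds tuned to the organization's own policy.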
Permission Scope Color Coding
To make permission reviews faster and more intuitive, StepSecurity uses color coding to highlight the risk level of GitHub App permissions:
Red indicates administrative permissions: those that allow access to organization-level or high-impact administrative operations.
Yellow indicates write permissions: those that allow modification of resources such as repositories, workflows, or Actions.
Blue indicates read-only permissions: those that allow viewing metadata or resources without making changes.
This visual distinction helps teams quickly identify apps with elevated privileges without inspecting each permission individually.
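The same admin/write/read triage can be applied programmatically to the GitHub Apps data described above, so that apps combining elevated permissions with an all-repositories installation surface first. The block below is an added example, not StepSecurity's or GitHub's code; the record shape follows the GitHub REST API response for GET /orgs/{org}/installations (app_slug, app_id, permissions, repository_selection, events, created_at), the installations are constructed sample data, and the ADMIN_KEYS set (permission names treated as administrative even at "write" level) is an assumption to adjust to local policy.

```python
"""Added example, not StepSecurity's or GitHub's code: rank GitHub App
installation permissions into the admin / write / read tiers the page
color-codes, and flag broad installations for review.

Input shape follows the GitHub REST API response for
GET /orgs/{org}/installations. All records below are constructed.
"""
from __future__ import annotations

# Tiers mirroring the page's color coding: red/admin, yellow/write, blue/read.
TIER_ORDER = {"admin": 3, "write": 2, "read": 1}
COLOR = {"admin": "red", "write": "yellow", "read": "blue"}

# Assumption: these permission names grant organization-level or high-impact
# administrative operations, so they count as the admin tier even when GitHub
# reports their access level as "write". Adjust to your own policy.
ADMIN_KEYS = {"administration", "organization_administration", "members"}


def classify_permission(name: str, level: str) -> str:
    """Map one (permission name, access level) pair to admin / write / read."""
    if level == "admin" or (level == "write" and name in ADMIN_KEYS):
        return "admin"
    if level in ("write", "read"):
        return level
    raise ValueError(f"unexpected access level {level!r} for permission {name!r}")


def summarize_installation(inst: dict) -> dict:
    """Group one installation's permissions by tier and record its scope."""
    grouped: dict[str, list[str]] = {"admin": [], "write": [], "read": []}
    for name, level in sorted(inst.get("permissions", {}).items()):
        grouped[classify_permission(name, level)].append(name)
    # Highest non-empty tier decides the color shown for the app as a whole.
    highest = max((t for t in grouped if grouped[t]), key=TIER_ORDER.get, default=None)
    return {
        "app": inst["app_slug"],
        "app_id": inst["app_id"],
        "highest_tier": highest,
        "color": COLOR.get(highest),
        "all_repositories": inst.get("repository_selection") == "all",
        "grouped": grouped,
        "events": sorted(inst.get("events", [])),
        "installed_at": inst.get("created_at"),
    }


def flag_broad_installs(installations: list[dict]) -> list[str]:
    """App slugs combining admin/write permissions with an all-repositories
    installation: the cases a reviewer should look at first."""
    flagged = []
    for inst in installations:
        s = summarize_installation(inst)
        if s["all_repositories"] and s["highest_tier"] in ("admin", "write"):
            flagged.append(s["app"])
    return flagged


# Constructed sample installations, not real apps.
SAMPLE_INSTALLATIONS = [
    {"app_slug": "ci-deployer", "app_id": 1001, "repository_selection": "all",
     "permissions": {"contents": "write", "metadata": "read", "actions": "write"},
     "events": ["workflow_run", "workflow_job"], "created_at": "2024-11-03T09:12:00Z"},
    {"app_slug": "org-manager", "app_id": 1002, "repository_selection": "selected",
     "permissions": {"organization_administration": "write", "members": "read"},
     "events": [], "created_at": "2023-06-21T14:00:00Z"},
    {"app_slug": "readme-stats", "app_id": 1003, "repository_selection": "all",
     "permissions": {"metadata": "read", "contents": "read"},
     "events": ["push"], "created_at": "2025-02-14T08:30:00Z"},
]

if __name__ == "__main__":
    for inst in SAMPLE_INSTALLATIONS:
        s = summarize_installation(inst)
        print(f"{s['app']} (id {s['app_id']}): {s['color']} tier, "
              f"all repos={s['all_repositories']}, events={s['events']}")
    print("review first:", flag_broad_installs(SAMPLE_INSTALLATIONS))
```

On the sample data, ci-deployer lands in the yellow (write) tier and is flagged because it is installed on all repositories; org-manager is red because organization_administration at write level is treated as administrative, but its selected-repositories scope keeps it off the first-review list; readme-stats stays blue. Note that the tier is derived from the highest single permission, so a read-only app with one admin permission shows as red, which matches the page's intent of surfacing elevated privilege without inspecting every permission.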