New Security Incident Response Capabilities

GitHub Enterprise Cloud has introduced enterprise-wide credential management tools designed to help organizations respond quickly and decisively to compromised credentials and high-impact security incidents.

Key Features

Enterprise owners (and delegated administrators with the new Manage enterprise credentials permission) can now:

• Review credential counts: View authorized credentials via SSO across one or more organizations in your enterprise
• Temporarily block SSO: Restrict SSO access to enterprise owners only, reducing blast radius during investigation
• Revoke SSO authorizations: Invalidate personal access tokens, SSH keys, and OAuth tokens across the enterprise
• Delete tokens and SSH keys: Remove credentials entirely across the enterprise (EMU accounts only)

Availability and Scope

These capabilities are available for:

• Enterprise Managed Users (EMU)
• Enterprises with personal accounts that have enabled single sign-on (SSO) at the enterprise or organization level

Enterprise owners can delegate credential management responsibilities to trusted administrators by assigning the new fine-grained Manage enterprise credentials permission.

Important Considerations

Use during major incidents only. These actions can break automations and disrupt developer workflows, so GitHub recommends using them only when responding to active security threats. For routine credential hygiene, enterprise administrators should use GitHub's maximum token lifetime policies instead.

All credential management actions are logged in the audit log, providing enterprise owners with detailed context for forensic investigation and compliance purposes.