Reviewing your security log

You can review the security log for your user account to better understand actions you've performed and actions others have performed that involve you.

Accessing your security log

The security log lists all actions performed within the last 90 days.

In the upper-right corner of any page, click your profile photo, then click Settings.
In the user settings sidebar, click Security log.

Searching your security log

The log lists the following information about each action:

Which repository an action was performed in
The user that performed the action
The action that was performed
Which country the action took place in
The date and time the action occurred

Note that you cannot search for entries using text. You can, however, construct search queries using a variety of filters. Many operators used when querying the log, such as -, >, or <, match the same format as searching across GitHub. For more information, see "Searching on GitHub."

Search based on operation

Use the operation qualifier to limit actions to specific types of operations. For example:

operation:access finds all events where a resource was accessed.
operation:authentication finds all events where an authentication event was performed.
operation:create finds all events where a resource was created.
operation:modify finds all events where an existing resource was modified.
operation:remove finds all events where an existing resource was removed.
operation:restore finds all events where an existing resource was restored.
operation:transfer finds all events where an existing resource was transferred.

Search based on repository

Use the repo qualifier to limit actions to a specific repository. For example:

repo:my-org/our-repo finds all events that occurred for the our-repo repository in the my-org organization.
repo:my-org/our-repo repo:my-org/another-repo finds all events that occurred for both the our-repo and another-repo repositories in the my-org organization.
-repo:my-org/not-this-repo excludes all events that occurred for the not-this-repo repository in the my-org organization.

Note that you must include the account name within the repo qualifier; searching for just repo:our-repo will not work.

Search based on the user

The actor qualifier can scope events based on who performed the action. For example:

actor:octocat finds all events performed by octocat.
actor:octocat actor:hubot finds all events performed by both octocat and hubot.
-actor:hubot excludes all events performed by hubot.

Note that you can only use a GitHub username, not an individual's real name.

Search based on the action performed

Category Name	Description
`account_recovery_token`	Contains all activities related to adding a recovery token.
`billing`	Contains all activities related to your billing information.
`marketplace_agreement_signature`	Contains all activities related to signing the GitHub Marketplace Developer Agreement.
`marketplace_listing`	Contains all activities related to listing apps in GitHub Marketplace.
`oauth_access`	Contains all activities related to OAuth Apps you've connected with.
`payment_method`	Contains all activities related to paying for your GitHub subscription.
`profile_picture`	Contains all activities related to your profile picture.
`project`	Contains all activities related to project boards.
`public_key`	Contains all activities related to your public SSH keys.
`repo`	Contains all activities related to the repositories you own.
`sponsors`	Contains all events related to GitHub Sponsors and sponsor buttons (see "About GitHub Sponsors" and "Displaying a sponsor button in your repository")
`two_factor_authentication`	Contains all activities related to two-factor authentication.
`user`	Contains all activities related to your account.

A description of the events within these categories is listed below.

The `account_recovery_token` category

Action	Description
confirm	Triggered when you successfully store a new token with a recovery provider.
recover	Triggered when you successfully redeem an account recovery token.
recover_error	Triggered when a token is used but GitHub is not able to validate it.

The `billing` category

Action	Description
change_billing_type	Triggered when you change how you pay for GitHub.
change_email	Triggered when you change your email address.

The `marketplace_agreement_signature` category

Action	Description
create	Triggered when you sign the GitHub Marketplace Developer Agreement.

The `marketplace_listing` category

Action	Description
approve	Triggered when your listing is approved for inclusion in GitHub Marketplace.
create	Triggered when you create a listing for your app in GitHub Marketplace.
delist	Triggered when your listing is removed from GitHub Marketplace.
redraft	Triggered when your listing is sent back to draft state.
reject	Triggered when your listing is not accepted for inclusion in GitHub Marketplace.

The `oauth_access` category

Action	Description
create	Triggered when you grant access to an OAuth App.
destroy	Triggered when you revoke an OAuth App's access to your account.

The `payment_method` category

Action	Description
clear	Triggered when a payment method on file is removed.
create	Triggered when a new payment method is added, such as a new credit card or PayPal account.
update	Triggered when an existing payment method is updated.

The `profile_picture` category

Action	Description
update	Triggered when you set or update your profile picture.

The `project` category

Action	Description
`create`	Triggered when a project board is created.
`rename`	Triggered when a project board is renamed.
`update`	Triggered when a project board is updated.
`delete`	Triggered when a project board is deleted.
`link`	Triggered when a repository is linked to a project board.
`unlink`	Triggered when a repository is unlinked from a project board.
`project.access`	Triggered when a project board's visibility is changed.
`update_user_permission`	Triggered when an outside collaborator is added to or removed from a project board or has their permission level changed.

The `public_key` category

Action	Description
create	Triggered when you add a new public SSH key to your GitHub account.
delete	Triggered when you remove a public SSH key to your GitHub account.

The `repo` category

Action	Description
access	Triggered when you a repository you own is switched from "private" to "public" (or vice versa).
add_member	Triggered when a GitHub user is invited to have collaboration access to a repository.
add_topic	Triggered when a repository owner adds a topic to a repository.
archived	Triggered when a repository owner archives a repository.
create	Triggered when a new repository is created.
destroy	Triggered when a repository is deleted.
disable	Triggered when a repository is disabled (e.g., for insufficient funds).
enable	Triggered when a repository is re-enabled.
remove_member	Triggered when a GitHub user is removed from a repository as a collaborator.
remove_topic	Triggered when a repository owner removes a topic from a repository.
rename	Triggered when a repository is renamed.
transfer	Triggered when a repository is transferred.
transfer_start	Triggered when a repository transfer is about to occur.
unarchived	Triggered when a repository owner unarchives a repository.

The `sponsors` category

Action	Description
repo_funding_link_button_toggle	Triggered when you enable or disable a sponsor button in your repository (see "Displaying a sponsor button in your repository")
repo_funding_links_file_action	Triggered when you change the FUNDING file in your repository (see "Displaying a sponsor button in your repository")
sponsor_sponsorship_cancel	Triggered when you cancel a sponsorship (see "Downgrading a sponsorship")
sponsor_sponsorship_create	Triggered when you sponsor a developer (see "Sponsoring an open source contributor")
sponsor_sponsorship_preference_change	Triggered when you change whether you receive email updates from a sponsored developer (see "Managing your sponsorship")
sponsor_sponsorship_tier_change	Triggered when you upgrade or downgrade your sponsorship (see "Upgrading a sponsorship" and "Downgrading a sponsorship")
sponsored_developer_approve	Triggered when your GitHub Sponsors account is approved (see "Setting up GitHub Sponsors for your user account")
sponsored_developer_create	Triggered when your GitHub Sponsors account is created (see "Setting up GitHub Sponsors for your user account")
sponsored_developer_profile_update	Triggered when you edit your sponsored developer profile (see "Editing your profile details for GitHub Sponsors")
sponsored_developer_request_approval	Triggered when you submit your application for GitHub Sponsors for approval (see "Setting up GitHub Sponsors for your user account")
sponsored_developer_tier_description_update	Triggered when you change the description for a sponsorship tier (see "Changing your sponsorship tiers")
sponsored_developer_update_newsletter_send	Triggered when you send an email update to your sponsors (see "Contacting your sponsors")
waitlist_invite_sponsored_developer	Triggered when you are invited to join GitHub Sponsors from the waitlist (see "Setting up GitHub Sponsors for your user account")
waitlist_join	Triggered when you join the waitlist to become a sponsored developer (see "Setting up GitHub Sponsors for your user account")

The `two_factor_authentication` category

Action	Description
enabled	Triggered when two-factor authentication is enabled.
disabled	Triggered when two-factor authentication is disabled.

The `user` category

Action	Description
add_email	Triggered when you add a new email address.
create	Triggered when you create a new user account.
remove_email	Triggered when you remove an email address.
rename	Triggered when you rename your account.
change_password	Triggered when you change your password.
forgot_password	Triggered when you ask for a password reset.
login	Triggered when you log in to GitHub.
failed_login	Triggered when you failed to log in successfully.
two_factor_requested	Triggered when GitHub asks you for your two-factor authentication code.
show_private_contributions_count	Triggered when you publicize private contributions on your profile.
hide_private_contributions_count	Triggered when you hide private contributions on your profile.
report_content	Triggered when you report an issue or pull request, or a comment on an issue, pull request, or commit.

The `user_status` category

Action	Description
update	Triggered when you set or change the status on your profile. For more information, see "Setting a status."
destroy	Triggered when you clear the status on your profile.

Exporting your security log

You can export the log as JSON data or a comma-separated value (CSV) file.

Export button

To filter the results in your export, search by one or more of these supported qualifiers before using the Export drop-down menu.

Qualifier	Example value
`action`	team.create
`actor`	octocat
`user`	codertocat
`org`	octo-org
`repo`	octo-org/documentation
`created`	2019-06-01

After you export the log as JSON or CSV, you'll see the following keys and values in the resulting file.

Key	Example value
`action`	team.create
`actor`	octocat
`user`	codertocat
`org`	octo-org
`repo`	octo-org/documentation
`created_at`	1429548104000 (Timestamp shows the time since Epoch with milliseconds.)
`data.hook_id`	245
`data.events`	[ "issues", "issue_comment", "pull_request", "pull_request_review_comment" ]
`data.events_were`	[ "push", "pull_request", "issues" ]
`data.target_login`	octocat
`data.old_user`	hubot
`data.team`	octo-org/engineering