10 Github Security Best Practices

Guy Ben-Aharon
May 24 · 3 min read

You just created your organization on GitHub. This presents an exciting opportunity, as it’s one of the leading SCM (Source Code Management) solutions, and it offers a variety of tools and features that enable you to keep scaling your organization. However, as we all know, with great power comes great responsibility, and a simple misconfiguration in your GitHub environment could lead to security breaches and code leakage.

So right before you get your hands dirty and commit your first precious lines of code, some precautions should be taken to keep your GitHub organization secure.


  • Require two-factor authentication

Two-factor authentication (2FA) is an extra layer of security when establishing access to websites or apps. It requires the user to provide two different types of evidence to verify their identity.

As a GitHub organization owner, one of the most basic practices is to require two-factor authentication for every member of your organization.

  • Restrict members’ permission level

Give your members the lowest level of permissions possible. You can do that by setting the base permissions for your organization. The best practice is to set the base permissions to None and then manage each member individually by granting repository-level permissions.


  • Manage allowed actions in your organization

GitHub Actions allows you to automate tasks within your software development lifecycle. Actions are standalone, reusable units built by the GitHub community, which means anyone can publish one. One of the best practices is to define which actions are allowed to run in your organization.

  • Set up an IP address whitelist for your organization

You can add another layer of defense by configuring a list of specifically allowed IP addresses for your organization. For example, you can reject any access request that does not originate from your office network.

  • Review third-party applications access

GitHub Apps are third-party applications built on the GitHub API: they are developed not by GitHub but by an outside developer. These applications typically require some access to your data in order to run. Therefore, you should carefully review the permission levels of the apps installed in your organization and identify the third-party developer who owns each of them.


  • Restrict notifications to organization associated email

After setting up your GitHub organization, you can add verified domains associated with it. Doing so allows you to restrict email notifications to addresses in those domains and prevents organization information from leaking into personal accounts.

  • Manage outside collaborators

Outside collaborators are users who are not members of the organization but have access to repositories in it. Grant that access only when it’s absolutely necessary, keep track of who has it, and remove it once their contribution is over. In addition, when you add an outside collaborator, grant the minimum access needed to do the work.
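One way to turn this into a recurring review, as an added example that is not part of the original article or of GitHub’s tooling: the script below flags outside collaborators who hold more than read access or whose engagement has ended. The collaborator records are a constructed sample shaped like the JSON GitHub’s REST API returns for `GET /repos/{owner}/{repo}/collaborators?affiliation=outside` (each user carries a `permissions` object). The engagement end dates come from an assumed, self-maintained register; GitHub does not store them.

```python
"""Review outside collaborators across an organization's repositories.

Added example, not the article's code. The collaborator records mimic the shape
of GET /repos/{owner}/{repo}/collaborators?affiliation=outside responses.
"""
from datetime import date

# Constructed sample: two repositories with their outside collaborators.
SAMPLE_COLLABORATORS = {
    "payments-service": [
        {"login": "contractor-a", "permissions": {"admin": False, "push": True, "pull": True}},
        {"login": "auditor-b", "permissions": {"admin": False, "push": False, "pull": True}},
    ],
    "infra-terraform": [
        {"login": "vendor-c", "permissions": {"admin": True, "push": True, "pull": True}},
    ],
}

# Assumed: your own register of when each engagement ends (ISO dates).
# This is not a GitHub field; you have to maintain it yourself.
ENGAGEMENT_END = {
    "contractor-a": "2021-06-30",
    "auditor-b": "2021-12-31",
    "vendor-c": "2021-03-31",
}


def effective_role(permissions):
    """Collapse GitHub's permission flags into the highest role granted."""
    if permissions.get("admin"):
        return "admin"
    if permissions.get("push"):
        return "write"
    return "read"


def review_outside_collaborators(collaborators, engagement_end, today_iso):
    """Return one finding per outside collaborator that needs attention.

    Flags (a) anyone with more than read access, since outside collaborators
    should get the minimum needed, and (b) anyone whose engagement has ended
    or has no end date on record at all.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for repo, users in collaborators.items():
        for user in users:
            login = user["login"]
            role = effective_role(user.get("permissions", {}))
            reasons = []
            if role != "read":
                reasons.append(f"has {role} access")
            end = engagement_end.get(login)
            if end is None:
                reasons.append("no engagement end date on record")
            elif date.fromisoformat(end) < today:
                reasons.append(f"engagement ended {end}")
            if reasons:
                findings.append({"repo": repo, "login": login, "role": role, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_outside_collaborators(SAMPLE_COLLABORATORS, ENGAGEMENT_END, "2021-05-24"):
        print(f"{f['repo']}: {f['login']} ({f['role']}) -> {'; '.join(f['reasons'])}")
```

Run against the sample with a review date of 2021-05-24, it reports `contractor-a` for holding write access and `vendor-c` for both admin access and an expired engagement; `auditor-b`, with read access and a future end date, passes. For a live run, replace the sample with the API output for each repository in the organization.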


  • Disable forking

Forking a repository creates a copy of it under the user’s GitHub account. The act of forking can be risky for organizations. An organization with many forks loses the ability to monitor every copy of its code, since some of them live in users’ personal accounts. Another risk is that copies of private repositories end up exposed to the world under a user’s account.

Therefore, I highly recommend disabling forking for your organization.


  • Restrict public repositories

To protect your organization’s data, one of the best practices is also one of the simplest: disable public repositories. That can be accomplished in two ways: disable the creation of public repositories, and restrict who can change a repository’s visibility.

If public repositories are needed for some other reasons, you could also create another organization containing all of the public repositories needed, separated from your main organization that has your confidential data.
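The organization-level settings covered so far (the 2FA requirement, base permissions, allowed actions, forking, and public repository creation) can all be checked in one pass. The following is an added example, not code from the article or from GitHub: it compares an organization’s settings with the hardened values and lists every deviation. The sample payloads are constructed, but they follow the field names GitHub’s REST API returns for `GET /orgs/{org}` (`two_factor_requirement_enabled`, `default_repository_permission`, `members_can_create_public_repositories`, `members_can_fork_private_repositories`) and for `GET /orgs/{org}/actions/permissions` (`allowed_actions`). The `fetch_json` helper and `audit_live` wrapper are for a live run with an admin-scoped token and are not exercised by the offline sample.

```python
"""Audit an organization's settings against the hardening points above.

Added example, not the article's or GitHub's own code. Sample payloads are
constructed to match the shape of the GitHub REST API responses.
"""
import json
import urllib.request

# Hardened values; each field in the org payload is compared against these.
EXPECTED = {
    "two_factor_requirement_enabled": True,
    "default_repository_permission": "none",
    "members_can_create_public_repositories": False,
    "members_can_fork_private_repositories": False,
}

# Constructed sample standing in for GET /orgs/{org}.
SAMPLE_ORG = {
    "login": "example-org",
    "two_factor_requirement_enabled": False,
    "default_repository_permission": "write",
    "members_can_create_public_repositories": True,
    "members_can_fork_private_repositories": False,
}

# Constructed sample standing in for GET /orgs/{org}/actions/permissions.
SAMPLE_ACTIONS = {"enabled_repositories": "all", "allowed_actions": "all"}


def fetch_json(url, token):
    """GET a GitHub REST endpoint with a personal access token (live runs only)."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"token {token}",
        "Accept": "application/vnd.github.v3+json",
    })
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def audit_org_settings(org, actions):
    """Return a list of (setting, current, expected) tuples that deviate."""
    findings = []
    for field, wanted in EXPECTED.items():
        current = org.get(field)
        if current != wanted:
            findings.append((field, current, wanted))
    # allowed_actions "all" lets any community-published action run;
    # "selected" (an explicit allow list) or "local_only" is what we want.
    if actions.get("allowed_actions") == "all":
        findings.append(("allowed_actions", "all", "selected or local_only"))
    return findings


def audit_live(org_name, token):
    """Fetch both payloads for a real organization and audit them."""
    base = f"https://api.github.com/orgs/{org_name}"
    return audit_org_settings(
        fetch_json(base, token),
        fetch_json(base + "/actions/permissions", token),
    )


if __name__ == "__main__":
    for setting, current, wanted in audit_org_settings(SAMPLE_ORG, SAMPLE_ACTIONS):
        print(f"{setting}: is {current!r}, should be {wanted!r}")
```

On the sample, four findings come back: 2FA is not required, the base permission is `write` instead of `none`, members may create public repositories, and any action may run. Forking of private repositories is already disabled, so it is not reported. The IP whitelist and repository-visibility-change restrictions are not exposed through the `GET /orgs/{org}` fields used here, so they still need to be checked in the organization settings page.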

  • Review organization audit log

To keep up with the actions performed by members of your organization, GitHub provides the organization audit log. You should review the audit log regularly and make sure there is no suspicious activity.
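A manual read of the audit log does not scale, so a first filter helps. The script below is an added example, not the article’s code: it scans audit-log entries for actions that undo the controls described in this article (disabling the 2FA requirement, changing the base permission, adding an outside collaborator, creating a repository as public, or switching a repository to public). The entries are a constructed sample shaped like the records returned by `GET /orgs/{org}/audit-log` (`@timestamp`, `action`, `actor`, `repo`, `visibility`); the action names in the watchlist are GitHub’s documented audit-log action names as I know them, and the `visibility` field on `repo.access` and `repo.create` events is assumed, so confirm both against the current GitHub documentation before relying on the filter.

```python
"""Scan organization audit-log entries for actions that weaken the controls above.

Added example, not the article's code. SAMPLE_LOG is constructed; the action
names and the "visibility" field are assumed to match GitHub's audit log.
"""

# Audit-log action -> why it matters for the controls in this article.
WATCHLIST = {
    "org.disable_two_factor_requirement": "2FA requirement turned off",
    "org.update_default_repository_permission": "base permission changed",
    "org.add_outside_collaborator": "outside collaborator granted access",
    "repo.access": "repository visibility changed",
    "repo.create": "repository created",
}

# Actions that only matter when the resulting visibility is public.
VISIBILITY_ACTIONS = {"repo.access", "repo.create"}

# Constructed sample entries (timestamps are epoch milliseconds, as in the API).
SAMPLE_LOG = [
    {"@timestamp": 1621850000000, "action": "repo.create", "actor": "alice",
     "repo": "example-org/tools", "visibility": "private"},
    {"@timestamp": 1621850100000, "action": "org.disable_two_factor_requirement",
     "actor": "bob", "org": "example-org"},
    {"@timestamp": 1621850200000, "action": "repo.access", "actor": "alice",
     "repo": "example-org/secrets", "visibility": "public"},
    {"@timestamp": 1621850300000, "action": "team.add_member", "actor": "alice",
     "user": "carol"},
    {"@timestamp": 1621850400000, "action": "org.add_outside_collaborator",
     "actor": "bob", "user": "vendor-c", "repo": "example-org/infra"},
]


def classify(entry):
    """Return a reason string if the entry deserves review, else None."""
    action = entry.get("action")
    if action not in WATCHLIST:
        return None
    reason = WATCHLIST[action]
    if action in VISIBILITY_ACTIONS:
        # A private repo being created or kept private is routine; only
        # a public result is worth raising.
        if entry.get("visibility") != "public":
            return None
        reason += " to public"
    return reason


def scan_audit_log(entries):
    """Return the flagged entries, oldest first, with actor, target and reason."""
    flagged = []
    for entry in sorted(entries, key=lambda e: e.get("@timestamp", 0)):
        reason = classify(entry)
        if reason is None:
            continue
        flagged.append({
            "timestamp": entry.get("@timestamp"),
            "actor": entry.get("actor"),
            "action": entry["action"],
            "target": entry.get("repo") or entry.get("user") or entry.get("org"),
            "reason": reason,
        })
    return flagged


if __name__ == "__main__":
    for hit in scan_audit_log(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['actor']} {hit['action']} {hit['target']}: {hit['reason']}")
```

On the sample, three of the five entries are flagged: the 2FA requirement being disabled, a repository switched to public, and an outside collaborator being added. The private repository creation and the team membership change are left alone. Extending the watchlist is a matter of adding more `action` names with a reason.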


How can Argon Security help prevent security breaches and code leakage?

Argon can help you secure your organization by automatically monitoring your GitHub organization’s settings, which can change at any time. Argon can help you find vulnerabilities and track anomalies in real time, tracking every commit and every settings update. In doing so, we save you the effort of scanning audit logs and let you focus on what you’re actually here for: running your business.
