May 24 · 3 min read
You have just created your organization on GitHub. That is a good starting point: GitHub is one of the leading SCM (source code management) platforms, and it offers a range of tools and features that let you keep scaling your organization. It also means that a single misconfigured setting in your GitHub organization can lead to a security breach or leaked source code.
So before you get your hands dirty and commit your first precious lines of code, take a few precautions to keep your GitHub organization secure.
Two-factor authentication (2FA) adds a second layer of protection when signing in to a website or app: the user has to present two different kinds of evidence of their identity, typically a password plus a one-time code or a hardware key.
As a GitHub organization owner, one of the most basic practices is to require two-factor authentication for your organization. Be aware that once the requirement is switched on, any member or outside collaborator who has not enabled 2FA is removed from the organization, so warn people before you enforce it.
Give your members the lowest level of permission they need. You do this by setting the base permissions for your organization, which apply to every member on every repository. The best practice is to set the base permission to None and then grant access per repository, to teams or to individual members, at the lowest level that still lets them do their work.
GitHub Actions lets you automate tasks across your software development lifecycle. Actions are reusable units published by the GitHub community, which means anyone can author one and anyone in your organization can pull it into a workflow. One of the best practices is therefore to define which actions are allowed to run in your organization: restrict them to actions created by GitHub or by verified creators, or to an explicit allow list, and reference third-party actions by a full commit SHA rather than a mutable tag so that a later push to the action's repository cannot silently change what your workflows execute.
You can add another layer of defense by configuring an IP allow list for your organization (a GitHub Enterprise Cloud feature). For example, you can reject any request that does not originate from your office network or VPN; the allow list applies to web, API and Git access alike.
GitHub Apps are applications built on the GitHub API, and most of them are written by outside developers rather than by GitHub. They usually need some access to your data in order to work. Review the permissions each app installed in your organization has been granted, the repositories it can reach, and who the third-party developer behind it is, and remove anything you cannot account for.
After setting up your GitHub organization, you can add and verify the domains associated with it. Doing so lets you restrict email notifications to addresses on a verified domain, which keeps organization information from leaking into personal mailboxes.
Outside collaborators are users who are not members of the organization but have access to one or more of its repositories. Grant that access only when it is absolutely necessary, keep track of who has it, and remove it as soon as the contribution is over. When you do add an outside collaborator, give them the minimum access they need to do their work.
Forking a repository creates a copy of it under the user's own GitHub account. For an organization this is risky: once there are many forks, the organization can no longer see or govern every copy of its code, since some of them live in users' personal accounts outside the organization's controls, and a copy of private code under a personal account is only a push away from ending up somewhere public.
I therefore strongly recommend disabling forking of private repositories for your organization.
To protect your organization's data, one of the best practices is also one of the simplest: do not allow public repositories. Two organization settings accomplish this: disable the creation of public repositories by members, and restrict changes to repository visibility to organization owners.
If you do need public repositories for some other reason, create a separate organization for them, kept apart from the main organization that holds your confidential code.
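As an added example (not code from the original post or from Argon), here is a small Python script that checks an organization against the settings discussed above and builds the request bodies that would fix what the API can fix. It works on the JSON returned by two documented REST endpoints, `GET /orgs/{org}` and `GET /orgs/{org}/actions/permissions`; the sample payloads are constructed for the example, not captured from a real organization, and the assumption that the 2FA requirement and the IP allow list cannot be changed through these two endpoints is the author's, so those are only reported, not remediated.

```python
"""Check a GitHub organization's settings against the hardening checklist.

Added example; not code from the original post or from Argon. It works on the
JSON returned by two documented REST endpoints:

    GET /orgs/{org}                      -> org settings
    GET /orgs/{org}/actions/permissions  -> GitHub Actions policy

The sample payloads below are constructed for this example. Enforcing 2FA and
the IP allow list are assumed not to be settable through these endpoints, so
they are reported but not remediated here.
"""
import json
import urllib.request

# Constructed sample: a freshly created org with permissive defaults still in place.
SAMPLE_ORG = {
    "login": "example-org",
    "two_factor_requirement_enabled": False,
    "default_repository_permission": "read",
    "members_can_create_public_repositories": True,
    "members_can_fork_private_repositories": False,
}
SAMPLE_ACTIONS = {"enabled_repositories": "all", "allowed_actions": "all"}

# What the checklist asks for, keyed by the field name the API exposes.
BASELINE = {
    "two_factor_requirement_enabled": True,
    "default_repository_permission": "none",
    "members_can_create_public_repositories": False,
    "members_can_fork_private_repositories": False,
}
# "all" lets any Marketplace or community action run; these two do not.
ALLOWED_ACTIONS_OK = ("selected", "local_only")


def check_org(org, actions):
    """Return findings as (setting, current, expected) tuples; [] means compliant."""
    findings = []
    for field, expected in BASELINE.items():
        current = org.get(field)
        if current != expected:
            findings.append((field, current, expected))
    if actions.get("allowed_actions") not in ALLOWED_ACTIONS_OK:
        findings.append(("allowed_actions", actions.get("allowed_actions"),
                         "selected or local_only"))
    return findings


def remediation_bodies(findings):
    """Build request bodies for the findings the API can fix.

    Returns (org_patch, actions_put): org_patch is the body for PATCH /orgs/{org},
    actions_put the body for PUT /orgs/{org}/actions/permissions. The 2FA
    requirement is skipped (assumed to be UI-only).
    """
    org_patch, actions_put = {}, {}
    for field, _current, expected in findings:
        if field == "allowed_actions":
            actions_put = {"enabled_repositories": "all", "allowed_actions": "selected"}
        elif field != "two_factor_requirement_enabled":
            org_patch[field] = expected
    return org_patch, actions_put


def fetch_live(org_name, token):
    """Fetch both documents from api.github.com with an owner token (not run here)."""
    def get(path):
        req = urllib.request.Request(
            f"https://api.github.com{path}",
            headers={"Authorization": f"Bearer {token}",
                     "Accept": "application/vnd.github+json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return get(f"/orgs/{org_name}"), get(f"/orgs/{org_name}/actions/permissions")


if __name__ == "__main__":
    findings = check_org(SAMPLE_ORG, SAMPLE_ACTIONS)
    for setting, current, expected in findings:
        print(f"{setting}: is {current!r}, should be {expected!r}")
    print(remediation_bodies(findings))
```

When `allowed_actions` is set to `selected`, the actual allow list (GitHub-owned actions, verified creators, explicit patterns) is configured through a separate `selected-actions` endpoint, so treat `actions_put` as the first of two calls. Run the script on a schedule, and any drift away from the baseline shows up as a non-empty findings list.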
To keep up with what members of your organization are doing, GitHub provides the organization audit log. Review it regularly and look for suspicious activity: organization settings being changed, repositories being made public, new outside collaborators, and the like.
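To show what "reviewing the audit log" looks like in practice, here is an added example (not code from the original post or from Argon) that triages an audit log export for the events the checklist above cares about. The events are constructed for this example; their shape, one JSON object per line with `action`, `actor`, an `@timestamp` in epoch milliseconds, and `repo`, `user` or `visibility` where relevant, is modelled on GitHub's audit log export, but the field names are an assumption and should be compared with your own export before you rely on the rules.

```python
"""Triage an organization audit log export for checklist-relevant events.

Added example; not code from the original post or from Argon. The events are
constructed for this example and only loosely follow GitHub's audit log export
format (assumption); verify the action and field names against your own export.
"""
import json
from datetime import datetime, timezone

# Constructed sample export: one JSON object per line, oldest first.
SAMPLE_EXPORT = """\
{"@timestamp": 1621850000000, "action": "repo.create", "actor": "alice", "org": "example-org", "repo": "example-org/internal-api", "visibility": "private"}
{"@timestamp": 1621850100000, "action": "org.add_outside_collaborator", "actor": "alice", "org": "example-org", "user": "contractor-bob"}
{"@timestamp": 1621850200000, "action": "repo.access", "actor": "bob", "org": "example-org", "repo": "example-org/internal-api", "visibility": "public"}
{"@timestamp": 1621850300000, "action": "org.disable_two_factor_requirement", "actor": "mallory", "org": "example-org"}
{"@timestamp": 1621850400000, "action": "org.update_default_repository_permission", "actor": "mallory", "org": "example-org"}
{"@timestamp": 1621850500000, "action": "repo.add_member", "actor": "alice", "org": "example-org", "repo": "example-org/internal-api", "user": "carol"}
"""

HIGH, MEDIUM = "high", "medium"
RANK = {HIGH: 0, MEDIUM: 1}

# Actions that on their own mean a checklist setting changed or an outsider got access.
ACTION_RULES = {
    "org.disable_two_factor_requirement": (HIGH, "2FA requirement switched off"),
    "org.update_default_repository_permission": (MEDIUM, "base permission changed; confirm it is still None"),
    "org.add_outside_collaborator": (MEDIUM, "outside collaborator added; record who owns this access and when it ends"),
}


def parse_export(text):
    """Parse a newline-delimited JSON export into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def iso(ms):
    """Render an epoch-millisecond timestamp as UTC ISO 8601."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def triage(events):
    """Return alerts sorted by severity then time; each alert is a dict."""
    alerts = []
    for e in events:
        action = e.get("action", "")
        subject = e.get("repo") or e.get("user") or e.get("org", "")
        if action in ACTION_RULES:
            severity, why = ACTION_RULES[action]
        # Visibility rules need the payload, not just the action name: a repo
        # created public, or an existing one flipped to public, is the leak case.
        elif action in ("repo.create", "repo.access") and e.get("visibility") == "public":
            severity, why = HIGH, "repository is public"
        else:
            continue
        alerts.append({
            "severity": severity, "action": action, "actor": e.get("actor"),
            "subject": subject, "when": iso(e.get("@timestamp", 0)), "why": why,
        })
    alerts.sort(key=lambda a: (RANK[a["severity"]], a["when"]))
    return alerts


def settings_changes_by_actor(events):
    """Count org-level ("org.*") changes per actor; one account making many is worth a look."""
    counts = {}
    for e in events:
        if e.get("action", "").startswith("org."):
            actor = e.get("actor")
            counts[actor] = counts.get(actor, 0) + 1
    return counts


if __name__ == "__main__":
    events = parse_export(SAMPLE_EXPORT)
    for a in triage(events):
        print(f"[{a['severity']}] {a['when']} {a['actor']} {a['action']} {a['subject']}: {a['why']}")
    print("org.* changes per actor:", settings_changes_by_actor(events))
```

On the sample, the private `repo.create` and the `repo.add_member` event pass through untouched, the visibility flip and the 2FA change rank highest, and the per-actor count points at `mallory` as the account that made both organization-level changes. The same rules can be fed from the REST audit log endpoint instead of a file export.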
Argon can help you secure your organization by automatically monitoring your GitHub organization's settings, which will of course drift over time. Argon finds vulnerabilities and tracks anomalies in real time, following every commit and every settings update, so you are spared the effort of combing through audit logs and can focus on what you are actually here for: running your business.