GitHub security is and will always be a hot topic as it’s the largest source code host in the world. Over 73 million developers and 4 million organizations use GitHub, hosting over 200 million repositories.
GitHub security matters because it is a platform that stores and manages source code, which is often sensitive and confidential. Ensuring the security of this code is crucial to prevent unauthorized access or modifications that could lead to data breaches or other security incidents.
As an organization’s team grows, GitHub security can become more complicated and difficult to track. Additionally, GitHub’s security misconfigurations, public repositories, and hardcoded credentials could attract attackers.
How to secure GitHub?
Today, we’re going to talk about 10 GitHub security best practices and why we should configure them. Let’s get started together!
1. Never store credentials in GitHub
Most developers tend to store sensitive data such as:
- API keys,
- Database usernames/passwords,
- And private keys in their GitHub repositories.
This is the easiest way to deal with a functional coding problem, but the worst method in terms of security.
According to a recent study, on average, three out of every 1,000 GitHub entries leaked a secret.
GitHub repositories are meant to be shared, with your teammates, your company, and even publicly. However, not every secret needs to be shared with everyone.
For example, when a temporary developer joins the repository to solve a quick problem and then the team forgets the delete the developers’ access to the repository. A mistake like this could allow an attacker to capture developers’ passwords and steal all the secrets from the repository. Besides user credentials being captured, all company secret keys are leaked, leading to a companywide security disaster.
Additionally, there’s a risk that the source code could be leaked. Sometimes, you may create repositories accidentally to be publicly accessible and attackers seize this opportunity to steal secrets.
Besides, developers might work within a local copy of the repository, creating the possibility of a leak due to malware, hacking, or accidental disclosure. Attackers can get all secrets from local copies, leading to a disaster.
Pro tips: To prevent accidentally leaving secrets in the GitHub repository, you can use several helpful open-source tools such as git-secrets. You can audit your repositories using tools such as trufflehog for your regular checks.
2. Always use MFA
As you know, using strong passwords isn’t secure enough anymore. Attackers have developed several tested methods of stealing credentials, giving them unauthorized access to our accounts.
For this reason, it has become very important to enable MFA for all your GitHub user accounts, as it is in any account.
Besides MFA enabling, you should enforce MFA for every GitHub user in your organization. To require MFA, select Your Profile Photo → Your Organizations→ Settings → Security →Authentication Security. You can see all the details here.
Footnote: MFA stands for “multi-factor authentication,” which is a security measure used in cyber security to require more than one form of identification to access a system or account. This can include a password, a security token, or biometric identification, among others.
3. Create a SECURITY.md file
In addition to the README.md file, you need to include a SECURITY.md file that includes security information for your project. SECURITY.md file should contain:
- Disclosure Policy: You need to define the procedure for the person that found security issues, and who the contact is for them. You can configure the ‘security@’ email.
- Security Update Policy: You need to define how you intend to update users about new security vulnerabilities as they are found.
- Security-Related Configuration: This includes settings that users should consider that would impact the security posture of deploying this project.
- Known security gaps & future enhancements: This includes security improvements you haven’t implemented yet.
Worried about the current security of your cloud deployments? Check out our Cloud Security service.
4. Disable forking
Forking is a feature that allows us to create a copy of a repository that we can manage. This is useful because it enables us to make changes to a project without affecting the original repository. The forked repository becomes a separate entity from the original repository, but with its own copy of the codebase.
However, from a GitHub security perspective, forking can make tracking security issues more difficult as security vulnerabilities in the original repository might also be present in the forks. It is important to keep track of all the repositories that have been forked from the original repository.
As such, it is important to pay close attention to the forking feature and its implications, especially when it comes to security. While forking can be a useful feature, it is important to keep track of all forks, and to be aware of the risks associated with forking.
How-to: To disable/enable the forking option, select Your Profile Photo → Your Organizations→ Settings→ Member Privileges. In the repository forking section, you can see the disable/enable option.
5. Review your third-party access and GitHub applications
GitHub applications are highly useful for adding various features to our repositories. However, it is crucial to proceed with caution. Before adding a GitHub application, it is important to review the applications and their credibility.
If the application has any security issues, negative comments, or an unknown author, you should think twice before authorizing it for your GitHub organization. In addition, for each application, you should audit the permissions that it requires and make sure that it is not granted more permissions than necessary.
Pro tip: Review regularly both the “Third-party access” and “Installed GitHub Apps” to ensure that no unauthorized access is granted.
6. Disable public repository creation
If your organization does not require public repositories, it is important to take steps to ensure that your repositories remain private. One way to do this is to disable public access entirely. By disabling public access, you can help prevent the accidental creation of publicly accessible repositories, which can result in the exposure of sensitive information.
Additionally, disabling public access can help you better manage your repositories by ensuring that they are only accessible to authorized users.
How-to: Select Your Profile Photo → Your Organizations→ Settings→ Member Privileges. In the repository creation section, you can see the settings.
7. Use GitHub teams for access control
Not everyone in your organization needs access to every repository. It’s important to create teams for your organization’s workflows, such as developers, security engineers, managers, etc. You can also assign specific roles to each repository, such as read, write, or admin.
Pro tip: Always consider the principle of least privilege for each case.
8. Configure IP whitelisting
Tracking everyone’s actions is very important yet is often difficult for large organizations. When someone leaves the organization and is not deleted from the repositories, it can be very dangerous.
Additionally, when an attacker captures a GitHub user’s password with different methods, they can gain full access to the organization’s repositories. To prevent these situations, you need to use IP whitelisting for your GitHub organizations as an additional security method. You can use your VPN or office network CIDR for this.
Note: You need to use GitHub Enterprise for IP whitelisting option.
9. Scan your repositories regularly
Regular code scanning allows vulnerabilities to be easily detected and addressed as soon as possible. For your GitHub repositories, you can use the code scanning feature in GitHub or you can use third-party sources such as SonarQube.
Scanning your repositories regularly helps you to locate and fix existing security vulnerabilities. It also prevents developers from creating new security problems. This can be achieved by defining new workflows, as well as new push/pull mechanisms.
For example, when a new vulnerability is found in code, your repository would not allow the process to continue.
Pro tip: Automating code scanning and integrating it into your development process can help catch vulnerabilities early on and prevent security issues from becoming more serious down the line.
10. Review your audit logs
The GitHub audit log allows organizations to quickly review actions performed by members of their organization. It includes details such as:
- Who performed the action,
- What the action was,
- When it was performed.
Pro tip: It’s important to periodically review the audit log and make sure that there are no anomalous or suspicious activities.
Conclusion
GitHub is the world’s largest code management system, with millions of users and repositories spanning various industries. While it is a great platform to share and collaborate on code, it is important to ensure that your code is being stored securely.
That is why we have compiled a comprehensive list of 10 GitHub Security Best Practices that you can implement to safeguard your sensitive data.
We believe that following these best practices can help you establish a strong security posture on GitHub.
In addition to these best practices, we also offer DevSecOps services that can help you achieve your digital transformation goals. Our team of experts can help you develop a security strategy that aligns with your business objectives.
Take advantage of our DevSecOps services to begin your digital transformation journey.
