GitHub is a collaborative source code management platform that plays a critical role in modern software development, providing a central repository for storing, managing, and versioning source code as well as collaborating with a community of developers. However, it also represent a potential security risk if not properly configured. In this guide, we will explore the best practices for securing GitHub, covering topics that include user authentication, access control, permissions, monitoring, logging, and integrating security tools.
This guide has been written for the:
- Maintainer who wants to improve the security posture for one or more GitHub repositories they support.
- Owner who wants to improve the security posture for one or more GitHub organizations they manage.
- Open Source Program Office (OSPO) who is typically responsible for multiple organizations and repositories.
- Operations team tasked with applying policies as part of their work managing assets on GitHub.
- GitHub Enterprise administrator who wants to improve the security posture for their enterprise.
- Workflows Should Not Be Allowed To Approve Pull Requests
- GitHub Actions Should Be Restricted To Selected Repositories
- GitHub Actions Should Be Limited To Verified or Explicitly Trusted Actions
- Default Workflow Token Permission Should Be Read Only
- Runner Group Should Be Limited to Private Repositories
- Runner Group Should Be Limited to Selected Repositories
- Two-Factor Authentication Should Be Enforced For The Enterprise
- Enterprise Should Not Allow Members To Change Repository Visibility
- Enterprise Should Not Allow Members To Create public Repositories
- Enterprise Should Not Allow Members To Invite Outside Collaborators
- Enterprise Should Use Single-Sign-On
- Enterprise Should Not Allow Members To Fork Internal And Private Repositories
- Organization Should Have Fewer Than Three Owners
- Organization Admins Should Have Activity In The Last 6 Months
- Organization Members Should Have Activity In The Last 6 Months
- Two-Factor Authentication Should Be Enforced For The Organization
- Default Member Permissions Should Be Restricted
- Only Admins Should Be Able To Create Public Repositories
- Organization Should Use Single-Sign-On
- Webhooks Should Be Configured To Use SSL
- Webhooks Should Be Configured With A Secret
- Repository Should Be Updated At Least Quarterly
- Workflows Should Not Be Allowed To Approve Pull Requests
- Default Branch Should Require Code Review
- Default Branch Should Require Linear History
- Default Workflow Token Permission Should Be Set To Read Only
- OSSF Scorecard Score Should Be Above 7
- Default Branch Should Require Code Review By At Least Two Reviewers
- Default Branch Should Require All Checks To Pass Before Merge
- Default Branch Should Require Branches To Be Up To Date Before Merge
- Default Branch Should Not Allow Force Pushes
- Default Branch Should Be Protected
- Default Branch Deletion Protection Should Be Enabled
- GitHub Advanced Security – Dependency Review Should Be Enabled For A Repository
- Vulnerability Alerts Should Be Enabled
- Forking Should Not Be Allowed for This Repository
- Default Branch Should Require All Conversations To Be Resolved Before Merge
- Webhooks Should Be Configured With A Secret
- Default Branch Should Require All Commits To Be Signed
- Default Branch Should Require New Code Changes After Approval To Be Re-Approved
- Default Branch Should Restrict Who Can Push To It
- Repository Should Have Fewer Than Three Admins
- Default Branch Should Limit Code Review to Code-Owners
- Default Branch Should Restrict Who Can Dismiss Reviews
- Webhooks Should Be Configured To Use SSL
General Recommendations
- Organization Management Should Be Consolidated Under a Central Account.
- Organization Membership Should Be Limited to Its Staff When Relevant.
- Review Security Policies and Procedures At Least Annually.
- Establish a Clear Communication and Incident Response Plan.
- Conduct Regular Security Audits and Vulnerability Assessments.
- Use Insights to Track Activity and in Repositories and Organizations.
- Use Tools Built On APIs to Automate Tasks and Avoid Needing Elevated Privileges.
- Review the Configuration Settings Before Making a Repository Public.
- Review the Configuration Settings After Transferring a Repository into the Organization.
- Provide Automated Alerts and Tooling to Ensure Ongoing Compliance.
- Review Audit Logs to Track Activity and Changes in Repositories and Organizations.
- Review Audit Events to Track Activity and Changes in Projects and Groups.
Specific Recommendations
- Two-Factor Authentication Should Be Enforced For The Organization
- Organization Should Use Single-Sign-On
- Default Member Permissions Should Be Restricted
- Only Admins Should Be Able To Create Public Repositories
- Webhooks Should Be Configured To Use SSL
- Webhooks Should Be Configured With A Secret
- Configure Security Alerts and Vulnerability Scanning at the Organization or Repository Level.
- Enable GitHub Advanced Security features for Private and Internal Repositories.