21 Security Best Practices for GitHub

GitHub invests heavily in protecting its users and their code: it encourages or requires multi-factor authentication (MFA), and it has built and deployed tools that block unauthorized access and detect sensitive information before it is exposed in public repositories. As a result, most GitHub-related security incidents trace back to mistakes and misconfigurations on the user side rather than to the platform itself. This article covers best practices that organizations using GitHub can adopt to secure their repositories and the code and data they contain.


Top 21 Security Best Practices for GitHub

Here are the 21 security best practices for GitHub:

#1. Never Store Credentials And Sensitive Data On GitHub

Git keeps every version of every file, so a secret that is committed once stays in the repository history even after the file is edited or deleted, and anyone who can clone the repository can recover it. Tools like git-secrets install a pre-commit hook that scans each commit for credential patterns and refuses the commit, so the secret never reaches GitHub at all.

#2. Disable Forking

A fork copies a repository into another account without affecting the original. For a private repository, that copy lives under the forking user's namespace, outside the organization's direct administrative control and audit visibility. Disable forking of private repositories in the organization's member privileges so that source code and any sensitive data stay in repositories the organization controls.

#3. Disable Visibility Changes

GitHub repositories can be public or private, and by default any user with admin access to a repository can change its visibility. Restrict this to organization owners by disabling the "Repository visibility change" option in the organization's member privileges, so that a private repository cannot be flipped to public by a single mistaken click or a compromised account.

#4. Validate Your GitHub Applications

Organizations often grant access to third-party developers and to integrations such as GitHub Apps and OAuth apps. Each should receive only the access it needs (specific repositories, minimal scopes or permissions), installed and authorized apps should be reviewed periodically, and commits from external parties should be reviewed before they are merged into a repository.

#5. Enforce 2-Factor Authentication

GitHub lets organization owners require two-factor authentication (2FA) for every member; members who have not enabled it are removed from the organization until they do. Requiring 2FA for all users reduces the risk of code leaks or malicious commits from accounts whose passwords have been phished or reused.

#6. Implement SSO (GitHub Enterprise Only)

GitHub Enterprise supports SAML single sign-on (SSO), which ties organization access to the organization's identity provider: users authenticate through the IdP, and a user deprovisioned there loses GitHub access as well. Combined with SCIM provisioning and GitHub's role and team model, this lets permissions to organizations, teams and repositories be assigned and revoked centrally from the organization's IAM solution.

#7. Limit Access to Allowed IP Addresses

IP allow lists (available on GitHub Enterprise Cloud) restrict access to an organization's resources to requests from approved addresses, such as office networks or corporate VPN egress. This blocks access from unmanaged devices and from former employees working outside the corporate network, even when they still hold a valid credential.

#8. Tightly Manage External Contributor Permissions

External contributors are often part of a project only briefly, and their access should be removed as soon as their role is complete. Keeping the set of external accounts small and current reduces both the organization's exposure and its per-seat GitHub cost.

#9. Revoke Permissions In a Timely Manner

Users who leave the company or move off a project no longer need write access to its repositories. Revoke access promptly, or downgrade to read-only where ongoing visibility is legitimate, so that a later compromise of that account cannot touch the code.

#10. Require Commit Signing

The author name and e-mail on a commit are plain strings taken from the committer's git config, so anyone can set them to impersonate another developer. Commit signing (GPG, SSH or S/MIME) attaches a cryptographic signature that GitHub verifies and displays as "Verified", and branch protection can reject unsigned commits, so every change is attributable to a key rather than to a claimed name.

#11. Enforce Code Review Before Merging

Code review can catch vulnerabilities and malicious changes before they land. Configure branch protection so that changes reach protected branches only through pull requests with a required number of approving reviews, with stale approvals dismissed when new commits are pushed, and with review by the owners listed in CODEOWNERS required for sensitive paths.

#12. Add a Security.md File

A SECURITY.md file documents the security policy for a repository, and GitHub surfaces it on the repository's Security tab. Use it to state supported versions, security requirements for contributors, and how to report a vulnerability privately.

#13. Rotate SSH Keys and Personal Access Tokens (PATs)

GitHub accepts SSH keys and personal access tokens (PATs) in place of passwords for Git and API access. Rotate them regularly, prefer fine-grained PATs scoped to specific repositories and permissions with an expiration date, and revoke any key or token whose holder leaves, so that a leaked credential has a bounded lifetime.

#14. Audit All Code Uploaded to GitHub

Legacy and external codebases are often imported into a GitHub repository wholesale as part of an application. Audit that code for vulnerabilities and embedded secrets before accepting it, keeping in mind that any secret present in the imported history stays in the history.

#15. Review Your GitHub Audit Logs for Suspicious Activity

GitHub's organization audit log records who did what and when: membership and permission changes, repository creation, deletion and visibility changes, branch protection changes, and more. Review it regularly, or stream it to a SIEM, and look for unusual actions or actors, such as a burst of visibility and permission changes from a single account or activity at odd hours, which may indicate a compromised account.
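The Python below is an added example of this kind of review, written for this article rather than taken from GitHub. It reads an audit log JSON export (assumed shape: one object per event with "action", "actor" and "created_at", plus "repo", "user" or "visibility" where relevant), picks out high-risk actions, and flags any actor who performs several of them within a short window. The action names are the ones GitHub uses in its audit log; the events themselves are constructed.

```python
"""Triage a GitHub organization audit log export for high-risk activity.

Added example for this article, not a GitHub tool. It assumes the JSON
export shape: one object per event with "action", "actor" and "created_at"
(ISO 8601), plus "repo", "user" or "visibility" where relevant. The action
names are the ones GitHub uses; the events themselves are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that change who can see or change code, or that weaken controls.
HIGH_RISK_ACTIONS = {
    "repo.visibility_change": "repository visibility changed",
    "repo.destroy": "repository deleted",
    "protected_branch.destroy": "branch protection removed",
    "org.disable_two_factor_requirement": "2FA requirement disabled",
    "org.add_member": "member added to organization",
    "org.update_member": "member role changed",
    "repo.add_member": "collaborator added to repository",
}

# Constructed sample export: one routine event, then a late-night burst from
# "bob" that makes a repository public, strips its branch protection and adds
# a new member, and a routine collaborator addition by "carol".
SAMPLE_EXPORT = json.dumps([
    {"action": "repo.create", "actor": "alice", "created_at": "2024-05-01T08:00:00Z",
     "repo": "acme/api"},
    {"action": "repo.visibility_change", "actor": "bob", "created_at": "2024-05-01T23:10:00Z",
     "repo": "acme/api", "visibility": "public"},
    {"action": "protected_branch.destroy", "actor": "bob", "created_at": "2024-05-01T23:12:00Z",
     "repo": "acme/api"},
    {"action": "org.add_member", "actor": "bob", "created_at": "2024-05-01T23:13:00Z",
     "user": "mallory"},
    {"action": "repo.add_member", "actor": "carol", "created_at": "2024-05-02T10:00:00Z",
     "repo": "acme/web", "user": "vendor-1"},
])


def load_events(text):
    """Parse the export; events missing the fields relied on below are dropped."""
    return [e for e in json.loads(text)
            if isinstance(e, dict) and {"action", "actor", "created_at"}.issubset(e)]


def parse_time(stamp):
    """Accept the trailing-Z form, which datetime.fromisoformat rejects before Python 3.11."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def high_risk_events(events):
    """Events whose action is in HIGH_RISK_ACTIONS, with a description attached."""
    return [dict(e, description=HIGH_RISK_ACTIONS[e["action"]])
            for e in events if e["action"] in HIGH_RISK_ACTIONS]


def burst_actors(events, window=timedelta(minutes=15), threshold=3):
    """Actors who performed at least `threshold` high-risk actions within `window`.

    A rapid sequence of visibility, protection and membership changes from one
    account is a typical footprint of an account takeover or insider bulk action.
    """
    times_by_actor = defaultdict(list)
    for e in high_risk_events(events):
        times_by_actor[e["actor"]].append(parse_time(e["created_at"]))
    flagged = []
    for actor, times in times_by_actor.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged.append(actor)
    return sorted(flagged)


def repos_made_public(events):
    """Repositories whose visibility was switched to public."""
    return sorted({e["repo"] for e in events
                   if e["action"] == "repo.visibility_change" and e.get("visibility") == "public"})


if __name__ == "__main__":
    evts = load_events(SAMPLE_EXPORT)
    for e in high_risk_events(evts):
        target = e.get("repo", e.get("user", ""))
        print(f"{e['created_at']} {e['actor']:<6} {e['description']}: {target}")
    print("burst actors:", burst_actors(evts))
    print("made public:", repos_made_public(evts))
```

Tune the action list and window to your organization; the same logic applies to a stream of events from the audit log API or a SIEM, where the burst check becomes an alert rule.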

#16. Enable Alerts for Vulnerable Dependencies

Applications inherit vulnerabilities from their dependencies, especially third-party and open-source ones. GitHub's Dependabot alerts flag dependencies with known vulnerabilities; they are on by default for public repositories and can be enabled for private ones, and Dependabot security updates can open pull requests that bump the affected dependency to a fixed version.

#17. Employ Automated Secret Scanning at Pre-Commit

Credentials hardcoded in an application are at risk of exposure even in private repositories, since everyone with clone access and every backup holds a copy. Automated secret scanning at pre-commit looks for credential patterns in the staged changes and blocks the commit; GitHub's push protection adds a server-side check that rejects pushes containing known secret formats.
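Here is an added example of such a pre-commit hook, in Python, written for this article rather than taken from git-secrets or GitHub; it serves practices #1 and #17. It scans the staged diff for a few well-known secret formats (the AWS access key and GitHub token prefixes are published formats; the password-assignment rule is a heuristic), flags file names that should never be committed, and aborts the commit on a hit. The sample diff is constructed, and the allow-secret marker is this hook's own convention.

```python
#!/usr/bin/env python3
"""Pre-commit hook that refuses a commit whose staged changes add a secret.

Install by copying to .git/hooks/pre-commit and marking it executable. Git
runs it before the commit object is created; a non-zero exit aborts the
commit, so the secret never enters history. Example hook, not git-secrets.
"""
import re
import subprocess
import sys

# High-confidence secret formats. The AKIA/ASIA and gh*_ prefixes are published
# formats; the password rule is a heuristic and will need tuning per codebase.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key)\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}

# Paths that must never be committed regardless of content (see also .gitignore).
SENSITIVE_PATHS = re.compile(r"(?:^|/)(?:\.env|id_rsa|id_ed25519|.*\.pem|.*\.p12)$")

# Inline opt-out for documented placeholder values (this hook's own convention).
ALLOW_MARKER = "allow-secret"


def scan_diff(diff_text):
    """Return (path, new_line_number, rule) for each hit on an added line of a unified diff.

    Only '+' lines are scanned, so secrets already in history are not re-reported;
    a sensitive path is reported once with line number 0.
    """
    findings = []
    path = None
    new_line = 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:]
            path = path[2:] if path.startswith("b/") else path
            if SENSITIVE_PATHS.search(path):
                findings.append((path, 0, "sensitive_path"))
        elif line.startswith("@@"):
            # Hunk header "@@ -a,b +c,d @@": c is the first line number on the new side.
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", line)
            new_line = int(m.group(1)) if m else 0
        elif line.startswith("+"):
            content = line[1:]
            if ALLOW_MARKER not in content:
                for rule, pattern in SECRET_PATTERNS.items():
                    if pattern.search(content):
                        findings.append((path, new_line, rule))
            new_line += 1
        elif line.startswith("-") or line.startswith("\\"):
            continue  # removed line or "\ No newline at end of file": no new-side line
        else:
            new_line += 1  # context line (or a file header, reset by the next hunk)
    return findings


# Constructed staged diff for illustration: a config file gaining two credentials
# (plus one marked as a documented placeholder) and a private key file being added.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,5 @@
 import os
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "correct-horse-battery"
 DEBUG = False
+DOC_KEY = "AKIAIOSFODNN7EXAMPLE"  # allow-secret
diff --git a/id_rsa b/id_rsa
--- /dev/null
+++ b/id_rsa
@@ -0,0 +1 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
"""


def main():
    staged = subprocess.run(["git", "diff", "--cached", "--no-color"],
                            check=True, capture_output=True, text=True).stdout
    findings = scan_diff(staged)
    for path, line_no, rule in findings:
        print(f"{path}:{line_no}: possible secret ({rule})", file=sys.stderr)
    if findings:
        print(f"Commit blocked. Remove the secret, or mark a documented placeholder "
              f"with '{ALLOW_MARKER}'.", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run against SAMPLE_DIFF, scan_diff reports the AWS key on line 2 and the password on line 3 of config.py, the id_rsa path itself, and the private key header inside it, while ignoring the line marked allow-secret. A hook like this is a client-side control that a developer can skip with git commit --no-verify, which is why server-side push protection belongs alongside it.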

#18. Clear Your GitHub History

Git's full version history becomes a problem once sensitive data has been committed, because deleting the file in a new commit leaves the old version retrievable. History can be rewritten with git filter-branch or, as Git's own documentation now recommends, with git filter-repo, followed by a force push. Treat any secret that has already been pushed as compromised and rotate it: rewriting does not reach clones, forks or caches that already hold the old commits, and the rewrite must be coordinated with every collaborator whose clone will no longer match.

#19. Enable Git Branch Protection

Branch protection rules prevent unauthorized or accidental changes to important branches such as main or release branches. They can block force pushes and branch deletion, require pull requests with approving reviews, require passing status checks, and require signed commits, protecting those branches both against code loss and against unreviewed changes slipping in.
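As an added example serving #11 and #19 (not Check Point's or GitHub's own code), the Python below builds a hardened protection rule for a branch and can apply it through GitHub's REST API (PUT /repos/{owner}/{repo}/branches/{branch}/protection), and it audits an existing rule, as returned by the corresponding GET, for the weak settings discussed above. Field names follow the REST API reference and should be checked against the current version before use; OWNER, REPO and the ci/test status check are placeholders, and the two sample rules are constructed.

```python
"""Build, apply and audit a branch protection rule via the GitHub REST API.

Added example; not Check Point's or GitHub's code. Endpoint and field names
follow the branch-protection API reference (verify against the current docs).
OWNER, REPO and the "ci/test" status-check name are placeholders.
"""
import json
import os
import urllib.request


def protection_payload(required_reviews=2, status_checks=("ci/test",)):
    """Body for PUT .../branches/{branch}/protection: pull requests with approving
    reviews required, stale approvals dismissed, CODEOWNERS review required, checks
    must pass on an up-to-date branch, force pushes and deletion blocked, and
    administrators not exempt."""
    return {
        "required_status_checks": {"strict": True, "contexts": list(status_checks)},
        "enforce_admins": True,
        "required_pull_request_reviews": {
            "dismiss_stale_reviews": True,
            "require_code_owner_reviews": True,
            "required_approving_review_count": required_reviews,
        },
        "restrictions": None,
        "required_linear_history": True,
        "allow_force_pushes": False,
        "allow_deletions": False,
        "required_conversation_resolution": True,
    }


def weak_spots(protection):
    """Findings for a rule as returned by GET .../protection, where boolean settings
    come back as {"enabled": bool} objects and a missing key means the setting is
    off. Returns an empty list for a hardened rule."""
    findings = []
    reviews = protection.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        findings.append("no approving review required")
    if not reviews.get("dismiss_stale_reviews"):
        findings.append("stale approvals survive new pushes")
    if (protection.get("allow_force_pushes") or {}).get("enabled"):
        findings.append("force pushes allowed")
    if (protection.get("allow_deletions") or {}).get("enabled"):
        findings.append("branch deletion allowed")
    if not (protection.get("enforce_admins") or {}).get("enabled"):
        findings.append("administrators bypass the rule")
    if not protection.get("required_status_checks"):
        findings.append("no status checks required")
    return findings


# Constructed GET responses: a rule left at permissive settings, and a hardened one.
WEAK_RULE = {
    "required_pull_request_reviews": {"required_approving_review_count": 0,
                                      "dismiss_stale_reviews": False},
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": False},
}
HARDENED_RULE = {
    "required_status_checks": {"strict": True, "contexts": ["ci/test"]},
    "required_pull_request_reviews": {"required_approving_review_count": 2,
                                      "dismiss_stale_reviews": True},
    "enforce_admins": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}


def apply_protection(owner, repo, branch, token, payload):
    """PUT the rule; needs a token with repository administration permission."""
    req = urllib.request.Request(
        f"https://api.github.com/repos/{owner}/{repo}/branches/{branch}/protection",
        data=json.dumps(payload).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print("weak rule:", weak_spots(WEAK_RULE))          # five findings
    print("hardened rule:", weak_spots(HARDENED_RULE))  # []
    token = os.environ.get("GITHUB_TOKEN")
    if token:  # only contacts GitHub when a token is supplied
        result = apply_protection("OWNER", "REPO", "main", token, protection_payload())
        print(json.dumps(result, indent=2))
```

Requiring signed commits (practice #10) is a separate call on the same branch, POST .../protection/required_signatures. Running weak_spots against every protected branch's GET response is a cheap periodic check that nobody has quietly relaxed a rule.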

#20. Add Sensitive Files to .gitignore

A local checkout may need SSH keys, access tokens or .env files that must never be pushed. List those files and patterns in .gitignore so that git will not stage them by default. Note that .gitignore does not affect files that are already tracked or that are added explicitly with git add -f, so it complements secret scanning rather than replacing it.

#21. Employ a “Secrets Vault” Service

A secrets vault (such as a cloud provider's secrets manager) stores the passwords, API keys and cryptographic keys an application needs and delivers them at runtime under access control and audit logging. That is far stronger protection than a repository can offer, and it removes the reason for putting secrets in code at all.

Achieving GitHub Security with Check Point CloudGuard

For organizations using GitHub repos, securing them is essential to protecting the code and sensitive data that they may contain.

For more advice on keeping your GitHub repos safe, check out this more comprehensive list of GitHub security best practices. Check Point CloudGuard offers solutions to secure applications throughout the software development lifecycle (SDLC).

Learn more about how your organization can enhance GitHub security with CloudGuard Developer Security.
