Github Security Guide

What is GitHub security?

GitHub, the world’s leading platform for software development and version control, plays a crucial role in how developers collaborate on projects. As such, securing the code, repositories, and user data stored on GitHub is of paramount importance.
With millions of developers contributing to open-source projects and private repositories, GitHub has implemented a variety of security features designed to protect both individual developers and organizations from vulnerabilities, unauthorized access, and other cybersecurity threats.

Authentication and Access Control

GitHub offers several layers of authentication to ensure that only authorized users can access repositories. Two-factor authentication (2FA) is one of the most crucial security measures. By requiring users to provide two forms of verification, GitHub makes it significantly harder for malicious actors to gain access to accounts. For organizations, GitHub also supports Single Sign-On (SSO), integrating with identity providers to manage access across teams more securely.

Branch Protection and Code Review

To prevent unauthorized changes to critical parts of a codebase, GitHub supports branch protection rules. These rules require that certain conditions be met before code can be merged into the main branch, such as requiring reviews from multiple team members or passing automated tests. This ensures that only validated and peer-reviewed changes are incorporated, reducing the likelihood of introducing security vulnerabilities into the project.

Dependabot and Vulnerability Scanning

GitHub integrates with Dependabot, a tool that automatically scans a project’s dependencies for known vulnerabilities. If any are discovered, Dependabot sends pull requests with updated versions of the affected dependencies, helping developers quickly patch potential security risks.

Additionally, GitHub offers automated vulnerability alerts and security advisories for open-source projects, helping maintainers stay informed about issues that may affect their codebase.

Private Repositories and Encryption

GitHub provides private repositories for users and organizations who require a higher level of security for proprietary code. These repositories are protected by robust encryption at rest and in transit, ensuring that data is secure both when stored and during transmission.

Through a combination of authentication, code review practices, and automated tools, GitHub maintains a strong security posture that helps protect developers’ work and ensures that projects are less vulnerable to malicious activity.

What happens if my GitHub account is compromised?

Attacks can all have different outcomes depending on the goal of the attacker. In many cases, attackers wish to either steal your code, hijack your application’s credentials, or inject their malicious backdoors into your codebase.

A recent strategy for cybercriminals is to steal the code and delete all of the commits. This leaves your GitHub repository essentially empty. The attacker then reaches out with a bitcoin address demanding payment in exchange for your code back.

Some attacks can be more subtle than others. For example, attackers can slowly steal code with a compromised GitHub account and implement it into their tools. In some cases, privileged credentials are stolen and used to send spam or malware from your app to its users.

In any case, none of this is good. So let’s take a look at strategies you can use to improve your GitHub security.

How to improve your GitHub security

While most GitHub security techniques involve changes on GitHub itself, some include policies and procedures outside of the platform. These policies can take time to fully implement and audit, especially if you’re working with a larger development team.

Make your GitHub credentials unique

It should go without saying that your GitHub credentials should be unique and not include any form of credentials used elsewhere. Unfortunately, however, many attacks against GitHub accounts still leverage account credentials that are stolen elsewhere.

When websites are compromised, their data is often dumped or sold online. Then, attackers use bots to sift through stolen usernames and passwords and try them on other sites, hoping to get lucky.

Use unique credentials combined with two-factor authentication to lock down your account.

Have a local copy of your repository

Having multiple backups of your repository is key to recovering from a breach or stolen data. For example, having a local backup of your code can allow you to quickly recover from an attack by force pushing your local copy to your GitHub repository.

This saves your time by eliminating the need to audit your code and completely keep projects if held for ransom. In addition, while you can use many tools and techniques to compare your local code to your GitHub code, running a local recovery is often more accessible and more efficient.

Avoid storing passwords as code

Avid storing credentials in your repository. It may sound obvious, but more significant projects can often contain sensitive information that gets included accidentally.

There are some great tools you can use to scan your code for sensitive data automatically. Git-secrets analyses your commits and checks for credentials and other forms of sensitive data. You can also audit your reports with tools like GitRob, which uses pattern matching to identify sensitive information and pattern recognition.

Implement strong policies among your dev team and perform regular audits of your code for usernames, passwords, and other sensitive information before commits are pushed. Strong internal policies combined with tools like git-secrets can help improve your teams’ workflow and the overall security of your GitHub environment.

Lockdown access to your repository

Locking down access has many different layers and is best implemented through policies and procedures over time. You can have a unique set of credentials for your GitHub account, but that does little good if those credentials are sticky-noted to your monitor. We often rush to patch complicated attack vectors while not seeing the lower-hanging fruit opportunities for attackers or internal abuse.

Have strict account security controls in place can help prevent breaches that start from within the company. For example, make revoking account access a part of the termination process. GitHub accounts can still be accessed, even when that user leaves the company. Creating similar procedures for all IT systems falls in line with best practices.

GitHub accounts should not be shared and should be generic, such as having a single account for the entire QA team. Password sharing leads to a lot of problems, specifically around auditing. Shared accounts create a blindspot where that account cannot be adequately audited and causes problems when one person with that account access is terminated. Additionally, each account should have a single owner.

Hardware access policies can also help keep your GitHub repository secure. Mandate that any hardware that is accessing company source code must be a company machine or secured correctly. Doing this ensures that malware can’t steal GitHub credentials from a staff member’s device.

Laptops and other tablets can also be easily lost or stolen. If these devices are accessing your codebase, ensure that they are adequately secured. Enabling Bitlocker on Windows devices automatically encrypts all of the contents on the device, providing information that cannot be stolen if the device is lost.

Company devices can be secured easier through group policies, Active Directory authentication, and your flavor of endpoint security. All of these more minor security policies play a significant role in your overall GitHub security posture.

Validate permissions on your application

GitHub applications can quickly and conveniently add additional features to your repository, but these same applications can cause a breach in security. Avoid adding too many unnecessary applications to your repository, and vet each installation carefully.

Review the author of the application and their credibility. Are they used widely among other projects? Have they been in the space for a while? Do they have any negative reviews or comments about them?

For each application, audit exactly what permissions they require and ensure they do not have more permissions than they need. For example, sloppy plugins and applications may request bulk access to operate but only need narrow permission to function in reality.

Once you’ve narrowed down exactly what permissions the application needs, consider why it needs those permissions in the first place. Review what this application could access or damage given its level of access to your repository.

Rotate authentication keys

Access to your repository can be secured through personal access tokens or SSH keys. But this is all in vain if those tokens are stolen. So consider changing out your security keys from time to time to prevent stolen keys from being used for unauthorized access.

Other policies such as enforcing company devices for GitHub access can also help prevent keys from being stolen. However, even with rigid policies in place, it is still best practice to refresh these keys every few months.

Use the right GitHub solutions

GitHub has several different product offerings that can be used to fit other organizational and security needs. This is common for projects that must adhere to compliance regulations or governmental policies.

If security is the main priority, GitHub Enterprise offers teams the ability to run GitHub entirely on-premises. This gives your more control over your infrastructure and doesn’t place your code in the crosshairs or attackers looking to compromise GitHub,

GitHub also now offers unlimited free private repositories with up to three collaborators per repository. Private repositories detach public forks and give you more control over your project’s visibility.

Collect GitHub logs

GitHub logs are a trove of security information that can telegraph malicious activity is taking place. If your logging isn’t enabled, consider turning it on and implementing a plan to monitor its contents.

Larger organizations can implement a SIEM solution such as SolarWinds Security Event Manager to scan and identify indications of compromise automatically. These tools can also be configured to fire off automated alerts and remediation steps when a threat is discovered, making it a highly scalable security solution.

Includes a SECURITY.md file in your repository

A SECURITY.md file is like readme documents, but for outlining security procedures. This file is great for small and large projects and helps users understand how they should proceed with updates and general security practices.

Information about security disclosures is often included in the documentation, giving clear and concise information about how vulnerabilities and bugs can be disclosed and who they should contact. This helps make sure the right project maintainers get the correct information regarding their roles.

Configuration-related security information is also included to help others tailor your project to their unique environment. Default and suggested settings are often outlined in this section of the file and best security practices for the application.

Security update policies within the file help users understand how you disseminate information to them if a vulnerability is discovered. This is important, especially for popular projects where a bug could impact thousands of users that rely on your application. It’s best practice to update users as soon as you have known a bug has been discovered and outline precisely how they can receive the latest patches from you.

Audit your Git/GitHub configurations

Misconfigurations can be either accidental or intentional, depending on the nature of the threat. Consider auditing your GitHub configurations to ensure shared assets and user accounts all have the proper permissions. In addition, automated configuration monitoring tools can be used to monitor your Git environment. Many of these tools leverage SNMP integrations to collect data and monitor different environments.

Leverage real-time code scanning

You don’t have to wait until your code is finished to scan it for vulnerabilities or data leaks. Tools like CodeQL can collect information as the code is entered into the repository and review before every push.

The CodeQL engine works by analyzing data flows through an application to find vulnerabilities. This helps uncover bugs like SQL injections, remote code executions, and cross-site scripting attacks.

Scan for secrets

Secret scanning is a part of GitHub Advanced Security and works to detect well-known secrets automatically. It works by automatically scanning repositories that get pushed for credentials or other sensitive information. If secrets are found, the provider of the mystery is notified. This allows them to validate the unknown and then revoke or renew access.

Enable security alerts for critical assets

For dependencies and other areas of your GitHub account, you can enable security alerts for your repository. This is beneficial for all repositories but is especially useful for larger projects where a dependency vulnerability or outage could cause significant downtime.

The security alerts also tap into the National Vulnerability Database (NVD), which provides a constant source of up-to-date vulnerability information that compares your project to the latest known vulnerabilities and threats.

Perform regular code/security audits

Before importing any projects or large pieces of code into GitHub, consider thoroughly auditing the code. While this might not be necessary for smaller projects, larger repositories should audit new code imports before adding them.

Conclusion

It can be tough to secure such a collaborative environment as GitHub, but it can come as second nature with the correct procedures and mindset. So, above anything else, take the time to incorporate these best practices into policies and procedures your team must follow.

This will create a culture of security over time, and bake GitHub best security practices right into the core of your application development process.

GitHub security FAQs

How do I secure my GitHub?

To keep your GitHub repository secure, follow these steps:

  1. Make your GitHub credentials unique
  2. Have a local copy of your repository
  3. Avoid storing passwords as code
  4. Lockdown access to your repository
  5. Validate permissions on your application
  6. Rotate authentication keys
  7. Use the right GitHub solutions
  8. Collect GitHub logs
  9. Includes a SECURITY.md file in your repository
  10. Audit your Git/GitHub configurations
  11. Leverage real-time code scanning
  12. Scan for secrets
  13. Enable security alerts for critical assets
  14. Perform regular code/security audits

Is GitHub safe and secure?

By default, GitHub is not very secure. However, there are security features available within the GitHub system that can improve your repository’s security. It is particularly difficult to keep your programs safe if you set up a public repository. Private repositories are more secure.

How secure is private GitHub?

A private GitHub repository is more secure than a public repository. Not only do you control who has access to your private area but you can implement deeper security for specific files and utilities, such as SSH keys and proprietary code.