10 GitHub Security Best Practices
This blog post was published on PurpleBox website on April 25th, 2022.
GitHub is the largest source code host in the world and is used by over 73 million developers, and 4 million organizations and hosts over 200 million repositories.
While the organizations’ teams are growing, GitHub security can be more complicated and challenging to track. Also, GitHub’s security misconfigurations, public repositories, and hardcoded credentials could attract attackers. Today, we’re going to talk about 10 GitHub security best practices and why we should configure these. Let’s start together!
1. Never store credentials in GitHub
Lots of developers tend to store secrets such as API keys, database username/password, and private keys in their GitHub repositories. This is the easiest way to deal with a functional coding problem, but the worst idea for the security side. In a recent research, on average, three out of every 1,000 commits to GitHub leaked a secret.
GitHub repositories are meant to be shared, with your teammates, your company, or publicly. However, every secrets key and credentials do not need to be shared with everyone. For example, when a temporary developer joins the repository to solve a quick problem and then the team forgets the delete the developers from the repository. After that, an attacker can capture developers’ password and gets all the secrets from the repository. Besides user credentials being captured, all company secret keys are leaked, leading to a disaster.
Additionally, there’s a risk that source code is leaked. Sometimes repositories are created publicly accessible accidentally and attackers love the public repositories to get secrets. Also, developers work in a local copy of the repository and this may leak due to malware, hacking or accidental disclosure. Attackers get all secrets from local copies, that’s also a disaster.
To prevent accidentally pushing secrets to the GitHub repository, you can use some open source tools such as git-secrets. You need an audit to your repositories with some tools such as truffleHog for your regular checks.
2. Always use MFA
As you know, only using strong passwords isn’t secure enough anymore. Attackers have developed lots of tested methods of stealing credentials such to gain unauthorized access to our accounts. For this reason, it has become very important to enable MFA in our GitHub user accounts, as it is in any account. Besides MFA enabling, you should enforce MFA for every GitHub user in your organization. To enforce, select Your Profile Photo → Your Organizations→ Settings → Security →Authentication Security. You can see all the details here.
3. Create a SECURITY.md file
In addition to the README.md file, you need to include a SECURITY.md file that includes security information for your project. SECURITY.md file should contain:
- Disclosure policy: You need to define the procedure for who is the person that found security issues, and who is the contact person for these. You can configure the ‘security@’ email.
- Security Update policy: You need to define how you intend to update users about new security vulnerabilities as they are found.
- Security-related configuration: This part includes settings that users should consider that would impact the security posture of deploying this project.
- Known security gaps & future enhancements. This part includes security improvements you haven’t implemented yet.
4. Disable forking
Forking means creating a copy of a repository that we manage. The fork option is very useful in such cases because we can make changes to a project without affecting the original repository. However, from a GitHub security perspective, forking causes the harder tracking of security issues. Also, repository users can fork all code repositories to their private accounts. To disable/enable the forking option, select Your Profile Photo → Your Organizations→ Settings→ Member Privileges. In the repository forking part, you can see the disable/enable option.
5. Review your third-party access and GitHub applications
GitHub applications are very useful to add lots of features to our repositories, but we need to be careful. Before adding a GitHub application, you need to review the applications and their credibility. If applications have any security issues, negative comments, or unknown authors, you need to think twice before authorizing your GitHub organization. Also, for each application, you need to audit the permissions they require and you need to be sure they do not have more permissions than they need. You should review both the “Third-party access” and “Installed Github Apps” regularly to make sure no unauthorized access is granted.
6. Disable public repository creation
If your organization does not need public repositories, you need to disable public access to prevent the accidental creation of publicly accessible repositories. To do this, Your Profile Photo → Your Organizations→ Settings→ Member Privileges. In the repository creation part, you can see the settings.
7. Use GitHub teams for access control
Everyone in your organization does not need access to every repository. You need to create teams for your organization’s workflows such as developers, security engineers, managers, etc. You can also set a role for every repository like read, write, and admin. Always think of the least privilege principle for every case.
8. Configure IP whitelisting
Tracking everyone’s actions is very important and hard for large organizations. When someone leaves the organization and is not deleted from the repositories, it can be very risky.
Also when an attacker captures a GitHub user’s password with different methods, they can get full access to the organization’s repositories. To prevent these situations, you need to use IP whitelisting for your GitHub organizations as an additional method. You can use your VPN or office network CIDR for this.
Note: You need to use GitHub Enterprise for IP whitelisting option.
9. Scan your repositories regularly
Regular code scanning provides vulnerabilities to be detected and remediate as soon as possible. For your GitHub repositories, you can use the code scanning feature in GitHub or you can use third-party sources such as SonarQube. Scanning your repositories regularly helps you to find and prioritize fixes for existing security vulnerabilities. It also prevents developers from creating new security problems. You can do this by defining new workflows, and new push/pull mechanisms. For example, when a new vulnerability is founded in code, your repository does not allow the committing.
10. Review your audit logs
GitHub audit log allows organizations to quickly review the actions performed by members of their organization. It includes details such as who performed the action, what the action was, and when it was performed. You should periodically review the audit log and make sure that there are no anomalous or suspicious activities.
GitHub is the world’s largest code management system, but still, are you sure if your code is being stored securely? In this blog, we’ve summarized 10 GitHub Security Best Practices for you. We also share some useful steps that you can use in these best practices. We hope you enjoyed it! You can start to implement these today to stay secure in GitHub!
Check out our Devops services to stay secure!
If you want to read more on this topic, feel free to check out the PurpleBox Blog Section.