If you don’t follow GitHub security best practices, you put your repositories, codes, and data at risk.
A recent malware attack infected over 35,000 GitHub repositories. The attack is a great reminder of why it’s more crucial than ever to strengthen your security measures against current cyber threats.
While you can implement security plans and strategies with robust GitHub backup tools, it’s always a good idea to follow tried and tested ways to fortify your protection measures.
Follow the GitHub security tips below to level up the protection for your repositories, business-critical codes, and data.
1. Avoid storing your credentials as code or config (including confidential data) on GitHub
Keep sensitive data out of your repository to avoid compromising your sensitive information.
Use tools such as git-secrets to statistically analyze your commits (through a pre-commit Git Hook). It helps ensure you don’t push sensitive data or passwords into your GitHub repository.
The tool will reject commits that match configured regular expression patterns designed to spot sensitive information.
While it can slightly slow down pushes, it’s worth the trouble.
You can also use git-secrets in your CI/CD pipelines to actively break builds when sensitive data is found in a config file or code.
2. Implement tight access controls
Ensure your users follow practices and basic settings on GitHub and implement access controls to reduce unauthorized access to your repositories and data.
Implement these basic security and access control practices for your contributors:
- Never let users share any GitHub account details and passwords.
- Require two-factor authentication (2FA) on all contributors’ GitHub accounts.
- Ensure your administrators manage team access to your data. Provide only the necessary access to data your contributors need to do their work.
- Deploy security measures and apps on laptops, desktop computers, and other devices that have access to your source code.
- GitHub accounts are often personal, so ensure you revoke access to your repositories and GitHub backup from users no longer in your organization.
3. Remove sensitive files and confidential information stored in your GitHub history and files
If you have sensitive information in your GitHub repository, invalidate the previously public passwords and tokens.
Assume that any sensitive information that was public on the internet is already compromised, so act promptly and accordingly.
Remove the sensitive data from your GitHub repository and the changelogs that list your confidential information from the commits history.
Clearing your GitHub history when removing sensitive data from your repositories can reduce the chances of compromised information.
Ensure you do the same for your GitHub Enterprise backup.
4. Validate your GitHub apps carefully
Keep your repositories and data secure by considering these factors when choosing and installing GitHub apps:
- Validate that the organization or author behind the app is credible and legitimate before giving access to your repositories, whether the app is for automated code review or a GitHub backup service tool.
Apply a similar validation process when you bring in new committers.
- Assess why an app needs the access level it asks for and think about the potential damage it can cause if it has that level of access.
- Avoid giving applications more access rights or privileges than they require.
Mitigate the risks from third-party apps by not giving access to apps with a poor security posture.
A breach of the app’s code can give attackers access to your most sensitive assets and codes.
5. Include a SECURITY.md file
Add a SECURITY.md file to highlight the security-related information for your projects.
It gives users the necessary security information while compelling maintainers to think about the best way to handle security disclosures, general security practices, and updates.
The topics you can include in your SECURITY.md file are:
- Security update policy. Provide a well-defined process for sharing relevant information to your users, including the severity of a specific security vulnerability, its associated risks, and how users can move a fixed version of your code.
- Disclosure policy. Define the process for how users can fully disclose discovered security issues responsibly. Include information on who the users can contact and how.
- Known security gaps and future enhancements. Inform users of the security controls your project doesn’t currently have. Doing so ensures users know the whole story and make informed decisions on how they will use your project.
- Security-related configuration. Offer users suggested settings to help strengthen their security posture when deploying your project.
6. Rotate personal access tokens and SSH keys
GitHub access is usually via personal user tokens (instead of passwords when you enable 2FA) or SSH keys.
Refresh your tokens and keys regularly to secure them and mitigate potential damages that leaked or stolen keys might bring.
7. Utilize the appropriate GitHub offering that best fits your security needs
You might be restricted to software that only runs locally (depending on your organizational regulations and project).
The restrictions can also be on your source code’s storage location and the specific organizations that can access it.
As such, you’ll need a fully on-premise option, such as the GitHub Enterprise plan, to fully host repositories within your organization.
GitHub Enterprise allows you to disconnect from the internet but still have internal access to projects in your repositories while maintaining compliance with regulations.
8. Add security testing to Post Requests (PRs)
GitHub’s event-driven Git Hook framework lets you send HTTP POST requests to your preferred service when events are fired.
One of the most helpful for incremental code change testing is the pull_request event.
Static code analysis tools provide support to Git Hooks, so when a PR is created, an HTTP post gets fired to prompt testing on your latest updates.
It’s an excellent point in time to make sure the code and config changes align with your security expectations.
9. Audit codes you import into GitHub
Always perform a complete audit before importing to GitHub.
It may be a trivial task for smaller projects, but if you don’t do it before importing, it can take your DevOps teams weeks or months to do a full audit, update, and pull in everything to an open-source repository.
It can be more tedious and time-consuming once your codebase reaches a specific size.
10. Prioritize security when creating new projects
Always create your projects with security in mind.
Avoid hacking around and taking shortcuts to get your app up and running quickly since this can make you sloppy with sensitive information—whether it is stored locally in config or hardcoded.
Consider showing how you seed random numbers or relying on a secret algorithm to authorize input, even for closed-source projects.
You’ll likely write better and more secure code if others can see and potentially exploit your code.
Secure your GitHub data
Protect your GitHub codes and data and make your source code accessible and recoverable.
Robust protection measures can help secure your GitHub data and ensure your team can work seamlessly without interruptions during outages.
Also, following best practices to secure your GitHub data helps make sure you can always access your intellectual property and assets while maintaining a good reputation and customer trust.