Source Code Management Platform Configuration Best Practices

by the Open Source Security Foundation (OpenSSF) Best Practices Working Group, 2023-08-29

Intro

Collaborative source code management platforms (such as GitHub and GitLab) play a critical role in modern software development, providing a central repository for storing, managing, and versioning source code as well as for collaborating with a community of developers. However, they also represent a security risk if not properly configured. This guide explores best practices for securing these platforms, covering user authentication, access control, permissions, monitoring, and logging. For additional guidance on selecting configurations that enable cross-organization collaboration, see the InnerSource Commons guidance section on InnerSource strategy for source code management platform configuration.

Audience

This guide has been written for the:

Tooling

Below is a non-exhaustive list of tools that can be used to assist in reviewing source code repositories.

Allstar - https://github.com/ossf/allstar

An open-source project from the OpenSSF that scans GitHub organizations for “repository level” misconfigurations. Allstar detects a subset of the “repository level” policies suggested by this document. It can be configured to scan all repositories in an organization or a subset of them, and supports the following SCMs:

Legitify - https://github.com/Legit-Labs/legitify

An open-source project from Legit Security that scans SCM assets to find misconfigurations, security issues, and unfollowed best practices. Legitify detects all policies suggested by this document and supports the following SCMs:

Scorecard - https://github.com/ossf/scorecard

An open-source project from the OpenSSF that scans repositories for security issues and provides security health metrics. Scorecard detects many of the “repository level” policies suggested by this document and supports the following SCMs:
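To make concrete what these scanners check at the “repository level”, here is a small policy evaluator over branch-protection settings. It is an example added to this guide, not the code of Allstar, Legitify, or Scorecard. It assumes the field names of the GitHub REST API response for branch protection (`required_pull_request_reviews`, `allow_force_pushes`, `enforce_admins`, and so on); the two sample payloads and the repository names are constructed for the example.

```python
"""Evaluate branch-protection settings against a small repository-level policy.

Added example for this guide; not code from Allstar, Legitify or Scorecard.
The input shape mirrors GitHub's
GET /repos/{owner}/{repo}/branches/{branch}/protection response
(field names assumed from that API); the sample payloads are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class BranchPolicy:
    """Minimum settings to require on the default branch."""
    min_approvals: int = 1
    dismiss_stale_reviews: bool = True
    block_force_pushes: bool = True
    block_deletions: bool = True
    require_signed_commits: bool = False   # optional; many projects opt in
    enforce_for_admins: bool = True
    require_status_checks: bool = True


def _enabled(section: dict | None) -> bool:
    """GitHub nests booleans as {"enabled": bool}; a missing section means off."""
    return bool(section and section.get("enabled", False))


def evaluate_branch_protection(protection: dict | None,
                               policy: BranchPolicy = BranchPolicy()) -> list[str]:
    """Return a list of findings; an empty list means the branch is compliant.

    `protection` is None when the API reports no protection rule at all
    (GitHub answers 404 "Branch not protected"), which is itself a finding.
    """
    if not protection:
        return ["no branch protection rule on the branch"]

    findings: list[str] = []

    # Absent "required_pull_request_reviews" means reviews are not required.
    reviews = protection.get("required_pull_request_reviews") or {}
    approvals = int(reviews.get("required_approving_review_count", 0))
    if approvals < policy.min_approvals:
        findings.append(f"required approving reviews is {approvals}, "
                        f"policy needs >= {policy.min_approvals}")
    if policy.dismiss_stale_reviews and not reviews.get("dismiss_stale_reviews", False):
        findings.append("stale approvals are not dismissed on new pushes")

    if policy.block_force_pushes and _enabled(protection.get("allow_force_pushes")):
        findings.append("force pushes are allowed")
    if policy.block_deletions and _enabled(protection.get("allow_deletions")):
        findings.append("branch deletion is allowed")
    if policy.require_signed_commits and not _enabled(protection.get("required_signatures")):
        findings.append("signed commits are not required")
    if policy.enforce_for_admins and not _enabled(protection.get("enforce_admins")):
        findings.append("rules are not enforced for administrators")
    # Absent or null "required_status_checks" means no checks gate a merge.
    if policy.require_status_checks and not protection.get("required_status_checks"):
        findings.append("no required status checks before merge")

    return findings


def scan_repositories(branches: dict[str, dict | None],
                      policy: BranchPolicy = BranchPolicy()) -> dict[str, list[str]]:
    """Map repo name -> protection payload; report only non-compliant repos."""
    report: dict[str, list[str]] = {}
    for repo, protection in branches.items():
        findings = evaluate_branch_protection(protection, policy)
        if findings:
            report[repo] = findings
    return report


# Constructed sample: a weakly protected default branch.
WEAK_PROTECTION = {
    "required_pull_request_reviews": {
        "required_approving_review_count": 0,
        "dismiss_stale_reviews": False,
    },
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": False},
    "required_signatures": {"enabled": False},
    "enforce_admins": {"enabled": False},
    "required_status_checks": None,
}

# Constructed sample: the same branch after the recommended settings are applied.
HARDENED_PROTECTION = {
    "required_pull_request_reviews": {
        "required_approving_review_count": 2,
        "dismiss_stale_reviews": True,
    },
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
    "required_signatures": {"enabled": True},
    "enforce_admins": {"enabled": True},
    "required_status_checks": {"strict": True, "contexts": ["ci/test"]},
}


if __name__ == "__main__":
    # Constructed organization: repository names are placeholders.
    org = {"org/weak": WEAK_PROTECTION,
           "org/hardened": HARDENED_PROTECTION,
           "org/unprotected": None}
    for repo, findings in scan_repositories(org).items():
        print(repo)
        for finding in findings:
            print("  -", finding)
```

In practice the payloads come from the platform API for every repository in the organization (which is the part Allstar, Legitify, and Scorecard automate); the evaluator shows the kind of per-repository decision they make and why a missing rule, not only a weak one, has to count as a finding.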

Recommendations

Each specific recommendation below is marked as applicable to GitHub, GitLab, or both by an appropriate icon and text, and is linked to the detailed best practice definition where available:

For recommendations applicable only to GitHub or only to GitLab, visit one of the following pages:

Continuous Integration / Continuous Deployment

Enterprise

Members, Access Control and Permissions

Repository

Operations

General Recommendations

Specific Recommendations

Acknowledgements

The following community members helped contribute to this guidance: