GitHub Configuration Best Practices

Intro

GitHub is a collaborative source code management platform that plays a critical role in modern software development, providing a central repository for storing, managing, and versioning source code and for collaborating with a community of developers. However, it also represents a security risk if it is not properly configured: a weak organization, repository, or CI/CD setting can expose private code or let an attacker introduce changes into the software supply chain. In this guide, we explore best practices for securing GitHub, covering user authentication, access control, permissions, monitoring, logging, and the integration of security tools.

Audience

This guide has been written for the:

Recommendations

Continuous Integration / Continuous Deployment

  1. Workflows Should Not Be Allowed To Approve Pull Requests
  2. GitHub Actions Should Be Restricted To Selected Repositories
  3. GitHub Actions Should Be Limited To Verified or Explicitly Trusted Actions
  4. Default Workflow Token Permission Should Be Read Only
  5. Runner Group Should Be Limited to Private Repositories
  6. Runner Group Should Be Limited to Selected Repositories

Enterprise

  1. Two-Factor Authentication Should Be Enforced For The Enterprise
  2. Enterprise Should Not Allow Members To Change Repository Visibility
  3. Enterprise Should Not Allow Members To Create Public Repositories
  4. Enterprise Should Not Allow Members To Invite Outside Collaborators
  5. Enterprise Should Use Single-Sign-On
  6. Enterprise Should Not Allow Members To Fork Internal And Private Repositories

Members, Access Control and Permissions

  1. Organization Should Have Fewer Than Three Owners
  2. Organization Admins Should Have Activity In The Last 6 Months
  3. Organization Members Should Have Activity In The Last 6 Months

Organizational Management

  1. Two-Factor Authentication Should Be Enforced For The Organization
  2. Default Member Permissions Should Be Restricted
  3. Only Admins Should Be Able To Create Public Repositories
  4. Organization Should Use Single-Sign-On
  5. Webhooks Should Be Configured To Use SSL
  6. Webhooks Should Be Configured With A Secret

Repository

  1. Repository Should Be Updated At Least Quarterly
  2. Workflows Should Not Be Allowed To Approve Pull Requests
  3. Default Branch Should Require Code Review
  4. Default Branch Should Require Linear History
  5. Default Workflow Token Permission Should Be Set To Read Only
  6. OSSF Scorecard Score Should Be Above 7
  7. Default Branch Should Require Code Review By At Least Two Reviewers
  8. Default Branch Should Require All Checks To Pass Before Merge
  9. Default Branch Should Require Branches To Be Up To Date Before Merge
  10. Default Branch Should Not Allow Force Pushes
  11. Default Branch Should Be Protected
  12. Default Branch Deletion Protection Should Be Enabled
  13. GitHub Advanced Security – Dependency Review Should Be Enabled For A Repository
  14. Vulnerability Alerts Should Be Enabled
  15. Forking Should Not Be Allowed For This Repository
  16. Default Branch Should Require All Conversations To Be Resolved Before Merge
  17. Webhooks Should Be Configured With A Secret
  18. Default Branch Should Require All Commits To Be Signed
  19. Default Branch Should Require New Code Changes After Approval To Be Re-Approved
  20. Default Branch Should Restrict Who Can Push To It
  21. Repository Should Have Fewer Than Three Admins
  22. Default Branch Should Limit Code Review To Code-Owners
  23. Default Branch Should Restrict Who Can Dismiss Reviews
  24. Webhooks Should Be Configured To Use SSL
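Most of the Continuous Integration / Continuous Deployment and Repository recommendations above map directly onto fields that the GitHub REST API returns for a repository. The following script is an added example, not code from the original guide or from any tool it describes: it evaluates constructed JSON samples against those checks. The input shapes are assumed to mirror three endpoints, `GET /repos/{owner}/{repo}/branches/{branch}/protection`, `GET /repos/{owner}/{repo}/actions/permissions/workflow` and `GET /repos/{owner}/{repo}`; the sample objects are made up for the example and not fetched from GitHub, so in practice you would replace them with real API responses.

```python
"""Audit GitHub settings against the CI/CD and Repository checks above.

Added example, not part of the original guide. Inputs are assumed to mirror
the JSON returned by three GitHub REST endpoints (not fetched here):
  GET /repos/{owner}/{repo}/branches/{branch}/protection
  GET /repos/{owner}/{repo}/actions/permissions/workflow
  GET /repos/{owner}/{repo}
The WEAK_* samples below are constructed for the example.
"""
from datetime import datetime, timedelta, timezone


def _enabled(obj, key):
    """Read the {"enabled": bool} sub-object GitHub uses for most toggles."""
    return bool((obj.get(key) or {}).get("enabled", False))


def _parse_ts(value):
    """Parse a GitHub timestamp such as 2023-01-01T00:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_branch_protection(protection):
    """Map each default-branch recommendation to True (pass) or False (fail).

    `protection` is the branch-protection JSON, or None when the branch is
    unprotected (the API answers 404 in that case).
    """
    if protection is None:
        return {"Default Branch Should Be Protected": False}
    reviews = protection.get("required_pull_request_reviews") or {}
    checks = protection.get("required_status_checks") or {}
    return {
        "Default Branch Should Be Protected": True,
        "Default Branch Should Require Code Review": bool(reviews),
        "Default Branch Should Require Code Review By At Least Two Reviewers":
            reviews.get("required_approving_review_count", 0) >= 2,
        "Default Branch Should Require New Code Changes After Approval To Be Re-Approved":
            bool(reviews.get("dismiss_stale_reviews")),
        "Default Branch Should Limit Code Review To Code-Owners":
            bool(reviews.get("require_code_owner_reviews")),
        "Default Branch Should Restrict Who Can Dismiss Reviews":
            "dismissal_restrictions" in reviews,
        "Default Branch Should Require All Checks To Pass Before Merge":
            bool(checks.get("contexts")),
        "Default Branch Should Require Branches To Be Up To Date Before Merge":
            bool(checks.get("strict")),
        "Default Branch Should Require Linear History": _enabled(protection, "required_linear_history"),
        "Default Branch Should Not Allow Force Pushes": not _enabled(protection, "allow_force_pushes"),
        "Default Branch Deletion Protection Should Be Enabled": not _enabled(protection, "allow_deletions"),
        "Default Branch Should Require All Conversations To Be Resolved Before Merge":
            _enabled(protection, "required_conversation_resolution"),
        "Default Branch Should Require All Commits To Be Signed": _enabled(protection, "required_signatures"),
        # "restrictions" is only present when push access is limited to named users/teams/apps
        "Default Branch Should Restrict Who Can Push To It": "restrictions" in protection,
    }


def check_actions_permissions(workflow_perms):
    """Checks for the repository's Actions workflow permissions."""
    return {
        "Default Workflow Token Permission Should Be Set To Read Only":
            workflow_perms.get("default_workflow_permissions") == "read",
        "Workflows Should Not Be Allowed To Approve Pull Requests":
            not workflow_perms.get("can_approve_pull_request_reviews", False),
    }


def check_repository(repo, now_iso=None):
    """Checks on the repository object; `now_iso` overrides the clock for reproducible runs."""
    now = _parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    return {
        "Repository Should Be Updated At Least Quarterly":
            now - _parse_ts(repo["pushed_at"]) <= timedelta(days=90),
        "Forking Should Not Be Allowed For This Repository": not repo.get("allow_forking", True),
    }


def failing(results):
    """Return the names of the recommendations that did not pass, sorted."""
    return sorted(name for name, ok in results.items() if not ok)


# Constructed samples: a weakly configured repository.
WEAK_PROTECTION = {
    "required_pull_request_reviews": {"required_approving_review_count": 1,
                                      "dismiss_stale_reviews": False,
                                      "require_code_owner_reviews": False},
    "required_status_checks": {"strict": False, "contexts": ["ci/build"]},
    "required_linear_history": {"enabled": False},
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": True},
    "required_conversation_resolution": {"enabled": False},
    "required_signatures": {"enabled": False},
}
WEAK_WORKFLOW = {"default_workflow_permissions": "write", "can_approve_pull_request_reviews": True}
WEAK_REPO = {"default_branch": "main", "allow_forking": True, "pushed_at": "2023-01-01T00:00:00Z"}

if __name__ == "__main__":
    results = {**check_branch_protection(WEAK_PROTECTION),
               **check_actions_permissions(WEAK_WORKFLOW),
               **check_repository(WEAK_REPO)}
    for name in failing(results):
        print("FAIL:", name)
```

Each check returns a plain pass/fail keyed by the recommendation title, so the output can be fed to a ticketing or policy-as-code pipeline unchanged; an unprotected branch short-circuits to a single failure because the other default-branch checks are meaningless without a protection rule.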

Operations

General Recommendations

Specific Recommendations