GitHub is one of the most popular source-control systems in the world, hosting over 83 million developers, 4 million organizations, and more than 200 million code repositories. Yet, for all its versatility and strengths, it was not initially built with securing code in mind: its main objective is to facilitate collaboration between developers, both within one organization and across organizations. That said, you definitely can secure your projects on GitHub, but it requires some awareness, and a little more elbow grease on your part.
There are several platform features you should be aware of as you assess the security of your code on GitHub:
Public repositories – sometimes we unintentionally place secret information (like keys, tokens, or proprietary code) in a public repository. Remember that anyone on the internet can clone or fork such a repository, and automated scanners continuously watch public commits for leaked cloud credentials, so you might find strangers running workloads on your AWS account, and paying for it. Deleting the file in a later commit does not help: the secret stays in the commit history of every clone and fork, so treat any key that has ever been pushed to a public repository as compromised and rotate it.
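The point that removal is not revocation is easy to demonstrate. The scanner below is an added example written for this post, not code from the original article: it parses the text that `git log -p` produces and reports every commit whose added lines contain a credential-looking token. The sample log is constructed, and the regular expressions are illustrative assumptions rather than a complete rule set.

```python
"""Walk git history for leaked credentials.

Added example (not code from the original post). It parses ``git log -p``
output and reports every commit whose *added* lines contain a
credential-looking token. The sample log below is constructed; the regexes
are illustrative assumptions, not a complete rule set.
"""
import re
import subprocess

# Illustrative patterns (assumptions). A pattern with no capturing group
# reports the whole match; one capturing group reports just that group.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "aws_secret_assignment": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
}
COMMIT_RE = re.compile(r"^commit ([0-9a-f]{7,40})")


def redact(token):
    """Keep enough of the token to identify it without re-leaking it."""
    if len(token) <= 8:
        return "*" * len(token)
    return token[:4] + "..." + token[-4:]


def scan_log(log_text):
    """Return one finding per secret-looking token added by a commit."""
    findings = []
    commit = None
    for line in log_text.splitlines():
        header = COMMIT_RE.match(line)
        if header:
            commit = header.group(1)
            continue
        # Only '+' lines introduce content. '+++' is the file header, and
        # '-' lines are removals, which do not make a secret disappear.
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for kind, pattern in PATTERNS.items():
            for hit in pattern.finditer(line):
                token = hit.group(1) if hit.lastindex else hit.group(0)
                findings.append({"commit": commit, "kind": kind, "token": redact(token)})
    return findings


def commits_with_secrets(findings):
    """Set of commit hashes that must be treated as having leaked a secret."""
    return {f["commit"] for f in findings}


def scan_repo(path="."):
    """Run the scanner over a real checkout (needs git on PATH)."""
    log = subprocess.run(
        ["git", "-C", path, "log", "-p", "--all", "--no-color"],
        check=True, capture_output=True, text=True,
    ).stdout
    return scan_log(log)


# Constructed sample: commit 1a2b... adds AWS keys, the later commit 9f8e...
# removes them. The scanner still flags 1a2b..., because removal is not
# revocation. (The key values are AWS's documented placeholder examples.)
SAMPLE_LOG = """\
commit 9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b2a1f0e
Author: Dev <dev@example.com>

    Read credentials from the environment instead

diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,3 @@
-AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
-AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+import os
+AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]

commit 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b
Author: Dev <dev@example.com>

    Add S3 upload helper

diff --git a/config.py b/config.py
new file mode 100644
--- /dev/null
+++ b/config.py
@@ -0,0 +1,2 @@
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the scanner reports two findings, both in the older commit; the commit that "removed" the keys is clean, yet anyone who cloned the repository still has them. Run `scan_repo()` on a real checkout to walk every branch, and rotate anything it finds rather than rewriting history.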
Unprotected branches – GitHub lets you attach protection rules to selected branches (usually your main or release branches). These range from requiring pull-request reviews and passing status checks, to mandating signed commits and a linear commit history, to blocking force pushes and deletion. Without them, anyone with write access can push directly to main, rewrite its history, or delete it. It is a useful tool that makes your main branch much more resilient to both mistakes and deliberate tampering.
Signed commits – It is shockingly easy to impersonate a person on GitHub. Git records whatever name and email the committer configures, so anyone with push access can set a colleague's email and user name, and the resulting commit is attributed to that colleague's account. Signed commits include, as the name says, a cryptographic signature (GPG, SSH, or S/MIME) made with a key registered to the author's GitHub account, and GitHub marks such commits as "Verified". That means you can follow the commit history with more certainty that what you see is real and not a smokescreen put in place to obscure a malicious commit. Note the limits: a signature proves who holds the signing key, not that the change itself is safe, and an unsigned commit is only rejected if the branch protection rule requires signatures.
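Branch protection and the signature requirement are worth checking mechanically rather than by eye, since a single toggle (allowing force pushes, or exempting administrators) undoes the rest. The audit below is an added example, not code from the original post. It evaluates the JSON that GitHub's REST API returns for `GET /repos/{owner}/{repo}/branches/{branch}/protection` against a small baseline built from the protections listed above; the field names follow the public API documentation but are this example's assumption, and both sample rules are constructed.

```python
"""Audit a branch protection rule against a baseline.

Added example, not code from the original post. Evaluates the JSON returned
by ``GET /repos/{owner}/{repo}/branches/{branch}/protection`` (field names
as documented there; treat them as this example's assumption). A branch with
no rule at all is represented as ``None``. Sample rules are constructed.
"""
import json


def _enabled(protection, key):
    """Each toggle comes back as {"enabled": bool}; a missing key means off."""
    return bool(protection.get(key, {}).get("enabled", False))


def audit_protection(protection):
    """Return a list of weaknesses; an empty list means the baseline is met."""
    if protection is None:
        return ["no protection rule configured"]
    findings = []
    if not _enabled(protection, "required_signatures"):
        findings.append("signed commits are not required")
    if not _enabled(protection, "required_linear_history"):
        findings.append("linear history is not required")
    if _enabled(protection, "allow_force_pushes"):
        findings.append("force pushes are allowed")
    if _enabled(protection, "allow_deletions"):
        findings.append("branch deletion is allowed")
    if not _enabled(protection, "enforce_admins"):
        findings.append("administrators may bypass the rules")
    reviews = protection.get("required_pull_request_reviews")
    if not reviews or reviews.get("required_approving_review_count", 0) < 1:
        findings.append("no approving review is required")
    if reviews and not reviews.get("dismiss_stale_reviews", False):
        findings.append("stale approvals are not dismissed on new commits")
    checks = protection.get("required_status_checks")
    if not checks or not checks.get("strict") or not checks.get("contexts"):
        findings.append("status checks are missing or not required to be up to date")
    return findings


def audit_json(text):
    """Audit the raw API response; an unprotected branch answers with a
    404 whose body says "Branch not protected" (assumption about the API)."""
    data = json.loads(text)
    if "Branch not protected" in str(data.get("message", "")):
        return audit_protection(None)
    return audit_protection(data)


# Constructed: a rule that exists but protects very little.
WEAK = {
    "required_status_checks": {"strict": False, "contexts": []},
    "enforce_admins": {"enabled": False},
    "required_pull_request_reviews": {
        "required_approving_review_count": 0,
        "dismiss_stale_reviews": False,
        "require_code_owner_reviews": False,
    },
    "required_signatures": {"enabled": False},
    "required_linear_history": {"enabled": False},
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": False},
}

# Constructed: the same rule with every toggle set the way the baseline wants.
HARDENED = {
    "required_status_checks": {"strict": True, "contexts": ["ci/build"]},
    "enforce_admins": {"enabled": True},
    "required_pull_request_reviews": {
        "required_approving_review_count": 2,
        "dismiss_stale_reviews": True,
        "require_code_owner_reviews": True,
    },
    "required_signatures": {"enabled": True},
    "required_linear_history": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}

if __name__ == "__main__":
    for name, rule in (("weak", WEAK), ("hardened", HARDENED), ("none", None)):
        print(name, audit_protection(rule))
```

To run it against a real branch, feed it the API response, for example `gh api repos/OWNER/REPO/branches/main/protection`, piped into `audit_json`. The checks are independent on purpose: a repository can require reviews and still let an administrator force-push over them, and only the `required_signatures` toggle turns the "Verified" badge from a hint into an enforced rule.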
Two-factor authentication – organization owners can require that all members use 2FA; members and outside collaborators who have not enabled it are removed from the organization. It is a cheap measure that makes a stolen password far less useful for taking over an account and, through it, infiltrating the organization.
SSH and deploy keys – both exist to make it easy to connect to GitHub without a password. Unfortunately, what is easy for you is also easy for an attacker who obtains the private key. A personal SSH key carries the full access of the account it belongs to; a deploy key is scoped to a single repository, but grants write access if you enable it. Both tend to sit forgotten on build servers and in CI images, unrotated for years and shared with people who should not have them. Keep deploy keys read-only unless writing is required, rotate keys on a schedule and whenever someone leaves, and protect the private halves like any other secret.
Having too many Admins – Admin permission on GitHub is treated by many people as a silver bullet for almost any access problem. The result is teams in which almost every member is an Admin. Since an Admin can change branch protection, add collaborators, manage keys and webhooks, and delete the repository, you should grant the role with more care: give most contributors Write (or Maintain) instead, pick and choose your Admins, and revoke Admin access as soon as it is no longer required.
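Key hygiene and admin sprawl are the two items above that drift silently, so they are worth auditing from the API on a schedule. The script below is an added example, not code from the original post. It reads the JSON shapes returned by `GET /repos/{owner}/{repo}/collaborators` (each entry carries a `login` and a `permissions` object with an `admin` flag) and `GET /repos/{owner}/{repo}/keys` (each deploy key has `title`, `read_only` and `created_at`); the field names follow the public documentation but are this example's assumption, the thresholds are policy choices, and all sample data is constructed.

```python
"""Audit repository admins and deploy keys.

Added example, not code from the original post. Reads the JSON returned by
``GET /repos/{owner}/{repo}/collaborators`` and ``GET /repos/{owner}/{repo}/keys``
(field names per the public docs; treat them as this example's assumption).
Thresholds are policy assumptions; all sample data is constructed.
"""
from datetime import datetime, timezone

MAX_ADMINS = 2          # how many repository admins is "enough" (assumption)
MAX_KEY_AGE_DAYS = 90   # rotation interval for deploy keys (assumption)


def admin_logins(collaborators):
    """Logins that hold the Admin role, sorted for stable reporting."""
    return sorted(c["login"] for c in collaborators
                  if c.get("permissions", {}).get("admin", False))


def _parse_ts(ts):
    # GitHub timestamps look like 2011-01-26T19:01:12Z
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def stale_deploy_keys(keys, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Keys older than the rotation interval, as (title, age_days, read_only)."""
    stale = []
    for key in keys:
        age_days = (now - _parse_ts(key["created_at"])).days
        if age_days > max_age_days:
            stale.append((key["title"], age_days, key.get("read_only", False)))
    return stale


def writable_deploy_keys(keys):
    """Deploy keys that can push, i.e. whose compromise means code injection."""
    return [key["title"] for key in keys if not key.get("read_only", False)]


def audit_repo(collaborators, keys, now,
               max_admins=MAX_ADMINS, max_age_days=MAX_KEY_AGE_DAYS):
    """One finding per policy violation; empty list means the repo is clean."""
    findings = []
    admins = admin_logins(collaborators)
    if len(admins) > max_admins:
        findings.append(f"{len(admins)} admins exceed the limit of {max_admins}: "
                        + ", ".join(admins))
    for title, age_days, _ in stale_deploy_keys(keys, now, max_age_days):
        findings.append(f"deploy key '{title}' is {age_days} days old; rotate it")
    for title in writable_deploy_keys(keys):
        findings.append(f"deploy key '{title}' has write access; make it read-only if possible")
    return findings


def _collab(login, admin):
    # Constructed collaborator entry in the API's shape (only the fields used).
    return {"login": login, "role_name": "admin" if admin else "write",
            "permissions": {"admin": admin, "push": True, "pull": True}}


SAMPLE_COLLABORATORS = [
    _collab("alice", True), _collab("erin", False), _collab("bob", True),
    _collab("carol", True), _collab("dave", True),
]

SAMPLE_KEYS = [  # constructed deploy keys
    {"id": 1, "title": "ci-deploy", "read_only": False, "created_at": "2020-01-15T08:00:00Z"},
    {"id": 2, "title": "docs-pull", "read_only": True, "created_at": "2022-05-20T12:00:00Z"},
    {"id": 3, "title": "legacy-build", "read_only": True, "created_at": "2019-03-03T00:00:00Z"},
]

NOW = datetime(2022, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample

if __name__ == "__main__":
    for finding in audit_repo(SAMPLE_COLLABORATORS, SAMPLE_KEYS, NOW):
        print(finding)
```

Against the sample the audit reports four problems: four admins where two would do, two deploy keys past their rotation date, and one of those keys able to push. Fetch real input with `gh api repos/OWNER/REPO/collaborators` and `gh api repos/OWNER/REPO/keys` and pass `datetime.now(timezone.utc)` as the clock; the `id` field is what you would hand to the delete-key endpoint once a stale key has been replaced.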
The bottom line is that your code on GitHub is only as secure as you make it. Do not trust the platform to do it for you. Invest some time and energy into reading the GitHub documentation before you decide what steps, if any, you need to take in order to protect your repositories.
Contributed by Barak Brudo, Developer Advocate at Scribe.