
Free Course Explores GitHub Security Posture With Open-Source Project GitGat

November 4, 2022 | November 29th, 2022 | Contributed

GitHub is one of the most popular source-control systems in the world. It stores software source code, build scripts, IaC (Infrastructure as Code) scripts, and in some cases sensitive information such as credentials. Beyond that, your SCM is one of the potentially public-facing environments in which you develop your code, and as such it is a potential attack surface.

Almost every developer knows how to use GitHub, but not as many know how to properly secure their code repositories and environment. You may be surprised to find out that there are a lot of things you can do to protect your account, be it private or corporate, from the kind of attacks we’ve seen in the news lately. Since reading through pages of technical documentation isn’t for everybody, we’ve built a GitHub security posture report you could use easily and freely – GitGat.

GitGat is an open-source project built by Scribe Security. It’s written in Rego and evaluated with OPA (Open Policy Agent). You can run the report from a Docker container or clone the repository and run it locally. All you need is a PAT (Personal Access Token), and you can run it at any time. The report GitGat produces comes as either a JSON file or an MD file, and it doesn’t just tell you what you could do better – it offers practical suggestions, with links, for remediating whatever you choose to fix.

One of the cool things about GitGat is that we designed it to include a State – an editable definition file that allows you to pass information between different runs of the GitGat report. The State doesn’t just allow you to declare that a certain situation is acceptable to you and should no longer be mentioned in the report; it also allows you to track the changes you decided to make in your account or your organization. Another advantage of the State is that you can maintain multiple State files for the different repositories or organizations you are a member of.
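To make the idea of policy-as-code posture checks with a State file concrete, here is a small Rego policy added as an illustration. It is not GitGat’s own code, and the input schema, the State layout and the check names (`branch_protection`, `secret_scanning`) are assumptions made for the example: repositories that fail a check become findings, findings the State marks as accepted are suppressed, and only the remainder reaches the report together with a remediation hint.

```rego
package gitgat_example

import future.keywords.contains
import future.keywords.if
import future.keywords.in

# Constructed sample of what a collector might fetch from the GitHub API.
# The field names are an assumption for this example, not GitGat's schema.
repos := [
	{"name": "api-server", "private": true, "default_branch_protected": true, "secret_scanning": true},
	{"name": "infra-scripts", "private": true, "default_branch_protected": false, "secret_scanning": false},
	{"name": "docs", "private": false, "default_branch_protected": false, "secret_scanning": false},
]

# Constructed State file (assumed layout): findings the owner has reviewed
# and accepted, keyed by repository name, so they are not reported again.
state := {"accepted": {"docs": {"branch_protection"}}}

# Remediation hint per check, mirroring the "what to do about it" part of a report.
remediation := {
	"branch_protection": "Enable branch protection on the default branch",
	"secret_scanning": "Enable secret scanning for this private repository",
}

# Raw findings: every repository whose default branch is unprotected.
finding contains {"repo": r.name, "check": "branch_protection"} if {
	some r in repos
	not r.default_branch_protected
}

# Raw findings: private repositories without secret scanning.
finding contains {"repo": r.name, "check": "secret_scanning"} if {
	some r in repos
	r.private
	not r.secret_scanning
}

# Findings suppressed by the State. If a repo has no entry in
# state.accepted the reference is undefined and the finding stays live.
accepted contains f if {
	some f in finding
	f.check in state.accepted[f.repo]
}

# The report: live findings only, each carrying its remediation hint.
report contains {"repo": f.repo, "check": f.check, "fix": remediation[f.check]} if {
	some f in finding
	not accepted[f]
}
```

Saved as `policy.rego`, `opa eval -d policy.rego 'data.gitgat_example.report'` yields the two infra-scripts findings, while the accepted docs finding is held back by the State.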

During Cybersecurity Awareness Month we thought it would be a good idea to make the GitGat project as accessible to the public as possible. We designed a short free course – LFD122x – intended not only to help you understand all the security features the GitGat report talks about, but also to show how best to use the report along with its State to continually monitor your GitHub account. The course even covers how to add a new module to the project if you’re so inclined.

We invite everyone to learn about GitHub’s security posture, SCM security best practices, and how to monitor them using the GitGat report. You’re invited to try out the course and, of course, visit the GitGat repository. Feel free to offer ideas, requests, or even help. This project is only getting started, and there are many exciting possibilities on the horizon. We’re excited to explore the potential with you.

Contributed by Barak Brudo, Developer Advocate at Scribe
