A list of important security checks for GitHub individual and organization accounts

github-security-checklist

A list of important security checks for GitHub individual and organization accounts. List items which are considered required are bolded; list items which are considered recommended are italicized.

Individual settings

  • Set a strong password: Use a strong, random password generated by a password manager and never reused on another site. A good benchmark is 20 or more characters of mixed-case letters and digits.
    Personal settings → Account → Change password
  • Enable 2FA: Turn on two-factor authentication. The strongest form of 2FA is a hardware security key (U2F/FIDO2); an authenticator app (TOTP) is the next best choice, and SMS the weakest.
    Personal settings → Security → Two-factor authentication
  • Back up your 2FA recovery codes: Store your recovery codes in a safe place (for example, your password manager or an offline copy), or you may be locked out of your GitHub account permanently.
    Personal settings → Security → Two-factor authentication
  • Enable Vulnerability Alerts
    Personal settings → Notifications → Vulnerability alerts (check both "Email" and "Web")
  • Audit SSH keys regularly: SSH keys are an alternative to username/password authentication for Git operations against your GitHub account. An attacker with temporary access to your account could add an SSH key as a persistent backdoor. Check the list of keys on your account at least monthly, review when each was last used, and revoke any not in regular use.
    Personal settings → SSH and GPG keys
  • Securely store your SSH keys: Only keep GitHub-related SSH private keys on computers you consider reasonably secure. Do not reuse the same key for GitHub authentication and other purposes. Protect each private key with a strong passphrase. An attacker who obtains one of your listed private keys can push to your repositories without any further authentication secret, since SSH access does not pass through 2FA.
    Personal settings → SSH and GPG keys
  • Add a dedicated GPG key for signing commits: All users should have a GPG key to cryptographically sign commits, and should configure Git to sign commits by default so that an unsigned commit under their name stands out. Keys should be stored securely.

    References:
    Adding a new key to your GitHub account
    Advanced guide

    Personal settings → SSH and GPG keys
  • Do not set a fallback SMS number: SMS is a weak second factor; most mobile providers are vulnerable to number porting (SIM swap) attacks, and a fallback number lets an attacker bypass your security key or authenticator app.
    Personal settings → Security → Two-factor authentication
  • Only install OAuth apps you trust: Authorize only OAuth apps you trust, for the minimum time you need them, and remove apps no longer in use. Review the scopes each app requests to make sure they are appropriate; OAuth apps can read or write account data including commit status, deployments, gists, webhooks, notifications, etc. A full list of the kinds of data that can be accessed is available here. Rogue apps can exfiltrate data and modify account data. Note: many apps only need to identify your GitHub account, and so require merely read-only access to your email address. More documentation
    Personal settings → Applications → Authorized OAuth Apps
  • Use a secure email provider for your primary email address: Your primary email address is part of the account recovery and password-reset process, so it is important this address is secure. Providers such as Gmail and ProtonMail offer 2FA. A personal Gmail account enrolled in Google's Advanced Protection Program is best; consider creating a Gmail account for this dedicated purpose, e.g. myname-github@gmail.com
    Personal settings → Emails
  • Make email addresses private: Set all of your email addresses to private, for better protection against social engineering and targeted phishing.
    Personal settings → Emails
  • Allow exposing email via command line: GitHub can block command-line pushes whose commits carry one of your private email addresses. If you leave that block enabled, such pushes to public repos are rejected; rather than allowing your real address to be exposed, set your Git author email to the noreply address GitHub provides on the Emails page so you can still publish changes.
    Personal settings → Emails
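The two SSH-key items above (auditing the key list and keeping only keys you still use) can be turned into a repeatable check. The script below is an added example, not code from this checklist repository: it takes the key list as you would transcribe it from Personal settings → SSH and GPG keys (title, public-key line, and the "last used" date shown there; that date is an assumed field, since `GET /user/keys` returns `created_at` but not last use), verifies that each key line's declared type matches the type embedded in its blob, computes the SHA256 fingerprint GitHub displays (the same value `ssh-keygen -lf` prints, so you can match it against the `.pub` files on your machines), and flags obsolete DSA keys, short RSA moduli, and keys that are unused. The idle window and RSA minimum are this example's own policy choices, and the sample keys are constructed filler, not real keys.

```python
"""Audit the SSH keys listed on a GitHub account.

Added example, not code from the checklist repository. Input is the key
list as you would transcribe it from Personal settings -> SSH and GPG keys:
a title, the public-key line, and the "last used" date shown there (that
date is assumed here; GET /user/keys returns created_at but not last use).
"""
import base64
import hashlib
import struct
from datetime import date, timedelta


def _read_string(blob, offset):
    """Read one SSH wire-format string (uint32 big-endian length prefix)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def parse_public_key(line):
    """Return (algorithm, rsa_bits_or_None, fingerprint) for an OpenSSH key line.

    Raises ValueError when the declared type and the type embedded in the
    base64 blob disagree, which is what a hand-edited or tampered key looks like.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    declared, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    embedded, offset = _read_string(blob, 0)
    if embedded != declared.encode():
        raise ValueError(f"type mismatch: {declared} vs {embedded.decode(errors='replace')}")
    bits = None
    if declared == "ssh-rsa":
        _, offset = _read_string(blob, offset)      # public exponent e
        modulus, _ = _read_string(blob, offset)     # modulus n (mpint)
        bits = int.from_bytes(modulus, "big").bit_length()
    # GitHub shows the SHA256 fingerprint as unpadded base64 of sha256(blob),
    # the same value `ssh-keygen -lf key.pub` prints.
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return declared, bits, fingerprint


def audit_keys(entries, today, max_idle_days=30, min_rsa_bits=2048):
    """Return [(title, reason)] for keys that should be revoked or replaced.

    The idle window and RSA minimum are this example's own policy, not GitHub's.
    """
    findings = []
    for entry in entries:
        title = entry["title"]
        try:
            alg, bits, _fp = parse_public_key(entry["key"])
        except (ValueError, struct.error) as exc:
            findings.append((title, f"malformed key: {exc}"))
            continue
        if alg == "ssh-dss":
            findings.append((title, "DSA keys are obsolete"))
        elif alg == "ssh-rsa" and bits < min_rsa_bits:
            findings.append((title, f"RSA modulus only {bits} bits"))
        last_used = entry.get("last_used")
        if last_used is None:
            findings.append((title, "never used"))
        elif today - date.fromisoformat(last_used) > timedelta(days=max_idle_days):
            findings.append((title, f"unused since {last_used}"))
    return findings


def _fake_key_line(algorithm, *parts, declared=None):
    """Build a syntactically valid key line from constructed, non-secret material."""
    strings = (algorithm.encode(), *parts)
    blob = b"".join(struct.pack(">I", len(s)) + s for s in strings)
    return f"{declared or algorithm} {base64.b64encode(blob).decode()} example"


# Constructed sample entries; the key material is filler, not real keys.
SAMPLE_KEYS = [
    {"title": "laptop", "key": _fake_key_line("ssh-ed25519", b"\x01" * 32), "last_used": "2024-05-01"},
    {"title": "old-desktop", "key": _fake_key_line("ssh-ed25519", b"\x02" * 32), "last_used": "2023-11-20"},
    {"title": "ci-runner", "key": _fake_key_line("ssh-rsa", b"\x01\x00\x01", b"\x01" + bytes(127)), "last_used": "2024-05-02"},
    {"title": "unknown", "key": _fake_key_line("ssh-ed25519", b"\x03" * 32), "last_used": None},
    {"title": "tampered", "key": _fake_key_line("ssh-ed25519", b"\x04" * 32, declared="ssh-rsa"), "last_used": "2024-05-02"},
]


def audit_sample():
    """Run the audit over the constructed sample with a fixed reference date."""
    return audit_keys(SAMPLE_KEYS, today=date(2024, 5, 3))


if __name__ == "__main__":
    for title, reason in audit_sample():
        print(f"{title}: {reason}")
```

Run it against your own list and revoke everything it reports; a fingerprint that matches none of your `.pub` files is the backdoor case the checklist warns about and should be treated as an account compromise, not just a stale key.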

Organization settings

  • Organization admins must restrict third-party application access: Without this setting, every OAuth app authorized by any organization member has access to the organization's data, potentially giving a rogue application access to private repositories.
    Organization settings → Third-party application access
  • Organization admins must require 2FA for members: Enabling this removes members who have not set up 2FA from the organization, so warn them before turning it on.
    Organization settings → Security → Two-factor authentication
  • Restrict membership to least privilege: Organize members into teams, and grant each team only the permissions it needs on the specific repositories it works on. Restrict write and admin access to repositories wherever possible.
    People / Team settings
  • Organization admins must remove unwanted users: Admins should regularly audit membership lists to make sure permissions are still appropriate and that unwanted members are removed. Timely revocation of organization access should be part of the organization's exit process for contributors.
    People / Team settings
  • Organization admins should restrict default member privileges: Members can be allowed to create, delete, fork, and modify organization repositories; restrict these privileges to administrators. Set the base (default) repository permission for members to "None" and grant access explicitly through teams.
    Organization settings → Member privileges
  • Organization admins should audit webhooks: Review the organization's webhooks for signs of exfiltration: unfamiliar destination URLs, hooks subscribed to more events than they need, delivery over plain HTTP, disabled SSL verification, and hooks with no secret set (without a secret the receiver cannot authenticate deliveries).
    Organization settings → Webhooks
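The webhook audit above is easy to automate once you have the hook list. The script below is an added example, not code from this checklist repository: each hook is a dict shaped like one entry of GitHub's `GET /orgs/{org}/hooks` response (`id`, `active`, `events`, and `config` with `url`, `content_type`, `insecure_ssl` as a string where "1" disables certificate checks, and `secret`, which the API returns redacted when one is configured and omits otherwise). It flags delivery to hosts outside an allowlist, plain-HTTP delivery, disabled certificate verification, missing secrets, wildcard event subscriptions, and inactive hooks that are still stored. The allowlist and the sample hooks are constructed for this example.

```python
"""Review an organization's webhooks for exfiltration and weak delivery settings.

Added example, not code from the checklist repository. Each hook is a dict
shaped like one entry of GitHub's GET /orgs/{org}/hooks response: `id`,
`active`, `events`, and `config` with `url`, `content_type`, `insecure_ssl`
(a string, "1" disables certificate checks) and `secret` (returned redacted
when one is configured, absent otherwise). The allowlist of destination
hosts and the sample hooks are constructed for this example.
"""
from urllib.parse import urlparse

# Assumed allowlist: the hosts this organization actually delivers hooks to.
ALLOWED_HOSTS = {"ci.example.com", "hooks.slack.com"}


def review_hook(hook, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of findings (strings) for one active organization webhook."""
    findings = []
    cfg = hook.get("config", {})
    url = cfg.get("url", "")
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        findings.append(f"delivers over {parsed.scheme or 'no scheme'}, not https")
    if host not in allowed_hosts:
        findings.append(f"unknown destination host {host or repr(url)}")
    if str(cfg.get("insecure_ssl", "0")) == "1":
        findings.append("TLS certificate verification disabled (insecure_ssl=1)")
    if not cfg.get("secret"):
        findings.append("no secret set; receiver cannot verify X-Hub-Signature-256")
    if "*" in hook.get("events", []):
        findings.append("subscribed to all events (*)")
    return findings


def review_hooks(hooks, allowed_hosts=ALLOWED_HOSTS):
    """Map hook id -> findings for every hook that needs attention."""
    report = {}
    for hook in hooks:
        if not hook.get("active", True):
            # An inactive hook delivers nothing, but its URL and secret are still stored.
            report[hook["id"]] = ["inactive; delete if no longer needed"]
            continue
        findings = review_hook(hook, allowed_hosts)
        if findings:
            report[hook["id"]] = findings
    return report


# Constructed sample: one healthy hook, one that looks like exfiltration,
# one with certificate checks disabled, one that is switched off.
SAMPLE_HOOKS = [
    {"id": 1, "active": True, "events": ["push", "pull_request"],
     "config": {"url": "https://ci.example.com/github", "content_type": "json",
                "insecure_ssl": "0", "secret": "********"}},
    {"id": 2, "active": True, "events": ["*"],
     "config": {"url": "http://203.0.113.7:8080/collect", "content_type": "json",
                "insecure_ssl": "0"}},
    {"id": 3, "active": True, "events": ["issues"],
     "config": {"url": "https://hooks.slack.com/services/T000/B000/example",
                "content_type": "json", "insecure_ssl": "1", "secret": "********"}},
    {"id": 4, "active": False, "events": ["push"],
     "config": {"url": "https://ci.example.com/old", "content_type": "json",
                "insecure_ssl": "0", "secret": "********"}},
]


if __name__ == "__main__":
    for hook_id, findings in review_hooks(SAMPLE_HOOKS).items():
        print(f"hook {hook_id}:")
        for finding in findings:
            print(f"  - {finding}")
```

Hook 2 in the sample is the exfiltration pattern worth recognizing: every event in the organization delivered over plain HTTP to a bare IP address nobody on the team set up. Run the same review over repository-level webhooks too, since the organization page does not list those.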

About this doc

Securing your GitHub account helps keep users of your repositories safe, as well as protecting any GitHub organizations you belong to.

Please provide feedback! https://github.com/kristovatlas/github-security-checklist/issues