GitHub is an extremely popular source code management system that sits at the heart of many organizations’ software supply chains. It is used by software developers globally, allowing them to better manage their source code.
GitHub is designed to streamline source code and IP management, making it a one-stop shop for developers and teams looking to store everything in one place—but that also increases your security risks. As a result, securing GitHub should be a priority for every organization that implements it.
Why Maximizing Your GitHub Security Is More Important Than Ever
As GitHub continues to grow in popularity as an industry standard SCM, it’s becoming a larger target for hackers and other cyber criminals looking to attack vulnerable organizations. Inexperienced users can easily misconfigure Github, which makes it easy for malicious actors to access your deployment, exploit your code and leak sensitive data.
GitHub has a few inherent security risks that all organizations should be aware of, such as:
- GitHub is intended to be both powerful and flexible. This wide range of options, however, opens the door to a significant risk of human error resulting in insecure GitHub configurations.
- GitHub does not provide secure default configurations for many features across the platform. This lack of heightened security can introduce a wide range of risk for less diligent or inexperienced GitHub users and administrators.
Security breaches create numerous headaches for organizations and their customers and can lead to negative press and serious consequences. Instead of dealing with security failures after the fact, you should take the necessary proactive steps to protect your software supply chain:
Key terms to know:
- Source Code Management (SCM). Software code management is the process used by organizations to manage all changes to their source code. This is sometimes done using software code management systems, like GitHub.
- Code Repository. A code repository is a library or archive that stores code, documentation, and other information relevant to your software development project. Repositories (or repos for short) can be either public or private.
- SDLC. The SDLC, or software development lifecycle, describes the process used to create new software. It has several stages, including planning, analysis, design, implementation, and maintenance.
- Data breach. A data breach is a cyber security violation that occurs when an unauthorized actor copies, transmits, views, steals, or alters sensitive, protected, or confidential data.
- Access management. Access management allows you to control who can gain access to certain applications, data or systems. Typically, software access management involves specific policies and protocols to protect critical data from unauthorized users.
- Insecure configurations. Insecure configurations are mistakes or flaws in the setup of certain software or systems. They can make your system vulnerable to bad actors, making it easier for them to compromise your data.
- Software supply chain attack. This type of attack occurs when a hacker or malicious actor compromises any component within your software supply chain. They can employ a broad range of tactics, including malware attacks, phishing, or other cybersecurity threats.
- Artifacts. An artifact is something produced as a byproduct of software development, like a database or documentation. They are used to help software developers track the development process. Other types of software artifacts describe the function and design of software.
- CI/CD. CI/CD is a coding philosophy and set of practices that introduces ongoing automation and continuous monitoring throughout an app’s lifecycle, from development to deployment. CI stands for continuous integration, while CD stands for continuous delivery and/or continuous deployment, depending on the level of automation.
- Security control tools. These tools help to protect hardware, software, networks, and data against nefarious actors and cyber threats. Security control tools include (but are not limited to) usernames and passwords, two-factor authentication, antivirus software, and firewalls.
- Forks. Forks occur when existing source code is copied and used to develop a new piece of software.
- Secrets in source code. Secrets in source code are sensitive data such as passwords, access keys, and API tokens can very easily make their way into code repositories, increasing the risk of a breach.
GitHub Security: Hackers in the Headlines
While GitHub is a valuable tool for organizations of all sizes, security needs to be prioritized—otherwise, the results can be devastating.
If organizations are not careful about how they configure GitHub, it can lead to widespread security vulnerabilities that result in damaging attacks and/or compromised data. Let’s take a look at several organizations that have suffered the consequences of these vulnerabilities.
Google & Apache
Google and Apache both had code repositories with untrusted artifacts in a GitHb environment—the type of untrusted artifact that can allow hackers to take control. Though Google and Apache were able to identify and resolve the problem, it’s an inherent risk when using GitHub.
To protect against this same vulnerability, restrict GitHub permissions, using Actions output parameters, double-check that the triggering workflow isn’t part of a forked repository, and never write untrusted input data to the environment file.
OAuth Tokens
In April 2022, GitHub Security announced that Oauth access tokens issued to Heroku and Travis-CI were compromised. The compromised user tokens were used to download the private repositories of several organizations using OAuth applications.
GitHub discovered the attack and revoked the access tokens, also disclosing the information to the appropriate parties. This type of attack, however, can compromise an organization’s entire software supply chain, and organizations must be vigilant about how they use and secure GitHub to prevent vulnerabilities.
Enabling OAuth App access restrictions, regularly reviewing authorized applications, and maintaining a secrets-free codebase can help you mitigate unnecessary risks and keep your organization protected.
Attempted Attacks & Vulnerabilities
GitHub has also been the victim of several high-profile almost-hacks. In August 2022, 35,000 of GitHub’s most popular repositories were cloned—with malicious code inserted. Though none of that code ended up in the original repositories, it was a potentially disastrous situation that would have had a huge impact if left unnoticed.
Previously, GitHub’s required reviewers' capability could be bypassed during code review. It allowed any code reviewer to submit potentially malicious code during the review process. Though GitHub has since resolved this issue, it showcases that vigilance and added security measures should be put in place to help avoid cyber attacks that may be discovered in the future.
Key terms to know:
- Malicious code injection. This type of cyber attack occurs when a hacker identifies and exploits an input validation flaw, like a user input field, to inject malicious code into an application.
- Source code theft. If a hacker gains access to your source code through theft or a leak, it allows them to modify the code. They can then expose your proprietary code, exploit sensitive data, or compromise your application.
- Environment variables. GitHub environmental variables allow you to customize GitHub Actions with different information, which makes it possible to set up secretswithin your repository.
- Spoofing. Spoofing is a type of cyber attack that involves providing fake information, like an email or personal information, that prompts a user to reveal sensitive data. For example, a hacker can pretend to be someone the victim knows, leading them to provide passwords or other secrets.
- Untrusted data. Publically available data that has not been verified as secure and can be manipulated, like from a database or online service, is considered untrusted data.
- Branch protection. According to GitHub, their branch protection rules “disable force pushes to the matching branches and prevent the matching branches from being deleted.”
- Pull request hijacking. This type of cyber attack occurs when code reviewers insert malicious code into pull requests made during the code review process.
- OAuth access tokens. OAuth access tokens allow users to prove their identity and make API requests to the server. They are used in place of passwords.
GitHub Security Basics
Although GitHub has known vulnerabilities, it can still be configured to be secure. Adjusting your repository’s settings and implementing certain procedures and protocols can help you protect your GitHub deployment against hacks and leaks.
Access Management
Controlling who has access to your repository is the first integral step to keeping it secure. You can determine who can view code by clicking “Change visibility,” and can manage access permissions by clicking “Manage access.” You should follow the principle of least privilege to keep your repository as secure as possible, and you should also regularly rotate through passwords or personal access tokens.
Code Scanning
In GitHub, you can set up code scanning to help you identify any vulnerabilities in your code repository using either CodeQL or a third-party tool. On your repository homepage, click Settings, and then “Code security and analysis” and use the default settings. If you want a more sophisticated setup, you can customize your code scanning as well.
Monitor for Sensitive Data
Because of GitHub’s existing vulnerabilities, you should never store sensitive data or secrets in your repository. Regularly perform audits to determine if anything slipped through the cracks and if it has, be sure to take the proper steps to remediate. For example, invalidate all tokens and passwords, remove the info from both the repository and the history, and determine if any other data was compromised.
Security Policies
Implementing security measures is the first step—but creating a security policy SECURITY.md file for your repository is a must to keep security measures in place. You can create a file in your repository that details your policy and allows users to report any vulnerabilities they uncover. In GitHub, click “Security” from the main repository page, then select “Security policy.” Click “Start setup,” and add all of your relevant information.
Monitor Apps from the GitHub Marketplace
The GitHub marketplace is filled with useful apps—but keep in mind that these are all third-party applications not created by GitHub. Validate all applications before sharing access to your repository to ensure that only trusted users can access your code.
Despite GitHub’s vulnerabilities, taking these steps can help you protect your code against malicious actors and ensure your data remains secure.
Key terms to know:
- First-time contributor. A first-time contributor is someone who has never before made a pull request on GitHub. First-time contributors should review the First Contributions tutorial before getting started.
- Crawlers. The GitHub Crawler is useful for collecting information about an organizations GitHub repositories, particularly those that have moved to a microservices architecture and have seen their number of repositories grow significantly. According to GitHub, their crawler “aims at automating the information gathering, by crawling an organization’s repositories through GitHub API.”
- Branch protection rule: A branch protection rule protects important branches in a repository by enforcing certain workflows or requirements that a collaborator must act upon/meet before pushing a change.
- Personal branch. A personal branch is a cloned line of development that exists independently from the repository. According to GitHub, branches allow you to safely develop new features, fix bugs, and safely experiment with new ideas.
- SAST. SAST, or static application security testing, is a method of identifying security vulnerabilities within an application’s source code.
- SCA. SCA, or software composition analysis, allows you to identify an application’s open-source code. SCA tools are designed to help you manage the open-source components and assess any associated security risks.
- Vulnerability scanner. A vulnerability scanner is a program that allows you to monitor your networks and applications for any security risks.
- Third-party code. Third-party code is open-source or commercial code that is written outside of your organization. It is usually available via an open-source license or through an OEM or licensing agreement with a vendor.
- Git hooks. Git hooks are scripts that are triggered by particular actions within a Git repository. There are two types of git hooks: client-side hooks and server-side hooks.
GitHub Security (Advanced) Best Practices
Why stop with the basics? Once you have your GitHub security foundation in place, take a few additional steps to protect your organization even further.
Restrict Access. Access management is an integral part of any SSDLC, and it’s no different when it comes to GitHub. Keeping track of who has access to what is vital to help prevent security breaches. To keep GitHub more secure, use 2-factor authentication across your organization, and limit the number of repository admins. You should also only allow contributors to have access to the information they need—and nothing more—to complete their tasks.
Protect Code Branches. GitHub has branch protection rules that help prevent unwanted code from being published. Enabling these settings can help you add extra precautions to ensure code merges are more controlled.
Implement Security Control Tools. Security testing can help you identify any weaknesses or vulnerabilities in your code. Using SAST or SCA, you can scan for security flaws and detect vulnerabilities in code dependencies. GitHub also has an advanced security feature with an internal dependencies vulnerability scanner.
Avoid Sensitive Data or Secrets in Code. Keeping sensitive data out of GitHub is a must to keep secrets protected. When secrets like passwords or tokens are added to repositories, they become available to anyone with access—which increases the chance for them to fall into the wrong hands. Even if they’re added and deleted, they’ll remain in the GitHub history, so be sure to keep them protected from the start.
Watch Out For Forks. Forks are a valuable tool for developers—but they can cause problems with secrets being mistakenly or carelessly included in code. When a repository is forked, all sensitive data goes with it. If passwords, tokens, or other secrets are included in that repository, they’ll be duplicated along with the rest of the code. You can disallow forking in GitHub to keep your data more secure.
Taking these extra steps allows you to leverage GitHub’s robust security measures to protect against malicious actors. Arm your organization with the knowledge they need to properly use the tool and also implement these measures to amp up security as much as possible. To take it a step further, you can also leverage a software security platform to help identify and protect against vulnerabilities in the GitHub workflow.
Key terms to know:
- 2-Factor authentication. This security protocol requires a user to verify their identity using at least two factors. These can include factors like passwords, pins, and one-time security codes.
- Principle of least privilege (POLP). This security protocol involves giving users access to only the data or information they need to effectively do their jobs—and nothing more.
- Repository admin. Repository administrators manage and control the access and organization of a repository and its assets.
- SSH keys. SSH keys, or secure shell keys, act as access credentials for remote communication between computers or other machines over insecure networks.
- Personal access tokens. Personal access tokens are used to authenticate your identity on GitHub. They are made up of a string of characters that are used in place of a password.
- Signed commits. Signed commits allow users to indicate that they made a particular change. This allows other users to trust the authenticity and origin of the changes being made.
The Future of GitHub Security
While GitHub is a powerful tool for development teams, it also comes with risks. The flexible nature of the platform empowers organizations with many options—many of which, however, expose them to security risks.
To take advantage of all GitHub has to offer, while also protecting sensitive data, it’s important to stay informed about what the future of GitHub may hold.
More Vulnerabilities Will Be Exposed
In the future, GitHub will likely continue to expand its functionality into other areas of software development. Historically, GitHub has been known to embrace platform flexibility, which often leads to complexity—but many platform configurations are insecure and the responsibility falls onto the user or administrator to modify these defaults for added security.
As a result, more and more vulnerabilities will likely be exposed. This, however, doesn’t mean that GitHub can’t be made secure. GitHub can be configured to have robust security features, but that's dependent on organizations learning how to use them to keep their data protected.
To keep their software supply chain secure, users and administrators must stay informed about the latest GitHub security risks that could lead to breaches to prevent exposing sensitive data to malicious actors. You also should routinely review GitHub best practices and advanced features to help prevent devastating cyber attacks.
Attacks Against GitHub Will Rise
GitHub has become today’s defacto standard SCM choice for the open-source development community—and that’s not going to change any time soon. But because it’s so popular, it’s an easy target for cybercriminals looking for weaknesses.
As GitHub continues to grow, cybercriminals will likely spend even more time looking for vulnerabilities. Spurred on by successful attacks, they’re eager for opportunities to impact so many victims in one attack. As a result, organizations need to be even more vigilant about their security protocols to help protect themselves as much as possible.
GitHub isn’t oblivious to these vulnerabilities. They’re taking steps to help minimize security risks, like moving away from passwords and new security-minded integrations. Tools like Legitify are another way for Security, Dev, and DevOps engineers to better manage their GitHub configurations to put security first. When combined with GitHub best practices, these changes can help make GitHub a tool that’s as powerful as it is secure.
Key terms to know:
- Denial of service attacks. This is a type of cyber attack where malicious actors block access to your systems or devices.
- GitHub misconfiguration. Misconfiguration occurs when you have security settings that are turned off or have been set up in an insecure configuration. This often creates vulnerabilities that hackers can easily exploit.
- CLI tool. A CLI, or command-line interface, is an interface that uses text inputs to run applications and execute different functions. Though CLIs originated in the 1960s, it is still widely used today thanks to its fast, near-immediate results.
- OSSF scorecard. According to GitHub, an OSSF scorecard is “an automated tool that assesses the number of important heuristics associated with software security and assigns each check a score of 0-10.”
- Automatic remediation: An automated process of problem resolution, automatic remediation allows teams to address and fix issues more quickly, consistently, and efficiently. It ranges from basic alerting mechanisms to more complicated automations that perform specific actions.
- Secure repository. A secure Git repository has restricted and controlled access, protected code branches, and one without exposed secrets or vulnerable forks.
- OpenAI Codex. OpenAI Codex is an AI model created by OpenAI that turns English and other natural languages into more than a dozen programming languages.
- Continuous threat modeling. Threat modeling allows you to predict any potential risks and vulnerabilities within your application.
- Data exfiltration. Data exfiltration occurs when malware or an unauthorized user copies, transfers, or removes a company’s data. The most common data exfiltration methods experienced by organizations include database leaks, network traffic, file shares, and corporate email.