Help me; GitHub public repo corporate security risks?

The company I work for has experienced multiple security incidents related to public GitHub repos. I’m looking for what additional practices, tools, and technology we can apply in order to prevent these types of incidents from happening; what people have tried, and what has been successful or unsuccessful.

Here are the practices we have in-place today:

  • All staff must create a GitHub account specifically for our organization with their corporate email address
  • Organization repository creation is limited; can’t be performed by all staff members
  • Staff members can’t change the visibility (public/private) of repositories, or delete them, or transfer them
  • Automated scans are run on all of our organizations, all of our staff user accounts, and all of our known private staff user accounts, for any new public repos that pop up

Despite these practices, here are some examples of incidents that have occurred:

  • Engineer requested our internal IT help desk team to fork a public Open Source repo for internal customization. IT did the fork to our org. The engineer then configured the repo for CI/CD with secret access keys, not realizing that the fork was automatically public.
  • Engineer working on an internal project decided to publish the repo to their unrelated, unknown personal GitHub (eg. username/repo, not our-org/repo), as a public repo. Repo contained secret access keys.

We’ve tried internal communication about the risks, we’ve tried changing who can and can’t create repos, but these changes just seem like they’re shuffling around the problem, not eliminating it. Both of these incidents involve secrets management problems, which we also recognize can be improved… but it still feels like we’re missing something.

We’re considering a switch to GitHub Enterprise, and on-prem hosting within our private network only (eg. VPN access required); but even this change wouldn’t have impacted the second incident above. We’d have to also block access, which would be a devastating control to have to put in place.

What else can we do? What else are other people doing?

cross-posted to reddit:

If you have the Enterprise product, you can create policies to only allow private/internal repos and/or prevent forking, although the latter could really benefit from being more granular.

We’d have to also block access, which would be a devastating control to have to put in place.

Would that be more or less deviating than exposing your source code?

If your source code is so important that you need to control all copies, you should not be using a DVCS hosted over the internet (that lets you alter history or destroy it quite accidentally).

To prevent secrets being leaked, you can use secret scanning or use encrypted secrets in your Actions workflows.