The company I work for has experienced multiple security incidents related to public GitHub repos. I’m looking for what additional practices, tools, and technology we can apply in order to prevent these types of incidents from happening; what people have tried, and what has been successful or unsuccessful.
Here are the practices we have in-place today:
- All staff must create a GitHub account specifically for our organization with their corporate email address
- Organization repository creation is limited; can’t be performed by all staff members
- Staff members can’t change the visibility (public/private) of repositories, or delete them, or transfer them
- Automated scans are run on all of our organizations, all of our staff user accounts, and all of our known private staff user accounts, for any new public repos that pop up
Despite these practices, here are some examples of incidents that have occurred:
- Engineer requested our internal IT help desk team to fork a public Open Source repo for internal customization. IT did the fork to our org. The engineer then configured the repo for CI/CD with secret access keys, not realizing that the fork was automatically public.
- Engineer working on an internal project decided to publish the repo to their unrelated, unknown personal GitHub (eg. username/repo, not our-org/repo), as a public repo. Repo contained secret access keys.
We’ve tried internal communication about the risks, we’ve tried changing who can and can’t create repos, but these changes just seem like they’re shuffling around the problem, not eliminating it. Both of these incidents involve secrets management problems, which we also recognize can be improved… but it still feels like we’re missing something.
We’re considering a switch to GitHub Enterprise, and on-prem hosting within our private network only (eg. VPN access required); but even this change wouldn’t have impacted the second incident above. We’d have to also block github.com access, which would be a devastating control to have to put in place.
What else can we do? What else are other people doing?
cross-posted to reddit: https://www.reddit.com/r/github/comments/ecu855/help_me_github_public_repo_corporate_security/