If your security team is concerned about supply chain risk, it’s a good idea to look at your GitHub settings. GitHub describes several security features and best practices in their documentation for account security and organization security, but this post goes beyond the documentation. It’s a step-by-step process for securing your GitHub organization.
This guide is based on GitHub Enterprise Cloud — other products may have different features.
Reduce organizational owners
First, ensure your GitHub organizational owners group is well-defined. Fewer owners reduces the risk of account takeover. It’s also easier to communicate security standards and ensure people follow them. You will spend time and effort getting security settings to an ideal state. An unaware administrator can make changes that waste that time and effort. Consider all organizational GitHub roles: billing managers, security managers, and app managers.
Be warned — removing owners can break workflows and slow down the team. Send out a survey or interview each owner to see what access they need. Create manual or automated processes to delegate common GitHub owner actions. Build consensus with leadership for these changes. Communicate them to the engineering team to avoid blowback.
Setup configuration as code
Infrastructure as code tools like Terraform helps enforce safe change management. You can gate changes behind a review and approval process. You can determine who made a previous change and revert it. You can scale modules of configuration across teams and repositories. Here are a few articles about how Terraform can manage GitHub:
- Managing Github permissions with Terraform
- Using Terraform Cloud to Manage GitHub Repositories
- How to manage your GitHub Organization with Terraform
Terraform is not an all-or-nothing decision. Not all GitHub configurations need to use Terraform. Pick the riskiest and most complex areas of configuration and use Terraform. Manage the rest through the web. You’ll need to create a GitHub service account to use Terraform. I’ll discuss service accounts in more detail below.