Git & GitHub - GitHub Security
Security features and best practices on GitHub
GitHub provides various security features and best practices to help protect your code and manage vulnerabilities. This guide covers the essential security features and best practices you should follow to ensure your projects are secure.
Key Points:
- Enable two-factor authentication (2FA) for enhanced account security.
- Use dependency management tools to identify and fix vulnerabilities.
- Leverage code scanning and secret scanning to detect potential security issues.
- Implement best practices for managing sensitive data and access controls.
Enabling Two-Factor Authentication (2FA)
Two-factor authentication (2FA) adds an extra layer of security to your GitHub account. To enable 2FA:
- Go to your GitHub account settings.
- Select "Security" from the left sidebar.
- Click "Enable two-factor authentication."
- Follow the prompts to set up 2FA using an authentication app or SMS.

Dependency Management
GitHub provides tools to help you manage dependencies and identify vulnerabilities:
Dependabot Alerts
Dependabot alerts notify you of vulnerabilities in your dependencies. To enable Dependabot alerts:
- Go to the "Security" tab of your repository.
- Click on "Enable Dependabot alerts."

Dependency Graph
The dependency graph provides an overview of your project's dependencies and any known vulnerabilities. To view the dependency graph:
- Go to the "Insights" tab of your repository.
- Select "Dependency graph" from the left sidebar.

Code Scanning
Code scanning helps you find and fix potential security issues in your code. To set up code scanning:
Step 1: Add a CodeQL Analysis Workflow
CodeQL is GitHub's static analysis engine for code scanning. To add a CodeQL analysis workflow:
- Go to the "Security" tab of your repository.
- Click on "Set up code scanning."
- Select the "CodeQL Analysis" template and configure it as needed.
- Commit the workflow file to your repository.
# Example CodeQL analysis workflow
name: "CodeQL"
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '0 0 * * *'   # cron syntax: run once a day at 00:00 UTC
# The analyze step uploads results to code scanning, which needs security-events: write
permissions:
  actions: read
  contents: read
  security-events: write
jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: [ 'javascript', 'python', 'go' ]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v1
        with:
          languages: ${{ matrix.language }}
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v1
Secret Scanning
Secret scanning detects sensitive data such as passwords, API keys, and tokens in your repository. To enable secret scanning:
- Go to the "Security" tab of your repository.
- Click on "Enable secret scanning."

Managing Sensitive Data
Follow these best practices to manage sensitive data:
- Use .gitignore: Exclude sensitive files from your repository using a .gitignore file.
- Environment Variables: Store sensitive information in environment variables instead of hardcoding it in your code.
- Secrets Management: Use GitHub Secrets to store and manage sensitive data securely for GitHub Actions workflows.
# Example .gitignore entry to exclude sensitive files
.env
config/secrets.yml
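A local pre-commit-style check that mirrors what secret scanning looks for, tying the Secret Scanning and Managing Sensitive Data sections together. This is an added example, not part of the original guide or of GitHub's own tooling: the GitHub classic PAT and AWS access key ID formats are real, while the generic assignment rule, the function names and the sample file are constructed here.

```python
import re
from typing import Dict, List, Tuple

# A small subset of the formats secret scanning detects. The GitHub classic
# PAT ("ghp_" + 36 chars) and AWS access key ID ("AKIA" + 16 chars) formats are
# real; the generic assignment rule is a heuristic and will have false positives.
SECRET_PATTERNS = {
    "github_pat_classic": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "hardcoded_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
}

Finding = Tuple[str, int, str]  # (path, line number, rule name)


def scan_text(text: str, path: str = "<stdin>") -> List[Finding]:
    """Return one finding per (line, rule) pair that matches."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, rule))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> contents, e.g. the staged files in a pre-commit hook."""
    findings: List[Finding] = []
    for path, contents in files.items():
        findings.extend(scan_text(contents, path))
    return findings


# Constructed sample file. The AWS value is the example key ID from AWS's own
# documentation; the GitHub token is a made-up string of the right shape.
SAMPLE_APP = """import os

AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
db_password = "correct-horse-battery"
api_token = os.environ["API_TOKEN"]  # read from the environment, so not flagged
"""

if __name__ == "__main__":
    for path, lineno, rule in scan_files({"app.py": SAMPLE_APP}):
        print(f"{path}:{lineno}: possible secret ({rule})")
    # A real hook would exit non-zero when there are findings, blocking the commit.
```

The last line of the sample shows the environment-variable pattern the guide recommends; only the three hardcoded lines are reported.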
Access Control and Permissions
Properly managing access control and permissions helps protect your repository from unauthorized access:
- Repository Roles: Assign appropriate roles (e.g., read, write, admin) to collaborators based on their responsibilities.
- Branch Protection Rules: Set up branch protection rules to require pull request reviews and status checks before merging changes.
- Teams: Organize users into teams and manage permissions at the team level for better access control.

Summary
This guide covered GitHub's security features and best practices, including enabling two-factor authentication, managing dependencies, setting up code and secret scanning, managing sensitive data, and implementing access control and permissions. Following these practices helps ensure your projects are secure and protected from vulnerabilities.