GitHub Security Standard
Baseline security requirements for GitHub organizations and repositories.
Scope
All repositories in every GitHub organization owned by the organization.
Requirements
Organization Settings
- Require 2FA for all organization members
- Restrict repository creation to admins
- Enable Dependency Graph and Dependabot alerts
- Enable Secret Scanning (GitHub Advanced Security)
- Default repository permission: Read (not Write)
Repository Protection
- Require branch protection on main/master:
  - Require pull request reviews (minimum 1 approval)
  - Require status checks to pass
  - Require conversation resolution before merge
  - No force pushes or deletions
  - Protected branches cannot be bypassed by admins
- Enable “Require signed commits” for sensitive repos
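The organization-setting and branch-protection requirements above map directly onto fields the GitHub REST API returns, so they can be checked mechanically. The following is an added example (not part of this standard or of any GitHub tooling) that evaluates JSON shaped like the responses of `GET /orgs/{org}` and `GET /repos/{owner}/{repo}/branches/{branch}/protection` against both lists; the two sample payloads are constructed to contain deliberate deviations, and in practice they would be fetched with an authenticated client.

```python
"""Compliance check for the Organization Settings and Repository Protection
requirements. Added example, not part of the standard. It evaluates JSON
shaped like the GitHub REST API responses for GET /orgs/{org} and
GET /repos/{owner}/{repo}/branches/{branch}/protection. Both sample payloads
below are constructed; fetch real ones with an authenticated client.
"""
from typing import Any, Dict, List

# Constructed sample: organization settings with two deviations
# (repository creation open to members, default permission Write).
SAMPLE_ORG = {
    "login": "example-org",
    "two_factor_requirement_enabled": True,
    "members_can_create_repositories": True,
    "default_repository_permission": "write",
    "dependency_graph_enabled_for_new_repositories": True,
    "dependabot_alerts_enabled_for_new_repositories": True,
    "secret_scanning_enabled_for_new_repositories": True,
}

# Constructed sample: branch protection where admins can bypass the rules
# and signed commits are not required.
SAMPLE_PROTECTION = {
    "required_pull_request_reviews": {"required_approving_review_count": 1},
    "required_status_checks": {"strict": True, "contexts": ["ci/test"]},
    "required_conversation_resolution": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
    "enforce_admins": {"enabled": False},
    "required_signatures": {"enabled": False},
}


def _flag(obj: Dict[str, Any], key: str) -> bool:
    """Read a nested {'enabled': bool} block; a missing block counts as disabled."""
    return bool((obj.get(key) or {}).get("enabled", False))


def check_org(org: Dict[str, Any]) -> List[str]:
    """Return one finding per Organization Settings requirement that is not met."""
    findings = []
    if not org.get("two_factor_requirement_enabled"):
        findings.append("2FA is not required for all members")
    # A missing field is treated as the permissive default.
    if org.get("members_can_create_repositories", True):
        findings.append("repository creation is not restricted to admins")
    if org.get("default_repository_permission") != "read":
        findings.append("default repository permission is not Read")
    for key, label in [
        ("dependency_graph_enabled_for_new_repositories", "Dependency Graph"),
        ("dependabot_alerts_enabled_for_new_repositories", "Dependabot alerts"),
        ("secret_scanning_enabled_for_new_repositories", "Secret Scanning"),
    ]:
        if not org.get(key):
            findings.append(f"{label} is not enabled for new repositories")
    return findings


def check_branch_protection(prot: Dict[str, Any], sensitive: bool = False) -> List[str]:
    """Return one finding per Repository Protection requirement that is not met.

    sensitive=True additionally requires signed commits, as the standard asks
    for sensitive repositories.
    """
    findings = []
    reviews = prot.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        findings.append("pull request reviews with at least 1 approval are not required")
    if not prot.get("required_status_checks"):
        findings.append("status checks are not required")
    if not _flag(prot, "required_conversation_resolution"):
        findings.append("conversation resolution before merge is not required")
    if _flag(prot, "allow_force_pushes"):
        findings.append("force pushes are allowed")
    if _flag(prot, "allow_deletions"):
        findings.append("branch deletion is allowed")
    if not _flag(prot, "enforce_admins"):
        findings.append("admins can bypass branch protection")
    if sensitive and not _flag(prot, "required_signatures"):
        findings.append("signed commits are not required")
    return findings


if __name__ == "__main__":
    for finding in check_org(SAMPLE_ORG) + check_branch_protection(SAMPLE_PROTECTION, sensitive=True):
        print("FINDING:", finding)
```

Absent fields are read as the weaker setting on purpose (no `enforce_admins` block means admins are not bound; no `members_can_create_repositories` field means creation is assumed open), so an incomplete or truncated response produces findings rather than a silent pass.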
Access Control
- Use GitHub Teams for access management (not individual invites)
- Follow least privilege: Read by default, Write when needed, Admin sparingly
- External collaborators must be approved by security team
- Quarterly access reviews of organization members
Secrets Management
- No secrets in code (enforced by pre-commit hooks and secret scanning)
- Use GitHub Actions secrets for CI/CD credentials
- Rotate secrets when team members leave
- Use environment protection rules for production deployments
CI/CD Security
- GitHub Actions:
  - Pin actions to SHA (not tags)
  - No secrets in PR builds from forks
  - Use OIDC for cloud provider authentication (not long-lived keys)
  - Require workflow approval for first-time contributors
- Third-party integrations require security review
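Three of the GitHub Actions requirements (SHA pinning, no secrets in fork PR builds, OIDC instead of long-lived keys) are visible in the workflow file itself and can be linted before merge. The following is an added example, not part of this standard or of any GitHub tool, that checks a workflow with line-based regular expressions so it needs no YAML library; the sample workflow is constructed and contains one tag-pinned action and a `pull_request_target` job that references a secret.

```python
"""Lint a GitHub Actions workflow for three requirements of this standard:
actions pinned to a full commit SHA, no secrets reachable from fork PR
builds, and OIDC (id-token: write) available for cloud authentication.
Added example, not part of the standard. Line-based regexes are used
instead of a YAML parser so the check runs without dependencies.
"""
import re

# A pinned `uses:` reference looks like owner/repo[/path]@<40 hex chars>.
SHA_PINNED = re.compile(r"^[\w.-]+/[\w.-]+(?:/[\w./-]+)?@[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)")
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.")
# Matches a `pull_request_target:` mapping key or a list-form `on: [..., pull_request_target]`.
PR_TARGET = re.compile(r"^\s*-?\s*pull_request_target\b|^\s*on:.*\bpull_request_target\b", re.M)
ID_TOKEN_WRITE = re.compile(r"^\s*id-token:\s*write\s*$", re.M)

# Constructed sample workflow: one action pinned to a tag, and a job that runs
# on pull_request_target (fork PRs, secrets available) while using a secret.
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
  push:
    branches: [main]
permissions:
  id-token: write
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions/setup-node@v4
      - run: npm test
  deploy:
    runs-on: ubuntu-latest
    steps:
      - run: ./deploy.sh
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
"""


def unpinned_actions(workflow: str) -> list:
    """Return `uses:` references that are not pinned to a full commit SHA.

    Local actions (./path) and docker:// references are not pinned by commit
    SHA in the same way and are skipped here.
    """
    found = []
    for line in workflow.splitlines():
        m = USES_LINE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if not SHA_PINNED.match(ref):
            found.append(ref)
    return found


def fork_prs_can_reach_secrets(workflow: str) -> bool:
    """True if the workflow is triggered by pull_request_target and references secrets.

    pull_request_target runs in the base repository's context with secrets
    available, which is why the standard forbids secrets in PR builds from
    forks; plain pull_request builds from forks do not receive secrets.
    """
    return PR_TARGET.search(workflow) is not None and SECRET_REF.search(workflow) is not None


def oidc_enabled(workflow: str) -> bool:
    """True if the workflow grants id-token: write, the permission OIDC cloud auth needs."""
    return ID_TOKEN_WRITE.search(workflow) is not None


if __name__ == "__main__":
    print("unpinned actions:", unpinned_actions(SAMPLE_WORKFLOW))
    print("secrets reachable from fork PRs:", fork_prs_can_reach_secrets(SAMPLE_WORKFLOW))
    print("OIDC permission present:", oidc_enabled(SAMPLE_WORKFLOW))
```

The check is intentionally coarse: it flags any `pull_request_target` workflow that touches secrets, which catches both the outright misuse and the borderline cases that a human reviewer should look at, rather than trying to decide which ones are safe.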
Audit and Monitoring
- Enable audit log streaming to SIEM
- Alert on sensitive actions: member added, permissions changed, secrets accessed
- Review security advisories weekly
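The alerting requirement above can be expressed as a small rule set over the streamed audit log. The following is an added example, not part of this standard or of any SIEM product, that reads newline-delimited JSON events in the shape GitHub audit log streaming emits (`action`, `actor`, `org`, `@timestamp` plus action-specific fields) and raises an alert for each of the three sensitive categories. The sample events are constructed; the action names follow GitHub's audit log naming (`org.add_member`, `org.update_member`, `repo.update_actions_secret` and so on), but the exact mapping should be treated as a starting set to tune against the organization's own stream.

```python
"""Detection rules for the "alert on sensitive actions" requirement.
Added example, not part of the standard. Input is newline-delimited JSON in
the shape of GitHub audit log streaming. Action names follow GitHub's audit
log naming; treat the mapping as an assumption to tune, and note that
"secrets accessed" is approximated by secret create/update/remove events,
since the audit log records secret management rather than secret reads.
"""
import json
from typing import Dict, Iterable, List, Optional

SENSITIVE_ACTIONS: Dict[str, str] = {
    # member added
    "org.add_member": "member added",
    "repo.add_member": "member added",
    # permissions changed (role changes and weakening of protections)
    "org.update_member": "permissions changed",
    "org.disable_two_factor_requirement": "permissions changed",
    "protected_branch.destroy": "permissions changed",
    "protected_branch.policy_override": "permissions changed",
    # secrets accessed (management events on Actions secrets)
    "org.create_actions_secret": "secrets accessed",
    "org.update_actions_secret": "secrets accessed",
    "org.remove_actions_secret": "secrets accessed",
    "repo.create_actions_secret": "secrets accessed",
    "repo.update_actions_secret": "secrets accessed",
    "repo.remove_actions_secret": "secrets accessed",
}

# Constructed sample stream: three sensitive events, one benign event, and
# one malformed line to show that bad input does not stop processing.
SAMPLE_EVENTS = """\
{"@timestamp": 1700000000000, "action": "org.add_member", "actor": "alice", "org": "example-org", "user": "dana-contractor"}
{"@timestamp": 1700000001000, "action": "repo.create", "actor": "bob", "repo": "example-org/api"}
{"@timestamp": 1700000002000, "action": "org.update_member", "actor": "alice", "org": "example-org", "user": "bob", "permission": "admin", "old_permission": "read"}
{"@timestamp": 1700000003000, "action": "repo.update_actions_secret", "actor": "carol", "repo": "example-org/api", "name": "DEPLOY_TOKEN"}
this line is not JSON
"""


def classify(event: Dict) -> Optional[str]:
    """Return the alert category for an event, or None if it is not sensitive."""
    return SENSITIVE_ACTIONS.get(event.get("action", ""))


def alerts_from_stream(lines: Iterable[str]) -> List[Dict]:
    """Parse each JSON line and return one alert record per sensitive event.

    Malformed lines are skipped and counted in the returned records' caller
    via `malformed_count` so a broken feed is noticed rather than hidden.
    """
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        category = classify(event)
        if category is None:
            continue
        alerts.append({
            "category": category,
            "action": event["action"],
            "actor": event.get("actor"),
            # The affected principal or object: a user for membership events,
            # otherwise the repo or org the event applies to.
            "target": event.get("user") or event.get("repo") or event.get("org"),
            "timestamp": event.get("@timestamp"),
        })
    return alerts


def malformed_count(lines: Iterable[str]) -> int:
    """Count non-empty lines that are not valid JSON, to alert on feed breakage."""
    bad = 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            json.loads(raw)
        except json.JSONDecodeError:
            bad += 1
    return bad


if __name__ == "__main__":
    for alert in alerts_from_stream(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT [{alert['category']}] {alert['action']} by {alert['actor']} on {alert['target']}")
    print("malformed lines:", malformed_count(SAMPLE_EVENTS.splitlines()))
```

Counting malformed lines separately matters in practice: a SIEM parser that silently drops unparseable events turns a broken streaming integration into a quiet gap in exactly the alerts this section requires.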
References
- Related controls: ACC-01, ACC-02, INF-01, OPS-01
- GitHub Security Best Practices: https://docs.github.com/en/code-security
Control Mapping