During the course of 2020, GitHub unveiled various updates to help keep users of the platform (and their work) more secure. Here are a few of the highlights.
Five of GitHub’s 2020 Security Updates
Dependency Review is in Beta
GitHub’s dependency review empowers users to understand their dependencies – before they introduce them into their environments. Users can now review information about what is being raised, changed, or removed.
Find out more here.
GitHub has code scanning capabilities to help seek out security issues as users write. Results are integrated natively into the developer workflow. Users can also schedule security analysis on an ad hoc basis or every push or pull request.
Find out more here.
This new scan guards repositories for known secret formats. While public repos were already notified of leaked secrets, the scan has now extended to private repos to inform users when they need to rotate a secret.
Read more about secret scanning here.
Securing Dependencies with Dependabot
Dependabot version updates are pull requests that are automated to help users keep their dependencies updated (even if they don’t have vulnerabilities). This is still in beta. However, the idea is to help users update when it matters – whether responding to or actively building against vulnerabilities.
Learn all about Dependabot (and its latest updates) here.
Enabling Features is Even Easier
GitHub has made it easier to enable features across an organization. Users can enable or disable:
- the dependency graph
- Dependabot alerts
- Dependabot security updates
- secret scanning for all repositories
In just one click across an organization. Users can now also pre-set whether a feature will be disabled/enabled on newly-created repositories.
Discover how to do so here.
Security Best Practices for GitHub
While GitHub is working to make using their platform even more secure, certain habits users should be aware of to ensure their work is as safe as possible on GitHub. This includes:
Being Smart About Access
Teams and users can help protect access by following best practices such as requiring 2-factor authentication, never sharing accounts or passwords, properly securing devices with access to source code, and having managers only allow access to data to the team members doing the work.
Refresh Keys and Tokens Regularly
Sometimes users may not be aware that a token is compromised. To avoid the likelihood, regularly refreshing keys and tokens can mitigate damage caused by accidentally getting leaked.
Validate Applications with Care
GitHub uses third-party apps to extend its services. While the marketplace is a great place to find useful add-ons for specific requirements, it’s important to vet them and ensure you’re acting in your own best interest when leveraging their services. To that end:
- Check what access rights they are requesting and only give them the minimum of what they need
- Consider why an app may be asking for the level of access it’s asking for
- Validate the author or organization before granting them access to your company’s repository
Don’t Keep Sensitive Information Lying Around
The first lesson is to not leave sensitive data in your repository in the first place. However, if sensitive data is found there, consider it compromised and invalidate all tokens or passwords that were once public. Also, be mindful of the fact that GitHub is very good at maintaining a complete history of commits – including changelogs. That means you’ll have to clear your GitHub history too, to ensure a complete scrub.
You can find more tips and tricks on how to keep your organization secure in GitHub docs.
Are you interested in integrating your team’s Git with Jira to streamline project management processes? There’s an app for that! Find Bitband’s Git Integration for Jira Software here.
Want more Bitband insights? Check out: