System Security

How to protect your GitHub repositories and prevent credential leaks

LAST EDITED:
PUBLISHED:
31/8/2023

We've compiled a comprehensive checklist to help your organisation protect its GitHub repositories.

Unfortunately, some developers may leave plain-text passwords in plain sight or hardcode credentials during testing for convenience, leading to inadvertent leaks when the code is committed. In fact, an audit of GitHub found six million such exposed credentials and secrets.

With an increasing number of public GitHub repositories unprotected, it's crucial to ensure your company's code and secrets aren't up for grabs. Data breaches can have serious consequences, from reputational damage to significant financial loss. The well-known identity management company, Okta, faced such a situation in 2021 when bad actors copied and stole its source code by obtaining repository credentials.

Given the significance of this issue, we've compiled a comprehensive checklist to help your organisation protect its GitHub repositories. From identifying and cataloguing repositories, checking for hardcoded secrets, to setting up an effective response plan, this guide provides actionable steps to safeguard your digital assets. Prioritise your organisation's cyber security by following these best practices and prevent your keys from being left out in the open.

Checklist

Identify and catalogue repositories

  • Make a list of all your organisation's public Github repositories.
  • Identify repositories that should be decommissioned or made private.
  • Review each repository for any existing information that could help attackers, such as mail server details, internal code, web container data, or head office application descriptions.

Check for hardcoded secrets

  • Use tools like GitSecrets to scan your repositories for hardcoded secrets, such as tokens or credentials. These can often be unintentionally left in the code during testing.
  • Prioritise repositories that have been publicly exposed for a long time and thus have higher chances of being compromised.

Act on findings

  • Decommission, make private, or thoroughly clean repositories containing sensitive information.
  • Rotate credentials that have been exposed. This includes API keys, tokens, passwords, and other forms of access control.

Implement best practices

  • Establish a policy against hardcoding secrets into code, especially for testing purposes.
  • Enforce the use of environment variables, secret management services, or other secure methods for managing secrets.
  • Set up automatic scanning for secrets in code before it's committed to a repository.\

Review and secure supply chain

  • Identify third-party contractors and partners with access to your repositories.
  • Ensure they adhere to the same security policies and best practices.
  • Implement measures to secure your software supply chain, such as additional access controls, regular audits, and incident response plans.

Protect your organisation's communication integrity by understanding and implementing secure coding practices.

System Security
Checklist
Expert

Related articles

Compromised Assets

How to respond to ransomware

How your company can protect itself from ransomware and what to do in the event of an attack. ​

System Security

How to perform a compromise assessment

Here is what Blackpanda experts do to find latent threats in your network.

Web Security

Secure your website experience: understanding cookie HTTP options

As you set your cookie preferences on a website, it is important to know that some methods used for communication between your browser and the server can pose a security risk. While some methods are safe, others can be exploited to launch an attack on the web server.

View all

Sign Up to Our Newsletter

Our weekly Asia Cyber Summary is a snappy, non-technical overview of regional cybersecurity news that helps you stay informed. Test it today, you can always unsubscribe. 

Let’s talk
System Security
Expert