Hosted repositories

  • Set up MFA (multi-factor authentication).

  • Use GitHub’s search features as well as scraping tools to check your own code for potential data leaks.

  • Identify, configure and audit production branches to

    • Not allow force pushes.

    • Only give commit privileges to a small set of users.

    • Enforce those restrictions on admins & owners too!

    • Require all commits to be PGP signed (keys known in advance).

  • Read more recommendations by Mozilla (they learned the hard way, no need to repeat that for ourselves).

  • As of November 2017, GitHub tracks reported vulnerabilities in certain dependencies and provides security alerts to affected repositories.
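As an added example (not from the original page), here is a small Python audit of the JSON that GitHub's branch-protection endpoint (GET /repos/{owner}/{repo}/branches/{branch}/protection) returns, checked against the production-branch rules listed above. The sample payload is constructed, and the two-user committer limit is an assumed policy value.

```python
"""Audit a GitHub branch-protection payload against the production-branch checklist."""
import json

# Constructed sample (not real data): a branch that is only partly locked down.
SAMPLE_PROTECTION = json.loads("""
{
  "enforce_admins": {"enabled": false},
  "allow_force_pushes": {"enabled": true},
  "required_signatures": {"enabled": false},
  "restrictions": {
    "users": [{"login": "alice"}, {"login": "bob"}, {"login": "carol"}],
    "teams": [{"slug": "release-managers"}],
    "apps": []
  }
}
""")


def audit_branch_protection(protection, max_committers=2):
    """Return a list of findings for one branch; an empty list means it passes."""
    findings = []
    # A missing flag is treated as the unsafe default so the audit fails closed.
    if protection.get("allow_force_pushes", {}).get("enabled", True):
        findings.append("force pushes are allowed")
    if not protection.get("enforce_admins", {}).get("enabled", False):
        findings.append("rules are not enforced for admins/owners")
    # required_signatures only guarantees a GitHub-verified signature; whether the
    # signing keys were agreed in advance still has to be checked out of band.
    if not protection.get("required_signatures", {}).get("enabled", False):
        findings.append("signed commits are not required")
    restrictions = protection.get("restrictions")
    if restrictions is None:
        findings.append("no push restrictions: anyone with write access can commit")
        return findings
    users = [u["login"] for u in restrictions.get("users", [])]
    teams = [t["slug"] for t in restrictions.get("teams", [])]
    apps = [a["slug"] for a in restrictions.get("apps", [])]
    if len(users) > max_committers:
        findings.append(f"{len(users)} users may push (limit {max_committers}): {', '.join(users)}")
    if teams:  # a team hides its membership, so it needs a manual review
        findings.append(f"teams may push, review membership: {', '.join(teams)}")
    if apps:
        findings.append(f"apps may push, review: {', '.join(apps)}")
    return findings


if __name__ == "__main__":
    for finding in audit_branch_protection(SAMPLE_PROTECTION):
        print("FAIL:", finding)
```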