Hosted repositories

• Set up MFK

• Use GitHub’s search features as well as scraping tools to check your own code for potential data leaks.

• Identify, configure and audit production branches to

  • Not allow force pushes.

  • Only give commit privileges to a small set of users.

  • Enforce those restrictions on admins & owners too!

  • Require all commits to be PGP signed (keys known in advance).

• Read more recommendations by Mozilla (they learned the hard way, no need to repeat that for ourselves).

• As of November 2017, GitHub tracks reported vulnerabilities in certain dependencies and provides security alerts to affected repositories.

Related attack trees

• Poison open source supply chains