GitHub Security Plan

GitHub Misconfigurations

GitHub misconfigurations pose serious threats to both organizations and users. These threats include the potential exposure of sensitive data, theft of intellectual property and compromised systems. Therefore, to safeguard the security of their sensitive data and to prevent misconfigurations, it is crucial that organizations and GitHub users periodically review and monitor GitHub configurations.

Jit's GitHub Security Plan runs periodic scans for GitHub misconfigurations and communicates the findings on the Backlog page.

Security Tools

Jit seamlessly integrates the following tools to provide comprehensive security coverage across your GitHub organization and repositories:
Legitify, chain-bench, Jit's MFA & Branch Protection Checkers.

Required Permissions

Jit requires a GitHub Personal Access Token to activate the plan items in the GitHub Security Plan.

To generate a Personal Access Token click "Generate PAT" when integrating with GitHub Security.

The following permissions are required in the token:

  • repo
  • read:repo_hook
  • read:org
  • read:enterprise
  • read:packages

Important: Organizations with Single Sign-On (SSO) must authorize the new token.

Right after generating the token in GitHub, copy it because you won't be able to see it again. Then click the "Configure SSO" button and in the pop-up, click "Authorize" next to your organization's name.

Providing a token with the required permissions allows you to activate the following plan items:

Coverage: Branch Protection
Plan Item: Protect code changes by properly setting branch protection
Description: Failure to correctly set branch protection rules exposes your repositories to unauthorized changes. This leaves sensitive code vulnerable to modification, removal and exposure by any member, including those with malicious intentions. Crucial safeguards include enforcing pull request reviews, requiring status checks and ensuring branches are up to date before merging. Further safeguards are protecting the default branch and preventing forceful modifications to branch history; together they fortify the security and integrity of your codebase.
Security Controls: Legitify

Coverage: Access Management
Plan Item: Enable multi-factor authentication for members
Description: Without multi-factor authentication, your organization's accounts are more vulnerable to attackers employing password spraying or phishing methods. Relying solely on single-factor authentication provides minimal security, posing a significant risk to your entire codebase if an account is compromised. It's crucial to ensure that all organization members enable multi-factor authentication, including for access to the package registry.
Security Controls: Jit's MFA Checker, Chain Bench

Coverage: External Exposure
Plan Item: Limit the creation of public repos
Description: Allowing unrestricted creation of public repositories can result in accidental exposure of proprietary or sensitive code and data. This poses not only a data leak risk but also invites unauthorized access and tampering. Ensuring that only authorized users can create public repositories is a crucial step in protecting your organization's intellectual property and sensitive information.
Security Controls: Legitify

Coverage: Access Management
Plan Item: There are no dormant GitHub users
Description: Failing to regularly review and remove inactive users can turn dormant accounts into security risks. These unmonitored accounts can be hijacked and used as entry points for unauthorized activities without immediate detection.
Security Controls: Chain Bench

Coverage: Access Management
Plan Item: Limit user permissions to follow the least privilege principle
Description: Failing to adhere to the principle of least privilege (POLP) can severely compromise your environment's security posture. Overly permissive settings not only invite operational errors but also expose avenues for unauthorized or malicious activities. To minimize potential points of failure and reduce the risk of data breaches or other security incidents, limit member permissions to only what is absolutely necessary. Examples include restricting default member permissions and disabling anonymous access to artifacts.
Security Controls: Chain Bench, Legitify
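As an added example (not Jit's, Legitify's or chain-bench's code), the branch protection safeguards listed above expressed as checks over a branch-protection object in the shape GitHub's REST API returns for GET /repos/{owner}/{repo}/branches/{branch}/protection; the two sample payloads are constructed and the minimum of one approving review is an assumed policy threshold.

```python
# Added example: audit a GitHub branch-protection payload against the safeguards
# in the "Protect code changes" plan item. The payload shape follows the REST
# response of GET /repos/{owner}/{repo}/branches/{branch}/protection; the
# samples below are constructed, and MIN_REVIEWERS is an assumed policy value.
from typing import Any, Dict, List

MIN_REVIEWERS = 1  # assumed policy threshold


def _enabled(protection: Dict[str, Any], key: str) -> bool:
    """Read a {"enabled": bool} sub-object defensively (missing or null -> False)."""
    return bool((protection.get(key) or {}).get("enabled"))


def audit_branch_protection(protection: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means the branch passes."""
    findings: List[str] = []
    reviews = protection.get("required_pull_request_reviews") or {}
    if not reviews:
        findings.append("pull request reviews are not required")
    elif reviews.get("required_approving_review_count", 0) < MIN_REVIEWERS:
        findings.append("fewer than %d approving reviews required" % MIN_REVIEWERS)
    checks = protection.get("required_status_checks") or {}
    if not checks.get("contexts"):
        findings.append("no required status checks")
    elif not checks.get("strict"):
        findings.append("branch not required to be up to date before merging")
    if _enabled(protection, "allow_force_pushes"):
        findings.append("force pushes allowed (branch history can be rewritten)")
    if _enabled(protection, "allow_deletions"):
        findings.append("branch deletion allowed")
    if not _enabled(protection, "enforce_admins"):
        findings.append("rules not enforced for administrators")
    return findings


# Constructed samples: a weak configuration beside a hardened one.
WEAK = {
    "required_status_checks": {"strict": False, "contexts": []},
    "required_pull_request_reviews": None,
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": True},
}
HARDENED = {
    "required_status_checks": {"strict": True, "contexts": ["ci/build"]},
    "required_pull_request_reviews": {"required_approving_review_count": 2,
                                      "dismiss_stale_reviews": True},
    "enforce_admins": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_branch_protection(cfg) or ["ok"])
```

Feeding the function the live API response for each protected branch turns it into the periodic review the section recommends.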

Without a Personal Access Token

The following plan items are available without a Personal Access Token:

Category: Branch Protection
Plan Item: Set desired branch protection configuration
Description: Failure to configure branch protection rules leaves your repositories vulnerable to unauthorized alterations. Setting your own rules, like a minimum number of code reviewers and mandatory status checks, provides an added layer of security against flawed or malicious changes.
Security Controls: Jit's Branch Protection Checker