GitHub Security Plan
Coming soon!
GitHub Misconfigurations
GitHub misconfigurations pose serious threats to both organizations and users, including exposure of sensitive data, theft of intellectual property, and compromised systems. It is therefore crucial that organizations and GitHub users periodically review and monitor their GitHub configuration, both to safeguard sensitive data and to catch misconfigurations early.
Jit's GitHub Security Plan runs periodic scans for GitHub misconfigurations and communicates the findings on the Backlog page.
Security Tools
Jit seamlessly integrates the following tools to provide comprehensive security coverage across your GitHub organization and repositories:
- Legitify
- Chain-bench
- Jit's MFA & Branch Protection Checkers
Requirements
Jit requires a GitHub Personal Access Token to activate the plan items in the GitHub Security Plan.
To generate a Personal Access Token, click the Generate PAT button when integrating with GitHub Security.
The following permissions are required:
- repo
- read:enterprise
- read:org
- read:packages
- read:repo_hook
Providing a token with Read permissions allows you to activate the following plan items:
Category | Plan Item | Description | Security Controls |
---|---|---|---|
Access Management | Enable multi-factor authentication for members | Without multi-factor authentication, your organization's accounts become an easier target for attackers using password spraying or phishing methods. Single-factor authentication offers minimal security and can compromise your entire codebase if breached. | Jit's MFA Checker, Chain-bench |
Branch Protection | Protect code changes by correctly setting branch protection | Failure to properly set branch protection rules exposes your repositories to unauthorized changes. Without these safeguards, any members, including those with malicious intentions, can alter, remove, or expose sensitive code. | Chain-bench, Legitify |
External Exposure | Limit the creation of public repos | Allowing unrestricted creation of public repositories can result in accidental exposure of proprietary or sensitive code and data. This poses a data leak risk and invites unauthorized access and tampering. | Legitify |
Access Management | There are no dormant GitHub users | Failing to review and remove inactive users regularly can turn dormant accounts into security risks. These unmonitored accounts can be hijacked and used as entry points for unauthorized activities without immediate detection. | Chain-bench |
Access Management | Limit user permissions to follow the least privilege principle | Failing to adhere to the least privilege principle can severely compromise your environment's security posture. Overly permissive settings invite operational errors and expose avenues for unauthorized or malicious activities. Limiting user permissions to only what's necessary minimizes potential points of failure and reduces the risk of data breaches or other security incidents. | Chain-bench, Legitify |
Without a Personal Access Token
The following plan item is available without a Personal Access Token:
Category | Plan Item | Description | Security Controls |
---|---|---|---|
Branch Protection | Set desired branch protection configuration | Failure to configure branch protection rules leaves your repositories vulnerable to unauthorized alterations. Setting your own rules, like a minimum number of code reviewers and mandatory status checks, provides an added layer of security against flawed or malicious changes. | Jit's Branch Protection Checker |
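As an added example (not Jit's Branch Protection Checker), a small Python evaluator that compares a branch's protection settings, in the shape GitHub's REST API returns them for `GET /repos/{owner}/{repo}/branches/{branch}/protection`, against a desired policy of minimum reviewers and mandatory status checks; the policy values and the sample payload are constructed for illustration.

```python
"""Evaluate a GitHub branch-protection payload against a desired policy.

Added illustration, not Jit's checker. The input shape follows the GitHub
REST API response for GET /repos/{owner}/{repo}/branches/{branch}/protection;
the sample payload below is constructed, not captured from a real repository.
"""
from typing import Any

# Desired policy (assumed values, chosen for illustration).
DESIRED_POLICY = {
    "min_approving_reviews": 2,
    "required_status_checks": {"build", "unit-tests"},
    "enforce_admins": True,
    "allow_force_pushes": False,
    "allow_deletions": False,
}

# Constructed sample: one review required, one check missing, force pushes on.
SAMPLE_PROTECTION = {
    "required_pull_request_reviews": {"required_approving_review_count": 1},
    "required_status_checks": {"strict": True, "contexts": ["build"]},
    "enforce_admins": {"enabled": True},
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": False},
}


def evaluate_branch_protection(protection: dict, policy: dict) -> list:
    """Return one finding per deviation from the policy (empty list = compliant).

    An unprotected branch (None or {}) is itself a finding: the API answers
    404 rather than an empty object when no rule exists, so callers pass None.
    """
    if not protection:
        return ["branch has no protection rule"]
    findings = []
    reviews = protection.get("required_pull_request_reviews") or {}
    count = reviews.get("required_approving_review_count", 0)
    if count < policy["min_approving_reviews"]:
        findings.append(f"required approving reviews is {count}, want >= {policy['min_approving_reviews']}")
    checks = protection.get("required_status_checks") or {}
    # Older responses list contexts; newer ones list {"context": ..., "app_id": ...} objects.
    present = set(checks.get("contexts") or [])
    present |= {c["context"] for c in checks.get("checks") or []}
    missing = policy["required_status_checks"] - present
    if missing:
        findings.append("missing required status checks: " + ", ".join(sorted(missing)))
    for key in ("enforce_admins", "allow_force_pushes", "allow_deletions"):
        actual = (protection.get(key) or {}).get("enabled", False)
        if actual != policy[key]:
            findings.append(f"{key} is {actual}, want {policy[key]}")
    return findings
```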