GitHub Security Plan

Coming soon!

GitHub Misconfigurations

GitHub misconfigurations pose serious threats to both organizations and users, including exposure of sensitive data, theft of intellectual property, and compromised systems. Organizations and GitHub users should therefore review and monitor their GitHub configuration periodically, so that sensitive data stays protected and misconfigurations are caught before they are exploited.

Jit's GitHub Security Plan runs periodic scans for GitHub misconfigurations and communicates the findings on the Backlog page.

Security Tools

Jit seamlessly integrates the following tools to provide comprehensive security coverage across your GitHub organization and repositories:

Requirements

Jit requires a GitHub Personal Access Token to activate the plan items in the GitHub Security Plan.

To generate a Personal Access Token, click the Generate PAT button when integrating with GitHub Security.

The following permissions are required:

  • repo
  • read:enterprise
  • read:org
  • read:packages
  • read:repo_hook

Providing a token with Read permissions allows you to activate the following plan items:

| Category | Plan Item | Description | Security Controls |
|---|---|---|---|
| Access Management | Enable multi-factor authentication for members | Without multi-factor authentication, your organization's accounts become an easier target for attackers using password spraying or phishing methods. Single-factor authentication offers minimal security and can compromise your entire codebase if breached. | Jit's MFA Checker, Chain-bench |
| Branch Protection | Protect code changes by correctly setting branch protection | Failure to properly set branch protection rules exposes your repositories to unauthorized changes. Without these safeguards, any members, including those with malicious intentions, can alter, remove, or expose sensitive code. | Chain-bench, Legitify |
| External Exposure | Limit the creation of public repos | Allowing unrestricted creation of public repositories can result in accidental exposure of proprietary or sensitive code and data. This poses a data leak risk and invites unauthorized access and tampering. | Legitify |
| Access Management | There are no dormant GitHub users | Failing to review and remove inactive users regularly can turn dormant accounts into security risks. These unmonitored accounts can be hijacked and used as entry points for unauthorized activities without immediate detection. | Chain-bench |
| Access Management | Limit user permissions to follow the least privilege principle | Failing to adhere to the least privilege principle can severely compromise your environment's security posture. Overly permissive settings invite operational errors and expose avenues for unauthorized or malicious activities. Limiting user permissions to only what's necessary minimizes potential points of failure and reduces the risk of data breaches or other security incidents. | Chain-bench, Legitify |

Without a Personal Access Token

The following plan item is available without a Personal Access Token:

| Category | Plan Item | Description | Security Controls |
|---|---|---|---|
| Branch Protection | Set desired branch protection configuration | Failure to configure branch protection rules leaves your repositories vulnerable to unauthorized alterations. Setting your own rules, like a minimum number of code reviewers and mandatory status checks, provides an added layer of security against flawed or malicious changes. | Jit's Branch Protection Checker |
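The checks behind the plan items in both tables above (MFA enforcement, public repository creation, least-privilege default permissions, and the reviewer and status-check rules of branch protection) can be expressed as assertions over the objects the GitHub REST API returns. The script below is an added illustration, not Jit's, Chain-bench's or Legitify's own code; the payloads are constructed samples, the mapping of "least privilege" to the org's `default_repository_permission` field, the two-reviewer minimum and the admin-enforcement check are this example's assumptions, and the dormant-user item is not covered.

```python
# Input shapes mirror two GitHub REST API responses:
#   GET /orgs/{org}                                        -> org settings
#   GET /repos/{owner}/{repo}/branches/{branch}/protection -> branch protection
# Both sample payloads are constructed for illustration, not captured from a real org.

SAMPLE_ORG = {  # constructed: MFA not enforced, public repos allowed, default "write"
    "login": "example-org",
    "two_factor_requirement_enabled": False,
    "members_can_create_public_repositories": True,
    "default_repository_permission": "write",
}

SAMPLE_PROTECTION = {  # constructed: protected, but one reviewer, no checks, admins exempt
    "required_pull_request_reviews": {"required_approving_review_count": 1},
    "required_status_checks": None,
    "enforce_admins": {"enabled": False},
}


def check_org(org, least_privilege=("none", "read")):
    """Return plan-item findings for an organization settings object."""
    findings = []
    if not org.get("two_factor_requirement_enabled"):
        findings.append("Access Management: MFA is not required for members")
    if org.get("members_can_create_public_repositories"):
        findings.append("External Exposure: members can create public repositories")
    perm = org.get("default_repository_permission")
    if perm not in least_privilege:  # assumption: only none/read count as least privilege
        findings.append(f"Access Management: default repo permission '{perm}' exceeds least privilege")
    return findings


def check_branch_protection(protection, min_reviewers=2):
    """Return findings for one branch; None models the 404 an unprotected branch returns."""
    if protection is None:
        return ["Branch Protection: branch is not protected"]
    findings = []
    reviews = protection.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < min_reviewers:
        findings.append(f"Branch Protection: fewer than {min_reviewers} required reviewers")
    if not protection.get("required_status_checks"):
        findings.append("Branch Protection: no required status checks before merge")
    if not (protection.get("enforce_admins") or {}).get("enabled"):
        findings.append("Branch Protection: rules are not enforced for administrators")
    return findings


if __name__ == "__main__":
    for finding in check_org(SAMPLE_ORG) + check_branch_protection(SAMPLE_PROTECTION):
        print(finding)
```

To run it against a live organization, fetch the two objects with a token carrying the read scopes listed under Requirements and pass them in place of the samples.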