6 min read

Securing GitHub: How to Keep Your Code and Pipelines Safe from Hackers

Featured Image

GitHub is one of the most widely used software development platforms. You’d be hard-pressed to find a developer or a business that has never used or heard of GitHub. GitHub’s open-source nature makes it easy for communities of developers to collaborate, but also makes it easy for bad actors to exploit vulnerabilities in the code or the platform.

 

Why Securing your GitHub Operation Is a Must for Everyone

If you’re a GitHub user, then you are dealing with GitHub security risks whether you recognize it or not. And unfortunately, performing a periodic GitHub security audit or having an escalation/crisis response plan for GitHub security breaches isn’t nearly enough.

For example, in community-driven projects, new code is constantly being pushed and merged. Each commit may leak potentially sensitive company data, expose vulnerable sections of code that can be exploited in the wild, or even create (whether accidentally or on purpose) new vulnerabilities in the code. Trying to catch these incidents using an offline process will often result in failure to catch them in time.

Dealing with these security breaches after exposure isn’t ideal either. A publicly disclosed vulnerability affecting your code, like Log4Shell, can cause massive damage to your customers, business operations, and brand. And by the time you’ve realized that your SSH keys have been leaked for example, an attack on your company’s broader infrastructure could be well underway.

Instead, you need to take preventative measures to ensure you’re not creating or overlooking potential vulnerabilities lurking in your code. Identifying and dealing with these vulnerabilities early in the development phase by utilizing specialized security tools and correctly enforcing their usage can save you time and money and protect your reputation so your business can thrive.

Use These Essential Security Tools to Secure Your GitHub Operation

There are many types of security tools and code scanning tools in the market that you can use to accomplish this. Not all of these tools were created equal, and each caters to different areas of vulnerability in your development process and targets a different technology or programming language. Some tools, such as SAST scanners, seek to find vulnerabilities in the code you write by statically analyzing it to find vulnerable patterns. Other tools, such as SCA scanning tools, seek to map out other software dependencies within your software, such as pointing out vulnerabilities in upstream libraries that are used by your code.

A large portion of these tools could be called “point solutions”, because they focus on specific (although important) types of vulnerabilities in your codebase. Some vendors acquire a portfolio of these point solutions, aiming to be a one-stop shop for securing your development operation with the option to cover many functionalities and risk categories. Picking the right set of security tools is important to help protect you from all the security risks that developing on GitHub exposes you to. Because GitHub has a large attack surface area and keeps growing, this isn’t a trivial decision.

In this article, we’ll cover two solutions for securing your GitHub operation – GitHub Advanced Security, and the Legit Security platform.

GitHub Code Security and GitHub Advanced Security (GHAS)

GitHub Code Security is a collection of scanners, configurations, and features used by GitHub to aid the process of securing your development process in GitHub.

Some of these are included in all GitHub licensing plans, while other security features require a GitHub Advanced Security license to run on private and internal repositories. In addition, all GitHub Advanced Security features are included for public repositories.

Vulnerability Disclosure and Patching

Security policies and advisories allow you to define and publicize “rules of engagement” for reporting and patching vulnerabilities in the repository’s code, including an option to create temporary private forks of the project in order to assist with the development of patches.

Dependency Management with “Dependabot”

Dependabot utilizes open-source dependency scanning to notify you when a vulnerability has been disclosed for an upstream dependency. This is done by comparing each of the projects’ dependencies version against the GitHub Advisory Database, which documents vulnerabilities that were publicly reported for a wide range of dependencies.

Dependabot security updates generate automatic pull requests for security updates in dependencies that were reported as vulnerable. Dependabot version updates do the same, except for every version update that is released for a dependency, without checking if the current version is vulnerable first.

The Dependency graph allows you to visually see a code project’s dependencies and makes it easier to identify the usage of different packages. Finally, Dependency review can supply data about the dependency changes between subsequent commits, and optionally allows you to block merging vulnerable versions of dependencies.

Security risks in code

Secret scanning helps you remediate and deal with leaked secrets and credentials that were found in code. This is done using a partnership between GitHub and specific vendors. After using token scanning to find potential secrets, they are handed to the relevant vendor, which determines the course of action if they are indeed found valid, whether it be automatically revoking the secret or contacting you directly.

GitHub code scanning uses GitHub’s CodeQL infrastructure, based on technology from GitHub’s acquisition of Semmle, allowing analysis of a project’s source code and running custom queries against it.  This can be facilitated to detect vulnerable patterns and create security alerts if any are found.

To summarize , GitHub Code Security gives repository and organization owners a set of powerful tools that can significantly improve their security posture, albeit a large portion of them are pretty involved technically and demands a degree of expertise to operate effectively.

In addition, many GitHub security features are still managed on a per-repository basis, lacking high-level overviews, making it difficult to manage code security in larger and more complex software organizations using GitHub from a "single pane of glass".

Securing GitHub

Legit Security

The Legit Security platform also aims to help software organizations secure their broader software supply chain environment inclusive of the CI/CD pipeline, the systems and infrastructure within those pipelines, and the code and people that operate within it. The Legit Security platform includes a feature rich integration with GitHub Cloud, GitHub Enterprise Server, as well as several other Source Code Management systems (SCM), build servers, and artifact repositories.

Some features not found in GitHub Advanced Security, such as secret scanning, are included by default in Legit. Legit Security’s repository secret scanning recognizes and categorizes secrets found in code, checks their validity against the supplying vendor where applicable, and notifies you directly in order to eliminate or shorten the time of exposure.

Pull request checks are an additional option that enables running secret scanning automatically at the pull request level, blocking the merging of secrets with the main branch, where they are most exposed.

Importantly, Legit Security also aids in configuring your GitHub organizations and repositories correctly. GitHub includes many configuration options to tailor a secure development policy that is right for you. However, building and enforcing this properly can prove difficult and requires intimate knowledge of GitHub. Accordingly, Legit Security comes with a pre-baked set of optimal security policies and tracks enforcement of these policies individually, or using calculated aggregate scores to understand the overall security posture of your repository or organization immediately.

Legit Security also includes descriptions and remediation suggestions for each potential security flaw, helping you resolve incidents without the need to research additional technical material and instructions. This applies not just to GitHub, but to all of the other systems and infrastructure that Legit Security supports spanning SCMs, build servers, and artifact repos. In this regard, Legit Security is providing security coverage across the broader supply chain and not just the SCM. 

Another layer of protection included with Legit Security is supply chain pipeline scanning. Legit Security scans to find code patterns that expose you to software supply chain risks, such as using mutable image tags. Safe development pipeline patterns can protect you from falling victim to major supply chain security incidents, such as the Codecov incident. Legit Security also scans for other security controls across pipelines, such as SAST and SCA tools, and reports on their placement and any associated gaps in coverage.  

Lastly, as mentioned above, one of the difficulties in managing security features in GitHub is that many of them are applied on a per-repository basis. Legit Security provides dashboards and organization-wide overviews, allowing you to quickly identify which repositories are not covered by Dependabot, for example, or to track the number of open Dependabot alerts.

Overall, Legit Security is a boarder and more complimentary solution to your usage of GitHub code security, giving you a layer of governance over the use of GitHub security features and adding a broader range of missing capabilities to assure a safe software supply chain environment.

Don’t Wait to Secure Your Infrastructure with Legit Security’s GitHub Integration

GitHub is one of the most widely used and easily accessible development platforms that enables developers around the globe to collaborate effectively and quickly. However, this flexibility and freedom does not come for free, as many unchecked development practices will exposes you to security risks that can damage operations, open the door to embed vulnerabilities in your source code, and cost your organization valuable time, money, and brand damage.

Fortunately, there has been significant development of repository security tooling and code scanning tools and that can help you stay one step ahead of the bad guys.

GitHub comes pre-loaded with many valuable security controls, customizable policies and scanners, some of which are available free-of-charge, and some of which require purchasing an additional license.

Implementing GitHub code security effectively across your organization takes time and effort but is a must for modern development. Legit Security can help make this process easier for GitHub and a range of other SCMs, build servers, and artifact repositories in your software supply chain.

Secure Your Code & Infrastructure Today!

Related Blogs

Novel Pipeline Vulnerability Discovered; Rust  Found Vulnerable

The Legit Security Research Team discovered a new class of software supply chain vulnerabilities that leverages artifact poisoning and attacks the...

Read More

Top Software Supply Chain Security Solution Approaches: Pros and Cons

What are different solution approaches to software supply chain security and what are the Pros and Cons for your organization? What is the modern...

Read More

1 min read

Critical and Time Sensitive OpenSSL Vulnerability - The Race Between Attackers and Defenders

Update: On November 1st the OpenSSL project maintainers released their fix for the vulnerabilities. There were two vulnerabilities discovered. After...

Read More