# 5 steps to enforce security on your GitHub organization's repositories

5 steps to enforce security on your GitHub organization's repositories

Published by Guillaume Meyer  a year ago, tagged as github security

We at SalesTim know you care about how your personal information is used and shared, and we take your privacy seriously by implementing the most rigorous practices for our developments.
Therefore we know that keeping your data safe is a full-time job.

Discover 5 easy to implement steps to enforce security on your GitHub organization's repositories:

Step Action Check
1 Verify your organization's domain GitHub verified domains badge
2 Require two-factor authentication GitHub 2FA badge
3 Configure protected branches GitHub protected branches
4 Enable automated security alerts GitHub Security Alerts
5 Configure automated security fixes GitHub Security fixes


# 1. Verify your organization's domain

GitHub verified domains badge

In GitHub, you can verify the domains controlled by your organization to confirm your organization's identity.

After verifying ownership of your organization's domains, a "Verified" badge will display on the organization's profile. You can also define your verified domains from your organization settings.

Note: If the email address and website shown on your organization's profile use variants of the same domain, you must verify both variants. For example, if your organization's profile shows the website www.example.com and the email address info@example.com, you would need to verify both www.example.com and example.com.

Learn more about verifying your organization's domain... (opens new window)

Why switch to the Corporate Terms of Service?

The Standard Terms of Service is an agreement between GitHub and you as an individual. To enter into an agreement with GitHub on behalf of you company organization owners can upgrade to the Corporate Terms of Service.

Benefit: If your organization is on GitHub Enterprise Cloud and has agreed to the Corporate Terms of Service, organization owners will be able to verify the identity of organization members by viewing each member's email address within the verified domain.

Learn more about upgrading to the Corporate Terms of Service... (opens new window)

# 2. Require two-factor authentication

GitHub 2FA badge

Organization owners can require organization members, outside collaborators, and billing managers to enable two-factor authentication for their personal accounts, making it harder for malicious actors to access an organization's repositories and settings.

You can enforce 2FA from your organization settings.

Learn more about requiring two-factor authentication... (opens new window)

# 3. Configure protected branches

GitHub protected branches

Protected branches ensure that collaborators on your repository cannot make irrevocable changes to branches. You can define your branch protection rules from your repository settings.
Enabling protected branches also allows you to enable other optional checks and requirements, like required status, security checks and required reviews.

Learn more about protected branches... (opens new window)

# 4. Enable automated security alerts

GitHub Security Alerts

GitHub automatically tracks public vulnerabilities in packages from supported languages on MITRE's Common Vulnerabilities and Exposures (CVE) List, and use a combination of machine learning and human review to detect vulnerabilities that are not published in the CVE list.

When GitHub discovers or is notified of a new vulnerability, the SalesTim engineering team is notified with a security alert. Each security alert includes a severity level and a link to the affected file in our projects. When available, the alert will include further details about the vulnerability and a suggested fix.
Any alert of any severity breaks our build and deployment process until resolution.

To enable security alerts, you must enable GitHub Data Services at the repository level.

Learn more about Security Alerts... (opens new window)

# 5. Configure automated security fixes

GitHub Security fixes

Following the acquisition and integration of Dependabot, GitHub monitors our app dependencies for known security vulnerabilities and automatically open pull requests to update them to the minimum required version.

Read the announcement... (opens new window)

Automated security fixes update vulnerable dependencies to the minimum version that resolves the vulnerability. They are automatically enabled in repositories that use the dependency graph and security alerts, but you can choose to disable automatic pull requests and generate security fixes manually instead.

Automated security requests contain information about the vulnerability, such as release notes, changelog entries, and commit details, but also compatibility scores, which show developers how likely it is for the security update to cause breaking changes to their project.

Note: Automatic security fixes are available in beta. You can enable automatic security fixes for any repository that uses security alerts and the dependency graph.

Learn more about configuring automated security fixes... (opens new window)

# To go further

GitHub brings to the table a lot of options to enforce your organization and repositories security, therefore these 5 easy to implement steps are just the beginning of an epic journey.
Here are a few other areas of investment that we're currently working on that may interest you, so stay tuned for later posts.

# a. Enforce SAML single sign-on

Benefits: If you enforce SAML SSO in your organization, any members, including admins who have not authenticated via your SAML identity provider (such as Microsoft Azure AD at SalesTim), will be removed from the organization and will receive an email notifying them about the removal.
Bots and service accounts that do not have external identities set up in your organization's IdP will also be removed.

Note: This feature is only available with GitHub Enterprise Cloud.

Learn more:

# b. Enable required commit signing

Repository administrators can enforce required commit signing on a branch to block all commits that are not signed and verified. Before enabling required commit signing on a branch, you must first set the branch up as a protected branch.

Learn more about required commit signing... (opens new window)

# c. Use GitHub Package Registry

GitHub Package Registry is fully integrated with GitHub, so you can use the same search, browsing, and management tools to find and publish packages as you do for your repositories.
You can also use the same user and team permissions to manage code and packages together.

Learn more about GitHub Package Registry... (opens new window)