Securing a GitHub repo is a ton of work (opens in new tab)

(codeofhonor.substack.com)

57 pointsthe_jesus_villa3y ago24 comments

24 comments

17 comments · 9 top-level

A significantly complex Github repo with CI, complex permissions, Git hooks all over, is pretty much its own software system that you have to manage, just like server management via Ansible or what-have-you.

Github does a great job at implementing sane defaults but I understand the author's point - there can be a lot to do and you usually don't know you're even supposed to worry about this until way later when security auditors file like 9001 reports about your repo settings.

jamesfinlayson3y ago

I learned yesterday that you can use Terraform to configure GitLab: https://registry.terraform.io/providers/gitlabhq/gitlab/late...

computerfriend3y ago

You can use it for GitHub too.

https://registry.terraform.io/providers/integrations/github/...

the_jesus_villaOP3y ago

Thanks for understanding. Security engineering is growing so complex. I don't know how major corps on the scale of Boeing ever achieve compliance. And even then, they have a whole market of different compliance standards to comply with.

Phew.

throwaway8922383y ago

> I don't know how major corps on the scale of Boeing ever achieve compliance.

It's not that hard. They just remove all of your agency as a user. You can push commits, open branches & pull requests, and merge if 2 people approve it. And that's it.

Want to merge? Restricted. Make a new repo? Restricted. Use a GitHub Action? Restricted. CODEOWNERS? Restricted. Branch filters? Restricted. Forks? Restricted. Releases, packages, artifacts, security, insights, settings, webhooks, environments, pages, wiki, issues? Restricted. Access a repo you aren't a member of? Restricted. Protected tags, dependency graph, dependabot, code scanning, secret scanning, deploy keys, secrets, github apps, oauth, notifications? Restricted. Stars? Restricted. And your SSO token expires every hour.

Can't get hacked if you can't do any work!

2 more replies

flockonus3y ago

> I don't know how major corps on the scale of Boeing ever achieve compliance.

Boring, repetitive software development processes that prioritizes closing potential holes vs. speed of development. When you stop to think about it, explains quite a bit of why big companies are so slow to release?

stoplying13y ago· 2 in thread

Not really. Just another substack think piece.

Complete with the living modal upsell popup ala Medium. Will people ever learn? (No, no they won't)

pjmlp3y ago

Yes, we replaced Medium spams with Substack spams.

Too much work to set up their own little blog, I guess.

derelicta3y ago

I wouldnt be surprised if it wasnt more about discoverability. Lotsa folks are tired to play The Google SEO Game and thus just give up on hosting their own content.

1 more reply

yosito3y ago· 1 in thread

TL;DR turn on signed commits and 2FA, don't commit secrets, and be careful with dependency vulnerabilities.

Doesn't really seem like "a ton of work".

stoplying13y ago

So much advice these days is "do what you're supposed to do instead of being lazy and it works out!".

necovek3y ago

Many of these have nothing to do with Git or GitHub in particular (dependabot, storing live credentials in the codebase...).

It'd be nicer if you managed to focus on the part of the Git/GitHub story: though, as a rant, it's perfectly fine :)

bombolo3y ago

> A crap link is one that's only superficially interesting. Stories on HN don't have to be about hacking, because good hackers aren't only interested in hacking, but they do have to be deeply interesting.

I'd say this link violates the rules. It says absolutely nothing new, it is shallow, has a popup.

Ayesh3y ago

GitHub does a pretty good job requiring oauth or ssh key authentication, and the new finely-grained personal access are awesome, I just switched all my apps to use more locked down PATs.

The far you reach from GitHub's ecosystem, that's where most of the vulnerabilities are.

Repo-specific deploy keys, read-only keys and branch protection are my "pro" security hardening steps.

Shoving all secrets in ENV isn't a clear improvement either. Sure, most CI services attempt to mask them, but it's trivially to extract the secrets. For GitHub, you have to approve incoming first-time PRs, but it's a huge vector someone determined can exploit.

the_jesus_villaOP3y ago

More of a rant than anything. I spend a lot of time doing this and there are so many little things you could harden a little bit.

Kind of a rabbithole of energy!

newman3143y ago

I've found StepSecurity's tooling helpful in getting my repos locked down.

* https://app.stepsecurity.io/securerepo * https://app.stepsecurity.io/

It also helps to go through the GitHub options to lock things down. Also, configure Dependabot to update "github-actions"

No affiliation. Just a happy user.

dubyabee23y ago

eeyup, Witness!

j / k navigate · click thread line to collapse

24 comments

17 comments · 9 top-level

xandre_maxwell3y ago· 5 in thread

jamesfinlayson3y ago

I learned yesterday that you can use Terraform to configure GitLab: https://registry.terraform.io/providers/gitlabhq/gitlab/late...

computerfriend3y ago

You can use it for GitHub too.

https://registry.terraform.io/providers/integrations/github/...

the_jesus_villaOP3y ago

Phew.

throwaway8922383y ago

> I don't know how major corps on the scale of Boeing ever achieve compliance.

It's not that hard. They just remove all of your agency as a user. You can push commits, open branches & pull requests, and merge if 2 people approve it. And that's it.

Can't get hacked if you can't do any work!

2 more replies

flockonus3y ago

> I don't know how major corps on the scale of Boeing ever achieve compliance.

stoplying13y ago· 2 in thread

Not really. Just another substack think piece.

Complete with the living modal upsell popup ala Medium. Will people ever learn? (No, no they won't)

pjmlp3y ago

Yes, we replaced Medium spams with Substack spams.

Too much work to set up their own little blog, I guess.

derelicta3y ago

I wouldnt be surprised if it wasnt more about discoverability. Lotsa folks are tired to play The Google SEO Game and thus just give up on hosting their own content.

1 more reply

yosito3y ago· 1 in thread

TL;DR turn on signed commits and 2FA, don't commit secrets, and be careful with dependency vulnerabilities.

Doesn't really seem like "a ton of work".

stoplying13y ago

So much advice these days is "do what you're supposed to do instead of being lazy and it works out!".

necovek3y ago

Many of these have nothing to do with Git or GitHub in particular (dependabot, storing live credentials in the codebase...).

It'd be nicer if you managed to focus on the part of the Git/GitHub story: though, as a rant, it's perfectly fine :)

bombolo3y ago

I'd say this link violates the rules. It says absolutely nothing new, it is shallow, has a popup.

Ayesh3y ago

GitHub does a pretty good job requiring oauth or ssh key authentication, and the new finely-grained personal access are awesome, I just switched all my apps to use more locked down PATs.

The far you reach from GitHub's ecosystem, that's where most of the vulnerabilities are.

Repo-specific deploy keys, read-only keys and branch protection are my "pro" security hardening steps.

the_jesus_villaOP3y ago

More of a rant than anything. I spend a lot of time doing this and there are so many little things you could harden a little bit.

Kind of a rabbithole of energy!

newman3143y ago

I've found StepSecurity's tooling helpful in getting my repos locked down.

* https://app.stepsecurity.io/securerepo * https://app.stepsecurity.io/

It also helps to go through the GitHub options to lock things down. Also, configure Dependabot to update "github-actions"

No affiliation. Just a happy user.

dubyabee23y ago

eeyup, Witness!

j / k navigate · click thread line to collapse