As an enterprise owner, you are responsible for maintaining a strong security posture, complying with regulations, mitigating risks, and protecting intellectual property, within your enterprise. GitHub has tools that can help with that.
Storing your company's code on GitHub allows easy collaboration, tracking, and deployment from a single location. While allowing people to work in repositories with as little friction as possible is important for culture and productivity, you will want to implement some controls over people's work to ensure your code stays secure and reliable.
With GitHub Enterprise, you have access to GitHub's full range of governance features, allowing you to:
- Control how people can update code
- Govern how people can use repositories
- Monitor activity
- Detect leaked secrets
- Set up an approval process for important actions
- Detect vulnerabilities or errors in code
Protecting your branches
For important branches in your enterprise's repositories, such as branches containing production code, your compliance framework should reduce the risk of errors or malicious code entering your production environments.
With rulesets, you can apply rules that govern how people can interact with specific branches. You can also give certain users the right to explicitly bypass the rules, which provides flexibility while still making the intended restrictions clear.
Many enterprises add rules that:
- Restrict deletions, so you can be confident users won't accidentally delete the branch
- Require a pull request for all changes, so you have a paper trail and can enforce reviews
- Require status checks and deployments to succeed before merging pull requests, so you can guard against errors in production
Other rules, such as requiring signed commits or a linear commit history, are more situational and depend on your compliance requirements.
To learn more, see ルールセットについて.
Governing usage of repositories
Because repositories are where your companies' code and data are stored, it's important to define how users can interact with your repositories to reduce the risk of data leaks. In your enterprise settings, you can set policies to:
- Restrict the default visibility of repositories
- Prevent non-members from being invited to repositories
- Prevent repositories from being forked or transferred outside of an organization
The goal of your policies should be to maintain your security requirements while still promoting collaboration and reducing friction for developers. For example, you could create an "open source" organization for all your enterprise's public repositories, and prevent public repositories from being created in any other organization.
To learn how to set policies, see Enterprise でリポジトリ管理ポリシーを適用する.
Monitoring activity
If something goes wrong, it's important to be able to search activity in your enterprise to investigate the cause or scope of the problem.
GitHub's audit log includes detailed events related to your enterprise account, your organizations, and, if you use Enterprise Managed Users, your managed users. You can filter the audit log for themes like billing activity or search for events associated with a compromised token.
To access the audit log, see 企業の監査ログにアクセスする.
GitHub does not retain audit log data indefinitely. We recommend streaming your audit logs to an external location, which allows you to retain the data for as long as you need and query the data with external tools. See Enterprise の監査ログのストリーミング.
Preventing sensitive information from reaching your codebase
To protect intellectual property and prevent security incidents, it's important to implement a system to keep sensitive information such as tokens out of your codebase.
Secret scanning
With secret scanning, you can scan your code to detect sensitive information such as API keys, passwords, and other credentials in the codebase, preventing unauthorized access and potential breaches. Secret scanning alerts you to sensitive information in your codebase, allowing you to respond appropriately by changing passwords or rotating tokens.
To learn more, see シークレット スキャンについて.
Secret scanning can be enabled at the enterprise, organization, and repository level. See アプライアンスのシークレットスキャンを設定する for enablement at enterprise level.
Push protection
Additionally, you can prevent sensitive data and credentials from being accidentally pushed to repositories with push protection.
Push protection acts as a safeguard by scanning for secrets in real-time and blocking pushes that contain potentially sensitive information. Organization owners can configure push protection policies at the organization level to enforce consistent security standards across all repositories. When a push is blocked, developers receive detailed guidance on how to remediate the issue, such as removing the secret from the code.
See プッシュ保護について.
Push protection can be enabled at the organization, repository, and user account level. See リポジトリのプッシュ保護の有効化.
Identifying security vulnerabilities and errors
Many industries have regulations that require regular security assessments and vulnerability management. Code scanning helps ensure compliance with industry standards by identifying and mitigating security risks in your code, such as insecure patterns.
Code scanning can be integrated to your CI/CD pipeline, providing continuous monitoring and assessment of your codebase.
To get started quickly with code scanning, we recommend you use the default setup. See コード スキャンの既定セットアップの構成.
Code scanning can be enabled at the enterprise, organization, and repository level. See アプライアンス用コードスキャンの構成 for enablement at enterprise level.