As an enterprise owner, you are responsible for maintaining a strong security posture, complying with regulations, mitigating risks, and protecting intellectual property, within your enterprise. GitHub has tools that can help with that.
Storing your company's code on GitHub allows easy collaboration, tracking, and deployment from a single location. While allowing people to work in repositories with as little friction as possible is important for culture and productivity, you will want to implement some controls over people's work to ensure your code stays secure and reliable.
With GitHub Enterprise, you have access to GitHub's full range of governance features, allowing you to:
- Control how people can update code
- Govern how people can use repositories
- Monitor activity
- Detect leaked secrets
- Set up an approval process for important actions
- Detect vulnerabilities or errors in code
Protecting your branches
For important branches in your enterprise's repositories, such as branches containing production code, your compliance framework should reduce the risk of errors or malicious code entering your production environments.
With rulesets, you can apply rules that govern how people can interact with specific branches. You can also give certain users the right to explicitly bypass the rules, which provides flexibility while still making the intended restrictions clear.
Many enterprises add rules that:
- Restrict deletions, so you can be confident users won't accidentally delete the branch
- Require a pull request for all changes, so you have a paper trail and can enforce reviews
- Require status checks and deployments to succeed before merging pull requests, so you can guard against errors in production
Other rules, such as requiring signed commits or a linear commit history, are more situational and depend on your compliance requirements.
To learn more, see 关于规则集.
Governing usage of repositories
Because repositories are where your companies' code and data are stored, it's important to define how users can interact with your repositories to reduce the risk of data leaks. In your enterprise settings, you can set policies to:
- Restrict the default visibility of repositories
- Prevent non-members from being invited to repositories
- Prevent repositories from being forked or transferred outside of an organization
The goal of your policies should be to maintain your security requirements while still promoting collaboration and reducing friction for developers. For example, you could create an "open source" organization for all your enterprise's public repositories, and prevent public repositories from being created in any other organization.
To learn how to set policies, see 在企业中实施仓库管理策略.
Monitoring activity
If something goes wrong, it's important to be able to search activity in your enterprise to investigate the cause or scope of the problem.
GitHub's audit log includes detailed events related to your enterprise account, your organizations, and, if you use Enterprise Managed Users, your managed users. You can filter the audit log for themes like billing activity or search for events associated with a compromised token.
To access the audit log, see 访问企业的审核日志.
GitHub does not retain audit log data indefinitely. We recommend streaming your audit logs to an external location, which allows you to retain the data for as long as you need and query the data with external tools. See 流式处理企业审核日志.
Preventing sensitive information from reaching your codebase
To protect intellectual property and prevent security incidents, it's important to implement a system to keep sensitive information such as tokens out of your codebase.
Secret scanning
With secret scanning, you can scan your code to detect sensitive information such as API keys, passwords, and other credentials in the codebase, preventing unauthorized access and potential breaches. Secret scanning alerts you to sensitive information in your codebase, allowing you to respond appropriately by changing passwords or rotating tokens.
To learn more, see 关于机密扫描.
Secret scanning can be enabled at the enterprise, organization, and repository level. See 为设备配置密码扫描 for enablement at enterprise level.
Push protection
Additionally, you can prevent sensitive data and credentials from being accidentally pushed to repositories with push protection.
Push protection acts as a safeguard by scanning for secrets in real-time and blocking pushes that contain potentially sensitive information. Organization owners can configure push protection policies at the organization level to enforce consistent security standards across all repositories. When a push is blocked, developers receive detailed guidance on how to remediate the issue, such as removing the secret from the code.
See 关于推送保护.
Push protection can be enabled at the organization, repository, and user account level. See 为存储库启用推送保护.
Setting up an approval process for sensitive actions
You may want to set up an approval process for better control over who in your enterprise can perform sensitive actions. An approval process helps mitigate the risk of unauthorized or malicious changes, and can provide a record of who used the bypass and why, ensuring that all actions are traceable and accountable.
Note
The implementation of these approval processes can potentially cause some friction, so it's important to ensure that your security management team has adequate coverage before proceeding.
Approval processes are available for:
- Bypasses of push protection—You can choose who is allowed to bypass push protection, and add a review and approval cycle for pushes containing secrets from all other contributors. For more information about delegated bypass for push protection, see 关于推送保护委派绕过.
Identifying security vulnerabilities and errors
Many industries have regulations that require regular security assessments and vulnerability management. Code scanning helps ensure compliance with industry standards by identifying and mitigating security risks in your code, such as insecure patterns.
Code scanning can be integrated to your CI/CD pipeline, providing continuous monitoring and assessment of your codebase.
To get started quickly with code scanning, we recommend you use the default setup. See 配置代码扫描的默认设置.
Code scanning can be enabled at the enterprise, organization, and repository level. See 为设备配置代码扫描 for enablement at enterprise level.