DEV Community

Cover image for GitHub Security Best Practices Every Developer Should Know
Suraj Vishwakarma
Suraj Vishwakarma

Posted on • Updated on

GitHub Security Best Practices Every Developer Should Know

Introduction

GitHub has emerged as the leading platform over the years for collaboration and sharing codes with the world. Code is hosted on the platform which makes it necessary that the GitHub should be secured. As developers, safeguarding our repositories, projects, and sensitive data is not just an option but an imperative.

GitHub provides many features and functionality that can help to ensure the security of projects hosted on its platform. But for a beginner, it can get challenging to look into those security features. Navigating these tools and implementing best practices can be daunting without proper guidance.

Today, we are going to look into different best practices that you in implement to secure your GitHub account. By following these, you avoid any security vulnerabilities that can expose credentials.

So, let’s get started.

1. Enabling Two-factor Auth

2FA adds an extra layer of protection by requiring a secondary verification step. This can be receiving OTP on email/mobile phone. This is an effective method to not allow unauthorized access to your GitHub account despite any credentials leak. GitHub has made it mandatory for all the users who contribute code to enable at least one form of two-factor authentication.

You can enable the 2FA by navigating Settings→ Security→Set up two-factor authentication on the GitHub website. You can choose the method that you want to enable such as SMS or Authentication App.

2. Regularly Update Dependencies

Regularly updating dependencies in your project that are hosted on GitHub is a crucial step in achieving security and stability in your project. Most of the libraries that you install in your project update regularly to add new features, remove bugs, and also address any vulnerabilities that are present in the last update. Failing to update dependencies can leave your project susceptible to security breaches or hindered functionality due to outdated or unsupported components.

You can automate dependency checks with CI(Continuous integration) pipelines that can regularly scan for any outdated dependencies and notify you of available updates. You can also regularly schedule dependency reviewing and updating in your timeline.

3. Review pull Requests Carefully

As a beginner developer, you might neglect security when you are more excited about your contribution. If any developer made PR in your repository, especially in times of Hacktoberfest then merging it without prior checks can cause danger to your system. Thus reviewing pull requests carefully is an essential practice for ensuring the quality, security, and maintainability of code changes in your GitHub repositories.

You can consider following practices while conducting any PR reviews

  • Understand the Scope and Objectives
  • Examine Code Changes Thoroughly
  • Check whether any unnecessary piece of code or file present in the PR
  • Run on the browser if possible before running locally

4. Avoid Storing Secrets in Code

It is quite common for beginner developers to push secrets along with code to GitHub. Github regularly scans for any kind of secrets that are pushed to the platform. Storing secrets in code poses significant risks, as it increases the likelihood of accidental leakage through version control systems, code sharing, or other means.

You should not put your API keys directly in the code but should use .env file to store and access API keys. Use .gitignore file to not push unnecessary and .env files that are pushed to GitHub.

5. Rotate Personal Access Tokens

If you have generated personal access tokens for any project then you should regularly update the access token. Rotating personal access tokens is a critical security practice that helps mitigate the risk of unauthorized access and enhances the overall security posture of your GitHub account and associated repositories.

Generating Personal Access Token

You can add a schedule in your timeline to rotate the token regularly. You can automate token rotation with tools that reduce the manual overhead and ensure timely token updates.

6. Security Testing while deploying

Performing security testing while can ensure that no form of vulnerabilities should be present in code while deploying to production. Integrating security testing into the deployment process enables organizations to proactively assess the security posture of their applications, detect security flaws early in the development lifecycle, and reduce the risk of security breaches.

Security test

You can use tools that automate the testing while deploying. Automating security testing helps ensure consistent coverage and timely feedback without slowing down the deployment process.

7. Tools to Use for Security

Here is a list of some tools that you can use to enable security in your GitHub account.

  • Synk: Snyk enables developers to build securely from the start while giving security teams complete visibility and comprehensive controls. It can help in finding any vulnerabilities in your code.
  • Gitpod: It provides a Chrome extension that opens a VS Code-based IDE right in your browser. It is best for running the project in your browser without setting up and running locally.
  • Dependabot: It is an automated dependency management tool integrated with GitHub repositories. It regularly scans projects for outdated dependencies and automatically creates pull requests to update them, helping developers keep their dependencies up-to-date and secure.
  • GitGuardian: GitGuardian monitors your GitHub repositories for sensitive data leaks, such as API keys, credentials, and other secrets, helping you prevent unauthorized access and data breaches.

You can mention any other tool below that is used to ensure GitHub security.

Connect with Me

Conclusion

By implementing these best practices, you can avoid any security vulnerabilities, protect sensitive data, and foster a culture of security-conscious development. Enabling two-factor authentication adds an extra layer of protection, while regularly updating dependencies, reviewing pull requests carefully, and avoiding storing secrets in code helps maintain the integrity and stability of your projects. Additionally, rotating personal access tokens and performing security testing during deployment further enhance the security posture of your GitHub repositories.

Tools such as Snyk, Gitpod, Dependabot, and GitGuardian can provide additional layers of security and support in safeguarding your code and sensitive information.

I hope this article has helped you understand different methods through which you can protect your GitHub account. Thanks for reading the article.

Top comments (6)

Collapse
 
mattryanmtl profile image
Matt Ryan

Thanks for the article. Very informative.

Collapse
 
surajondev profile image
Suraj Vishwakarma

You're welcome! I'm glad you found the article informative.

Collapse
 
flxg profile image
Felix Garriau

aikido.dev/ is also a great option to enable security! 😉

Collapse
 
surajondev profile image
Suraj Vishwakarma

Thank you for sharing aikido.dev as another option to enhance security!

Collapse
 
ricardogesteves profile image
Ricardo Esteves

Nice articles, thank you for sharing it!

Collapse
 
vikranth3140 profile image
Vikranth U

Informative article, thanks a lot