from Hacker News

Securing a GitHub repo is a ton of work

by the_jesus_villa on 10/21/22, 4:55 AM with 24 comments

  • by xandre_maxwell on 10/21/22, 5:00 AM

    A significantly complex Github repo with CI, complex permissions, Git hooks all over, is pretty much its own software system that you have to manage, just like server management via Ansible or what-have-you.

    Github does a great job at implementing sane defaults but I understand the author's point - there can be a lot to do and you usually don't know you're even supposed to worry about this until way later when security auditors file like 9001 reports about your repo settings.

  • by necovek on 10/21/22, 5:38 AM

    Many of these have nothing to do with Git or GitHub in particular (dependabot, storing live credentials in the codebase...).

    It'd be nicer if you managed to focus on the part of the Git/GitHub story: though, as a rant, it's perfectly fine :)

  • by bombolo on 10/21/22, 5:55 AM

    > A crap link is one that's only superficially interesting. Stories on HN don't have to be about hacking, because good hackers aren't only interested in hacking, but they do have to be deeply interesting.

    I'd say this link violates the rules. It says absolutely nothing new, it is shallow, has a popup.

  • by Ayesh on 10/21/22, 6:50 AM

    GitHub does a pretty good job requiring oauth or ssh key authentication, and the new finely-grained personal access are awesome, I just switched all my apps to use more locked down PATs.

    The far you reach from GitHub's ecosystem, that's where most of the vulnerabilities are.

    Repo-specific deploy keys, read-only keys and branch protection are my "pro" security hardening steps.

    Shoving all secrets in ENV isn't a clear improvement either. Sure, most CI services attempt to mask them, but it's trivially to extract the secrets. For GitHub, you have to approve incoming first-time PRs, but it's a huge vector someone determined can exploit.

  • by the_jesus_villa on 10/21/22, 4:55 AM

    More of a rant than anything. I spend a lot of time doing this and there are so many little things you could harden a little bit.

    Kind of a rabbithole of energy!

  • by yosito on 10/21/22, 5:40 AM

    TL;DR turn on signed commits and 2FA, don't commit secrets, and be careful with dependency vulnerabilities.

    Doesn't really seem like "a ton of work".

  • by newman314 on 10/21/22, 5:43 AM

    I've found StepSecurity's tooling helpful in getting my repos locked down.

    * https://app.stepsecurity.io/securerepo * https://app.stepsecurity.io/

    It also helps to go through the GitHub options to lock things down. Also, configure Dependabot to update "github-actions"

    No affiliation. Just a happy user.

  • by stoplying1 on 10/21/22, 5:49 AM

    Not really. Just another substack think piece.

    Complete with the living modal upsell popup ala Medium. Will people ever learn? (No, no they won't)

  • by dubyabee2 on 10/21/22, 5:04 AM

    eeyup, Witness!