Skip to main content
U.S. flag

An official website of the United States government

GitHub Repository Best Practices

April 23, 2024

Adhering to a set of best practices when it comes to managing GitHub repositories can greatly ease the maintenance burden and drastically improve the developer experience for websites hosted on cloud.gov Pages. This document should serve as a constructive conversation piece for agencies and not as an audit mechanism. But by utilizing certain code scanning tools, agencies may find it easier to identify and cover certain security controls within their respective Customer Responsibility Matrix (CRM). Here is a useful guide for you to get started with implementing some best practices regarding user permissions and security for your GitHub hosted repositories.

Public vs Private repositories

A repository does not need to be public in order for Pages to be able to build the website and there are no added website security benefits for private repositories; both public and private repositories are acceptable on Pages due to all branches, both public and private, being published publicly when built. When it comes to deciding whether to make your GitHub repository public or private you may consider the following items.

Public

Pros

  • Easy for Pages engineers to access the codebase and provide support/debug
  • Transparency/High visibility
  • Able to utilize CodeQL free of charge
  • Seamless OpenSSF Allstar integration
  • Collaboration with outside contributors
  • Compliance with open source and transparency initiatives per agency/program

Cons

  • Sensitive information inadvertently hardcoded is immediately visible

Private

Pros

  • Test/Make changes to a website without exposing commits to the public
  • Safeguard sensitive data such as API keys, access tokens or other credentials by using environment variables in the build runtime. Websites on Pages are all published publicly, user’s configuration settings and static site build engine factor into what is included in the site build output.

Cons

  • Not able to utilize CodeQL for free
  • Potentially out of compliance with agency/program transparency initiatives

Repository User Permissions

It is important to designate admin/owner access of the repository to one or more individuals who are either the persistent site owners or else federal employees with the “manager” role within the Pages organization. It is strongly recommended to not grant admin/owner privileges of the repository to any contractors or other temporary employees. This is because in certain instances where actions will need to be taken by either Pages engineers or by customers that require an active user with admin access to a website’s repository. Additionally, when adding contributors or collaborators to a private repository it should mirror the member count that your organization has within Pages. Please note that removing an organization member from an organization within Pages will not automatically remove them from the repository within GitHub. They will still retain whatever read/write access they have in GitHub until explicitly removed.

GitHub Repository Security

Dependabot

Dependabot is a useful and highly configurable automated dependency management tool which assists developers with keeping third-party dependencies up-to-date with their latest version. This can benefit smaller developer teams by reducing maintenance overhead. Dependabot scans the repository for outdated dependencies and generates pull requests against whatever branch it is enabled on to update them. Check out our knowledge base article on Dependabot to learn how to enable and configure it for your repository.

Branch Protection

Branch protection is a security feature within GitHub that limits users with write and push access the ability to push directly to any branch where branch protections are enabled. This includes but is not limited to requiring a pull request to merge code, setting the number of pull request reviews required, requiring status checks, dismissing approvals and other configuration options. With good branch protection settings you can protect your repository from an attack by a malicious actor with the stolen credentials from a single maintainer of that repository.

OpenSSF Allstar

Allstar is an open source security tool which monitors organizations and repositories within GitHub for adherence to security best practices and improves the security posture for those organizations. It achieves this by continuously scanning repositories for any breach of enabled security policies and then raising an alert for any security remediation findings. This alert can be in the form of a GitHub issue or another type of configured action. In some instances Allstar can automatically resolve the issue on the admin/owner’s behalf.

Additional Advanced Feature Settings for GitHub Repository Security

CodeQL

CodeQL, a GitHub open source security application, is a code analysis tool that automatically finds security vulnerabilities and other software bugs in codebases. Although primarily used for security analysis it can also be used for general code quality analysis as well. It is important to again note that CodeQL is only free to use on public repositories and GitHub Advanced Security must be purchased/enabled in order to utilize the tool on private repositories.

Signed Commits

In conjunction with good user permissions practices and as an added layer of security you can ensure that only commits by members of your Pages organization are made to the repository by having them signed and then verified by GitHub. This increases the authenticity and integrity of your repositories’ commit history, especially for those repositories which are public facing. There are various methods when it comes to implementing commit signing so be sure to review them in full detail.

Suggest edits

cloud.gov

An official website of the U.S. General Services Administration

Looking for U.S. government information and services?
Visit USA.gov