This document outlines the compliance and security features of the platform.
The following table maps the features of the GitHub Foundations Toolkit to the PBMM controls.
Item | What | Where | Controls | Open-Source Alternative |
---|---|---|---|---|
Encrypted Secrets | Uses the GitHub public key to encrypt secrets. Secrets must be encrypted to be used. | | IA-5(c)(e)(h)(i), IA-5(1)(c), IA-5(6), IA-5(7), SC-8(1), SC-12, SC-13, SC-17 | |
Vulnerability Alerts | | | SI-4(5), SI-4(7), SI-10 | |
Secret Scanning | Scanning of the repo for secrets | | AC-22, IA-5(7), IR-9, SI-4(5), SI-4(7), SI-10 | |
Advanced Security | | | SI-4(5), SI-4(7), SI-10 | |
Protected Branches Ruleset - Pull Requests | | | CM-3, CM-4, CM-5, SI-10, SI-12 | |
Protected Branches Ruleset - Signed Commits (TODO - not currently validated) | | | IA-2, IA-2(11), IA-8, IA-8(100), SC-8, SC-8(1), SC-13 | |
Export Audit Material | Audit material is exported in JSON format, or there are instructions on how to obtain logs by other means. See here. | GH Action | AC-2(4), AC-6(9), AC-17(1), AU-2, AU-6, SI-4 | |
Delete branches on merge | Branches are configured to be deleted after a PR is merged | | SI-12 | |
Repository Creation Restrictions | Users can: | | AC-20(3), AC-22 | |
Predefined Roles | Predefined roles include: | | AC-2, AC-16(2) | |
Drift Detection | Tool used to detect if the Terraform state has drifted from what is stored in source control | | CM-2, CM-3(f)(g), CM-5, CM-6(c)(d), CM-9(d) | |
Resource Deletion Protection | An action that forces a user to acknowledge Terraform plan deletions before performing them | | AC-16(2), CM-3, CM-4, CM-5, CM-6(d), CM-9, SI-10 | |
Detect whether GHAS enabled | For public repositories, and repos with GHAS purchased, we recommend that it be turned on. This GH Action runs daily at 2am to check that the setting is enabled in all eligible repos | GH Action | IA-5(7), SI-4(5), SI-4(7), SI-10 | |
Documentation - Creating resources | The documentation for the GHF toolkit includes the relevant documentation that describes authentication methods for users signing into your enterprise, how to create organizations and teams for repository access and collaboration, and suggested best practices for user security | READMEs | AC-5, AC-6 | |
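The deletion gate described in the Resource Deletion Protection row above, as an added example that is not the toolkit's own code: it reads the JSON form of a Terraform plan (`terraform show -json plan.out`), lists every resource the plan would destroy or replace, and refuses to continue unless each address was explicitly acknowledged. The sample plan is constructed, and the comma-separated acknowledgement list (an `ACK_DELETIONS`-style action input) is an assumption.

```python
"""Added example (not the toolkit's own code): the check a Terraform
resource-deletion-protection step can run before `terraform apply`."""
import json

# Constructed sample of `terraform show -json` output, trimmed to the fields
# the check uses. ["delete"] is a destroy; ["delete", "create"] is a replace.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "github_repository.app",
         "change": {"actions": ["update"]}},
        {"address": "github_branch_protection.main",
         "change": {"actions": ["delete"]}},
        {"address": "github_team.platform",
         "change": {"actions": ["delete", "create"]}},
        {"address": "github_repository.docs",
         "change": {"actions": ["no-op"]}},
    ],
})


def planned_deletions(plan_json: str) -> list[str]:
    """Return the addresses of resources the plan would destroy or replace."""
    plan = json.loads(plan_json)
    return sorted(
        rc["address"]
        for rc in plan.get("resource_changes", [])
        if "delete" in rc.get("change", {}).get("actions", [])
    )


def unacknowledged(plan_json: str, acknowledged: str) -> list[str]:
    """Deletions not covered by the comma-separated acknowledgement list
    (the ACK_DELETIONS input is an assumed name, not a toolkit input)."""
    acked = {a.strip() for a in acknowledged.split(",") if a.strip()}
    return [addr for addr in planned_deletions(plan_json) if addr not in acked]


def gate(plan_json: str, acknowledged: str) -> bool:
    """True when the apply may proceed; False after reporting each miss
    as a GitHub Actions error annotation."""
    missing = unacknowledged(plan_json, acknowledged)
    for addr in missing:
        print(f"::error::plan destroys {addr} but it was not acknowledged")
    return not missing


if __name__ == "__main__":
    # Acknowledging only one of the two deletions must block the apply.
    raise SystemExit(0 if gate(SAMPLE_PLAN, "github_team.platform") else 1)
```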
The following controls are met by GitHub by default and are not explicitly implemented in the toolkit:
Item | What | Where | Controls | Open-Source Alternative |
---|---|---|---|---|
Account dormancy policy | GitHub accounts are marked dormant, and made inactive after 90 days of inactivity for Enterprise accounts | Managing Dormant Accounts | AC-2(3) | |
HTTPS and SSH access | GitHub enforces the use of HTTPS and/or SSH for committing and pulling code | GitHub Docs | AC-17(2), SC-8, SC-8(1), SC-12, SC-13, SC-17 | |
Inside the toolkit, we strive to provide the most up-to-date security features that GitHub has to offer. Below is a table that shows the status of the features that we support in the toolkit.
- The Status column is the status of implementing the GitHub feature in the toolkit.
- The Provider Status column is the status of the feature in the Terraform GitHub Provider.
- The GH API Status column is the status of the feature in the GitHub API.
Feature | Status | Provider Status | GH API Status | Side Notes |
---|---|---|---|---|
Encrypted secrets | ✅ | ✅ | ✅ | We don't handle encryption directly, but secrets are encrypted with GitHub private keys |
Vulnerability alerts | ✅ | ✅ | ✅ | |
Private vulnerability reporting | ❌ | ❌ | ✅ | |
Secret scanning | ✅ | ✅ | ✅ | |
Secret scanning push protection | ✅ | ✅ | ✅ | |
CodeQL codescanning | ❌ | ❌ | ✅ | |
Rulesets | ✅ | ✅ | ✅ | Although the GitHub documentation lists it as a capability in the API, there are some limitations. For example: organization rulesets can define workflows that must be completed for the ruleset to be considered passed, but this is not possible for repository rulesets. |
Commit signing enforcement | ✅ | ✅ | ✅ | |
Delete branches on merge | ✅ | ✅ | ✅ | |
Repository creation restrictions | ✅ | ✅ | ✅ | |
Custom Repository Roles | ✅ | ✅ | ✅ | |
Custom Organization Roles | ❌ | ❌ | ✅ | Confusing, because there is a Terraform resource named github_organization_custom_role, but that resource actually creates custom repository roles. Custom organization roles have not been implemented, although the GH API does support them. |
Deploy Keys | ❌ | ✅ | ✅ | |
Organization Member Base Permissions | ✅ | ✅ | ✅ | |
Custom Properties | ❌ | ❌ | ❌ | |
2FA | ❌ | ❌ | ❌ | Not exposed by the API. This setting is completely manual |
SAML SSO | ❌ | ❌ | ❌ | Not exposed by the API. This setting is completely manual |
Team Synchronization | ❌ | ✅ | ✅ | |
Learn how to enable audit logs for your GitHub Enterprise account to track user activity and changes made to your organization.
- For GitHub Enterprise Audit logs, see GitHub's documentation.
- To query the audit log API for your GitHub Enterprise, see GitHub's documentation.
- For Organization Audit logs, see GitHub's documentation.
A GitHub Workflow is run daily to export the audit logs to a JSON file. The JSON file is then uploaded to the action's output artifacts. The JSON file can be downloaded from the artifacts tab in the GitHub Actions page.
To export GitHub Enterprise audit logs to Azure Sentinel, follow the steps found here.
The Azure Marketplace offers the Microsoft Sentinel - Continuous Threat Monitoring for GitHub (Preview) connector to help you get started.
GitHub supports the streaming of audit logs to other platforms. The list of currently supported platforms is: