GitHub Repositories Threat Model
Scenario overview
Source code repositories are a prime target by threat actors to ultimately compromise an application or system. This threat model aims to identify and mitigate the risks associated with GitHub repositories.
The threat model is tightly scoped to the Source Integrity section of Supply Chain Security as illustrated in the left side of the diagram below. The scope informs both the threat actors and the threats themselves. The threat actors may contain threats within themselves which highlights the various ways a threat actor could gain access to a GitHub repository.
System analysis
GitHub has the role of a multifaceted platform acting not only as the sole source code repository but as something that encompasses version control, project management, CI, issue and bug tracking, automation, etc.
There are a number a ways both humans and machines authenticate and interact with GitHub
GitHub Account
Okta Session
Personal Access Tokens and SSH keys
Enterprise Apps
3rd Party Apps
Non-MFA Service Accounts
There are a number of these authentication mechanisms that reside outside of a company’s trust boundary. There is an extension of the trust boundary which is identified by having limited control mechanisms in place. For example, once an access token has been created and granted access, there is no control over the token from the customer’s organization.
There are a number of public repositories which require extra controls compared to the private repositories where anyone on the Internet can access them where it’s possible to submit a change to the code. There are a number of “types” of repositories
Repos that contain code that is shipped to a customer or pushed internally
Repos that are essential to the supply chain where they’re responsible for backporting or maintaining services
Repos that are not officially supported by the customer but are free for a customer or the community to download and run
Repos that are not products or offerings - anything else etc.
Beyond authentication there are a number of roles within a GitHub repository, there is the concept of GitHub teams which can be assigned a role, and there are outside contributors.
Methodology
The threat modeling follows the GitHub Threat Modelling Framework where at a high level the following questions are addressed:
What are we working on?
What can go wrong?
What are we going to do about it?
Did we do a good enough job?
The process starts with system decomposition where it is broken into components which involves producing a diagram. Then identifying assets, trust boundaries, threat actors, and existing controls that are in place. Threat enumeration is next, analyzing each threat and producing suggested mitigations against those threats.
Threat actors
TA-01 A threat actor with Internet access
TA-02 A threat actor who has a GitHub Account
TA-03 An threat actor who is an outside collaborator
TA-04 A threat actor who has gained access to an employee’s GitHub credentials
TA-05 A threat actor who has gained access to an employee’s Okta session
TA-06 A threat actor who has gained access to a GitHub token (inc. SSH keys, PAT, etc.) which is authenticated against a customer org
TA-07 A threat actor who has compromised a third-party GitHub application
TA-08 A threat actor who has exploited a misconfigured or vulnerable GitHub Enterprise application
TA-09 A threat actor who is an insider e.g. a user who makes a mistake, a disgruntled employee, or contractor
Threats
T-01 A threat actor searches public repositories with the goal of finding valid secrets e.g. password, access token, API key, etc.
T-02 A private repository is accessed by an unauthorized threat actor
T-03 A threat actor can change settings in the “Danger Zone”, unintentionally or maliciously
T-04 A threat actor modifies or deletes an important branch’s commit history, unintentionally or maliciously
T-05 A threat actor submits an unauthorized change
T-06 A threat actor approves and merges their own pull request (PR) to an important branch
T-07 A threat actor compromises a customer’s GitHub repository
T-08 A threat actor exploits a misconfigured GitHub Workflow or Action
Threat analysis and recommendations
Access controls restrict who can access the repository and what actions they can perform. This minimizes the attack surface and limits the potential for unauthorized changes.
Branch protection ensures that certain branches, especially critical ones like the main production branch, have strict controls in place. This helps prevent hasty or unauthorized merges.
Authentication measures, especially MFA and strong password policies, protect user accounts and make it more challenging for unauthorized actors to gain access in the first place.
Secret Scanning can help proactively identify exposed secrets in the repository, reducing the risk of unauthorized access.
Enabling automated Secret Scanning Push Protection mechanisms can prevent secrets from being committed to the repository; blocking before they are exposed.
T-01 A threat actor searches public repositories with the goal of finding valid secrets e.g. password, access token, API key, etc
The goal of the threat actor is usually to gain unauthorized access to systems, exfiltrate data, or misuse credentials for malicious purposes.
Analysis
Impact:
Threat actors could gain unauthorized access to customer accounts, systems, or resources.
Unauthorized access could lead to data breaches, further malicious activity within customer systems, financial losses, and damage to a customer’s reputation.
Targets:
Secrets like API keys, access tokens, and credentials stored within code
Configuration files, hard-coded values and documentation may inadvertently contain secrets.
Attack Vectors:
Automated scanning tools and scripts to search for secrets within code and the commit history.
These secrets may be exposed due to oversight from the person committing a change or an inadvertent inclusion in code.
Mitigations
Education and Awareness:
Educate contributors about the importance of not including secrets in code and how to safely store and share secrets.
Ensure teams are aware of the robust secret management systems available to them, e.g. HashiCorp Vault, GitHub Action Secrets
Security Scanning
Deploy automated scanning tools to proactively search for and detect exposed secrets
If exposed secrets are identified, have a response plan in place where the secrets are immediately rotated
Secret Policy:
Establish and enforce clear security policies and guidelines for secret management and access controls.
These guidelines should include an overall secret management lifecycle, from creation to utilization to rotation and revocation.
Code Reviews:
Include checks for secrets and sensitive information during code reviews to catch inadvertent commits / exposure
Anything found within a code review should be revoked and rotated
T-02 A private repository is accessed by an unauthorized threat actor
This change can expose close source code, and data to a threat actor who could publicly expose it or expose it to a limited number of threat actors e.g. sell it.
Analysis
Impact:
- Could expose sensitive proprietary information, proprietary algorithms, internal tools, and/or confidential data. This could trigger severe financial, legal, and reputational consequences for the customer.
Targets
The customer’s GitHub organizations that contain private GitHub repositories
The customer’s user’s sessions or credentials
Token’s that have access to the customer’s GitHub organizations
Access to another system that would lead to gaining access to GitHub e.g. Vault
Attack Vectors
Social engineering, tools to steal sessions, secret scanning tools run against source code repositories, unintentional leaks through video walkthroughs or documentation, leaked dumps of databases and other systems on the black market and generally exposed secrets
An employee unintentionally making a repository public without understanding the consequences
Mitigations
Access Controls and Permissions:
Only authorized personnel should have the ability to modify visibility settings where strong access controls and permissions are set for all repositories.
Role-based access controls should be in place following the principle of least privilege. Limit the number of individuals who can modify settings to reduce the likelihood of unauthorized or unintentional changes.
MFA & Fine-grained tokens:
Require MFA for all access to repositories.
In the case of bots and programmatically adjusting settings the use of fine-grained access tokens should be favored. For the majority of these cases they should not have access to adjust the visibility settings so if a token was exposed it can be revoked by the customer and the scope of the functionality it can perform is reduced.
Monitor and Audit Settings:
Monitor for changes and ensure alerts are in place for any changes to visibility settings.
Have regular auditing in place against repository settings to ensure that the visibility of the repository has not changed.
Incident Response Plan:
- Ensure teams are aware of the ways they can report a security incident
Education and Training
Ensure employees’s are educated in the many forms of social engineering
How to manage secrets
Modern attack vectors e.g. Evilginx
T-03 A threat actor can change settings in the “Danger Zone”, unintentionally or maliciously
These actions include
Change repository visibility
Disable branch protection rules
Transfer ownership
Achieve this repository
Delete this repository
Analysis
Impact:
Change Repository Visibility:
Could expose sensitive proprietary information, proprietary algorithms, internal tools, and/or confidential data. This could trigger severe financial, legal, and reputational consequences for the customer.
Changing from public to private could limit community collaboration.
Disable Branch Protection Rules:
- Could allow unauthorized changes to important branches, compromising data integrity and code quality.
Transfer Ownership:
- Could result in the repository being controlled by an unauthorized entity, potentially exposing sensitive proprietary information, proprietary algorithms, internal tools, and/or confidential data. Also reputation damage.
Archive the Repository:
- This would make the repository read-only and could disrupt development and usage.
Delete the Repository:
There might be a loss of code, version history, documentation, and other project-related data. However, data can be recovered up to 90 days so a period of distribution to productivity is more likely in the case of deletion.
This can disrupt software development, potentially result in financial losses, and damage an organization’s reputation.
Targets
User’s sessions or credentials
Token’s that have access to the customer’s GitHub organizations
Access to another system that would lead to gaining access to GitHub e.g. Vault
Attack Vectors
Social engineering, tools to steal sessions, secret scanning tools run against source code repositories, unintentional leaks through video walkthroughs or documentation, leaked dumps of databases and other systems on the black market and generally exposed secrets
An employee unintentionally changing one of these settings
A machine user unintentionally changing one of these settings
Mitigations
Define a Policy
Have a GitHub Security Best Practice Policy
Ensure every GitHub repository can adhere to the policy
Access Controls and Permissions:
Only authorized personnel should have the ability to modify visibility settings where strong access controls and permissions are set for all repositories.
Role-based access controls should be in place following the principle of least privilege. Limit the number of individuals who can modify settings to reduce the likelihood of unauthorized or unintentional changes.
Ensure modification of these setting is not possible through automation (at least in most cases) where a human always needs to confirm
MFA & Fine-grained tokens:
Require MFA for all access to repositories.
In the case of bots and programmatically adjusting settings the use of fine-grained access tokens should be favored. For the majority of these cases they should not have access to adjust the visibility settings so if a token was exposed it can be revoked and the scope of the functionality it can perform is reduced.
Monitor and Audit Settings:
Monitor for changes and ensure alerts are in place for any changes to visibility settings.
Have regular auditing in place against repository settings to ensure that the visibility of the repository has not changed.
Incident Response Plan:
- Ensure teams are aware of the ways they can report a security incident
Education and Training
Ensure employees’s are educated in the many forms of social engineering
How to manage secrets
Modern attack vectors e.g. Evilginx
T-04 A threat actor modifies or deletes an important branch’s commit history, unintentionally or maliciously
Analysis
Impact:
Could lead to a failure of data integrity
Could lead to disruption of software development
Could lead to disruption, downtime for customers, and breaking SLAs for cloud production systems
Targets
Customer’s GitHub important branches within both public + private repositories
Customer’s ability to develop and release code
Employees’s sessions or credentials
Token’s that have access to the customer’s GitHub organizations
Access to another system that would lead to gaining access to GitHub e.g. Vault
Attack Vectors
Social engineering, tools to steal sessions, secret scanning tools run against source code repositories, unintentional leaks through video walkthroughs or documentation, leaked dumps of databases and other systems on the black market and generally exposed secrets
An employee unintentionally overriding the commit history of an important branch
A misconfiguration issue within the repository or a security setting has not been applied
Mitigations
Have a GitHub Security Best Practice Policy
Ensure every customer’s GitHub repository can adhere to the policy
Access Controls and Permissions:
Only authorized personnel should have the ability to modify visibility settings where strong access controls and permissions are set for all repositories.
Role-based access controls should be in place following the principle of least privilege. Limit the number of individuals who can modify settings to reduce the likelihood of unauthorized or unintentional changes.
Ensure modification of these setting is not possible through automation (at least in most cases) where a human always needs to confirm.
MFA & Fine-grained tokens:
Require MFA for all access to repositories.
In the case of bots and programmatically adjusting settings the use of fine-grained access tokens should be favored. For the majority of these cases they should not have access to adjust the visibility settings so if a token was exposed it can be revoked by the customer and the scope of the functionality it can perform is reduced.
Monitor and Audit Settings:
Monitor for changes and ensure alerts are in place for any changes to visibility settings.
Have regular auditing in place against repository settings to ensure that the visibility of the repository has not changed.
Incident Response Plan:
- Ensure teams are aware of the ways they can report a security incident
Education and Training
Ensure employee’s are educated in the many forms of social engineering
How to manage secrets
Modern attack vectors e.g. Evilginx
T-05 A threat actor submits an unauthorized change to an important branch
Analysis
Impact:
Could lead to a failure of data integrity
Could lead to disruption of software development
Could lead to disruption, downtime for customers, and breaking SLAs for cloud production systems
Targets
Customer’s GitHub important branches within both public + private repositories
Customer’s ability to develop and release code
Customers’s production systems on cloud e.g. Serverless
Customer’s sessions or credentials
Token’s that have access to Customer’s GitHub organizations
Access to another system that would lead to gaining access to GitHub e.g. Vault
Attack Vectors
Social engineering, tools to steal sessions, secret scanning tools run against source code repositories, unintentional leaks through video walkthroughs or documentation, leaked dumps of databases and other systems on the black market and generally exposed secrets
A customer’s employee unintentionally submitting a change
A misconfiguration issue within the repository or a security setting has not been applied
Mitigations
Access Controls
Role-Based Access: Assigning roles and permissions to users based on their responsibilities. Only authorized personnel should have elevated privileges (admin, maintain, write) to repositories while others may have read-only access in most cases.
Least Privilege: Implement the principle of least privilege, ensuring that users only have access to the specific repositories and branches necessary for their tasks.
User and Group Management: Regularly review and manage user accounts and groups ensuring access is done through groups only. Also to revoke access for teams who no longer require it.
Outside Collaborators: Should never be added to a repository
Audit Access: audit both non-MFA service accounts and Enterprise Apps that have access to repositories ensuring the conform least privilege.
Branch Protection:
Require a pull request before merging as to prevent arbitrary code changes where someone or a machine can push directly to a protected branch. The PR must undergo a code review by an employee (preferably 2) before being merged.
Require approvals to prevent arbitrary commits reaching a protected branch and can prevent unintentional security vulnerability being introduced. Ideally this involved 3 people. 1 person to submit the PR and 2 people to review it.
Dismiss stale pull request approvals when new commits are pushed to prevent a review approving a PR where the PR has been modified after the approval. The review will be dismissed and the PR will need re-approval.
Require review from Code Owners: Sets ownership and accountability for files within the repository where a team will need to approve a PR against their files before code can be merged into a protected branch.
Require approval of the most recent reviewable push: This protects against when a reviewer applies some suggestions to the code enabling them to approve and merge code without someone reviewing those changes.
Prevent Allow force pushes
Prevent Allow deletions
Authentication:
Multi-Factor Authentication (MFA): Require MFA for all users accessing source code repositories which adds an additional layer of security and makes it more difficult for threat actors to compromise user accounts.
Trust Boundary Authentication: Use authentication mechanisms that reside within the customer’s trust boundary and avoid any that are outside the control of the customer’s Org.
Non-MFA Service Accounts: Switch from using non-MFA service accounts to GitHub Apps which utilize authentication mechanisms within the customer’s Org trust boundary
T-06 A threat actor approves and merges their own pull request (PR) to an important branch
Analysis
Impact:
Could lead to a failure of data integrity
Could lead to disruption of software development
Could lead to disruption, downtime for customers, and breaking SLAs for cloud production systems
Targets
Customer’s GitHub important branches within both public + private repositories
Customer’s ability to develop and release code
Customer’s production systems on cloud e.g. Serverless
Customer’s sessions or credentials
Token’s that have access to customer’s GitHub organizations
Access to another system that would lead to gaining access to GitHub e.g. Vault
Attack Vectors
Social engineering, tools to steal sessions, secret scanning tools run against source code repositories, unintentional leaks through video walkthroughs or documentation, leaked dumps of databases and other systems on the black market and generally exposed secrets
An employee unintentionally submitting a change
A misconfiguration issue within the repository or a security setting has not been applied
Mitigations
Access Controls
Role-Based Access: Assigning roles and permissions to users based on their responsibilities. Only authorized personnel should have elevated privileges (admin, maintain, write) to repositories while others may have read-only access in most cases.
Least Privilege: Implement the principle of least privilege, ensuring that users only have access to the specific repositories and branches necessary for their tasks.
User and Group Management: Regularly review and manage user accounts and groups ensuring access is done through groups only. Also to revoke access for teams who no longer require it.
Outside Collaborators: Should never be added to a repository
Audit Access: audit both non-MFA service accounts and Enterprise Apps that have access to repositories ensuring the conform least privilege.
Branch Protection:
Require a pull request before merging as to prevent arbitrary code changes where someone or a machine can push directly to a protected branch. The PR must undergo a code review by an employee (preferably 2) before being merged.
Require approvals to prevent arbitrary commits reaching a protected branch and can prevent unintentional security vulnerability being introduced. Ideally this involved 3 people. 1 person to submit the PR and 2 people to review it.
Dismiss stale pull request approvals when new commits are pushed to prevent a review approving a PR where the PR has been modified after the approval. The review will be dismissed and the PR will need re-approval.
Require review from Code Owners: Sets ownership and accountability for files within the repository where a team will need to approve a PR against their files before code can be merged into a protected branch.
Require approval of the most recent reviewable push: This protects against when a reviewer applies some suggestions to the code enabling them to approve and merge code without someone reviewing those changes.
Require signed commits: adds an additional layer of authentication for every local commit before being pushed to GitHub.
Prevent Allow force pushes
Prevent Allow deletions
Authentication:
Multi-Factor Authentication (MFA): Require MFA for all users accessing source code repositories which adds an additional layer of security and makes it more difficult for threat actors to compromise user accounts.
Trust Boundary Authentication: Use authentication mechanisms that reside within the customer’s trust boundary and avoid any that are outside the control of the customer’s Org.
Non-MFA Service Accounts: Switch from using non-MFA service accounts to GitHub Apps which utilize authentication mechanisms within the customer’s Org trust boundary
T-07 A threat actor compromises a customer’s GitHub repository
The threat actor could gain elevated access (e.g. write or admin) or exploit a misconfiguration to comprise the repository
Analysis
Impact:
Could expose sensitive proprietary information, proprietary algorithms, internal tools, and/or confidential data. This could trigger severe financial, legal, and reputational consequences for the customer.
Could lead to a failure of data integrity
Could lead to disruption of software development
Could lead to disruption, downtime for customers, and breaking SLAs for cloud production systems
Targets
Customer’s GitHub public and private repositories
Customer’s ability to develop and release code
Customer’s production systems on cloud e.g. Serverless
Customer’s sessions or credentials
Token’s that have access to customer’s GitHub organizations
Access to another system that would lead to gaining access to GitHub e.g. Vault
Attack Vectors
Social engineering, tools to steal sessions, secret scanning tools run against source code repositories, unintentional leaks through video walkthroughs or documentation, leaked dumps of databases and other systems on the black market and generally exposed secrets
A misconfiguration issue within the repository or a security setting has not been applied
Mitigations
Define a GitHub Security Best Practice Policy
Ensure every customer’s GitHub repository can adhere to the policy
Access Controls and Permissions:
Only authorized personnel should have the ability to modify visibility settings where strong access controls and permissions are set for all repositories.
Role-based access controls should be in place following the principle of least privilege. Limit the number of individuals who can modify settings to reduce the likelihood of unauthorized or unintentional changes.
Ensure modification of these setting is not possible through automation (at least in most cases) where a human always needs to confirm
MFA & Fine-grained tokens:
Require MFA for all access to repositories.
In the case of bots and programmatically adjusting settings the use of fine-grained access tokens should be favored. For the majority of these cases they should not have access to adjust the visibility settings so if a token was exposed it can be revoked by the customer and the scope of the functionality it can perform is reduced.
Monitor and Audit Settings:
Monitor for changes and ensure alerts are in place for any changes to visibility settings.
Have regular auditing in place against repository settings to ensure that the visibility of the repository has not changed.
Incident Response Plan:
- Ensure teams are aware of the ways they can report a security incident
Education and Training
Ensure employees are educated in the many forms of social engineering
How to securely configure a GitHub repository
T-08 A threat actor exploits a misconfigured GitHub Workflow or Action
A threat actor could exploit a script injection or echo out secrets
Analysis
Impact:
Access secrets, deployment / release keys, SSH keys, PATs etc.
Exfiltrate sensitive information like secrets and circumnavigate the secret redaction feature
Access the GITHUB_TOKEN
Modify the contents of the repository through the GitHub API
Possible cross-repository access
Targets
Customer’s GitHub public repositories that contain GitHub workflows
Sensitive data or secrets within used within the workflow including the GITHUB_TOKEN
Another customer’s GitHub repository (possible if the GITHUB_TOKEN from one repo has been given access to another repo)
Commit malicious code by exploiting a race condition
Attack Vectors
Script injection
Exploit race condition
Through a 3rd-party Action
Emerging threats against software supply chain
Mitigations
Best Practice Documentation
- Create a set of best practices around GitHub Workflows & Actions
SAST
- Employ security static analysis tools to run against Workflow code and alert on security issues
Security Training
- Educate developers about security best practices when creating Workflows
Incident Response Plan
- Ensure there is a response plan in place if a Workflow is compromised / reported by HackerOne
Prevent Script Injection
- Threat input to the Workflow the same way as you would with an application - don’t trust user input
Properly scope access
- Set default permission for GITHUB_TOKEN
Secrets
Ensure secrets are being stored and used securely
Have a secret management policy that is followed, creation, use, revoke, rotate, and delete
Control Changes
CODEOWNERS for the Workflow files
Ensure a PR is required to change Workflows
Ensure code reviews are in place when creating Workflows and using Actions within the Workflows
The code reviews should take into account the best practices
Race conditions
- Use pull_request_review which associates with a particular Git SHA When triggering a GitHub Workflow using a comment on a pull request
Seeking further assistance
GitHub Support
Visit the GitHub Support Portal for a comprehensive collection of articles, tutorials, and guides on using GitHub features and services.
Can’t find what you’re looking for? You can contact GitHub Support by opening a ticket.
GitHub Expert Services
GitHub’s Expert Services Team is here to help you architect, implement, and optimize a solution that meets your unique needs. Contact us to learn more about how we can help you.
GitHub Partners
GitHub partners with the world’s leading technology and service providers to help our customers achieve their end-to-end business objectives. Find a GitHub Partner that can help you with your specific needs here.
GitHub Community
Join the GitHub Community Forum to ask questions, share knowledge, and connect with other GitHub users. It’s a great place to get advice and solutions from experienced users.
Related links
GitHub Documentation
For more details about GitHub’s features and services, check out GitHub Documentation.
External Resources
Linux hypocrite commits: Researcher attempted to intentionally introduce vulnerabilities into the Linux kernel via patches on the mailing list.
PHP: Attacker compromised PHP’s self-hosted git server and injected two malicious commits.