GitHub

This checklist is a guide for securing authorization on a website. It outlines the steps and best practices that should be followed to ensure that only authorized users can access sensitive information and perform privileged actions on the site.

🔒 Account Security

| #️⃣ | ✅ Items | ⚠️ Severity | ☠️ Vulnerabilities | 🔗 Sources |
|---|---|---|---|---|
| 1 | Verify: Multi-factor authentication is enabled. Reason: A password leak won't have any impact because the second factor is still not compromised. | High | Impersonation, Credential Theft | GHD-UA |
| 2 | Verify: Enable passkeys for a passwordless authentication experience. Reason: Your device acts as an authenticator and grants you access to your account, so there is no need to remember passwords. This also satisfies the MFA requirement. | Medium | Credential Theft | GHD-UA |
| 3 | Verify: Periodically rotate SSH keys and access tokens. Reason: If they leak, an attacker won't have permanent access to your account. | Medium | Credential Theft | GHD-UA |
| 4 | Verify: Periodically review the active sessions of devices logged in to your GitHub account. Reason: To ensure that no unwanted device has access to your account. | Medium | Impersonation | GHD-S |

💻 Repository Security

| #️⃣ | ✅ Items | ⚠️ Severity | ☠️ Vulnerabilities | 🔗 Sources |
|---|---|---|---|---|
| 1 | Verify: Least privilege is enforced. Reason: Minimizes the attack surface in case someone gains unauthorized access to a contributor's account. | High | Information Leakage, Insider Threat, Privilege Escalation | GHD-UA |
| 2 | Verify: Review the privileges of every person who has access to your project, and revoke access if they are no longer a contributor. Reason: If they try to do anything suspicious, they won't have the access to do so. | High | Information Leakage, Insider Threat, Privilege Escalation | GHD-UA |
| 3 | Verify: Enable branch protection rules. Reason: Provides an essential layer of security by preventing unauthorized or accidental changes to sensitive parts of your codebase. | Medium | Misuse of Privileges | GHD-BPR |
| 4 | Verify: Disable forking. Reason: To prevent duplication of your project. | Medium | Intellectual Property Theft | GHD-FP |
| 5 | Verify: Inspect third-party applications connected to your GitHub account. Reason: Ensure that no malicious application has access to your repository. | High | Credential Theft, Data Exfiltration | GHD-AA |
| 6 | Verify: Periodically review security logs. Reason: Detect any malicious activity that might have taken place. | High | Unauthorized Access, Brute Force | GHD-SL |
| 7 | Verify: Don't store hardcoded secrets in your code. Reason: Anyone who has access to your repository, whether authorized or not, can use these secrets to gain access to other parts of your software supply chain. | High | Credential Theft | GHD-UA |
| 8 | Verify: Enable notifications and alerts for your project. Reason: To be alerted if any malicious changes are made to your code. | High | Unauthorized Access, Insider Threat | GHD-N |
| 9 | Verify: Enable GitHub security tools. Reason: Scan your code and third-party libraries to find security vulnerabilities. | High | Vulnerable Dependency, Vulnerable Code, Hardcoded Secret | GHD-SA |
| 10 | Verify: Require commit signing. Reason: To give other people confidence about the origin of a change you have made. | Low | Impersonation | GHD-CS |
| 11 | Verify: Create a Security.md file. Reason: Provides guidelines on how security issues are reported and fixed. | High | Zero Day | GHD-SP |
| 12 | Verify: Review the webhooks on your repository. Reason: Webhooks could allow an attacker to intercept pushes made to your repository. | High | Unauthorized Access, Intellectual Property Theft | GHD-WS |

🔗 Sources:

GitHub: