Skip to content


This checklist is a guide for securing authorization on a website. It outlines a series of steps and best practices that should be taken to ensure that only authorized users can access sensitive information and perform certain actions on a website.

🔒 Account Security🔗

#️⃣ ✅Items ⚠️Severity ☠️Vulnerabilities 🔗Sources
1 Verify: Multi-Factor authentication is enabled
Reason: Password leak won't have any impact because the second factor is still not compromised
High Impersonation, Credential Theft GHD-UA
2 Verify: Enable PassKeys for a passwordless authentication experience
Reason: Your device acts as an authenticator and will grant you access to your account. No need to remember passwords. Also satisfies MFA requirement
Medium Credential Theft GHD-UA
3 Verify: Periodically rotate SSH keys and Access Tokens
Reason: If they leak, an attacker won't have permanent access to your account
Medium Credential Theft GHD-UA
4 Verify: Periodically review active sessions of devices logged in to your GitHub account
Reason: To ensure that no unwanted device has access to your account
Medium Impersonation GHD-S

💻 Repository Security🔗

#️⃣ ✅Items ⚠️Severity ☠️Vulnerabilities 🔗Sources
1 Verify: Least privilege is enforced
Reason: Minimize attack surface incase someone has unauthorized access to someone's account
High Information Leakage, Insider Threat, Privilege Escalation GHD-UA
2 Verify: Review privileges of every person who has access to your project. Revoke access if they are no longer a contributor
Reason: If they try to do anyone thing suspicious they won't have access to do so
High Information Leakage, Insider Threat, Privilege Escalation GHD-UA
3 Verify: Enable branch protection rules
Reason: Provides an essential layer of security in preventing unauthorized or accidental changes to sensitive parts of your codebase
Medium Misuse of Privileges GHD-BPR
4 Verify: Disable forking
Reason: To prevent duplication of your project
Medium Intellectual Property Theft GHD-FP
5 Verify: Inspect third party applications connected to your GitHub
Reason: Ensure that no malicious application has access to your repository
High Credential Theft, Data Exfiltration GHD-AA
6 Verify: Periodically review security logs
Reason: Detect any malicious activities that might have taken place
High Unauthorized Access, Brute Force GHD-SL
7 Verify: Don't store hardcoded secrets in your code
Reason: Anyone who has access to your repository either authorized or unauthorized, can use these secrets to gain access to other parts of your software supply chain
High Credential Theft GHD-UA
8 Verify: Enable notifications and alerts for your project
Reason: To be alerted if any malicious changes occur to your code
High Unauthorized Access, Insider Threat GHD-N
9 Verify: Enable GitHub security tools
Reason: Scan your code and third party libraries to find security vulnerabilities
High Vulnerable Dependency, Vulnerable Code, Hardcoded Secret GHD-SA
10 Verify: Require commit signing
Reason: To give other people confidence about the origin of a change you have made
Low Impersonation GHD-CS
11 Verify: Create a file
Reason: Provide guidelines on how security issues are reported and fixed.
High Zero Day GHD-SP
12 Verify: Review webhooks on your repository
Reason: Webhooks could allow an attacker to intercept pushes made to your repository
High Unauthorized Access, Intellectual Property Theft GHD-WS

🔗 Sources: