DEV Community

Cover image for GitHub Repo Security: Your Easy Go-To Checklist
Vishwajeet Kondi
Vishwajeet Kondi

Posted on

GitHub Repo Security: Your Easy Go-To Checklist

#github #security #opensource #versioncontrol

Hey there! If you’re managing a GitHub repo, you know it’s more than just a place to stash code—it’s your project’s home. I’ve put together a checklist of GitHub settings to keep your repo secure and organized, sticking to the exact options you’ll see in GitHub’s interface. For each section, I’ve added a few tips to make your life easier based on what I’ve learned messing around with repos. Let’s dive in!

A. General Settings

  • Repository Visibility: Set to Public (if intended) or Private for restricted access.
  • Repository name: Keep it clear and descriptive.
  • Description: Add a brief description.
  • Topics: Add relevant topics for better discoverability.
  • Default Branch: Set to main (or another preferred default).
  • Archiving: Disable if the repo is active.

Tips:

  • For the repo name, think about future-proofing—something like project-v2 can avoid confusion if you iterate later.
  • Use topics strategically (e.g., “javascript”, “open-source”) to attract contributors searching for projects like yours.
  • If archiving, consider leaving a note in the README about why it’s archived and where to find active forks.

B. Branch Protection Rules

Go to: Settings → Branches → Branch protection rules → Add rule

Configure for main (or default branch):

  • ☑ Require a pull request before merging
  • ☑ Require approvals (at least 1-2)
  • ☑ Dismiss stale pull request approvals
  • ☑ Require review from Code Owners
  • ☑ Require status checks to pass before merging (e.g., CI/CD checks)
  • ☑ Require branches to be up to date before merging
  • ☑ Require conversation resolution before merging
  • ☑ Require linear history (optional but prevents merge commits)
  • ☑ Do not allow bypassing the above settings (even for admins)

Tips:

  • Set up a CODEOWNERS file in your repo to auto-assign reviewers for specific files or folders.
  • For status checks, integrate tools like GitHub Actions or external CI/CD platforms to catch bugs early.

C. Actions & Workflows Permissions

Go to: Settings → Actions → General

Actions permissions:

  • ☑ Allow all actions (or restrict to only verified actions if security is critical).

Workflow permissions:

  • ☑ Read repository contents and packages permissions (least privilege).

Tip:

  • If you’re restricting actions, check the GitHub Marketplace for verified actions to avoid reinventing the wheel.

D. Collaborators & Teams

Go to: Settings → Collaborators & Teams

  • Only grant Write/Admin access to trusted contributors.
  • Prefer Pull Requests (PRs) over direct commits.

Tips:

  • Create teams for different roles (e.g., “Developers”, “Maintainers”) to streamline access management.
  • If you’re open-source, clearly document how contributors can request access in your CONTRIBUTING.md.
  • Regularly review collaborator lists to remove inactive users—trust me, it’s easy to forget!

E. Security & Moderation

Go to: Settings → Advanced Security

  • ☑ Enable vulnerability alerts (Dependabot).
  • ☑ Enable Dependabot security updates.
  • ☑ Enable secret scanning (GitHub Advanced Security, if available).
  • ☑ Enable push protection (blocks commits with exposed secrets).

Tips:

  • Set up Dependabot to auto-update your dependabot.yml file for regular dependency checks.
  • If secret scanning catches something, act fast—rotate any exposed keys and check commit history for leaks.
  • Consider enabling Dependabot version updates (not just security) to keep your dependencies fresh.

F. Merge Button Behavior

Go to: Settings → General → Pull Requests

  • ☑ Allow merge commits / Squash merging / Rebase merging (choose as needed).
  • ☑ Always suggest updating pull request branches.
  • ☑ Allow auto-merge.

Tips:

  • Squash merging is great for keeping a clean history, but merge commits can help track context for bigger changes.
  • Auto-merge is a lifesaver for busy repos—just make sure your status checks are robust to avoid bad merges.
  • Encourage contributors to update their PR branches to reduce merge conflicts.

G. Issue & Discussion Settings

Go to: Settings → Features

  • ☑ Enable Issues (if needed).
  • ☑ Enable Discussions (optional).
  • ☑ Enable Projects (optional).

Tips:

  • Use issue templates (via .github/ISSUE_TEMPLATE) to guide contributors on reporting bugs or features.
  • Discussions are great for open-ended ideas—pin active threads to keep the community engaged.
  • Projects can help you visualize workflows, but keep them simple to avoid overwhelming new contributors.

Wrapping Up

That’s the rundown! These settings and tips should help you secure your GitHub repo while making it a welcoming spot for collaboration. I’m no expert, but this setup has saved me headaches on my own projects. Got questions about any of these settings or a GitHub hack you want to share? Drop them in the comments below—I’d love to hear your thoughts and help with any setup snags!

Top comments (0)