GitHub Enterprise Security Overview

GitHub Enterprise operates on your infrastructure, which means it is governed by your existing information security controls: from firewalls and VPNs, to IAM and monitoring systems. This on-premises solution can help you avoid the regulatory compliance issues that arise when you use cloud-based solutions. Below is an overview of the security features built into the appliance, along with information about GitHub's development practices for application security.

GitHub Enterprise provides a Linux user administration account and two types of application users.

• VM Administrator: A Linux user account that provides controlled access to the underlying Linux operating system, including direct file system and database access. It is intended to be granted to a small set of trusted administrators. Access is granted over SSH (Secure Shell).
• Standard User: An application account that has full access to its own data, but which must be granted access to data owned by other users or organizations.
• Site Administrators: An application account that has been granted the "staff" role. Staff can manage high-level application and VM settings, all user and organization account settings, and repository data.

Organizations and teams provide the granularity necessary to assign permissions or access rights to specific users and groups of users.

Organizations are a core concept in GitHub Enterprise. They allow you to create as many logical containers as you need for your business units, and even for your projects. Each organization account functions as the owner of one or more repositories, and the organization owners can add users to the teams they create.

Inside organizations, you can manage access to repositories using teams. Teams are made up of members and repositories. When you add a repository to a team, you can choose one of three permission levels to grant team members:

• Read: view and fork code, open issues and pull requests
• Write: edit code, close issues and merge pull requests
• Admin: change repository settings

GitHub Enterprise provides four primary authentication methods.

These include:

• SSH for both OS level systems administration and Git protocol access. SSH access is only allowed using public key authentication.
• Username / password and HTTP cookies for web application authentication and session management.
• Users can optionally enable two-factor authentication (2FA) on their accounts using TOTP applications and FIDO U2F.
• External LDAP, SAML, or CAS authentication using your Active Directory, SAML Identity Provider, or other compatible service.
• OAuth and Personal Access Tokens for API and external service authentication.

GitHub Enterprise is designed to run behind your corporate firewall. To secure communications over the wire, we encourage you to run GitHub Enterprise over SSL. An administrator can add 2048-bit or higher commercial SSL certificates for HTTPS traffic. Additionally, SSH for virtual machine administration and repository access using Git is enabled by default on GitHub Enterprise.

Having an accurate record of all user and system activity is a core requirement for many customers. GitHub Enterprise has detailed audit records, accessible to the site administrators, that capture relevant security information. The system also provides traditional operating system and application access logs.

While not an exhaustive list, the following are some examples of the audit and logging information available:

Audit logs:

• User logins, password resets, 2FA requests, email settings changes, and changes to authorized applications and APIs.
• Site Administrator actions, including unlocking of user accounts and repositories.
• Repository push events, access grants, transfers, and renames.
• Organization membership changes, including team creation and destruction.

Access logs

• Full web server access logs for browser-based and API-based access.
• Full logs for access to repository data over Git, SSH, and HTTPS.
• Administrative access logs over SSH and HTTPS.

Audit logs are permanently stored on the system, and both types of logs can be exported from the system in real-time using the standard syslog protocol. You can also specify multiple log forwarding destinations. This enables you to integrate this data with remote systems, such as an IDS/IPS, for analysis and notification.

GitHub Enterprise is built on a customized Linux based operating system. Only necessary services and applications have been installed, and only services necessary for the appliance to function are exposed to the network and access is controlled through an internal firewall.

GitHub's application security team focuses full-time on vulnerability assessment, penetration testing, and code review for GitHub products. GitHub also contracts with outside security firms to provide point-in-time security assessments of GitHub products.

Patching of the core operating system, and running services to address security concerns, is managed by GitHub as part of its standard product release cycle. This includes patches for functionality, stability, and non-critical security issues for GitHub applications. Critical security patches are provided as needed outside of the regular release cycle, to improve time to resolution and also limit changes to the system.

Security-only patches are announced on our Enterprise customer portal, and also with email notifications.

By design, GitHub Enterprise is able to operate without any egress access from your network to outside services. The system administrator can optionally enable the integration of external services including SMTP, Syslog, and Gravatar.

The system does not attempt to communicate with GitHub's own servers; however, your system administrator can collect data helpful for troubleshooting any issues, and manually deliver that data to the GitHub Enterprise Support Team.