5 steps to enforce security on your GitHub organization's repositories

We at SalesTim know you care about how your personal information is used and shared, and we take your privacy seriously by implementing the most rigorous practices for our developments.
Therefore we know that keeping your data safe is a full-time job.

Discover 5 easy to implement steps to enforce security on your GitHub organizationā€™s repositories:

Step Action Check
1 Verify your organizationā€™s domain GitHub verified domains badge
2 Require two-factor authentication GitHub 2FA badge
3 Configure protected branches GitHub protected branches
4 Enable automated security alerts GitHub Security Alerts
5 Configure automated security fixes GitHub Security fixes


1. Verify your organizationā€™s domain

GitHub verified domains badge

In GitHub, you can verify the domains controlled by your organization to confirm your organizationā€™s identity.

After verifying ownership of your organizationā€™s domains, a ā€œVerifiedā€ badge will display on the organizationā€™s profile:

Verified Domain

You can define your verified domains from your organization settings:

Verified Domain Settings

Note: If the email address and website shown on your organizationā€™s profile use variants of the same domain, you must verify both variants. For example, if your organizationā€™s profile shows the website www.example.com and the email address info@example.com, you would need to verify both www.example.com and example.com.

Learn more about verifying your organizationā€™s domainā€¦

Why switch to the Corporate Terms of Service?

The Standard Terms of Service is an agreement between GitHub and you as an individual. To enter into an agreement with GitHub on behalf of you company organization owners can upgrade to the Corporate Terms of Service:

Verified Domain Settings

Benefit: If your organization is on GitHub Enterprise Cloud and has agreed to the Corporate Terms of Service, organization owners will be able to verify the identity of organization members by viewing each memberā€™s email address within the verified domain.

Learn more about upgrading to the Corporate Terms of Serviceā€¦


2. Require two-factor authentication

GitHub 2FA badge

Organization owners can require organization members, outside collaborators, and billing managers to enable two-factor authentication for their personal accounts, making it harder for malicious actors to access an organizationā€™s repositories and settings.

You can enforce 2FA from your organization settings:

GitHub 2FA

Learn more about requiring two-factor authenticationā€¦


3. Configure protected branches

GitHub protected branches

Protected branches ensure that collaborators on your repository cannot make irrevocable changes to branches.

You can define your branch protection rules from your repository settings:

GitHub Protected Branches

Enabling protected branches also allows you to enable other optional checks and requirements, like required status, security checks and required reviews:

GitHub Protected Branches Checks

Learn more about protected branchesā€¦


4. Enable automated security alerts

GitHub Security Alerts

GitHub automatically tracks public vulnerabilities in packages from supported languages on MITREā€™s Common Vulnerabilities and Exposures (CVE) List, and use a combination of machine learning and human review to detect vulnerabilities that are not published in the CVE list.

When GitHub discovers or is notified of a new vulnerability, the SalesTim engineering team is notified with a security alert:

GitHub Security Alerts

Each security alert includes a severity level and a link to the affected file in our projects. When available, the alert will include further details about the vulnerability and a suggested fix.

Any alert of any severity breaks our build and deployment process until resolution.

To enable security alerts, you must enable GitHub Data Services at the repository level:

GitHub Data Services

Learn more about Security Alertsā€¦


5. Configure automated security fixes

GitHub Security fixes

Following the acquisition and integration of Dependabot, GitHub monitors our app dependencies for known security vulnerabilities and automatically open pull requests to update them to the minimum required version.

GitHub automated security fixes

Read the announcementā€¦

Automated security fixes update vulnerable dependencies to the minimum version that resolves the vulnerability. They are automatically enabled in repositories that use the dependency graph and security alerts, but you can choose to disable automatic pull requests and generate security fixes manually instead:

GitHub automated security fix

Automated security requests contain information about the vulnerability, such as release notes, changelog entries, and commit details, but also compatibility scores, which show developers how likely it is for the security update to cause breaking changes to their project.

Note: Automatic security fixes are available in beta. You can enable automatic security fixes for any repository that uses security alerts and the dependency graph.

Learn more about configuring automated security fixesā€¦


To go further

GitHub brings to the table a lot of options to enforce your organization and repositories security, therefore these 5 easy to implement steps are just the beginning of an epic journey.

Here are a few other areas of investment that weā€™re currently working on that may interest you, so stay tuned for later posts.

b. Enforce SAML single sign-on

Benefits: If you enforce SAML SSO in your organization, any members, including admins who have not authenticated via your SAML identity provider (such as Microsoft Azure AD at SalesTim), will be removed from the organization and will receive an email notifying them about the removal.

GitHub SAML

Bots and service accounts that do not have external identities set up in your organizationā€™s IdP will also be removed.

Note: This feature is only available with GitHub Enterprise Cloud.

Learn more:

a. Enable required commit signing

Repository administrators can enforce required commit signing on a branch to block all commits that are not signed and verified.

Before enabling required commit signing on a branch, you must first set the branch up as a protected branch:

Require Commit Signing

Learn more about required commit signingā€¦

c. Use GitHub Package Registry

GitHub Package Registry is fully integrated with GitHub, so you can use the same search, browsing, and management tools to find and publish packages as you do for your repositories.
You can also use the same user and team permissions to manage code and packages together.

GitHub Package Registry

Learn more about GitHub Package Registryā€¦


Founder @ SalesTim. Entrepreneur, Learner, Speaker, Geek & Microsoft Teams / Office 365 MVP.