Preparing for GitHub Administration certification - Manage sensitive data and security policies within GitHub
Table of Contents
- Preparing for GitHub Administration certification - Manage sensitive data and security policies within GitHub
- Setting security policies
- Reporting and logging
- Exercise
Setting security policies
Documentation and security settings serve three broad purposes.
- Standardization: security policies ensure that everyone on your project responds in the same way to common issues, making it easier to know what is happening and why.
- Compliance: the countries where you plan to develop and publish your projects may require that you follow industry-standard practices in coding and recording security events.
- Prevention of critical failure: most importantly, solid policies defend against events that threaten continued development, like publishing trade secrets or intellectual property.
Documentation
SECURITY.md
It is a Markdown file in a repository’s root, docs, or .github folder. The SECURITY.md file should include:
- A list of supported versions of the project
- A way to report a security vulnerability
It may also include:
- Information about the project’s compliance with key privacy and security laws
- Technologies that administrators and stakeholders use to secure information
- Known risks
Other default community health files
- CODE_OF_CONDUCT.md
- CONTRIBUTING.md
- FUNDING.yml
- Issue and pull request templates and config.yml
- SECURITY.md
- SUPPORT.md
Security settings
At what levels can administrators change security settings?
You can configure security settings at the organization and enterprise level. These are also part of “organization policies” and “enterprise policies”.
Examples of basic security settings you could change:
Reporting and logging
What are log records?
Each logged event/action records:
- The repository in which the action was performed
- The user that performed the action
- The action that was performed
- The country in which the action took place
- The date and time of the action
Access the audit log through GitHub.com, GitHub Enterprise Server, or GitHub AE to review actions from the past 90 days. Alternatively, the GraphQL API or the REST API can retrieve specific types of information from the audit log, subject to the additional limitations described below.
The GraphQL API
The GraphQL API is available for organizations using GitHub Enterprise, and can retrieve information about actions up to 120 days old. It can monitor:
- Access to your organization or repository settings
- Changes in permissions
- Added or removed users in an organization, repository, or team
- Users being promoted to admin
- Changes to permissions of a GitHub App
It cannot provide information about Git events.
The REST API
The REST API is available for organizations using GitHub Enterprise Cloud, and can retrieve information about actions up to 90 days old. It can monitor the same actions as the GraphQL API, as well as Git events. However, information about Git events only remains in the log for 7 days.
Generate reports
- Open the Audit log from the Settings sidebar of your organization (under Your organizations) and choose the Export drop-down menu.
The audit log can be searched and exported using qualifiers such as the following:
| Qualifier | Example value |
|---|---|
| action | team.create |
| actor | octocat |
| user | codertocat |
| org | octo-org |
| repo | octo-org/documentation |
| created | 2019-06-01 |
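As an added example (not part of the course notes) tying the REST API section to the qualifier table: the script builds an audit log search phrase from qualifiers, forms the URL for the organization audit log endpoint (`GET /orgs/{org}/audit-log`, which is a real endpoint; `include=git` is what pulls the 7-day Git events), and runs a simple triage over a constructed sample response to surface permission changes. The sample entries, the `PRIVILEGE_ACTIONS` names other than `team.create`, and the `permission` field are assumptions made for the illustration.

```python
"""Added example: audit log query shape and permission-change triage (not course code)."""
from datetime import datetime, timezone
from urllib.parse import urlencode

API = "https://api.github.com"

def build_phrase(**qualifiers):
    """Join qualifier:value pairs into the audit log search phrase.
    build_phrase(action="team.create", actor="octocat") -> 'action:team.create actor:octocat'"""
    return " ".join(f"{key}:{value}" for key, value in qualifiers.items() if value is not None)

def audit_log_url(org, phrase, include="web", per_page=100):
    """URL for GET /orgs/{org}/audit-log. include='git' adds Git events (7-day retention);
    include='all' returns both web and Git events."""
    params = {"phrase": phrase, "include": include, "per_page": per_page}
    return f"{API}/orgs/{org}/audit-log?{urlencode(params)}"

# Actions that change who can do what; these names are assumed for the sample below.
PRIVILEGE_ACTIONS = {"org.add_member", "org.update_member", "repo.add_member", "team.promote_maintainer"}

def flag_privilege_changes(events):
    """Return (utc_time, actor, action, target) for every permission-changing entry.
    Audit log entries carry the event time as '@timestamp' in milliseconds since the epoch."""
    flagged = []
    for event in events:
        if event.get("action") not in PRIVILEGE_ACTIONS:
            continue
        when = datetime.fromtimestamp(event["@timestamp"] / 1000, tz=timezone.utc).isoformat()
        target = event.get("user") or event.get("repo") or event.get("org")
        flagged.append((when, event["actor"], event["action"], target))
    return flagged

# Constructed sample of what the endpoint returns; not data from a real organization.
SAMPLE_EVENTS = [
    {"@timestamp": 1559347200000, "action": "team.create", "actor": "octocat", "org": "octo-org"},
    {"@timestamp": 1559347260000, "action": "org.update_member", "actor": "octocat",
     "user": "codertocat", "org": "octo-org", "permission": "admin"},
    {"@timestamp": 1559347320000, "action": "repo.add_member", "actor": "codertocat",
     "user": "hubot", "repo": "octo-org/documentation"},
    {"@timestamp": 1559347380000, "action": "git.push", "actor": "hubot",
     "repo": "octo-org/documentation"},
]

if __name__ == "__main__":
    phrase = build_phrase(action="team.create", actor="octocat", created="2019-06-01")
    print(audit_log_url("octo-org", phrase, include="all"))
    for row in flag_privilege_changes(SAMPLE_EVENTS):
        print(*row)
```

Running the URL against the live API requires a token with organization admin rights and is only available on the Enterprise plans named above.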
Exercise
Here is a good exercise to put the knowledge you have learned in this section to use: