GitHub is perhaps the most popular repository hosting and sharing site, and it’s one of the most well-known developer tools. It’s mostly free, and anyone can host a private or public repository on it for free.
A common question that many people have is, “Is GitHub safe?” There are two parts to that question – developers and companies want to know whether GitHub is safe for storing code, while users are interested in knowing whether GitHub is safe to download programs from.
As awareness of the need for strong cybersecurity practices spreads, people are naturally becoming more cautious about what they download and the tools they use.
Reports of leaks involving GitHub have come to the forefront in recent years. There’s also been a bit of a stir regarding the infamous Octopus Scanner malware attacking the GitHub open source supply chain.
That might make GitHub sound more unsafe than it truly is.
Nevertheless, without understanding how those leaks and issues were able to happen, it’s impossible to pass judgment on how safe GitHub is by itself. The truth is that GitHub is safe to use – but it’s only as safe as you allow it to be.
I’ll explain in a minute. However, GitHub isn’t inherently unsafe; it’s the poor practices of users that can make using GitHub, either as a developer or a downloader, unsafe.
Today, I will be focusing on several aspects related to GitHub security, including:
- Whether GitHub is safe for developers and companies
- How to safeguard your project on GitHub
- How to prevent leaks of company data on GitHub
- What the Octopus Scanner malware was
- Whether GitHub is safe for downloaders
- How to download safely on GitHub
Let’s get into it.
Malware can be hidden in some programs you download. That is why it is crucial to only download from repositories you can trust.
On the developer’s side, there are additional risks to be aware of. GitHub is pretty safe, and there are a lot of security features you can use to scan your code and ensure safety – I will talk about them later.
However, if you are not careful, your repository is subject to leaks and bad code.
How can your company data be leaked on GitHub? Let’s explore several possibilities.
This isn’t a real risk. GitHub itself is pretty safe and secure, and you can trust it with the repositories you host on it.
If you have a private repository on GitHub, I wouldn’t worry about GitHub itself being hacked and your data being leaked that way.
Even if someone, or a group of hackers, managed to break into GitHub, there are countless more valuable repositories they would be after; your repository probably wouldn’t get a second glance.
However, while GitHub itself has top-notch security features, your repository might not.
Now, this is a real risk. While GitHub itself is secure, if you don’t safeguard your account, people can hack into it – due to vulnerabilities that you created, not GitHub.
The need for a strong password should be self-understood. Don’t use any password you have used elsewhere to protect your repository, and change your password now and then.
The same goes for any employee or developer you hire. You need to educate them about these simple safety measures.
Employees should be prohibited from reusing login credentials from elsewhere on GitHub. Otherwise, a leak elsewhere can pave the way for hackers to access GitHub login credentials.
However, you also need to enable two-factor authentication if you are serious about protecting your repository. Many hacks occurred due to the lack of proper security measures like 2FA.
Don’t know how to protect your GitHub account with 2FA? Read this guide.
The problems go beyond that. Many hacks and leaks occurred due to developer negligence.
That can be something as simple as embedding login credentials in the code or storing them in a config file, thus making them public and available to any hacker who has the willingness to find them.
Jelle Ursem, a researcher in the Netherlands, describes herself as the “lamest hacker you’ll meet.” However, she was able to quickly uncover login credentials hard-coded in GitHub repositories, from hundreds of companies in all types of industries, according to a DataBreaches report.
Those industries included healthcare, finance, and more, and those companies included Fortune 500 companies.
By using simple search phrases, as shown in the screenshot below, Jelle Ursem was able to uncover customer login credentials within minutes. She was able to use those credentials to log into accounts and reveal highly sensitive medical data, with hundreds of thousands of users having their data leaked.
Careless employees may inadvertently expose sensitive login credentials or other user data in public repositories that are not properly protected. All you need is a single user’s login credentials exposed in a public repository to wreak havoc on your brand.
The report mentioned above describes how Ursem discovered sensitive patient data from countless healthcare companies.
Common threads are the failure to properly safeguard repositories, leaving data exposed in public repositories, developers using personal repositories for work they shouldn’t, and hard-coding login credentials in public code.
Preventing leaks is usually simply a matter of employing the right security practices. Fortunately, there are simple things you can do to instantly safeguard your data.
Public repositories are recipes for disaster. All it takes is one contractor to not know what they are doing and leak critical data for the world to see.
Don’t let employees reuse passwords. All passwords should be strong, and you should change them frequently.
Furthermore, employ two-factor authentication. Even if you have a private repository, a hacker could use brute force to get into your account.
While SMS authentication is a possibility, I don’t recommend it. It leaves you vulnerable to SIM swapping, especially if you are in a country where SIM swapping is easier.
Instead, use a TOTP app. If you are familiar with Google Authenticator, you will know how this works.
In either case, you can use special security codes as a backup method, but keep them in a safe place.
Don’t leave old repositories up on GitHub. Take them down, and delete old repositories and accounts from people who left your company.
Secrets and credentials can be leaked on the repositories of former developers, who left the credentials there, left the company, and promptly forgot about the whole thing. You may have forgotten about them, too, until someone comes across the sensitive data left there months or years later.
Don’t embed user credentials in the code of even private repositories. Maintain them as configuration options on the server the code is running on.
Often, companies will outsource important jobs to contractors and developers who don’t really know what they are doing or simply do not care enough about your company’s privacy to take the proper security measures. Be careful with whom you hire, and vet their expertise and track record properly.
Similarly, be careful with your accessibility settings. If someone leaves your team, revoke their access.
You can block users at any time and prevent them from creating new public repositories.
You will need to secure the laptops and computers that have access to the source code. Install an antivirus and restrict physical access to approved employees.
This is more of a general tip, but it’s critical. Use a tool like BackHub to back up your GitHub repository daily, so you don’t lose your data.
Malware may creep into software, including software you download on GitHub or even create, without you knowing. Of course, you would never intentionally import malware into your code, but if you are not careful, that could easily happen.
A case in point is the infamous Octopus Scanner malware, which infected the open-source supply chain, embedding itself into multiple open-source software programs.
Here’s how it worked.
Octopus Scanner was malware that was embedded in repositories on GitHub. Developers downloaded code from those repositories to create software projects using that code.
How exactly Octopus Scanner first came into existence is still unknown.
Most owners of repositories hosting code infected with Octopus Scanner were unaware that they had malware embedded in their repositories. GitHub Security Lab scanned repositories on GitHub and found Octopus in over two dozen of them, yet the samples had a low antivirus detection rate of just 4 out of 60 engines, which made the malware hard to detect.
Octopus Scanner’s creators weren’t targeting random users downloading programs. Rather, they were attacking the open source supply chain, targeting developers so they could take over projects those developers created using the infected code.
Octopus only activated when it detected NetBeans, a Java-based development environment, on the device. Not using NetBeans can prevent you from being harmed by Octopus, but let’s step back and look at the bigger picture for a moment.
What can we learn from that story? When importing code you download from GitHub or creating software with it, you need to make sure the code is trustworthy.
It’s not just that there is a possibility of using code infected with malware. The code may be old and outdated, and using it may lead to security flaws that can be exploited by malicious actors.
Even if the code was maintained in a closed environment, it is still worth auditing the code completely before you import it. Auditing the source code will take time, but it will allow you to detect vulnerabilities.
When you give an application access to your repository, it is critical to ensure that the application is safe. Research the developer and make sure they are trustworthy before granting access.
Also, make sure they are using top-notch security practices to protect themselves (and your project, as an extension). Finally, give as little access as possible – the more access you give each application, the more you increase the chances of something going wrong.
All of the above security practices are important. However, it is also a good idea to use the following security tools to detect problems and help you keep your repository safe.
Let me go over some of the best tools you should be using or at least know about.
Did you know that GitHub offers security features to developers? Here are some of the things you can and should be doing:
Secrets, such as tokens and authentication keys for services like Azure and Amazon Web Services, can be leaked in public or private repositories, just like user credentials.
GitHub will automatically scan public repositories for secrets and inform the issuer of the key when it detects a secret, who can then inform you or revoke the token.
If you enable secret scanning on private repositories (it is not enabled by default), GitHub will inform you via email if a secret is detected.
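The hard-coded credentials Ursem found and the tokens that GitHub’s secret scanning catches are the same class of mistake, and you can catch most of them before they ever reach a repository. Below is an added example (written for this page, not GitHub’s scanner or any vendor’s code) of a small pre-commit style check: it runs a few detection rules over staged file contents and reports findings with the matched value redacted. The AWS key ID and GitHub token prefixes are publicly documented formats; the generic assignment rule, the `# not-a-secret` suppression marker and the sample files are assumptions constructed for the example, and the key values in them are placeholders, not real credentials.

```python
import re
from dataclasses import dataclass

# Detection rules. The AWS access key ID and GitHub token shapes are documented prefixes;
# the assignment rule catches generic `DB_PASSWORD = "..."` style hard-coding.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_assignment": re.compile(
        r"(?i)\b[\w.]*(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
}

# A reviewer can suppress a known false positive (a documented placeholder) with this marker.
ALLOW_MARK = "# not-a-secret"


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    excerpt: str


def redact(s: str) -> str:
    """Keep enough to recognise the hit in a report without re-leaking the value."""
    return s if len(s) <= 8 else s[:4] + "..." + s[-2:]


def scan_lines(path: str, lines) -> list:
    """Apply every rule to every line; one finding per (line, rule) that matches."""
    findings = []
    for n, line in enumerate(lines, 1):
        if ALLOW_MARK in line:
            continue
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                findings.append(Finding(path, n, rule, redact(m.group(0))))
    return findings


def scan_files(files: dict) -> list:
    """`files` maps path -> content, the shape a pre-commit hook would build from `git diff --cached`."""
    out = []
    for path, content in files.items():
        out.extend(scan_lines(path, content.splitlines()))
    return out


# Constructed sample of "staged changes". The key-like values are made-up placeholders.
SAMPLE_FILES = {
    "config.py": (
        'DB_HOST = "db.internal"\n'
        'DB_PASSWORD = "correct-horse-battery"\n'
        'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n'
    ),
    "settings.py": (
        'import os\n'
        'DB_PASSWORD = os.environ["DB_PASSWORD"]  # read from the server environment instead\n'
        'EXAMPLE_TOKEN = "placeholder-value"  # not-a-secret\n'
    ),
}

if __name__ == "__main__":
    hits = scan_files(SAMPLE_FILES)
    for f in hits:
        print(f"{f.path}:{f.line_no}: {f.rule}: {f.excerpt}")
    # A real hook exits non-zero when hits is non-empty so the commit is blocked.
    raise SystemExit(1 if hits else 0)
```

The `settings.py` sample shows the fix the article recommends: the value is read from the environment of the server the code runs on, so nothing sensitive is in the repository at all. Note that a scanner like this only finds what its patterns describe; rotating any credential that was ever committed is still required, because Git history keeps it even after the line is removed.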
You want to keep your code free of vulnerabilities, and GitHub can help you do that by scanning your code for issues you need to fix. It will display an alert in the repository if it detects a vulnerability.
You can schedule scans to take place at specific times.
From securing your supply chain by automatically monitoring your dependencies to issuing security advisories to your team, GitHub Security has a lot of other features, which you can learn about here.
The Vault Project allows you to authenticate user access, encrypt data, and store and deploy secrets while keeping them safe.
Bolt, from WhiteSource, is a free tool you can use to scan your repository for security vulnerabilities. It works on both public and private repositories, giving you real-time updates that help keep your community safe.
Snyk is an app that is free for open-source projects. It will scan your repository and alert you when it detects vulnerabilities.
Hundreds of thousands of open source projects use Snyk, and the vast majority of them have found vulnerabilities thanks to Snyk.
If you are merely a software user and not a developer, you should still exercise caution when using GitHub. It’s not that GitHub is inherently unsafe; it’s that, being a generally accessible library, anyone can upload sketchy software to their repositories.
If a sketchy developer hides viruses or malware inside their code, it might not be detectable at first glance.
So, how can you protect yourself when downloading software from GitHub? There are some simple principles you can abide by that will help you avoid most of the risks of using GitHub for your software downloads, either for personal use or for your company.
This is the most important advice I can give you if you download software often from GitHub. If you don’t know if you can trust the developer of a specific program, it might be worth looking for an alternative you can trust a bit more.
There are many awesome open source projects on GitHub that have strong communities behind them. Those communities make sure the code stays safe and that bugs get fixed.
You can generally trust strong open source projects like that.
The more contributors there are to a project, the better. It’s unlikely for there to be a conspiracy involving hundreds of contributors, all trying to trick you into thinking you are downloading a legitimate program that actually contains malware.
Bad actors tend to operate alone or in small groups. So, projects maintained by a single developer or just a couple of people might not be as safe.
You can also check the number of people who have “starred” the project to save it to their favorites, as well as the number of forks created from the project. You can see that information in the top-right corner.
The more people that have starred a project, the more likely it is to be good.
Why is all this important? The reality is that you can never really be 100 percent sure any software you download is safe.
It’s a lot easier to verify that software is unsafe than it is to verify that it is safe. Even if you audit the code or scan it with some type of antivirus or vulnerability checker, some malware is very hard to detect and may remain hidden.
Open source projects that have a lot of contributors tend to be safer. On the other hand, there is a flip side, a dark side, to know about.
If there is a program that is maintained by a single developer who you absolutely trust, you can download any updates or patches without really worrying about whether the new update is safe.
On the other hand, if a lot of people are contributing to the project, you should wait a bit before downloading an update. If you can’t inspect the code yourself, see what others are saying.
Many GitHub projects have subreddits dedicated to them. Others may have Discord channels, Telegram groups, and so on.
Other users who are more technically inclined than you will be able to help you understand whether to download an update or not.
If you do download an update, always scan it with an antivirus program.
A good project is updated frequently. On the repository, you will be able to see the history of updates.
If the last update was several years ago, avoid the program. There might be nothing malicious about it – but programs need to be updated to fix bugs and vulnerabilities that are bound to crop up.
Furthermore, using old, outdated software is never a good idea, as it can leave your computer open to attacks.
You should also check the “Issues” tab. Having issues is not abnormal; in fact, it points to a community that cares about discovering and fixing such issues.
What you do want to do is make sure that issues are addressed and eventually closed.
Scanning all programs and files you download with your antivirus or antimalware software is always a good idea. It’s important to have a good antivirus program installed anyway, which should be running automatically and constantly monitoring your computer for malware and malicious activity.
A good firewall or network monitor will also be able to detect when programs are trying to access the internet without your knowledge. They can make it easier to discover shady programs.
GitHub can be an excellent tool for collaboration and software development. It’s perfectly safe – you just have to be smart with how you use it.
If you are downloading open-source software from GitHub for your business, you should have a meticulous code review process to ensure you are only using safe programs.
There are other options, too. For example, developers can use Gitea to self-host a Git server. GitLab is another option, and it is open source, unlike GitHub.
In the past, GitLab allowed people to create private repositories for free, while GitHub did not. However, GitHub has made private repositories free as well, but the company is owned by Microsoft now, which turns some people off.
Yes, GitHub itself is safe and secure. However, when downloading programs from GitHub, you should always exercise caution and only download those created by developers you can trust.
Similarly, if you are a developer or company using GitHub, you should pay attention to the security measures discussed above, such as using strong passwords and inspecting code before you import it.
Benjamin Levin is a digital marketing professional with 4+ years of experience with inbound and outbound marketing. He helps small businesses reach their content creation, social media marketing, email marketing, and paid advertising goals. His hobbies include reading and traveling.