GitHub Security Best Practices: Protect Your Code and Account
GitHub is where developers store their most valuable code — and often their credentials. This guide covers the essential security practices every developer needs: SSH keys, personal access tokens, branch protection, two-factor authentication, and how to audit what has access to your repositories.
Why GitHub Security Matters
Your GitHub account is a high-value target. If compromised, attackers gain direct access to your source code, can inject malicious code into your projects, steal API keys and credentials left in commits, and damage your professional reputation. Unlike a social media account, a breached GitHub account can give attackers access to production systems and sensitive business logic.
The good news: GitHub's security model is solid, but only if you configure it correctly. Most breaches happen because developers skip basic setup steps.
Enable Two-Factor Authentication (2FA)
This is non-negotiable. GitHub offers two types: TOTP (time-based one-time passwords generated by an authenticator app) and security keys (hardware such as a YubiKey).
Setup steps: Go to Settings → Password and authentication → Two-factor authentication. Choose TOTP (Authenticator app) or a security key. GitHub will give you backup codes — save these in your password manager immediately. If you lose access to your authenticator, these codes are your only recovery option. Test 2FA before closing the settings page.
TOTP apps to use: Bitwarden (built-in), Microsoft Authenticator, Google Authenticator, or Authy. Security keys are more secure but require a physical device.
Use SSH Keys Instead of HTTPS Passwords
Authenticating Git over HTTPS with your account password is outdated. SSH keys rely on public-key cryptography, so no password is sent over the network on every push; the server only ever sees a signature made with a private key that stays on your machine.
Generate an SSH key: Open Terminal and run: ssh-keygen -t ed25519 -C "your_email@example.com". Press Enter to accept the default file location. You will also be asked for a passphrase; this guide recommends setting one (see below), but you can add it later with ssh-keygen -p if you skip it now. This creates a public key (share this) and a private key (never share this, keep it secret).
Add to GitHub: Copy your public key from ~/.ssh/id_ed25519.pub, go to GitHub Settings → SSH and GPG keys → New SSH key, paste it, and save. Test the connection: ssh -T git@github.com. You should see "Hi [username]! You've successfully authenticated."
Why SSH? No password is transmitted. The connection is cryptographically verified. If your computer is compromised but your SSH key is passphrase-protected (recommended), attackers can't push to your repos without the passphrase.
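The key-generation and connection-test steps above, plus the two checks a practitioner should run on an existing key (owner-only file permissions and a real passphrase, the same point the "Keep Your Local Setup Secure" section makes), as a shell script. This is an added example, not code from the original article; it assumes OpenSSH's ssh-keygen and a POSIX sh, and the default key path and e-mail are the ones the article uses.

```shell
#!/bin/sh
# Added example (not from the original article): SSH key hygiene for a GitHub key.
# Assumes OpenSSH and a POSIX sh. The default key path/e-mail are placeholders.
set -u

# Generate an ed25519 key. ssh-keygen prompts for a passphrase; do not leave it
# empty, since an unprotected key can be used by anyone who copies the file.
generate_key() {
  key="${1:-$HOME/.ssh/id_ed25519}"
  email="${2:-your_email@example.com}"
  mkdir -p "$(dirname "$key")" && chmod 700 "$(dirname "$key")"
  ssh-keygen -t ed25519 -C "$email" -f "$key"
}

# Print the octal permission bits of a file (GNU and BSD stat use different flags).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when a private key is readable only by its owner (0600 or 0400);
# ssh itself refuses keys that other users can read.
check_key_perms() {
  mode="$(file_mode "$1")"
  case "$mode" in
    600|400) return 0 ;;
    *) echo "insecure permissions $mode on $1 (expected 600)" >&2; return 1 ;;
  esac
}

# Return 0 when the key cannot be loaded with an empty passphrase, i.e. it is
# actually passphrase-protected. ssh-keygen -y prints the public key on success.
has_passphrase() {
  if ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1; then
    echo "$1 has NO passphrase; run: ssh-keygen -p -f $1" >&2
    return 1
  fi
  return 0
}

# Confirm GitHub accepts the key. GitHub always closes the session (no shell),
# so look for the success banner rather than trusting ssh's exit status.
test_github_auth() {
  ssh -T -i "$1" -o IdentitiesOnly=yes git@github.com 2>&1 \
    | grep -q 'successfully authenticated'
}

# Stand-alone use: sh keycheck.sh ~/.ssh/id_ed25519
if [ -n "${1:-}" ]; then
  check_key_perms "$1" && has_passphrase "$1" && test_github_auth "$1"
fi
```

Run it against the private key file (not the .pub): a clean key passes all three checks silently; each failure prints the command that fixes it.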
Personal Access Tokens: When You Need Passwords
Some tools and CI/CD pipelines can't use SSH. For these, use Personal Access Tokens (PATs) instead of your actual password.
Create a PAT: Settings → Developer settings → Personal access tokens → Tokens (classic). Click "Generate new token". Give it a descriptive name like "CI/CD Pipeline" or "Local Development". Choose scopes: for pushing code, select repo (full control of private repositories). Set an expiration date (90 days recommended). Generate the token and copy it immediately — you can't view it again.
Critical: Never commit tokens to Git. Never paste them in Discord or Slack. Use them only in environment variables or secrets management systems. If you accidentally commit a token, revoke it immediately in GitHub settings.
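The "never commit tokens" rule is easiest to keep when the repository enforces it. The following pre-commit hook refuses a commit whose staged lines contain a GitHub token-shaped string. It is an added example, not code from the original article; it assumes a POSIX sh and git, and the token formats it matches are GitHub's documented prefixes (ghp_, gho_, ghu_, ghs_, ghr_ for classic tokens, github_pat_ for fine-grained ones). The sample value in the demo is constructed and is not a real token.

```shell
#!/bin/sh
# Added example (not from the original article): pre-commit hook that blocks
# GitHub tokens from being committed. Assumes POSIX sh and git.

# Classic tokens: 3-letter type prefix, underscore, 36 base62 characters.
# Fine-grained tokens: github_pat_ followed by a long base62/underscore body.
TOKEN_PATTERN='gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,}'

# Print how many lines of FILE contain a token-shaped string (0 when clean).
count_tokens() {
  grep -cE "$TOKEN_PATTERN" "$1" || true
}

# Print the offending lines with line numbers so the developer can find them.
show_tokens() {
  grep -nE "$TOKEN_PATTERN" "$1" || true
}

# Scan only the lines being ADDED by the staged change. Install as
# .git/hooks/pre-commit (executable); a non-zero exit aborts the commit.
scan_staged() {
  staged="$(mktemp)"
  git diff --cached --diff-filter=ACM -U0 | grep '^+' | grep -v '^+++' > "$staged" || true
  n="$(count_tokens "$staged")"
  if [ "$n" -gt 0 ]; then
    echo "pre-commit: refusing to commit $n line(s) that look like GitHub tokens:" >&2
    show_tokens "$staged" >&2
    echo "Move the value to an environment variable or secrets manager; if it is real, revoke it in GitHub settings." >&2
    rm -f "$staged"
    return 1
  fi
  rm -f "$staged"
  return 0
}

# Constructed sample input for a stand-alone run. The ghp_ value is a fake made
# of the word EXAMPLE repeated; only the shape matters to the regex.
demo() {
  sample="$(mktemp)"
  cat > "$sample" <<'EOF'
export GITHUB_TOKEN="ghp_EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE0"
token = os.environ["GITHUB_TOKEN"]   # fine: read from the environment, not hard-coded
EOF
  count_tokens "$sample"
  rm -f "$sample"
}

if [ "${1:-}" = "--hook" ]; then
  scan_staged
fi
```

Scanning only the added lines of the staged diff keeps the hook fast and avoids flagging a token that was already removed in the same commit. A hook is a local convenience, not a guarantee (it can be skipped with --no-verify), so it complements, rather than replaces, revoking any token that does reach a remote.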
Secure Your Repository with Branch Protection
Branch protection rules prevent accidental pushes to critical branches and enforce code review. When the rule is configured to apply to administrators as well, even the repository owner cannot push to the protected branch without a reviewed pull request.
Setup: Go to your repository → Settings → Branches → Add rule. Protect the "main" branch. Enable "Require a pull request before merging" (require at least 1 approval from a code owner). Enable "Dismiss stale pull request approvals when new commits are pushed." Enable "Require status checks to pass before merging" if you have CI/CD (tests must pass before merge).
This prevents one person from pushing broken or malicious code directly to production. Every change requires a second set of eyes.
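The same settings can be applied, and audited, through GitHub's REST API, which is how you keep many repositories consistent instead of clicking through each one. The following is an added example, not code from the original article; it assumes the gh CLI is installed and authenticated, and OWNER, REPO, BRANCH and the CI check names are placeholders the caller supplies. The JSON fields are those of the PUT /repos/{owner}/{repo}/branches/{branch}/protection endpoint, mapped to the checkboxes named above.

```shell
#!/bin/sh
# Added example (not from the original article): apply and inspect branch
# protection via GitHub's REST API with the gh CLI. Assumes gh is installed
# and authenticated; owner/repo/branch/check names are caller-supplied placeholders.

# Build the request body. Field -> UI checkbox:
#   required_pull_request_reviews        -> "Require a pull request before merging"
#     .required_approving_review_count=1 -> at least 1 approval
#     .require_code_owner_reviews        -> "Require review from Code Owners"
#     .dismiss_stale_reviews             -> "Dismiss stale pull request approvals..."
#   required_status_checks               -> "Require status checks to pass before merging"
#     .strict                            -> branch must be up to date before merging
#   enforce_admins                       -> apply the rules to administrators too
#   allow_force_pushes/allow_deletions   -> keep the branch history intact
protection_body() {
  checks="${1:-}"          # comma-separated CI check names, e.g. "build,test"
  contexts=''
  IFS=','
  for c in $checks; do
    contexts="${contexts:+$contexts,}\"$c\""
  done
  unset IFS
  contexts="[$contexts]"
  cat <<EOF
{
  "required_status_checks": { "strict": true, "contexts": $contexts },
  "enforce_admins": true,
  "required_pull_request_reviews": {
    "dismiss_stale_reviews": true,
    "require_code_owner_reviews": true,
    "required_approving_review_count": 1
  },
  "restrictions": null,
  "allow_force_pushes": false,
  "allow_deletions": false
}
EOF
}

# Apply the rule: apply_protection OWNER REPO [BRANCH] [CHECKS]
apply_protection() {
  owner="$1"; repo="$2"; branch="${3:-main}"; checks="${4:-}"
  protection_body "$checks" | gh api --method PUT \
    -H "Accept: application/vnd.github+json" \
    "repos/$owner/$repo/branches/$branch/protection" --input -
}

# Show the rules currently in force; include this in your periodic access audit.
show_protection() {
  gh api "repos/$1/$2/branches/${3:-main}/protection"
}
```

Run protection_body "build,test" to inspect the JSON before sending it; apply_protection then performs the PUT. Because enforce_admins is true, the rule also binds repository administrators, which is the setting that makes "even you can't bypass these rules" actually hold.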
Audit Access and Review Active Sessions
Periodically review who has access to your repositories and what devices are logged in.
Check your authorized applications: Settings → Applications → Authorized OAuth Apps. Revoke any apps you don't recognize or no longer use (old CI/CD services, development tools you deleted, etc.).
Review active sessions: Settings → Sessions. You'll see all locations where you're currently logged in. If you see a city you weren't in or a device you don't recognize, click "Sign out" immediately.
Check repository access: For each repository, go to Settings → Collaborators and teams. Remove any users who no longer need access. Also review the SSH keys (Settings → SSH and GPG keys) and Personal Access Tokens (Settings → Developer settings → Personal access tokens) you've created, and revoke the ones you're not using.
Keep Your Local Setup Secure
Your GitHub account is only as secure as the machine it logs in from.
Action items: Keep your operating system and all software up to date (automatic updates recommended). Use full-disk encryption (BitLocker on Windows, FileVault on Mac). Protect your SSH private key with a strong passphrase: ssh-keygen -p -f ~/.ssh/id_ed25519. Never commit credentials, API keys, or secrets to any repository — use environment variables or a secrets manager instead. Use a password manager to store your GitHub password securely and separately from your SSH key passphrase.
Security Checklist
- ☐ Enable two-factor authentication (TOTP or security key)
- ☐ Generate and use SSH keys for Git operations
- ☐ Create Personal Access Tokens for CI/CD (not passwords)
- ☐ Enable branch protection on main/production branches
- ☐ Revoke unused OAuth applications and PATs
- ☐ Review active sessions monthly
- ☐ Audit repository collaborators and remove unnecessary access
- ☐ Protect your SSH private key with a passphrase
- ☐ Never commit secrets or API keys
- ☐ Use a strong, unique password for your GitHub account (stored in a password manager)
GitHub's security is a shared responsibility. GitHub provides the tools; you provide the discipline. A few minutes of setup now can save you from a major breach later.