There are two sides to this story: one on hand, we should do everything in our power to prevent leaks from happening and on the other, we need to have a mitigation plan to ensure proper take down of all leaked data to minimize impact.
- Transferring the repository and turning a private repository public should both be turned off by the admin.
- The admin should also consider disabling the ability to fork repositories.
- Restrict repository creation is another way to prevent accidental leaks.
- Immediately convert any public repository to private, along with alerting the repository owners of the conversion through a GitHub Issue with this GitHub App.
- These are the steps we recommend a user take to avoid accidental commits. We recommend setting the default commit email addresses along with locally signing those commits with GPG or S/MIME.
- Third-party tools can also be utilized. For example, https://github.com/dxa4481/truffleHog will scan repos for secrets and custom things.
- Leverage Token Scanning, which prevents secret tokens and keys from leaking into public repositories. This will also invalidate the exposed tokens upon verifying the endpoint.
- Confirm your organization identity by verifying your company domain and restrict email notifications to only the verified domain.
- Make sure your organization has upgraded to the Corporate ToS instead of Standard ToS. More around the upgrade process here.
- Remember, you can undo almost anything in Git!
- Once a user has committed sensitive information, he/she can remove Sensitive data from a repository on their own. But be sure to reach out to GitHub support with the commit SHA. The exact steps we take on our end to ensure all histories along with logs, are wiped clean:
- Delete PR in staff tools (this will also wipe out any related audit logs, history etc)
- Confirm the commit hasn't appeared anywhere else since our last check
- Run garbage collection
- Invalidate git cache on repo (this is also a step that users often don't realize that needs to take place)
- If you are certain about the ownership of the data, fill out a DMCA takdown notice form and let the GitHub Support team know. Inversely, if your repository has been taken down due to a false claim, please fill out this DMCA counter notice form and reach out to the GitHub Support team.
- Keep your passwords and devices safe, use SAML, SCIM and 2FA whenever possible.
- Establish an internal security policy, so users know exactly what the best practices are, who to go to and/or what to do should accidents happen.
- Pick the right tool! "Organizations that use tools to automate dependency management have 60% less security vulnerabilities than those who don’t." - IEEE/ACM International Conference on Automated Software Engineering 2017.