@gitstua
Last active May 16, 2023 02:40

Well Architected GitHub (Draft for info, no warranty with this information) Mar 20, 2023 Stuart Eggerton

Target audience: GitHub Enterprise Cloud customers

Security

Protecting applications and data from threats.

General

  • Limit Enterprise Owners and Organization Owners to as few people as possible. For billing-only access, use the Enterprise Billing Manager role.
  • Require 2-factor authentication
  • Enable SAML SSO to the organization
  • Download SSO recovery codes somewhere safe
  • Require SAML SSO authentication to access the org content
  • Do not allow people to change the visibility of the repos
  • For PATs, choose the minimum required scope. GitHub recommends that you use fine-grained personal access tokens instead of personal access tokens (classic) whenever possible.
  • With a modern security-perimeter approach in your SSO provider you can leverage advanced features such as user risk, device risk and location risk, plus multi-factor authentication. Example: you can leverage Conditional Access Policies in Azure AD. You can further mitigate the risk of unauthorized access by restricting network access to your GitHub Organizations.
  • Set policies at the enterprise level so they apply to all organizations
  • Add automations around security for the repositories (such as branch protection and permission mapping)
  • Manage and review programmatic access to your GitHub-hosted assets.
  • If you do not require public repositories and want to manage the identity lifecycle of your users most closely then consider GHE EMU.
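One of the repository automations mentioned above, as an added example that is not part of the gist: a posture check that compares a branch's protection settings with the rules a protected default branch should have. The field names follow the shape of the REST API response for `GET /repos/{owner}/{repo}/branches/{branch}/protection`; `SAMPLE_PROTECTION` is a constructed object and `REQUIRED_APPROVALS` is this example's own threshold.

```python
"""Posture check for branch protection, one of the repository automations the
checklist calls for. SAMPLE_PROTECTION is a constructed object shaped like the
response of GET /repos/{owner}/{repo}/branches/{branch}/protection; field names
follow the REST API, the thresholds are this example's own assumptions."""

REQUIRED_APPROVALS = 1  # assumption: at least one approving review


def audit_branch_protection(protection: dict) -> list:
    """Return human-readable gaps; an empty list means the branch passes."""
    findings = []
    if not protection.get("enforce_admins", {}).get("enabled", False):
        findings.append("enforce_admins off: administrators can bypass the rules")
    if protection.get("allow_force_pushes", {}).get("enabled", False):
        findings.append("allow_force_pushes on: history can be rewritten")
    if protection.get("allow_deletions", {}).get("enabled", False):
        findings.append("allow_deletions on: the protected branch can be deleted")
    reviews = protection.get("required_pull_request_reviews")
    if reviews is None:
        findings.append("no required_pull_request_reviews: pushes land without review")
    else:
        count = reviews.get("required_approving_review_count", 0)
        if count < REQUIRED_APPROVALS:
            findings.append(f"required_approving_review_count {count} < {REQUIRED_APPROVALS}")
        if not reviews.get("dismiss_stale_reviews", False):
            findings.append("dismiss_stale_reviews off: approvals survive new commits")
    checks = protection.get("required_status_checks")
    if checks is None or not checks.get("contexts"):
        findings.append("no required_status_checks: nothing gates the merge")
    elif not checks.get("strict", False):
        findings.append("required_status_checks.strict off: branch may be stale at merge")
    return findings


# Constructed sample: protection exists but is permissive.
SAMPLE_PROTECTION = {
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": False},
    "required_pull_request_reviews": {
        "required_approving_review_count": 0,
        "dismiss_stale_reviews": False,
    },
    "required_status_checks": {"strict": False, "contexts": ["ci/build"]},
}

if __name__ == "__main__":
    for finding in audit_branch_protection(SAMPLE_PROTECTION):
        print("FINDING:", finding)
```

The same function can be run over the protection object of every repository's default branch to produce an org-wide report.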

Audit and monitoring

  • Enable streaming of audit and Git events to an external SIEM or to a long-term archive
  • If your organization allows it then enable including source IP addresses in your audit logs - this is disabled by default for privacy reasons
  • Review and revoke any unused PATs periodically
  • Review GitHub Apps
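What a SIEM rule over the streamed audit log can look like, as an added example that is not from the gist: it flags the events that undo items on this checklist (2FA requirement disabled, branch protection removed, a member promoted to owner, a repository made public) and notes when `actor_ip` is absent because source-IP logging is off. The `action` values are real audit-log action names; the other field names and the sample events are assumptions constructed for this example.

```python
"""Detection over streamed GitHub audit-log events, the SIEM feed the checklist
recommends. The events below are constructed samples: the 'action' values are real
audit-log action names, the remaining field names are assumptions of this example."""
import json

# Actions that weaken the posture this checklist tries to establish.
HIGH_RISK_ACTIONS = {
    "org.disable_two_factor_requirement": "2FA requirement switched off",
    "protected_branch.destroy": "branch protection removed",
    "org.update_member": "member promoted to owner",
    "repo.access": "repository made public",
}

def triage_event(event: dict):
    """Return an alert line for a risky event, or None for routine ones."""
    action = event.get("action")
    if action not in HIGH_RISK_ACTIONS:
        return None
    # Only owner promotions and changes to public visibility are escalated.
    if action == "org.update_member" and event.get("permission") != "admin":
        return None
    if action == "repo.access" and event.get("visibility") != "public":
        return None
    where = event.get("repo") or event.get("org", "?")
    # actor_ip is only present once source-IP logging is enabled for the org.
    ip = event.get("actor_ip", "no-ip")
    return f"{HIGH_RISK_ACTIONS[action]} by {event.get('actor', '?')} on {where} from {ip}"

def scan(lines: list) -> list:
    """Parse JSON lines into alerts, skipping malformed input rather than crashing."""
    alerts = []
    for line in lines:
        try:
            alert = triage_event(json.loads(line))
        except json.JSONDecodeError:
            continue
        if alert:
            alerts.append(alert)
    return alerts

SAMPLE_LOG = [  # constructed sample events, one JSON object per line
    '{"@timestamp":1679270400000,"action":"repo.access","actor":"alice","org":"acme","repo":"acme/payments","visibility":"public","actor_ip":"203.0.113.7"}',
    '{"@timestamp":1679270460000,"action":"repo.access","actor":"bob","org":"acme","repo":"acme/docs","visibility":"internal"}',
    '{"@timestamp":1679270520000,"action":"org.update_member","actor":"carol","org":"acme","user":"dave","permission":"admin"}',
    '{"@timestamp":1679270580000,"action":"protected_branch.destroy","actor":"erin","org":"acme","repo":"acme/payments"}',
    "not json at all",
]
```

Calling `scan(SAMPLE_LOG)` returns three alerts (the public visibility change, the owner promotion and the removed branch protection); the internal visibility change and the malformed line are ignored.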

Code security

  • Leverage push protection to protect against secrets getting into repositories and to coach developers to avoid accidental pushes
  • Develop a plan to resolve secrets in code
  • Develop strategies to reduce required secrets in code
    • Actions OIDC
    • Leverage a secret store such as Azure Key Vault or HashiCorp Vault
  • Leverage Dependabot
  • Consider a forking policy for your organization

Actions

GitHub Apps and integrations

  • Enable OAuth App access restrictions

Reliability

The ability of a system to recover from failures and continue to function.

  • Minimize customisations which replicate features in GHE - simplify by leveraging product features and extend where required
  • Avoid extremely large repositories by avoiding large binary files - these can be stored in LFS or a cloud provider's blob object storage, e.g. Azure Blob, AWS S3

Cost Optimization

Managing costs to maximize the value delivered.

  • GitHub hosted runners
    • Ephemeral
    • Larger runners may save developer wait time and reduce developer costs
    • Reduce operational costs over deploying and patching runners yourself
  • Offboard dormant users
  • Leverage existing discounts through your Microsoft Enterprise Agreement
  • When you have Visual Studio Enterprise subscriptions then assign these licenses to your users
  • Connect your billing for Codespaces, Actions and Shared Storage to your Azure Subscription
  • Set appropriate spending limits - for example, set up email notifications at 50, 75, 90 and 100%
  • Set up a billing email for general billing notifications

Operational Excellence

Operations processes that keep a system running in production.

  • User governance: https://gist.github.com/rwnfoo/3e19747f6dc2c5b9cfb0ff9c89d834b4
  • Do not overclassify your code - keep general code available to those across your enterprise - the value of code being visible outweighs the risk of over-sharing
  • Classify and manage highly sensitive code with more care, e.g. cryptography or trade secrets - monitor logs more carefully, restrict access and review access regularly
  • GitHub has Enterprise policies which can help manage governance rules at the organization and enterprise level - https://docs.github.com/en/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise
  • Apply “soft” guard rails to give teams the autonomy to develop processes which work for them to ship
  • Apply “hard” guard rails for the non-negotiable rules which need to apply to your most important software assets

Performance Efficiency

The ability of a system to adapt to changes in load. How do we cater for increase or decrease in users? How do we manage times of increased developer activity or frequent releases versus slower times?

Other resources / references

  • Archetypes gist: Orgs and Teams Best Practices · GitHub
  • Introduction to adopting GitHub Advanced Security at scale - GitHub AE Docs
  • FastTrack docs
  • Guru - GHEC Adoption eBook
  • Discussing Common (Anti)Patterns on an Instance of GitHub #826
  • The book on GitHub Enterprise Cloud Adoption: https://resources.github.com/devops/book-on-github-enterprise-adoption/
  • Guide on Organizations
