GitHub Actionsから本番デプロイまでするので、GitHubをorgレベルでセキュアにする方法を調べる。

公式ドキュメント

• GitHub Actions
• GitHub Repositories
• GitHub Organizations
• GitHub Enterprise administrators
• GitHub Code security
• GitHub Apps
• GitHub Authentication

ブログ記事

• GitHub OrganizationとEnterpriseアカウントの保護
• Security best practices for GitHub Enterprise Server
• アカウントのセキュリティとリカバリ性を高める新サービスとベストプラクティス
• オープンソースプロジェクトをサプライ チェーン攻撃から守る
• Securing GitHub organizations
• Best Practices for Organizations
• Github Enterprise Cloud Configuration
• Security Best Practices for Github
• GitHubリポジトリにおけるレビュープロセスの統制
• OPA/Regoを活用して継続的監査を実現して、楽をしよう
• 社内のソースコードをGitHub Enterprise にとりまとめてる話
• GitHubの運用を「会社」にしていく話
• GitHub Enterprise Cloud導入に向けた5つの検討ポイント
• 【個人的】チーム開発におけるGitHub Organization (Free) の設定と運用ルール
• GitHub Organizationをセキュアにするための3つのTips
• GitHub で意図せぬ Public Repository 化をお手軽に検知・防止する
• Service account standards

GitHub Actions

• Managing workflow runs
  • Reviewing deployments
• Deployment
  • Deploying with GitHub Actions
    • Using environments
    • Using concurrency
    • Viewing deployment history
    • Monitoring workflow runs
    • Tracking deployments through apps
  • About security hardening with OpenID Connect
  • Configuring OpenID Connect in Amazon Web Services
  • Using OpenID Connect with reusable workflows
  • Using environments for deployment
    • Environment protection rules
      • Required reviewers
      • Wait timer
      • Deployment branches
    • Environment secrets
• Security guides
  • Security hardening for GitHub Actions
    • Using secrets
    • Using CODEOWNERS to monitor changes
    • Understanding the risk of script injections
    • Good practices for mitigating script injection attacks
    • Using OpenID Connect to access cloud resources
    • Using third-party actions
    • Reusing third-party workflows
    • Potential impact of a compromised runner
  • Encrypted secrets
  • Automatic token authentication
    • About the GITHUB_TOKEN secret
    • Using the GITHUB_TOKEN in a workflow
    • Permissions for the GITHUB_TOKEN
      • Permissions required for GitHub Apps
      • Enforcing a policy for workflow permissions in your enterprise
      • Disabling or limiting GitHub Actions for your organization
      • Managing GitHub Actions settings for a repository
• Advanced guides
  • Storing workflow data as artifacts
• Creating actions
  • About custom actions
    • Using release management for actions
    • Creating a README file for your action
  • Creating a composite action

changelogにのみ記載？

• GitHub Actions: Prevent GitHub Actions from approving pull requests

GitHub Repositories

• Customizing your repository
  • About code owners
• Enable features
  • Disabling issues
  • Disabling project boards in a repository
  • Managing GitHub Actions settings for a repository
    • Managing GitHub Actions permissions for your repository
    • Allowing specific actions to run
    • Configuring required approval for workflows from public forks
    • Enabling workflows for private repository forks
    • Setting the permissions of the GITHUB_TOKEN for your repository
    • Configuring the retention period for GitHub Actions artifacts and logs in your repository
    • Setting the retention period for a repository
  • Enabling or disabling GitHub Discussions for a repository
  • Managing security and analysis settings for your repository
• Managing repository settings
  • Setting repository visibility
  • Managing teams and people with access to your repository
  • Managing the forking policy for your repository
  • Managing Git LFS objects in archives of your repository
  • About email notifications for pushes to your repository
  • Configuring autolinks to reference external resources
• Defining the mergeability of pull requests
  • About protected branches
    • Require pull request reviews before merging
    • Require status checks before merging
    • Require conversation resolution before merging
    • Require signed commits
    • Require linear history
    • Require merge queue
    • Include administrators
    • Restrict who can push to matching branches
    • Allow force pushes
    • Allow deletions
  • Managing a branch protection rule
  • Troubleshooting required status checks

GitHub Organizations

• Managing people's access to your organization with roles
  • Roles in an organization
    • Organization owners
    • Organization members
    • Billing managers
    • Security managers
    • GitHub App managers
    • Outside collaborators
  • Maintaining ownership continuity for your organization
  • Adding a billing manager to your organization
  • Managing security managers in your organization
• Managing access to your organization's repositories
  • Repository roles for an organization
  • Setting base permissions for an organization
• Managing access to your organization's apps
  • Adding GitHub App managers in your organization
• Managing organization settings
  • Verifying or approving a domain for your organization
  • Transferring organization ownership
  • Restricting repository creation in your organization
  • Setting permissions for deleting or transferring repositories
  • Restricting repository visibility changes in your organization
  • Managing the forking policy for your organization
  • Disabling or limiting GitHub Actions for your organization
    • Managing GitHub Actions permissions for your organization
    • Allowing specific actions to run
    • Configuring required approval for workflows from public forks
    • Enabling workflows for private repository forks
    • Setting the permissions of the GITHUB_TOKEN for your organization
  • Configuring the retention period for GitHub Actions artifacts and logs in your organization
  • Setting permissions for adding outside collaborators
  • Allowing people to delete issues in your organization
  • Managing discussion creation for repositories in your organization
  • Setting team creation permissions in your organization
  • Managing scheduled reminders for your organization
  • Managing the default branch name for repositories in your organization
  • Managing default labels for repositories in your organization
  • Changing the visibility of your organization's dependency insights
  • Managing the display of member names in your organization
  • Managing updates from accounts your organization sponsors
  • Managing the publication of GitHub Pages sites for your organization：publicは除外しておく
  • Disabling project boards in your organization
• Restricting access to your organization's data
  • About OAuth App access restrictions
  • Enabling OAuth App access restrictions for your organization
  • Denying access to a previously approved OAuth App for your organization
• Keeping your organization secure
  • Requiring two-factor authentication in your organization
  • Managing security and analysis settings for your organization
    • Enabling or disabling a feature for all existing repositories
      • Dependency graph - Your changes affect only private repositories because the feature is always enabled for public repositories.
      • Dependabot alerts - Your changes affect all repositories.
      • Dependabot security updates - Your changes affect all repositories.
    • Enabling or disabling a feature automatically when new repositories are added
  • Managing allowed IP addresses for your organization
  • Restricting email notifications for your organization
  • Reviewing the audit log for your organization
  • Reviewing your organization's installed integrations

Enterprise administrators

• Configuring GitHub Enterprise
  • Verifying or approving a domain for your enterprise
  • Configuring custom footers
• Identity and access management
  • About identity and access management for your enterprise
  • About Enterprise Managed Users
• Managing users in your enterprise
  • Roles in an enterprise
    • Managing administrators
    • Adding and removing organizations to and from the enterprise
    • Managing enterprise settings
    • Enforcing policy across organizations
    • Managing billing settings
  • Viewing people in your enterprise
• Managing organizations in your enterprise
  • Viewing the audit logs for organizations in your enterprise
  • Streaming the audit logs for organizations in your enterprise account
• Monitoring activity in your enterprise
  • Managing global webhooks
• Enforcing policies for your enterprise
  • Enforcing repository management policies in your enterprise
    • Enforcing a policy for base repository permissions
    • Enforcing a policy for repository creation
    • Enforcing a policy for forking private or internal repositories
    • Enforcing a policy for inviting outside collaborators to repositories
    • Enforcing a policy for the default branch name
    • Enforcing a policy for changes to repository visibility
    • Enforcing a policy for repository deletion and transfer
    • Enforcing a policy for deleting issues
  • Enforcing team policies in your enterprise
    • Enforcing a policy for team discussions
  • Enforcing project board policies in your enterprise
    • Enforcing a policy for organization-wide project boards
    • Enforcing a policy for repository project boards
  • Restricting email notifications for your enterprise
    • Restricting email notifications for your enterprise
  • Enforcing policies for security settings in your enterprise
    • Requiring two-factor authentication for organizations in your enterprise
    • Managing allowed IP addresses for organizations in your enterprise
    • Enable IP allow list configuration for installed GitHub Apps
    • Managing SSH certificate authorities for your enterprise
  • Enforcing policies for dependency insights in your enterprise
    • Enforcing a policy for visibility of dependency insights
  • Enforcing policies for GitHub Actions in your enterprise
    • Enforcing a policy to restrict the use of actions in your enterprise
    • Enforcing a policy for artifact and log retention in your enterprise
    • Enforcing a policy for fork pull requests in your enterprise
    • Enforcing a policy for workflow permissions in your enterprise
  • Enforcing policies for Advanced Security in your enterprise
    • Enforcing a policy for the use of GitHub Advanced Security in your enterprise
• Managing GitHub Advanced Security for your enterprise
  • Overview of GitHub Advanced Security deployment
  • Deploying GitHub Advanced Security in your enterprise

Code security

• Getting started with code security
  • GitHub security features
    • Available for all repositories
      • Security policy
      • Security advisories
      • Dependabot alerts and security updates
      • Dependabot version updates
      • Dependency graph
    • Available with GitHub Advanced Security
      • Code scanning
      • Secret scanning
      • Dependency review
  • Securing your repository
    • Managing access to your repository
    • Setting a security policy
    • Managing the dependency graph
    • Managing Dependabot alerts
    • Managing dependency review
    • Managing Dependabot security updates
    • Managing Dependabot version updates
    • Configuring code scanning
    • Configuring secret scanning
  • Securing your organization
    • Managing access to your organization
    • Creating a default security policy
    • Managing Dependabot alerts and the dependency graph
    • Managing dependency review
    • Managing Dependabot security updates
    • Managing Dependabot version updates
    • Configuring secret scanning
    • Configuring code scanning
• Keeping secrets secure with secret scanning
  • About secret scanning
  • Secret scanning partners
• Finding security vulnerabilities and errors in your code with code scanning
  • About code scanning
  • Triaging code scanning alerts in pull requests
  • Configuring code scanning
  • Uploading a SARIF file to GitHub
• Managing security advisories for vulnerabilities in your project
  • About coordinated disclosure of security vulnerabilities
  • About GitHub Security Advisories
• Securing your software supply chain
  • About the dependency graph
  • About Dependabot version updates
  • Enabling and disabling Dependabot version updates
  • Automating Dependabot with GitHub Actions
  • Customizing dependency updates
  • Configuration options for dependency updates
  • Keeping your actions up to date with Dependabot
  • About managing vulnerable dependencies
    • Dependency graph
    • Dependency review
    • Dependabot alerts
    • Dependabot security updates
    • Dependabot version updates
• Viewing security alerts for repositories in your organization
  • About the security overview
    • At the organization-level
    • At the team-level
    • At the repository-level

GitHub Apps

• Getting started with apps
  • About apps
    • About GitHub Apps
    • About OAuth Apps
    • Personal access tokens
    • Determining which integration to build
  • Differences between GitHub Apps and OAuth Apps
• Building GitHub Apps
  • Creating a GitHub App
  • Managing allowed IP addresses for a GitHub App
  • Authenticating with GitHub Apps
  • Identifying and authorizing users for GitHub Apps
• Managing GitHub Apps
  • Installing GitHub Apps
  • Editing a GitHub App's permissions
  • Making a GitHub App public or private

Authentication

• Keeping your account and data secure
  • About authentication to GitHub
  • Creating a strong password
  • Creating a personal access token
  • Preventing unauthorized access
• Securing your account with two-factor authentication (2FA)
  • About two-factor authentication
  • Configuring two-factor authentication
• Connecting to GitHub with SSH
  • About SSH
  • Generating a new SSH key and adding it to the ssh-agent
• Managing commit signature verification
  • About commit signature verification
  • Generating a new GPG key
  • Associating an email with your GPG key

全体

二要素認証の強制

• 二要素認証をしていないユーザは強制的に追い出される

  • 後追いで導入する場合は現行ユーザのケアが必要

• Requiring two-factor authentication in your organization【Organizations】

• Requiring two-factor authentication for organizations in your enterprise【Enterprise】

ドメインの所有権確認と通知先制御

• ドメインの所有権を確認しておくと、メール通知のそのドメインのみに制限できる
  • 個人利用のメールアドレスに誤って通知が飛ばなくなり、意図せぬ情報漏えいの可能性が低減する
• ドメインの所有権確認
  • Verifying or approving a domain for your enterprise【Enterprise】
  • Verifying or approving a domain for your organization【Organizations】
• 通知先制御
  • Restricting email notifications for your enterprise【Enterprise】
  • Restricting email notifications for your organization【Organizations】

IPアドレス制限

• アクセス元をオフィスからだけに制限したりできる
  • リモート前提だとVPNが必要になる
• IPアドレス制限はGitHub AppsやGitHub Actionsにも影響が出るので注意
  • Allowing access by GitHub Apps
  • Using GitHub Actions with an IP allow list
• Managing allowed IP addresses for your organization【Organizations】
• Managing allowed IP addresses for organizations in your enterprise【Enterprise】

IAM

• IAM Role
  • Roles in an enterprise【Enterprise】
  • Roles in an organization【Organizations】
  • Repository roles for an organization【Organizations】
• Owner
  • Maintaining ownership continuity for your organization【Organizations】

Team

• 運用ポリシーがない状態で許可するとカオスになる
  • 作りっぱなしで放置されるTeamが大量に爆誕し、機能不全に陥りがち
  • 自由に作れるようにするならポリシーを定める、それができないなら禁止して少数のTeamを中央集権的に管理するほうがいい気がする
  • Setting team creation permissions in your organization【Organizations】

Outside collaborators

• たまにOutside collaboratorsが必要になるが、追加した後放置されがち
  • 定期的に棚卸しが必要
  • Setting permissions for adding outside collaborators【Organizations】
• Enforcing a policy for inviting outside collaborators to repositories【Enterprise】

SAML

• Enterprise限定だが、コレが使えるとアカウントの棚卸しとかをGitHubではやらなくてすむ
  • About identity and access management for your enterprise【Enterprise】

Monitoring

• セキュリティに関するアクティビティを見るのに必要
  • Enterprise限定だが、AuditログはストリーミングでS3などへ映像化可能
• Viewing the audit logs
  • Viewing the audit logs for organizations in your enterprise【Enterprise】
  • Reviewing the audit log for your organization【Organizations】
• Streaming the audit logs
  • Streaming the audit logs for organizations in your enterprise account【Enterprise】
• Webhooks
  • Managing global webhooks【Enterprise】

GitHub Pages

• 原則public化禁止でいい気がする
  • Managing the publication of GitHub Pages sites for your organization【Organizations】

Apps

• GitHub Appは強力な権限が持てるので、扱える人は限定する
  • OAuth AppよりGitHub App推しらしいので、OAuth Appは禁止でよいのでは
  • Enabling OAuth App access restrictions for your organization【Organizations】
• デフォルトではownerしか扱えないようになっている
  • 権限を渡すことも一応可能だが、安易に増やさないほうがよいだろう
  • Adding GitHub App managers in your organization【Organizations】

Deleting issues

• Allowing people to delete issues in your organization【Organizations】
• Enforcing a policy for deleting issues【Enterprise】

SSH certificate authorities

• よく知らない
  • Managing SSH certificate authorities for your enterprise【Enterprise】
  • Managing your organization's SSH certificate authorities【Organizations】

機能制限

• Discussions
  • Enforcing a policy for team discussions【Enterprise】
  • Managing discussion creation for repositories in your organization【Organizations】
• Project board
  • Enforcing project board policies in your enterprise【Enterprise】
• Dependency insights
  • Enforcing policies for dependency insights in your enterprise【Enterprise】
  • Changing the visibility of your organization's dependency insights【Organizations】
• Scheduled reminders
  • Managing scheduled reminders for your organization【Organizations】

リポジトリ

Base permissions

• Setting base permissions for an organization【Organizations】
• Enforcing a policy for base repository permissions【Enterprise】

Restricting repository creation

• 自由に作れたほうが便利だけど、若干リスクが増す
  • たとえば野良のGitHub Actionsの利用を禁止しても、forkしてorg内に取り込んじゃうとよく分からんヤツが入り込む可能性がある
• Restricting repository creation in your organization【Organizations】
• Enforcing a policy for repository creation【Enterprise】

Restricting repository visibility changes

• 無効化しといたほうが安全
• Restricting repository visibility changes in your organization【Organizations】
• Enforcing a policy for changes to repository visibility【Enterprise】

Managing the forking policy

• 許可する理由が浮かばない

• Managing the forking policy for your organization【Organizations】

• Enforcing a policy for forking private or internal repositories【Enterprise】

  • Configuring the retention period for GitHub Actions artifacts and logs in your organization【Organizations】

Setting permissions for deleting or transferring repositories

• 原則禁止したほうがよさそう
  • 特にtransferringがヤバい
• Setting permissions for deleting or transferring repositories【Organizations】
• Enforcing a policy for repository deletion and transfer【Enterprise】

Configuring the retention period

• 変えないと90日以上、ログを保存できなくなるので変える
  • 最大400日らしいので、とりあえず最大値にしておけばいいのでは感
• Configuring the retention period for GitHub Actions artifacts and logs in your organization【Organizations】
• Enforcing a policy for artifact and log retention in your enterprise【Enterprise】

Managing security and analysis settings

• とりあえず有効にしておけばよいのでは感
  • Dependency graph
  • Dependabot alerts
  • Dependabot security updates
• Managing security and analysis settings for your organization【Organizations】

GitHub Advanced Security

• Enterprise限定だが、コードスキャンやシークレットスキャンができる
  • ちなみにサードパーティツールでも同様のツールは存在するので、機能的にはなくてもあまり困らない
  • 有料で提供するぐらいだから、もしかすると精度が高いのかもしれない
  • Enforcing policies for Advanced Security in your enterprise【Enterprise】

GitHub Actions for owners

Restrict the use of actions

• 「Allow select actions」に設定し、野良のActionを使えないようにしておく
  • 「Allow actions created by GitHub」にチェックを入れて、GitHubさんは信頼しておく
  • 「Allow Marketplace actions by verified creators」にチェックを入れて、主要な組織は信頼しておく
• Allowing specific actions to run【Organizations】
• Enforcing a policy to restrict the use of actions in your enterprise【Enterprise】

Setting the permissions of the GITHUB_TOKEN

• Workflow permissionsを「Read repository contents permission」に変更
  • あくまでデフォルトパーミッションなので過信はできない
  • push権限があれば事実上、GitHub Actionsの全権限を奪取可能
  • なぜか公式ドキュメントに記載がないが、GitHub Actionsによる自動approveを抑止する設定が存在する
• Setting the permissions of the GITHUB_TOKEN for your organization【Organizations】
• Enforcing a policy for workflow permissions in your enterprise【Enterprise】
• GitHub Actions: Prevent GitHub Actions from approving pull requests【Organizations】

Configuring required approval for workflows from public forks

• 「Require approval for all outside collaborators」を設定しておく
  • そもそもpublicにforkさせるべきじゃないという話はありつつ
• Configuring required approval for workflows from public forks【Organizations】
• Enforcing a policy for approval of pull requests from outside collaborators【Enterprise】

Enabling workflows for private repository forks

• 「Fork pull request workflows」のチェックは全部外す
• Enabling workflows for private repository forks【Organizations】
• Enforcing a policy for fork pull requests in private repositories【Enterprise】

GitHub Actions for developers

Deployment

• Enterprise限定でプライベートリポジトリでenvironmentsが解禁される
  • 環境単位でSecretsが定義できたり履歴が見れたりと便利そうだが財力がひつよう
• Deploying with GitHub Actions【GitHub Actions】

Environment protection rules

• 環境ごとにapproveを必須にしたり、デプロイブランチを固定できたりする
  • 最高感あるが、プライベートリポジトリはEnterprise限定である
• Environment protection rules

OpenID Connect

• クラウドプロバイダと連携するなら必須
  • アクセスキーの管理はアンチパターンになったのでOIDCを使おう
• About security hardening with OpenID Connect
  • Configuring OpenID Connect in Amazon Web Services

Secrets

• Using secrets
  • Never use structured data as a secret
  • Register all secrets used within workflows
  • Audit how secrets are handled
  • Use credentials that are minimally scoped
  • Audit and rotate registered secrets
  • Consider requiring review for access to secrets

CODEOWNERS

• Using CODEOWNERS to monitor changes
  • .github/workflows とかをちゃんとレビューしてね

Mitigating script injection attacks

• Understanding the risk of script injections
  • PRのタイトルとかがインジェクション攻撃の原因になる
• Good practices for mitigating script injection attacks
  • Using an action instead of an inline script (recommended)
  • Using an intermediate environment variable
  • Using CodeQL to analyze your code
  • Restricting permissions for tokens

サードパーティアクション

• Using third-party actions
  • Pin actions to a full length commit SHA
  • Audit the source code of the action
  • Pin actions to a tag only if you trust the creator

クロスリポジトリアクセス

• Considering cross-repository access
  • Personal access tokensとSSH keysは絶対使うな
  • どうしても必要ならGitHub App tokensを使う
  • そのうちGITHUB_TOKENでクロスリポジトリアクセスする方法はサポートされる予定（参考： https://github.com/github/roadmap/issues/74 ）

Self-hosted runners

• Hardening for self-hosted runners

Auditing

• Auditing GitHub Actions events

攻撃の種類

• Potential impact of a compromised runner
  • Accessing secrets
  • Exfiltrating data from a runner
  • Stealing the job's GITHUB_TOKEN
  • Modifying the contents of a repository

サードパーティツール

• Probot
• OPA/Rego
• Renovate
• Allstar
• Scorecard
• Checkov（GitHub configuration scanning）

プロセス

• GitHub Enterpriseを導入するため偉い人を説得する
• 人力でアカウントを棚卸しをする（SAML？知らない子ですね