What is GitHub Enterprise

We now have our own GitHub (so far without the blackjack and hookers). To evaluate it, it makes sense to create all new projects there. Registration links have been sent to the developers; everyone else can browse freely. The developer accounts have already been created, so you can use password recovery.

For full and easy use you need to:

Add the following lines to C:\Windows\System32\drivers\etc\hosts :

After that you can use GitHub through the web interface at https://pos-github.payonline.ru/

I propose the following workflow:

In addition, we have a build server that reacts to all changes in the GitHub repositories and can build your project every time your local repository is synced to the server. To set this up you need to:

Right now it looks roughly like this.

Because the build server currently runs on my machine, it may be slow; quite a lot of time can pass between a sync and the status update on the repository page. GitHub itself currently runs on a dedicated it-online virtual machine, so it should not be slow.

How do I update my fork?

Before making changes to a project that many people are working on at the same time, you need to update your copy (so that it receives the changes made by others), so that there are no conflicts when you open a Pull Request. In the future this should be available as a single button in GitHub for Windows. For now you have to go to the console (in GitHub for Windows, click the gear in the top right corner and choose Open a Git shell) and run the following commands:

after the pull request has been accepted

git checkout master (switch to the master branch)

git pull upstream master ; git push origin master (pull the changes from the master branch of the root repository into the local repository and push them to your own repository on the server)


SQL injection in GitHub Enterprise

Below is Orange Tsai's account of how he deliberately hunted for a vulnerability in the enterprise edition of GitHub and ended up finding a SQL injection. A translation of another of his articles, "How I hacked Facebook and found someone else's backdoor", was published earlier here on Habr.

Before we begin

GitHub Enterprise is the enterprise version of GitHub.com, intended for deploying the GitHub platform inside a private network for development. At enterprise.github.com you can download a virtual machine (VM) with a free 45-day trial.

After installation we see:

Now I have a complete GitHub ecosystem in my VM. That is so interesting that I wanted to take a closer look at the VM :P.

Environment

Everything starts with a port scan. After running the handy Nmap utility, we can see that 6 ports are open on the VM.

After some analysis of the services, we can say that:

Connecting to the VM over SSH, we looked over the whole system, and the code base appears to live in the /data/ directory.

Let's go to /data/ and try to look at the source. It seems to be encoded 🙁

GitHub uses its own library to obfuscate the source code. If you search Google for "ruby_concealer.so", you will find a kind person who wrote a snippet for deobfuscation.

The snippet simply replaces the rb_f_eval calls in ruby_concealer.so with rb_f_puts, and it works.

But you can't call yourself a hacker without understanding exactly how it works. So let's open IDA Pro!

As you can see, it uses Zlib::Inflate::inflate for decompression and an XOR operation with the following key:

So it is easy to write your own deobfuscator!

Code analysis

After deobfuscation we can finally start reviewing the code.

Most of the code is written in Ruby (Ruby on Rails and Sinatra).

The vulnerability

It took me roughly one week to find this vulnerability. I am not familiar with Ruby, so I learned on the go by trying to write in it 😛

That, roughly speaking, is how my week went.

The root cause of the vulnerability is on line 45 of /data/github/current/app/model/pre_receive_hook_target.rb.

Although Rails has a built-in ORM (called ActiveRecord) that is supposed to protect against SQL injection, naive use of it can still be dangerous.

More examples are on Rails-sqli.org. I think it is useful to know about SQL injection in Rails.

In this case, if we manage to control the argument of the order method, we can inject a malicious SQL query.

OK, now let's trace the calls! sorted_by is called on line 61 of /data/github/current/app/api/org_pre_receive_hooks.rb.

Note that params[:sort] is passed to scope.sorted_by. So the injection can be performed through params[:sort].
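The pattern traced above, a request parameter reaching order(), is shown here as an added example beside an allowlisted form and a small review check. This is not GitHub's code and not code from the original article; the table, column and function names and the sample source are constructed, and only the Ruby standard library is used.

```ruby
# Added example: ORDER BY built from a request parameter, naive vs. allowlisted.
# All table, column and method names here are constructed for illustration.

# Public sort keys mapped to fixed SQL identifiers. Anything else is rejected.
SORT_COLUMNS = {
  "id"         => "hooks.id",
  "name"       => "hooks.name",
  "created_at" => "hooks.created_at"
}.freeze

# Only two literal outputs are possible, so the direction cannot carry SQL.
def normalize_direction(direction)
  direction.to_s.upcase == "DESC" ? "DESC" : "ASC"
end

# Naive: the caller's string becomes part of the SQL text. This is the shape
# of the bug described above, where params[:sort] reaches order().
def order_clause_naive(sort, direction = nil)
  "ORDER BY #{[sort, normalize_direction(direction)].join(' ')}"
end

# Hardened: the parameter only selects an entry from SORT_COLUMNS and never
# appears in the SQL text itself.
def order_clause_safe(sort, direction = nil)
  column = SORT_COLUMNS.fetch(sort.to_s) do
    raise ArgumentError, "unsupported sort key: #{sort.inspect}"
  end
  "ORDER BY #{column} #{normalize_direction(direction)}"
end

# Review aid: an order()/reorder() argument is treated as safe only if it is
# a symbol, a `column: :direction` pair, or a quoted literal without "#{".
SAFE_ORDER_ARG = /\A\s*(?::\w+|\w+:\s*:\w+|'[^']*'|"(?:(?!\#\{)[^"])*")\s*\z/

# Returns the 1-based line numbers of order() calls that need a manual look.
# Heuristic and line-based: calls split across several lines are not seen.
def risky_order_calls(source)
  source.each_line.with_index(1).map do |line, number|
    next unless (m = line.match(/\b(?:re)?order\((.*)\)/))
    number unless m[1].split(",").all? { |arg| arg.match?(SAFE_ORDER_ARG) }
  end.compact
end

# Constructed sample of model and controller code to run the check against.
SAMPLE_SOURCE = <<~'RUBY'
  scope :by_name, -> { order(:name) }
  scope :recent,  -> { order(created_at: :desc) }
  scope :sorted_by, ->(col, dir) { order([col, dir].join(" ")) }
  Hook.order("#{params[:sort]} ASC")
  Hook.order("hooks.name ASC")
RUBY

if __FILE__ == $PROGRAM_NAME
  # A value that is not a column name changes the structure of the clause.
  puts order_clause_naive("name, (SELECT 1)", "desc")
  puts order_clause_safe("name", "desc")
  puts "review lines: #{risky_order_calls(SAMPLE_SOURCE).inspect}"
end
```

The check only narrows down where to look; the fix is the allowlist, because it removes the request value from the SQL text entirely.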

Before using the vulnerability, you need a valid access_token with the admin:pre_receive_hook scope in order to call the API. Fortunately, it can be obtained with the command:

Once you have the token, the vulnerability can be exploited like this:


GitHub’s products


An overview of GitHub’s products and pricing plans.

About GitHub’s products

GitHub offers free and paid products. You can see pricing and a full list of features for each product at https://github.com/pricing. For information on planned features and products, see the GitHub public roadmap.

GitHub Free for user accounts

With GitHub Free for user accounts, you can work with unlimited collaborators on unlimited public repositories with a full feature set, and on unlimited private repositories with a limited feature set.

With GitHub Free, your user account includes:

In addition to the features available with GitHub Free for user accounts, GitHub Pro includes:

GitHub Free for organizations

With GitHub Free for organizations, you can work with unlimited collaborators on unlimited public repositories with a full feature set, or unlimited private repositories with a limited feature set.

In addition to the features available with GitHub Free for user accounts, GitHub Free for organizations includes:

In addition to the features available with GitHub Free for organizations, GitHub Team includes:

GitHub Support via email

3,000 GitHub Actions minutes

2GB GitHub Packages storage

Advanced tools and insights in private repositories:

The option to enable GitHub Codespaces

GitHub Actions usage is free for both public repositories and self-hosted runners. For private repositories, each GitHub account receives a certain amount of free minutes and storage, depending on the product used with the account. Any usage beyond the included amounts is controlled by spending limits.

GitHub Enterprise includes two deployment options: cloud-hosted and self-hosted.

In addition to the features available with GitHub Team, GitHub Enterprise includes:

GitHub Enterprise Cloud also includes:

You can set up a trial to evaluate GitHub Enterprise Cloud. For more information, see «Setting up a trial of GitHub Enterprise Cloud.»

For more information about hosting your own instance of GitHub Enterprise Server, contact GitHub’s Sales team. You can request a trial to evaluate GitHub Enterprise Server. For more information, see «Setting up a trial of GitHub Enterprise Server.»


Getting started with GitHub Enterprise

Here, you’ll find everything you need to know about using GitHub Enterprise—from improving software development practices to ensuring a smooth rollout for everyone in your organization. Let’s get started.

Not already using GitHub Enterprise?

In this guide, you’ll also learn how to:

Pro tips:

Part one: Installing GitHub

Correct installation and setup are the first steps towards making sure your organization can use GitHub effectively. We’ll walk through the installation basics, plus how to verify your account(s), configure your security settings, and get your teams ready to build.

Goals

Setting up GitHub Enterprise

To get started with GitHub Enterprise Server, you’ll need to install your organization’s instance on a virtualization platform of your choice. Using Enterprise Cloud? Log in to your Enterprise Cloud organization on GitHub.com, then jump down to step seven.

Using the Management Console

The Management Console will help you with day-to-day administrative tasks. Use the Management Console to guide you through initial setup, configure settings for your instance, schedule maintenance, and more.

Authenticating users for your GitHub Enterprise instance

Choose your authentication method: Enterprise Server’s built-in authentication or pre-existing LDAP, SAML, or CAS. Not sure which method is right for your team? You’ll be able to switch at any time.

Configuring for high availability

Give yourself maximum potential uptime. Configuring your Enterprise Server instance for high availability makes sure that any hardware failures or major network outages don’t disrupt service.

Designating backups and disaster recovery

As an extra layer of protection, set up GitHub Enterprise Server Backup Utilities. You’ll be able to back up your Enterprise Server instance on a Linux or Unix host system—ideally in a different geographical location.

Using geo-replication

If your organization has offices in multiple locations, geo-replication on GitHub Enterprise Server can help reduce latency between different hosts and locations—getting your teams the data they need, quickly. To use geo-replication, you’ll also need to use geolocation-aware DNS.

Confirming your Git and GitHub accounts

Depending on whether you’re using Enterprise Server or Enterprise Cloud, go ahead and sign in and verify your primary email address, or configure your instance to send email notifications on issue, pull request, and commit comments.

Connecting GitHub with SSH

You can use GitHub without having to supply your username and password each time. Use the SSH protocol to add a new SSH key to your GitHub account and configure an authentication agent.

Part two: Managing your team

Working together helps teams build and ship better software, faster. But successful collaboration relies on a few important factors: communication, contribution, and administration. GitHub Enterprise gives you the tools to manage them all in the way that works best for your organization.

Goals

Organizing people for successful collaboration

Your GitHub hierarchy is made up of individual users, organizations, and teams. Each plays a role in how your developers collaborate and communicate on GitHub.

Start by grouping individual users within your organization into GitHub teams. Not sure where to begin? Create teams that reflect your current organizational structure or working groups. Then decide which GitHub repositories your teams will have access to. Repositories are where your teams will perform code reviews, give feedback on each other’s progress, and discuss ongoing work.

We know that teams change roles and take on new projects all the time. You can create new teams and manage repository permissions whenever you need to.

Gaining team insights

Team insights help you understand what’s happening within your organization and why. On Enterprise Server or Enterprise Cloud, you can see a summary of all repository activity through Pulse using the Insights tab. Pulse shows how often your teams are closing issues, merging pull requests, and completing work—making it easy to identify patterns (or potential problems) in your workflow.

If you’re using Enterprise Server, you can also check out your Activity dashboard to see weekly, monthly, and yearly graphs on the number of new pull requests, merged pull requests, new issues, closed issues, and more.

Getting to know admin tools

Using multiple GitHub products? Oversee all of your GitHub accounts with unified business identity, a feature of GitHub Connect. In a single interface, admins can manage overall billing, licensing, permissions, and enforce business policies—whether your organization deploys on your own server or the cloud.


You’ll find unified business identity under your account’s organization settings. Here, you can also manage user access, authentication, and other organization details.

Finding support and training help

Onboarding a new software platform is exciting—and we want you to be able to start building together from day one. Have a question that isn’t answered here? Get in touch with the GitHub Support Team. Depending on your GitHub plan, you can also contact Premium Support for on-demand help outside of typical business hours.

Looking for additional training? The GitHub Professional Services Team can connect you with the skills your organization needs to work smarter. And if you’re looking for employee education at scale, our friendly GitHub Learning Lab bot helps developers learn and apply new skills through short, hands-on projects.

Part three: Building securely

Security is a team effort, from the first line of code to shipping a new application. You can easily customize your GitHub Enterprise instance to fit your organization’s compliance standards—without compromising innovation. Set your team up to build security-first with unique permission levels, audit logs, built-in features, and more.

Goals

Setting up secure workflows

After you invite your team to collaborate as an organization, it’s time to decide who will own and help manage your organization’s account. Set permission levels for your organization based on administrative access, billing needs, and the different GitHub Apps you plan to use. You can also add temporary employees as outside collaborators.

Read more about permission levels for your organization and repositories owned by user accounts.

Next, protect your work. Use protected branches to ensure that no one can make irrevocable changes to a repository—meaning they won’t be able to merge branches or pull requests without passing certain security checks. These checks include required status checks, which all code must pass before it can be merged into a protected branch. You can set up branch protections, required status checks, and branch restrictions in your organization’s settings.

Staying in compliance

Required status checks can also help your team stick to and enforce your organization’s compliance standards. Use these checks and others to automate your compliance workflows, verify commits before they’re accepted, and make sure your team builds using repeatable, trackable processes. Your organization’s audit log makes it easy to review your team’s work, too. Find out who performed an action, what the action was, and when it was performed.

Using Enterprise Cloud? GitHub has SOC for Service Organizations reports, and Enterprise Cloud is compliant with AICPA Service Organization Controls (SOC) 2 Type 1 and SOC 1 Type 1. Enterprise Cloud is also authorized via the FedRAMP Tailored baseline of security controls.

Using secure development features

Build securely with GitHub’s built-in secure development features, like security alerts for vulnerabilities, token scanning, and the GitHub Security Advisory API. Get notified if any of your projects have a dependency with a known vulnerability, including suggested fixes from the GitHub community. Token scanning also ensures that your tokens and keys are never accidentally committed and exposed in a public repository, while the GitHub Security Advisory API integrates the latest GitHub security updates into your own projects.

Part four: Working together

With GitHub Enterprise, your team can work together on projects from anywhere. Features like issues, branches, commits, and pull requests make it possible to discuss and review code—no matter where you are. Plus, you can manage projects and releases right inside GitHub, without using outside project management tools.

Goals

Understanding the GitHub Flow

The GitHub Flow is a lightweight, branch-based workflow that helps you make changes and deploy code quickly. Using branches, commits, and pull requests, you can suggest changes to your code, ask for feedback, leave comments, and review changes before they’re accepted. Think something needs a second look? Tag your team account or individual users anytime, and they’ll get an instant notification.

Reviewing and discussing work

Along with branches, commits, and pull requests, issues also help you track and manage work on GitHub. Create a new issue, pin important issues to the top of your projects, or collaborate using issues that have already been opened by your team. Issues (and pull requests) add up fast, so be sure to use unique labels to categorize and prioritize your work.

Planning and tracking work

Project managers and developers can coordinate, track, and update their work—all in the same place. Create project boards on GitHub with associated issues, pull requests, and notes, then use milestones to track your progress toward team goals. Once your project is ready for the world to see, package up your software, release notes, and links to binary files in a single release.

Part five: Integrating with GitHub

Chances are, your team already knows and loves GitHub, but there are other tools we know you rely on to build every day too. Whether you’re integrating legacy solutions or discovering new applications in GitHub Marketplace, it’s easy to find and connect with the tools your teams need to build at their best.

Goals

Automating with GitHub Actions

Can’t find the tool your team needs for a certain task? You don’t have to build your own app. Instead, use GitHub Actions: automated workflows that run on the GitHub platform. Actions are triggered by specific events, like a push, issue, or release. Once you’ve created an action, you can even make it available in GitHub Marketplace for others to use.

Integrating apps with GitHub

GitHub integrates with over 1,000 third-party applications, including top industry tools like CircleCI, Jenkins, Jira, and ZenHub. Build with the tools your team already relies on, or discover something new without setting up multiple accounts or payment methods. Install apps in seconds on an organization or user account, then give them access to the repositories of your choice.

Using the GitHub API

Create your own tools using the same API that we use to build GitHub. Set up your individual GitHub App with built-in webhooks, run checks against code changes, and develop all kinds of integrations using the full suite of GitHub APIs.

Part six: Contributing to open source

Open source software is everywhere. It powers more than 50 percent of all software today, including the applications and languages your teams already use. And getting involved in open source is easier than ever: your GitHub Enterprise instance automatically connects your team with innovative open source projects and top talent on GitHub.com. Learn how to find and use open source code, share projects with the world, and get the most that the GitHub open source community has to offer—all behind the safety of your firewall.

Goals

Contributing to open source

Organizations of all sizes are contributing to open source. Whether you’re using Enterprise Server or Enterprise Cloud, you can search for code, issues, and more from millions of open source projects alongside your private projects using GitHub Connect and unified search.

Connecting with the GitHub community

Over 30 million developers use GitHub—but it’s easy to find your place and stay connected. Use GitHub Explore as your guide to finding your next project, catching up with what’s trending, and checking out what’s new in the GitHub community.

Managing users

Your GitHub experience is just that: yours. Add an avatar and share your personal interests on your user profile to connect with other like-minded people on GitHub. Your teams at work can share their projects with the rest of the GitHub community too. Unified contributions, another GitHub Connect feature, allows developers to connect their open source and Enterprise profiles. With unified contributions, your team can share public and private projects they’ve worked on and get the recognition they deserve.

Part seven: Getting support

Congrats, you’re officially ready to start building on GitHub! 🎉 Before you kick off your first project, check out our top tools and resources for updates, support, and some extra inspiration. Have questions or need help? Here are all the places you can find us.

Goals

Staying connected with GitHub

Looking for the latest GitHub releases or want to know what’s happening in the GitHub universe? Find out what’s new on the general GitHub Blog or GitHub Engineering Blog, as well as our social media channels. For helpful tools and tricks on using GitHub at work, we’ve put together free ebooks, webinars, checklists, and more on the GitHub Resources hub.

Educating your team with GitHub Learning Lab

Teach your team how to use GitHub—without leaving the platform. GitHub Learning Lab helps your developers level up their skills with the help of our friendly Learning Lab bot. Build customized, private courses, improve productivity, and give everyone on your team the tools they need to build better software.

Getting help and technical training from GitHub experts

Need more hands-on training? Our Professional Services Team offers both engineering consultations and in-person classes taught by GitHub experts. We’ll guide you through every stage of your organization’s GitHub journey, from initial setup to using the GitHub API.

Using the GitHub Enterprise Support portal

Search for documentation or open a support ticket with our technical engineers anytime. Depending on whether you use Enterprise Server or Enterprise Cloud, you can open a support ticket through either the GitHub Enterprise Server Management Console or the Enterprise Support portal.


Getting started with GitHub Enterprise Cloud


Get started with setting up and managing your GitHub Enterprise Cloud organization or enterprise account.

This guide will walk you through setting up, configuring and managing your GitHub Enterprise Cloud account as an organization or enterprise owner.

Part 1: Choosing your account type

GitHub provides two types of Enterprise products:

The main difference between the products is that GitHub Enterprise Cloud is hosted by GitHub, while GitHub Enterprise Server is self-hosted.

With GitHub Enterprise Cloud, you have the option of using Enterprise Managed Users. Enterprise Managed Users is a feature of GitHub Enterprise Cloud that provides even greater control over enterprise members and resources. With Enterprise Managed Users, all members are provisioned and managed through your identity provider (IdP) instead of users creating their own accounts on GitHub. Team membership can be managed using groups on your IdP. Managed users are restricted to their enterprise and are unable to push code, collaborate, or interact with users, repositories, and organizations outside of their enterprise. For more information, see «About Enterprise Managed Users» in the GitHub Enterprise Cloud documentation.


If you choose to let your members create and manage their own user accounts instead, there are two types of accounts you can use with GitHub Enterprise Cloud:

1. Understanding the differences between an organization account and enterprise account

Both organization and enterprise accounts are available with GitHub Enterprise Cloud. An organization is a shared account where groups of people can collaborate across many projects at once, and owners and administrators can manage access to data and projects. An enterprise account enables collaboration between multiple organizations, and allows owners to centrally manage policy, billing and security for these organizations. For more information on the differences, see «Organizations and enterprise accounts.»

If you choose an enterprise account, keep in mind that some policies can be set only at an organization level, while others can be enforced for all organizations in an enterprise.

Once you choose the account type you would like, you can proceed to setting up your account. In each of the sections in this guide, proceed to either the single organization or enterprise account section based on your account type.

Part 2: Setting up your account

To get started with GitHub Enterprise Cloud, you will want to create your organization or enterprise account and set up and view billing settings, subscriptions and usage.

Setting up a single organization account with GitHub Enterprise Cloud

1. About organizations

Organizations are shared accounts where groups of people can collaborate across many projects at once. With GitHub Enterprise Cloud, owners and administrators can manage their organization with sophisticated user authentication and management, as well as escalated support and security options. For more information, see «About organizations.»

2. Creating or upgrading an organization account

To use an organization account with GitHub Enterprise Cloud, you will first need to create an organization. When prompted to choose a plan, select «Enterprise». For more information, see «Creating a new organization from scratch.»

Alternatively, if you have an existing organization account that you would like to upgrade, follow the steps in «Upgrading your GitHub subscription.»

3. Setting up and managing billing

When you choose to use an organization account with GitHub Enterprise Cloud, you’ll first have access to a 14-day trial. If you don’t purchase GitHub Enterprise or GitHub Team before your trial ends, your organization will be downgraded to GitHub Free and lose access to any advanced tooling and features that are only included with paid products. For more information, see «Finishing your trial.»

Your organization’s billing settings page allows you to manage settings like your payment method and billing cycle, view information about your subscription, and upgrade your storage and GitHub Actions minutes. For more information on managing your billing settings, see «Managing your GitHub billing settings.»

Only organization members with the owner or billing manager role can access or change billing settings for your organization. A billing manager is a user who manages the billing settings for your organization and does not use a paid license in your organization’s subscription. For more information on adding a billing manager to your organization, see «Adding a billing manager to your organization.»

Setting up an enterprise account with GitHub Enterprise Cloud

To get an enterprise account created for you, contact GitHub’s Sales team.

1. About enterprise accounts

An enterprise account allows you to centrally manage policy and settings for multiple GitHub organizations, including member access, billing and usage and security. For more information, see «About enterprise accounts.»

2. Adding organizations to your enterprise account

You can create new organizations to manage within your enterprise account. For more information, see «Adding organizations to your enterprise.»

Contact your GitHub sales account representative if you want to transfer an existing organization to your enterprise account.

3. Viewing the subscription and usage for your enterprise account

You can view your current subscription, license usage, invoices, payment history, and other billing information for your enterprise account at any time. Both enterprise owners and billing managers can access and manage billing settings for enterprise accounts. For more information, see «Viewing the subscription and usage for your enterprise account.»

Part 3: Managing your organization or enterprise members and teams with GitHub Enterprise Cloud

Managing members and teams in your organization

You can set permissions and member roles, create and manage teams, and give people access to repositories in your organization.

1. Managing members of your organization

You can invite anyone to be a member of your organization, as long as they have a personal account on GitHub. You can also remove members and reinstate former members. For more information, see «Managing membership in your organization.»

2. Organization permissions and roles

Each person in your organization has a role that defines their level of access to the organization. The member role is the default, and you can assign owner and billing manager roles as well as «team maintainer» permissions. For more information, see «Roles in an organization.»

3. About and creating teams

Teams are groups of organization members that you can create to reflect your company or group’s structure with cascading access permissions and mentions. Organization members can send notifications to a team or request reviews, and teams can be visible or secret. For more information, see «About teams.»

You can create independent teams or have multiple levels of nested teams to reflect your group or company’s hierarchy. For more information, see «Creating a team.»

4. Managing team settings

You can designate a «team maintainer» to manage team settings and discussions, among other privileges. For more information, see «Assigning the team maintainer role to a team member.»

You can manage code review assignments for your team, change team visibility, manage scheduled reminders for your team, and more in your team’s settings. For more information, see «Organizing members into teams.»

5. Giving people and teams access to repositories, project boards and apps

You can give organization members, teams, and outside collaborators different levels of access to repositories owned by your organization with repository roles. For more information, see «Repository roles for an organization.»

You can also customize access to your organization’s project boards and allow individual organization members to manage your organization’s GitHub Apps. For more information, see «Managing access to your organization’s project boards» and «Managing access to your organization’s apps.»

Managing members of an enterprise account

Managing members of an enterprise is separate from managing members or teams in an organization. It is important to note that enterprise owners or administrators cannot access organization-level settings or manage members for organizations in their enterprise unless they are made an organization owner. For more information, see the above section, «Managing members and teams in your organization.»

If your enterprise uses Enterprise Managed Users, your members are fully managed through your identity provider. Adding members, making changes to their membership, and assigning roles is all managed using your IdP. For more information, see «About Enterprise Managed Users.»

If your enterprise does not use Enterprise Managed Users, follow the steps below.

1. Assigning roles in an enterprise

By default, everyone in an enterprise is a member of the enterprise. There are also administrative roles, including enterprise owner and billing manager, that have different levels of access to enterprise settings and data. For more information, see «Roles in an enterprise.»

2. Inviting people to manage your enterprise

You can invite people to manage your enterprise as enterprise owners or billing managers, as well as remove those who no longer need access. For more information, see «Inviting people to manage your enterprise.»

You can also grant enterprise members the ability to manage support tickets in the support portal. For more information, see «Managing support entitlements for your enterprise.»

3. Viewing people in your enterprise

To audit access to enterprise-owned resources or user license usage, you can view every enterprise administrator, enterprise member, and outside collaborator in your enterprise. You can see the organizations that a member belongs to and the specific repositories that an outside collaborator has access to. For more information, see «Viewing people in your enterprise.»

Part 4: Managing security with GitHub Enterprise Cloud

Managing security for a single organization

You can help keep your organization secure by requiring two-factor authentication, configuring security features, reviewing your organization’s audit log and integrations, and enabling SAML single sign-on and team synchronization.

1. Requiring two-factor authentication

You can view whether your organization members have two-factor authentication enabled and choose to require two-factor authentication in your organization. For more information, see «Requiring two-factor authentication in your organization.»

2. Configuring security features for your organization

To keep your organization secure, you can use a variety of GitHub security features, including security policies, dependency graphs, secret scanning and Dependabot security and version updates. For more information, see «Securing your organization» and «Managing security and analysis settings for your organization.»

3. Reviewing your organization’s audit log and integrations

The audit log for your organization allows you, as an organization owner, to review the actions performed by members of the organization within the current month and previous six months. For more information, see «Reviewing the audit log for your organization.»

You can also review and configure the permission levels for your organization’s installed integrations. For more information, see «Reviewing your organization’s installed integrations.»

4. Enabling and enforcing SAML single sign-on for your organization

If you manage your applications and the identities of your organization members with an identity provider (IdP), you can configure SAML single sign-on (SSO) to control and secure access to organization resources like repositories, issues and pull requests. When members of your organization access organization resources that use SAML SSO, GitHub will redirect them to your IdP to authenticate. For more information, see «About identity and access management with SAML single sign-on.»

Organization owners can choose to disable, enable but not enforce, or enable and enforce SAML SSO. For more information, see «Enabling and testing SAML single sign-on for your organization» and «Enforcing SAML single sign-on for your organization.»

5. Managing team synchronization for your organization

Organization owners can enable team synchronization between your identity provider (IdP) and GitHub to allow organization owners and team maintainers to connect teams in your organization with IdP groups. For more information, see «Managing team synchronization for your organization.»

Managing security for an enterprise with managed users

With Enterprise Managed Users, access and identity are managed centrally through your identity provider. Two-factor authentication and other login requirements should be enabled and enforced on your IdP.

1. Enabling SAML single sign-on and provisioning in your enterprise with managed users

In an enterprise with managed users, all members are provisioned and managed by your identity provider. You must enable SAML SSO and SCIM provisioning before you can start using your enterprise. For more information on configuring SAML SSO and provisioning for an enterprise with managed users, see «Configuring SAML single sign-on for Enterprise Managed Users.»

2. Managing teams in your enterprise with managed users with your identity provider

You can connect teams in your organizations to security groups in your identity provider, managing membership of your teams and access to repositories through your IdP. For more information, see «Managing team memberships with identity provider groups.»

3. Managing allowed IP addresses for organizations in your enterprise with managed users

You can configure an allow list for specific IP addresses to restrict access to assets owned by organizations in your enterprise with managed users. For more information, see «Enforcing policies for security settings in your enterprise.»

4. Enforcing policies for Advanced Security features in your enterprise with managed users

If you have a GitHub Advanced Security license for your enterprise account, you can enforce policies to manage GitHub Advanced Security features for organizations owned by an enterprise account. For more information, see «Enforcing policies for Advanced Security in your enterprise account.»

Managing security for an enterprise account without managed users

To manage security for your enterprise, you can require two-factor authentication, manage allowed IP addresses, enable SAML single sign-on and team synchronization at an enterprise level, and sign up for and enforce GitHub Advanced Security features.

1. Requiring two-factor authentication and managing allowed IP addresses for organizations in your enterprise account

Enterprise owners can require that organization members, billing managers, and outside collaborators in all organizations owned by an enterprise account use two-factor authentication to secure their personal accounts. Before doing so, we recommend notifying all who have access to organizations in your enterprise. You can also configure an allow list for specific IP addresses to restrict access to assets owned by organizations in your enterprise account.

For more information on enforcing two-factor authentication and allowed IP address lists, see «Enforcing policies for security settings in your enterprise.»

2. Enabling and enforcing SAML single sign-on for organizations in your enterprise account

You can centrally manage access to your enterprise’s resources, organization membership and team membership using your IdP and SAML single sign-on (SSO). Enterprise owners can enable SAML SSO across all organizations owned by an enterprise account. For more information, see «About identity and access management for your enterprise.»

3. Managing team synchronization

You can enable and manage team synchronization between an identity provider (IdP) and GitHub to allow organizations owned by your enterprise account to manage team membership with IdP groups. For more information, see «Managing team synchronization for organizations in your enterprise account.»

4. Enforcing policies for Advanced Security features in your enterprise account

If you have a GitHub Advanced Security license for your enterprise account, you can enforce policies to manage GitHub Advanced Security features for organizations owned by an enterprise account. For more information, see «Enforcing policies for Advanced Security in your enterprise account.»

Part 5: Managing organization and enterprise level policies and settings

Managing settings for a single organization

To manage and moderate your organization, you can set organization policies, manage permissions for repository changes, and use organization-level community health files.

1. Managing organization policies

You can manage permissions and policies for a number of different actions and features in your organization.

For example, to protect your organization’s data and number of paid licenses, you can choose to allow only organization owners to invite outside collaborators to organization repositories. You can also choose to allow or prevent the forking of private repositories owned by your organization. For more information, see «Setting permissions for adding outside collaborators» and «Managing the forking policy for your organization.»

For the full list of settings you can configure for your organization, see «Managing organization settings.»

2. Managing repository changes

You can configure permissions for creating, transferring and deleting repositories in your organization, including which types of repositories members can create. For more information, see «Restricting repository creation in your organization» and «Setting permissions for deleting or transferring repositories.»

You can also restrict or grant the ability to change repository visibility. For more information, see «Restricting repository visibility changes in your organization.»

3. Using organization-level community health files and moderation tools

You can create default community health files, such as a CONTRIBUTING.md file, a CODE_OF_CONDUCT.md file, or even issue and pull request templates, for your organization. These default files will be used for any repository owned by your organization that does not contain its own file of that type. For more information, see «Creating a default community health file.»

GitHub offers multiple tools for moderating and managing your community. For more information, see «Tools for moderating your community.»

Managing settings for an enterprise account

To manage and moderate your enterprise, you can set policies for organizations within the enterprise, view audit logs, configure webhooks, and restrict email notifications.

1. Managing policies for organizations in your enterprise account

You can choose to enforce a number of policies for all organizations owned by your enterprise, or choose to allow these policies to be set in each organization. Types of policies you can enforce include repository management, project board, and team policies. For more information, see «Setting policies for your enterprise.»

2. Viewing audit logs, configuring webhooks, and restricting email notifications for your enterprise

You can view actions from all of the organizations owned by your enterprise account in the enterprise audit log. You can also configure webhooks to receive events from organizations owned by your enterprise account. For more information, see «Viewing the audit logs for organizations in your enterprise» and «Managing global webhooks.»
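A triage pass over an exported audit log, covering both the organization audit log review in Part 4 and the enterprise audit log described above. This is an added example, not code from GitHub's documentation; the sample events are constructed, and the action names and the `@timestamp`, `actor`, `org` and `visibility` fields are assumptions to check against the audit log reference for your plan.

```python
import json
from datetime import datetime, timezone

# Actions that weaken a control from Part 4. Names and fields are assumptions
# of this example; verify them against the audit log reference for your plan.
WEAKENING = {
    "org.disable_two_factor_requirement": "2FA requirement removed",
    "org.disable_saml": "SAML SSO disabled",
    "ip_allow_list.disable": "IP allow list disabled",
}

def classify(event):
    """Return a reason string if the event weakens a control, else None."""
    action = event.get("action", "")
    if action in WEAKENING:
        return WEAKENING[action]
    # A visibility change only matters here when the repository becomes public.
    if action == "repo.access" and event.get("visibility") == "public":
        return "repository made public"
    return None

def triage(lines):
    """Parse JSON-lines audit events; return (sorted findings, skipped count)."""
    findings, skipped = [], 0
    for line in lines:
        if not line.strip():
            continue
        try:
            event = json.loads(line)
            ts = datetime.fromtimestamp(event["@timestamp"] / 1000, tz=timezone.utc)
        except (ValueError, KeyError, TypeError):
            skipped += 1  # count unparseable records instead of hiding them
            continue
        reason = classify(event)
        if reason:
            findings.append((ts.isoformat(), event.get("actor", "?"),
                             event.get("org", "?"), reason))
    return sorted(findings), skipped

# Constructed sample export (not real data), one JSON object per line.
SAMPLE = """
{"@timestamp": 1700000300000, "action": "repo.access", "actor": "alice", "org": "example-org", "visibility": "public"}
{"@timestamp": 1700000000000, "action": "org.disable_two_factor_requirement", "actor": "bob", "org": "example-org"}
{"@timestamp": 1700000100000, "action": "org.add_member", "actor": "bob", "org": "example-org"}
not-json
""".splitlines()

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The skipped count is returned alongside the findings so that a truncated or corrupted export is visible to the reviewer rather than silently producing a clean result.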

You can also restrict email notifications for your enterprise account so that enterprise members can only use an email address in a verified or approved domain to receive notifications. For more information, see «Restricting email notifications for your enterprise.»

Part 6: Customizing and automating your organization or enterprise’s work on GitHub

Members of your organization or enterprise can use tools from the GitHub Marketplace, the GitHub API, and existing GitHub features to customize and automate your work.

1. Using GitHub Marketplace

GitHub Marketplace contains integrations that add functionality and improve your workflow. You can discover, browse, and install free and paid tools, including GitHub Apps, OAuth Apps, and GitHub Actions, in GitHub Marketplace. For more information, see «About GitHub Marketplace.»

2. Using the GitHub API

There are two versions of the GitHub API: the REST API and the GraphQL API. You can use the GitHub APIs to automate common tasks, back up your data, or create integrations that extend GitHub. For more information, see «About GitHub’s APIs.»

3. Building GitHub Actions

With GitHub Actions, you can automate and customize your development workflow on GitHub. You can create your own actions, and use and customize actions shared by the GitHub community. For more information, see «Learn GitHub Actions.»

4. Publishing and managing GitHub Packages

GitHub Packages is a software package hosting service that allows you to host your software packages privately or publicly and use packages as dependencies in your projects. For more information, see «Introduction to GitHub Packages.»

5. Using GitHub Pages

GitHub Pages is a static site hosting service that takes HTML, CSS, and JavaScript files straight from a repository and publishes a website. You can manage the publication of GitHub Pages sites at the organization level. For more information, see «Managing the publication of GitHub Pages sites for your organization» and «About GitHub Pages.»

Part 7: Participating in GitHub’s community

Members of your organization or enterprise can use GitHub’s learning and support resources to get the help they need. You can also support the open source community.

1. Learning with GitHub Learning Lab

Members of your organization or enterprise can learn new skills by completing fun, realistic projects in your very own GitHub repository with GitHub Learning Lab. Each course is a hands-on lesson created by the GitHub community and taught by the friendly Learning Lab bot.

2. Supporting the open source community

GitHub Sponsors allows you to make a monthly recurring payment to a developer or organization who designs, creates, or maintains open source projects you depend on. For more information, see «About GitHub Sponsors.»

3. Contacting GitHub Support

GitHub Support can help you troubleshoot issues you run into while using GitHub. For more information, see «About GitHub Support.»

GitHub Enterprise Cloud allows you to submit priority support requests with a target eight-hour response time. For more information, see «GitHub Enterprise Cloud support.»
