GitHub hosts your source code, your CI/CD pipelines, your infrastructure-as-code, and increasingly your secrets — accidentally committed tokens, leaked API keys, environment files pushed by mistake. Yet most enterprise security programmes treat GitHub as an afterthought: cloud providers get dedicated CSPM tooling, while GitHub gets a monthly manual review that nobody actually does.
The result is predictable. Supply chain attacks exploiting weak GitHub configurations have become one of the dominant breach vectors of the last three years. The SolarWinds, Codecov, and 3CX incidents all had GitHub misconfigurations as contributing factors. And unlike cloud infrastructure, where misconfigurations tend to be isolated, a single misconfigured GitHub repository can compromise your entire software supply chain.
CloudVista adds GitHub as a first-class cloud provider — connecting via a Personal Access Token and running 13 automated security checks across every repository in your organisation, surfacing findings in the same interface as your OCI, AWS, Azure, and VMware security posture.
Why GitHub Is a Cloud Security Problem
GitHub repositories are infrastructure. They contain:
- Secrets and credentials — API keys, database connection strings, cloud provider credentials accidentally committed to history
- Infrastructure-as-code — Terraform, Ansible, Kubernetes manifests that define your production environment
- CI/CD pipeline definitions — GitHub Actions workflows that have elevated permissions to deploy to production, rotate credentials, and push to container registries
- Third-party code — dependencies with known CVEs that Dependabot can detect but nobody is reviewing
A misconfigured GitHub repository isn't just a code risk — it's a pathway to your cloud infrastructure. This is why frameworks like CIS, NIST SP 800-53, and SOC 2 now explicitly include source code management controls.
The 13 GitHub Security Checks
CloudVista's GitHub integration runs the following checks against every repository it discovers, using a single GraphQL query per page of 100 repositories (plus one REST call per repo for secret scanning) — so even organisations with thousands of repos sync efficiently.
| Check | Severity | What It Detects |
|---|---|---|
| Branch protection missing | High | Default branch has no protection rules — force pushes, direct commits, and history rewrites are possible |
| Force push allowed on protected branch | High | Branch protection exists but allows force pushes — history can still be rewritten, removing audit trail |
| No required code review | Medium | Protected branch does not require at least one approving review before merge |
| Open secret scanning alerts | Critical | GitHub has detected and confirmed a leaked secret (API key, token, credential) in this repository |
| Open Dependabot alerts | High | One or more dependencies have known CVEs; escalates to critical if >5 open alerts |
| Vulnerability alerts disabled | Medium | Dependency vulnerability scanning (Dependabot) is not enabled for this repository |
| No security policy | Low | Repository has no SECURITY.md — no documented responsible disclosure process |
| No CODEOWNERS | Low | No CODEOWNERS file — changes to sensitive paths have no automatic required reviewer |
| Stale repository | Low | No commits in 12+ months — likely abandoned, but still accessible and potentially misconfigured |
| Archived repository with alerts | Medium | Repository is archived but still has open secret scanning or Dependabot alerts |
| Public repository with secrets | Critical | Repository is public and has open secret scanning alerts — secrets are internet-exposed |
| No commit since 30 days on active repo | Low | Active repository with no recent activity — may indicate abandoned fork or unmaintained project |
| Fork with unchecked open alerts | Medium | Forked repository has Dependabot alerts that were not inherited from upstream review |
Branch Protection: The Foundation of Repository Security
Branch protection rules are the single most impactful control you can apply to a GitHub repository. Without them, any developer with write access can push directly to your main branch — overwriting history, removing audit records, and bypassing your entire CI/CD quality gate.
The three checks CloudVista runs against branch protection are layered by severity:
1. Branch Protection Missing (High)
The most common finding in enterprise GitHub audits. A repository with no branch protection on its default branch has no guardrails: direct commits, force pushes, and deletion of the branch are all possible. For production codebases, infrastructure-as-code, or repositories containing CI/CD pipeline definitions, this is an unacceptable exposure.
Impact: A disgruntled or compromised developer account can rewrite commit history, remove security controls from CI/CD pipeline definitions, or insert malicious code — and the change may not be noticed until after deployment.
2. Force Push Allowed (High)
Branch protection exists but the "Allow force pushes" option is enabled. This means the branch is protected from casual direct commits, but history can still be rewritten. From an audit and compliance perspective, this is almost as risky as no protection at all — git history is the audit trail, and if it can be rewritten, your audit trail is unreliable.
3. No Required Review (Medium)
The branch requires no approving reviews before a pull request can be merged. In a team environment this means a single developer can approve their own changes, bypassing the four-eyes principle required by SOC 2 CC8.1, PCI-DSS 6.3.2, and ISO 27001 A.8.4.
Secret Scanning: The Critical Priority
GitHub's secret scanning feature automatically detects over 200 credential patterns across all commits (including historical ones) and immediately alerts you when a secret is pushed. CloudVista surfaces the count of open secret scanning alerts as a critical finding because a confirmed leaked secret is not a potential risk — it is an active, exploitable credential exposure.
The 6-minute window: Research by GitGuardian found that the median time between a secret being pushed to a public GitHub repository and the first automated exploitation is just 6 minutes. For private repositories that later become public, or where the repository was briefly public before being set to private, exposure windows can be months or years.
The remediation for an open secret scanning alert is always the same regardless of whether the secret is still valid:
- Rotate the credential immediately — assume it has been used
- Audit access logs for the service the credential grants access to
- Remove the secret from git history using
git filter-repoor BFG Repo Cleaner - Add the secret pattern to your organisation's secret scanning push protection list
Dependabot: Vulnerability Management at Scale
Dependabot alerts notify you when a dependency in your repository has a known CVE. For organisations with hundreds of repositories, manually reviewing Dependabot alerts across all repos is not operationally feasible — they become background noise and get ignored.
CloudVista's approach is different: it surfaces the count of open Dependabot alerts per repository in the inventory view and creates findings that appear alongside your cloud security findings. This means Dependabot debt appears in the same prioritised list as your misconfigured S3 buckets and unpatched ESXi hosts — not buried in a GitHub tab that nobody checks.
Severity escalation: CloudVista escalates Dependabot findings to Critical when a repository has more than 5 open alerts. This threshold signals a repository where vulnerability management has been systematically neglected — a different risk profile to a single advisory being triaged.
Compliance Mapping
GitHub security controls map directly to the frameworks your compliance team cares about:
| Framework | Control | GitHub Checks That Evidence It |
|---|---|---|
| SOC 2 CC8.1 | Change management controls | Branch protection, required reviews, force push prevention |
| NIST SP 800-53 SA-11 | Developer security testing | Dependabot enabled, secret scanning, code scanning |
| PCI-DSS 6.3.2 | Software components inventory | Dependabot alerts open (evidence of known components) |
| ISO 27001 A.8.4 | Access to source code | Branch protection, required reviews |
| ISO 27001 A.8.8 | Management of technical vulnerabilities | Dependabot alerts, vulnerability alerts disabled |
| CIS GitHub Benchmark | Repository configuration hardening | All 13 checks map to CIS GitHub controls |
Connecting GitHub to CloudVista
GitHub connects to CloudVista via a Personal Access Token — either a classic PAT or a fine-grained token. No OAuth app installation or GitHub App configuration is required.
Required scopes for a classic PAT:
repo— read repository metadata and branch protection rulesread:org— list repositories in your organisationsecurity_events— read Dependabot and secret scanning alert counts
For fine-grained tokens, the equivalent permissions are: Repository metadata (Read), Dependabot alerts (Read), Secret scanning alerts (Read), and Administration (Read, for branch protection rules).
Once connected, CloudVista syncs all repositories using GitHub's GraphQL API — fetching 100 repositories per query with all metadata included, so even organisations with thousands of repos complete their initial sync in under a minute. Repositories appear in the inventory view alongside your cloud resources, and findings run automatically after each sync.
Note: CloudVista never stores or returns the GitHub token in API responses. Credentials are encrypted at rest using Fernet symmetric encryption and zeroed from memory at the end of each sync. The token is only decrypted for the duration of a sync operation and immediately discarded.
What Good GitHub Security Looks Like
A well-configured GitHub organisation for enterprise use has these properties:
- Every production repository has branch protection on its default branch, requiring at least one approving review and blocking force pushes
- Secret scanning push protection is enabled at the organisation level — preventing secrets from being committed in the first place, not just alerting after the fact
- Dependabot is enabled on all repositories with a patch SLA (e.g. critical CVEs remediated within 7 days)
- CODEOWNERS files define required reviewers for sensitive paths (infrastructure code, CI/CD definitions, authentication logic)
- SECURITY.md is present in all public-facing repositories with a clear responsible disclosure process
- Organisation-level 2FA is enforced — no member accounts without MFA
Running CloudVista's GitHub checks gives you a continuous, automated measure of how close your organisation is to this baseline — and surfaces the specific repositories and misconfigurations that need attention.
Audit Your GitHub Security Posture Automatically
Connect CloudVista to your GitHub organisation in under 2 minutes. Get 13 automated security checks across every repository — alongside your cloud security findings.
Start Free Trial View Pricing