
GitHub Configuration Guide


Authored by:

Auditware

This checklist is adapted from Auditware's W3OSC standards.

Individual Account Settings

  • Account Settings:
    • Public profile > Contributions & activity > Make profile private and hide activity > On
    • Password and authentication > Two-factor authentication > Enable and configure any method other than SMS/Text message
    • Sessions > Review and revoke any unrecognized or unnecessary sessions
    • SSH and GPG keys > Review and remove any unnecessary keys
    • Organizations > Review and leave any unnecessary organizations
    • Code security > User > Push protection for yourself > Enabled
    • Applications > Review and remove any unnecessary applications
    • Developer settings >
      • GitHub Apps > Review and remove any unnecessary apps
      • OAuth Apps > Review and remove any unnecessary apps
      • Personal access tokens > Review and remove any unnecessary tokens

Related: For organization-level GitHub security, see the Organization GitHub Guide. For repository hardening guidance, see DevSecOps - Repository Hardening.