Is GitHub a secure place for my repositories?

Is my code secure at GitHub?

Once you start your adventure with services like GitHub, you might wonder whether GitHub is a safe place to upload code. For some businesses, especially those for which code, as intellectual property, is the most valuable asset, the security of the code hosting platform can be a decisive factor. No service provider can give a 100% guarantee, but GitHub is generally considered a reliable and proven development platform, with a number of features that allow you to minimize the risk. Note, however, that the configuration is on your side.

How can I protect my repository with GitHub?

Let’s start with authentication. GitHub recommends using a password manager to create strong, secure and unique passwords. It also recommends enabling 2FA (two-factor authentication). As the second factor we can use a mobile application or an SMS code, so if someone learns or guesses our password, they still won’t be able to log into our account without the code or the device.

GitHub also lets you generate a Personal Access Token, which is used for repository integrations instead of the password. Let’s check what the difference is. A token can be set to be valid for a specific period of time, for instance three hours, a week, or as long as we want. We can even set which operations can be performed after authorizing with this token. In such a situation we don’t have to remember to revoke the permissions after finishing the job: the token expires by itself, so further access is impossible. Useful, isn’t it?

There is also the risk of the communication being eavesdropped on and intercepted by crooks. It is therefore important to opt out of HTTPS communication and instead use an SSH connection, which is considered more secure. The connection is then encrypted, and the protocol is based on a public and private key pair: only if they match can the connection be established. Pro tip: these keys can be generated independently for each device. Even if someone learns or guesses our password and takes control of the mobile device used for 2FA, their computer will not have the private key, so accessing the repository will be impossible.
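One practical way to act on this advice is to audit which of a repository’s remotes still push over HTTPS and to switch them to the SSH form. The script below is an added example, not code from the original article or from GitHub; the organization and repository names in the sample `git remote -v` output are constructed, and the per-device key name is an assumed placeholder.

```shell
#!/bin/sh
# Added example: find Git remotes that push to GitHub over HTTPS and show
# the SSH URL to switch to. Assumes the standard GitHub URL shapes only.

# Convert an HTTPS GitHub remote URL to its SSH equivalent, e.g.
#   https://github.com/org/repo.git  ->  git@github.com:org/repo.git
# Anything that is not an HTTPS GitHub URL is printed back unchanged.
to_ssh_url() {
  path=${1#https://github.com/}          # strip scheme and host
  if [ "$path" = "$1" ]; then             # nothing stripped: not HTTPS GitHub
    printf '%s\n' "$1"
    return 0
  fi
  path=${path%/}                          # drop a trailing slash, if any
  path=${path%.git}                       # drop .git so we can re-add it once
  printf 'git@github.com:%s.git\n' "$path"
}

# Constructed sample of `git remote -v` output (org/repo names are made up).
SAMPLE_REMOTES='origin    https://github.com/example-org/app.git (fetch)
origin    https://github.com/example-org/app.git (push)
upstream  git@github.com:example-org/upstream.git (fetch)
upstream  git@github.com:example-org/upstream.git (push)'

# Print one line per HTTPS GitHub *push* remote:
#   "<name> <https-url> -> <ssh-url>"
# Takes the text of `git remote -v` as its single argument.
audit_remotes() {
  printf '%s\n' "$1" \
    | awk '$3 == "(push)" && $2 ~ /^https:\/\/github\.com\//' \
    | while read -r name url kind; do
        printf '%s %s -> %s\n' "$name" "$url" "$(to_ssh_url "$url")"
      done
}

# Number of HTTPS GitHub push remotes in the given `git remote -v` text.
https_remote_count() {
  audit_remotes "$1" | wc -l | tr -d ' '
}

# Stand-alone run on the constructed sample.
audit_remotes "$SAMPLE_REMOTES"

# To apply this to a real checkout (not run here):
#   git remote set-url origin "$(to_ssh_url "$(git remote get-url origin)")"
# Per-device key, one per machine, with a comment naming the device
# ("work-laptop" is a placeholder); add the .pub file to your GitHub account:
#   ssh-keygen -t ed25519 -C "work-laptop" -f ~/.ssh/id_ed25519_github
```

Only `(push)` entries are reported because a fetch-only HTTPS remote of a public repository carries no credential; the push URL is where a leaked password or token would be used. Giving each device its own key means a lost laptop can be removed from the account without touching the keys on your other machines.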

Can we consider GitHub as a backup?

As you can see, GitHub does its best to protect the source code hosted within its services. However, we cannot treat it as a backup, for many reasons. A proven third-party backup should give us automation, versioning, encryption, long-term retention and instant recovery. GitHub is our production environment, and we should never treat it as a backup. Reliable GitHub backup software, like, should provide instant restore and disaster recovery features so you can get back to your code even if GitHub is down or any other failure occurs. So… is GitHub safe? It may be, but ultimately it’s up to you whether you use it properly and have a backup of your repositories and metadata in place.