GitHub Security
Welcome to the Git & GitHub Tutorial Series by CodeHarborHub. Securing your GitHub account and repositories is critical to protect your code, collaboration workflow, and sensitive data. In this guide, you'll learn essential security practices used by professional developers.
1. HTTPS vs SSH for GitHub
When connecting your local repository to GitHub, you have two options:
HTTPS
git clone https://github.com/username/repo.git
- Authenticates with your GitHub username and a personal access token (PAT) entered in place of a password
- Easy setup; works through proxies and firewalls that block outbound port 22
- Recommended for beginners or temporary setups
SSH
git clone git@github.com:username/repo.git
- Authenticates with an SSH key pair; the private key stays on your machine and is never sent to GitHub
- Convenient for frequent access: once the key is loaded in ssh-agent there is nothing to paste, and a passphrase protects the key file on disk
- Recommended for professional developers
GitHub no longer accepts your account password for Git operations over HTTPS; you need a personal access token (PAT), covered in section 3.
2. Setting Up SSH Keys
SSH keys allow secure password-less authentication between your machine and GitHub.
Step 1: Generate SSH Key
ssh-keygen -t ed25519 -C "your.email@example.com"
- Press Enter to accept the default location (~/.ssh/id_ed25519 for the private key, ~/.ssh/id_ed25519.pub for the public key)
- Set a passphrase: it encrypts the private key on disk, so a copied key file is useless without it. Load the key into ssh-agent with ssh-add so you type the passphrase once per session rather than on every push.
Step 2: Add SSH Key to GitHub
- Copy the public key (the .pub file, never the private key):
cat ~/.ssh/id_ed25519.pub
- Go to GitHub → Settings → SSH and GPG keys → New SSH key
- Paste the key and save
Step 3: Test Connection
ssh -T git@github.com
On the first connection ssh shows GitHub's host key fingerprint and asks whether to trust it. Compare it with the fingerprints listed in GitHub's docs ("GitHub's SSH key fingerprints") before answering yes; otherwise you are trusting whatever host answered. You should then see "Hi username! You've successfully authenticated, but GitHub does not provide shell access." confirming your key is working.
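The host-key check in Step 3, worked through as an added example (this is not code from the original page or from CodeHarborHub): the script below recomputes the SHA256 fingerprint that ssh displays from a known_hosts-format line, the same way ssh-keygen -lf does (SHA-256 over the decoded key blob, base64 without padding), and compares it with the fingerprints GitHub publishes on its "GitHub's SSH key fingerprints" docs page. Those fingerprints are copied here from that page; confirm them against it before relying on the list, since GitHub can rotate keys. The sample known_hosts line is constructed with an all-zero key and is deliberately not GitHub's, so it must report untrusted. The script name check_github_hostkey.py is my choice.

```python
"""Check a GitHub SSH host key against GitHub's published fingerprints (added example)."""
import base64
import hashlib
import sys

# Fingerprints copied from GitHub Docs, "GitHub's SSH key fingerprints".
# Re-check them against that page before trusting this list.
GITHUB_HOST_KEY_FINGERPRINTS = {
    "ssh-ed25519": "SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU",
    "ecdsa-sha2-nistp256": "SHA256:br9IjFspm1vxR3iA35FWE+4VTyz1hYVLIE2t1/CeyWQ",
    "ssh-rsa": "SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s",
}


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH SHA256 fingerprint: SHA-256 over the raw key blob, base64 without '=' padding.

    This is what `ssh-keygen -lf` prints and what ssh shows on first connection.
    """
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_known_hosts_line(line: str):
    """Split '<host> <keytype> <base64 blob> [comment]' (ssh-keyscan / known_hosts format)."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("expected '<host> <keytype> <base64 key>'")
    host, key_type, b64 = parts[0], parts[1], parts[2]
    blob = base64.b64decode(b64, validate=True)  # rejects stray characters
    return host, key_type, blob


def check_github_host_key(line: str, trusted=GITHUB_HOST_KEY_FINGERPRINTS) -> dict:
    """Return the computed fingerprint and whether it matches the published one for that key type."""
    host, key_type, blob = parse_known_hosts_line(line)
    got = fingerprint(blob)
    return {
        "host": host,
        "key_type": key_type,
        "fingerprint": got,
        "trusted": got == trusted.get(key_type),  # unknown key types are never trusted
    }


def constructed_ed25519_line(raw_key: bytes = bytes(32)) -> str:
    """Build a known_hosts line in SSH wire format for a CONSTRUCTED key (default: 32 zero bytes).

    Only for offline testing; it is deliberately not GitHub's key and must report trusted=False.
    """
    def ssh_string(b: bytes) -> bytes:
        return len(b).to_bytes(4, "big") + b  # SSH 'string': 4-byte big-endian length + data
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_key)
    return "github.com ssh-ed25519 " + base64.b64encode(blob).decode("ascii")


if __name__ == "__main__":
    # Pipe `ssh-keyscan -t ed25519 github.com` in; with no stdin, use the constructed sample.
    source = sys.stdin if not sys.stdin.isatty() else [constructed_ed25519_line()]
    exit_code = 0
    for raw in source:
        if not raw.strip() or raw.startswith("#"):
            continue
        result = check_github_host_key(raw)
        status = "TRUSTED" if result["trusted"] else "UNTRUSTED - do not answer yes"
        print(f"{result['host']} {result['key_type']} {result['fingerprint']} {status}")
        exit_code |= 0 if result["trusted"] else 1
    sys.exit(exit_code)
```

Run it as ssh-keyscan -t ed25519 github.com 2>/dev/null | python3 check_github_hostkey.py; a non-zero exit means the key that answered does not match the published fingerprint and the ssh -T prompt should be answered no. The same check works for an existing entry: grep github.com ~/.ssh/known_hosts | python3 check_github_hostkey.py.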
3. Personal Access Tokens (PAT)
For HTTPS authentication or API access, GitHub uses personal access tokens.
Creating a PAT
- Go to GitHub → Settings → Developer Settings → Personal Access Tokens → Tokens (classic) → Generate new token (fine-grained tokens, offered in the same menu, can be limited to specific repositories and permissions and are the better choice when they cover what you need)
- Choose scopes/permissions depending on your need (e.g., repo, workflow, admin:repo_hook); grant the minimum required and set an expiration date
- Copy the token and store it securely (a password manager, not a file in the repository); you won't see it again!
Using PAT with HTTPS
git clone https://github.com/username/repo.git
# Username: your GitHub username
# Password: paste your PAT
PATs replace your GitHub password for Git operations and API access. Do not embed the token in the remote URL (https://username:TOKEN@github.com/username/repo.git): it is written in plain text to .git/config and your shell history. Configure a credential helper instead (Git Credential Manager, or the OS keychain helpers such as osxkeychain and libsecret) so Git keeps the token in the system keystore and prompts only once. A PAT is a bearer credential: anyone who obtains it can act as you within its scopes until you revoke it, so treat it like a password.
4. Two-Factor Authentication (2FA)
2FA adds an extra layer of security to your GitHub account.
Enabling 2FA
- Go to GitHub → Settings → Password and authentication → Two-factor authentication
- Choose an authenticator app (TOTP) or a security key/passkey; avoid SMS where possible, since it is exposed to SIM swapping
- Follow setup instructions and save the recovery codes offline (each one is as powerful as the second factor itself)
Even if your password is compromised, an attacker cannot sign in without the second factor. 2FA protects browser sign-in; Git operations still authenticate with your SSH key or PAT, so those credentials need the same care.
5. Repository Security Best Practices
Use Protected Branches
- Prevent direct pushes to main or master (a branch protection rule or ruleset on the default branch)
- Require pull requests and code reviews before merging; optionally require status checks to pass and commits to be signed
Manage Collaborator Permissions
- Assign roles carefully: Admin, Write, Read (organization repositories also offer Triage and Maintain)
- Avoid giving unnecessary write access; Admin can change protection rules and delete the repository
Enable Dependabot
- Dependabot alerts flag dependencies with known vulnerabilities from the GitHub Advisory Database
- Dependabot security updates open pull requests that bump the affected dependency to a fixed version; version updates, configured in .github/dependabot.yml, keep dependencies current
Use .gitignore & Secrets
- Never commit sensitive files (.env, API keys, private keys); add them to .gitignore before the first commit
- Store secrets in GitHub Actions secrets for CI/CD; they are injected into workflows and masked in logs
- If a secret is committed and pushed, rotate it immediately: rewriting history does not recover it from clones, forks, or caches
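A pre-commit check that turns the PAT-handling advice of section 3 and the .gitignore/secrets advice above into something enforceable, as an added example that is not CodeHarborHub's or GitHub's code. It scans the files staged for commit for the token shapes GitHub documents (ghp_ for classic PATs, github_pat_ for fine-grained ones), plus a few illustrative heuristics of my own for AWS access key IDs, private-key blocks and .env-style assignments, and refuses the commit if anything matches. The sample .env content is constructed for this page and the ghp_ value in it is a made-up placeholder, not a real token. Install it as .git/hooks/pre-commit (marked executable) or run it on one file by passing a path; the script name and the pattern names are my choices.

```python
"""Pre-commit secret scanner for staged files (added example, not GitHub tooling)."""
import re
import subprocess
import sys

# Token shapes. The two GitHub prefixes are GitHub's documented PAT formats;
# the rest are illustrative heuristics and will not catch every secret.
SECRET_PATTERNS = {
    "github_pat_classic": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github_pat_fine_grained": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{82}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "dotenv_assignment": re.compile(
        r"^[A-Z_]*(?:SECRET|TOKEN|PASSWORD|API_KEY)[A-Z_]*\s*=\s*\S+", re.MULTILINE
    ),
}

# File names that should never be committed regardless of content (public keys, *.pub, are fine).
SENSITIVE_PATHS = re.compile(r"(^|/)\.env(\..*)?$|\.pem$|(^|/)id_(rsa|ed25519)$")

# Constructed sample: a .env as a developer might stage by mistake.
# The ghp_ value is a placeholder with the right length, not a real token.
SAMPLE_DOTENV = """\
DB_PASSWORD=hunter2
GITHUB_TOKEN=ghp_0123456789abcdef0123456789abcdef0123
LOG_LEVEL=debug
"""


def scan_text(text: str, path: str = "<stdin>") -> list:
    """Return (path, line_no, pattern_name) for every pattern match in text."""
    findings = []
    for name, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(text):
            line_no = text.count("\n", 0, match.start()) + 1
            findings.append((path, line_no, name))
    return findings


def sensitive_filename(path: str) -> bool:
    """True for .env files, PEM files and private SSH keys."""
    return SENSITIVE_PATHS.search(path) is not None


def staged_files() -> list:
    """Paths added/copied/modified in the index, i.e. what the commit will contain."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout
    return [p for p in out.splitlines() if p]


def staged_content(path: str) -> str:
    """The staged (index) version of a file, which may differ from the working tree."""
    return subprocess.run(
        ["git", "show", f":{path}"],
        capture_output=True, text=True, errors="replace", check=True,  # tolerate binary files
    ).stdout


def check_staged() -> list:
    """Scan every staged file by name and by content."""
    findings = []
    for path in staged_files():
        if sensitive_filename(path):
            findings.append((path, 0, "sensitive_filename"))
        findings.extend(scan_text(staged_content(path), path))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:  # scan one file on disk instead of the index
        target = sys.argv[1]
        with open(target, encoding="utf-8", errors="replace") as fh:
            findings = scan_text(fh.read(), target)
        if sensitive_filename(target):
            findings.append((target, 0, "sensitive_filename"))
    else:
        findings = check_staged()
    for path, line_no, kind in findings:
        print(f"{path}:{line_no}: possible secret ({kind}) - commit blocked", file=sys.stderr)
    sys.exit(1 if findings else 0)
```

Hooks are advisory: git commit --no-verify skips them, so pair this client-side check with GitHub's secret scanning and push protection on the server side, and treat any hit as a reason to rotate the credential, not merely to unstage the file.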
Regularly Audit Account
- Check authorized OAuth and GitHub Apps and revoke those you no longer use
- Review SSH keys and tokens; delete stale ones and replace expired ones rather than extending them
- Remove inactive collaborators
- Review the account's security log for unfamiliar sign-ins or key additions
6. Summary of GitHub Security Measures
| Feature | Purpose |
|---|---|
| HTTPS / SSH | Secure Git connections |
| SSH Keys | Password-less authentication |
| Personal Access Token | Secure HTTPS access and API usage |
| Two-Factor Authentication | Extra layer of account security |
| Protected Branches | Prevent unauthorized changes |
| Dependabot | Automatic dependency vulnerability alerts |
| Repository Secrets | Secure sensitive data for workflows |
Next Up
With security set, you're ready to explore GitHub Actions: learn how to automate workflows, CI/CD pipelines, and project automation. Next: GitHub Actions
Additional Resources
- GitHub Docs: SSH Keys
- GitHub Docs: Personal Access Tokens
- GitHub Docs: Two-Factor Authentication
- GitHub Security Best Practices
This tutorial is part of the CodeHarborHub Git & GitHub series, helping developers secure their accounts, repositories, and workflows professionally.