GitHub Security
Welcome to the Git & GitHub Tutorial Series by CodeHarborHub. Securing your GitHub account and repositories is critical to protect your code, collaboration workflow, and sensitive data. In this guide, youโll learn essential security practices used by professional developers.
1. HTTPS vs SSH for GitHubโ
When connecting your local repository to GitHub, you have two options:
HTTPSโ
git clone https://github.com/username/repo.git
- Uses username and password / personal access token for authentication
- Easy setup, works behind firewalls
- Recommended for beginners or temporary setups
SSHโ
git clone git@github.com:username/repo.git
- Uses SSH keys instead of passwords
- More secure and convenient for frequent access
- Recommended for professional developers
Modern GitHub disables password authentication for HTTPS; you need a **personal access token (PAT)
2. Setting Up SSH Keysโ
SSH keys allow secure password-less authentication between your machine and GitHub.
Step 1: Generate SSH Keyโ
ssh-keygen -t ed25519 -C "your.email@example.com"
- Press Enter to save in default location (
~/.ssh/id_ed25519) - Set a passphrase for extra security
Step 2: Add SSH Key to GitHubโ
- Copy public key:
cat ~/.ssh/id_ed25519.pub
- Go to GitHub โ Settings โ SSH and GPG keys โ New SSH key
- Paste the key and save
Step 3: Test Connectionโ
ssh -T git@github.com
You should see a welcome message confirming your key is working.
3. Personal Access Tokens (PAT)โ
For HTTPS authentication or API access, GitHub uses personal access tokens.
Creating a PATโ
- Go to GitHub โ Settings โ Developer Settings โ Personal Access Tokens โ Tokens (classic) โ Generate new token
- Choose scopes/permissions depending on your need (e.g.,
repo,workflow,admin:repo_hook) - Copy the token (store securely โ you wonโt see it again!)
Using PAT with HTTPSโ
git clone https://github.com/username/repo.git
# Username: your GitHub username
# Password: paste your PAT
PATs replace your GitHub password for Git operations and API access.
4. Two-Factor Authentication (2FA)โ
2FA adds an extra layer of security to your GitHub account.
Enabling 2FAโ
- Go to GitHub โ Settings โ Security โ Two-factor authentication
- Choose Authenticator App or SMS
- Follow setup instructions and save recovery codes
Even if your password is compromised, attackers cannot access your account without the second factor.
5. Repository Security Best Practicesโ
Use Protected Branchesโ
- Prevent direct commits to
mainormaster - Require pull requests and code reviews before merging
Manage Collaborator Permissionsโ
- Assign roles carefully: Admin, Write, Read
- Avoid giving unnecessary write access
Enable Dependabotโ
- GitHub Dependabot automatically scans for vulnerable dependencies
- Suggests updates for safe libraries
Use .gitignore & Secretsโ
- Never commit sensitive files (
.env, API keys) - Store secrets in GitHub Actions secrets for CI/CD
Regularly Audit Accountโ
- Check authorized OAuth apps
- Review SSH keys and tokens
- Remove inactive collaborators
6. Summary of GitHub Security Measuresโ
| Feature | Purpose |
|---|---|
| HTTPS / SSH | Secure Git connections |
| SSH Keys | Password-less authentication |
| Personal Access Token | Secure HTTPS access and API usage |
| Two-Factor Authentication | Extra layer of account security |
| Protected Branches | Prevent unauthorized changes |
| Dependabot | Automatic dependency vulnerability alerts |
| Repository Secrets | Secure sensitive data for workflows |
Next Upโ
With security set, youโre ready to explore GitHub Actions โ learn how to automate workflows, CI/CD pipelines, and project automation. ๐ Next: GitHub Actions โ
๐ Additional Resourcesโ
- GitHub Docs โ SSH Keys
- GitHub Docs โ Personal Access Tokens
- GitHub Docs โ Two-Factor Authentication
- GitHub Security Best Practices
๐ This tutorial is part of the CodeHarborHub Git & GitHub series โ helping developers secure their accounts, repositories, and workflows professionally.