{"id":20249626,"url":"https://github.com/jonico/github_security_and_scalability_overview","last_synced_at":"2026-03-07T01:35:15.911Z","repository":{"id":147879254,"uuid":"74122733","full_name":"jonico/github_security_and_scalability_overview","owner":"jonico","description":"My thoughts on GitHub's security and scalability","archived":false,"fork":false,"pushed_at":"2018-10-11T17:09:12.000Z","size":1144,"stargazers_count":1,"open_issues_count":0,"forks_count":4,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-03-03T16:15:41.518Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jonico.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-11-18T11:08:47.000Z","updated_at":"2020-02-04T12:45:11.000Z","dependencies_parsed_at":"2023-05-27T19:00:34.670Z","dependency_job_id":null,"html_url":"https://github.com/jonico/github_security_and_scalability_overview","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/jonico/github_security_and_scalability_overview","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jonico%2Fgithub_security_and_scalability_overview","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jonico%2Fgithub_security_and_scalability_overview/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jonico%2Fgithub_security_and_scalability_overview/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jonico%2Fgithub_security_and_scalability_overview/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jonico","download_url":"https://codeload.github.com/jonico/github_security_and_scalability_overview/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jonico%2Fgithub_security_and_scalability_overview/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30205210,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-06T19:07:06.838Z","status":"ssl_error","status_checked_at":"2026-03-06T18:57:34.882Z","response_time":250,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-14T09:54:40.771Z","updated_at":"2026-03-07T01:35:15.882Z","avatar_url":"https://github.com/jonico.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"## How secure is our solution\n\nGitHub is taking security very seriously as it protects the assets of more than 70000 companies and the majority of all Open Source projects.\n\nIt has [recently been classified](https://pokeinthe.io/2016/04/15/state-of-security-alexa-one-top-million-2016-04/) with a security A+ rating by the Mozilla Observatory which only applied to .003% of the top 1 million sites.\n\n![image alt text](image_0.png)\n\nGitHub probably employs more people dedicated to security as all competitors combined.\n\nAs GitHub Enterprise uses the same code base as GitHub.com, it benefits from the same experienced gained by successfully securing the source code of more than 14 million users -[ even if under massive attacks](http://fortune.com/2015/04/03/github-ddos-china/).\n\nGitHub Enterprise security features in a nutshell are shown on [https://enterprise.github.com/security](https://enterprise.github.com/security)\n\nGitHub Security best practices are shown in this [blog post](https://github.com/blog/2077-github-enterprise-security-best-practices).\n\nLast but not least, GitHub is running a large [**Bug Bounty program**](https://bounty.github.com/), rewarding anybody finding security vulnerabilities.\n\nSome highlights (not common at most of our competitors):\n\n* Branch permissions on team and individual level\n\n![image alt text](image_1.png)\n\n* Read, Write, Admin permissions on Repository and Organization level\n\n* GPG commit and tag signature verification: [https://help.github.com/categories/gpg/](https://help.github.com/categories/gpg/)\n\n![image alt text](image_2.png)\n\n* Ability to use a central PKI to issue and validate X.509 certificates for S/MIME Git commit signing\n\n* 2 factor authentication including hardware security keys (FIDO U2F)\n\n![image alt text](image_3.png)\n\n* SAML, LDAP, CAS authentication working out of the box\n\n![image alt text](image_4.png)\n\n* Security patches for entire appliance managed by GitHub, no need to manually patch any components of the appliance\n\n* Audit log fully searchable including geography from where actions were performed\n\n![image alt text](image_5.png)\n\n![image alt text](image_6.png)\n\n* Out of the box audits on public keys\n\n![image alt text](image_7.png)\n\n* See which users have not turned on 2 factor authentication yet\n\n![image alt text](image_8.png)\n\n* Intuitive UI showing access for every individual user to every repository and over which concept (team, org membership, default permission) access was granted and how to remove it\n\n![image alt text](image_9.png)\n\n![image alt text](image_10.png)\n\n* Self guided tours built into GitHub Enterprise to teach new users about security mechanisms\n\n![image alt text](image_11.png)\n\n* Disable force pushes on instance, org or repo level\n\n![image alt text](image_12.png)\n\n* Detailed reports where a user’s account was used on which device\n\n![image alt text](image_13.png)\n\n* Detailed reports which external applications have accessed GitHub’s APIs\n\n![image alt text](image_14.png)\n\n* Ability to revoke access for individual applications or users\n\n![image alt text](image_15.png)\n\n## How easy and how far does GitHub Enterprise scale?\n\nGitHub Enterprise benefits from the experience of scaling GitHub.com as it runs on the same code base. It has been highly optimized for thousands of multiple user web UI interactions and Git clone and push operations.\n\nGit operations have been heavily optimized by processing Git operations in the same process that received the operation (as opposed to spawning git helper processes in the background as many other solutions are doing). Our engineering team has shared its experience on how they optimized GitHub Enterprise for performance in [this blog post](http://githubengineering.com/benchmarking-github-enterprise/) where the following diagrams have been taken from.\n\n![image alt text](image_16.png)\n\n![image alt text](image_17.png)\n\nA single instance with default settings scales very well to at least 5000 users (as long as CI is integrated using web hooks and an [appropriate](https://help.github.com/enterprise/2.7/admin/guides/installation/installing-github-enterprise-on-aws/#hardware) machine is used). \n\n![image alt text](image_18.png)\n\nGitHub Enterprise supports [clustering](https://help.github.com/enterprise/2.7/admin/guides/clustering/) for any of its services (Git, Web interface, pages, search) if any scaling issues with more than 5000 users should arise. Clustering can be added when it is actually needed (no need to plan for a cluster upfront).\n\n## How cheap will it be to implement GitHub Enterprise?\n\n## How cheap will it be to operate and maintain GitHub Enterprise - upgrade, patches, provisioning and so on?\n\nGitHub Enterprise can be \n\n* installed in literally 20 minutes\n\n* updates can complete within literally 3 minutes\n\n* high availability setup, incremental, zero-downtime backup, monitoring and log forwarding are working out of the box (no professional services engagements needed)\n\n![image alt text](image_19.png)\n\n![image alt text](image_20.png)\n\n![image alt text](image_21.png)\n\nThis is all realized by shipping GitHub Enterprise in a virtual appliance that can be hosted on public clouds (AWS, Azure) and on many hypervisors (VMWare, OpenStack KVM, Hyper-V, XenServer) in a private data center.\n\nBy having a single approach of how to deliver GitHub Enterprise,  updates, security patches, backups, monitoring are guaranteed to work out of the box without any \"it-depends on your environment\" documentation.\n\nThis is a huge contrast to most competitors that have dozens of approaches how to ship their software which leads to an explosion of configuration permutations (three different supported OSes with two major versions each, three different data bases, three install topologies leads to 3 x 2 x 3 x 3 = 54 different combinations) that are impossible to support equally.\n\nScaling, clustering, HA setup, updates are often only vaguely described and contain many manual steps whereas it is fully automated in GitHub Enterprise.\n\nAll administration related tasks are accessible over the [web based administration console](https://help.github.com/enterprise/2.7/admin/guides/installation/web-based-management-console/) as well as over dedicated GitHub Enterprise [support commands](https://help.github.com/enterprise/2.7/admin/articles/command-line-utilities/) in the [ssh console](https://help.github.com/enterprise/2.7/admin/guides/installation/administrative-shell-ssh-access/).\n\n![image alt text](image_22.png)\n\nMore info under [https://help.github.com/enterprise/2.7/admin/guides/installation/](https://help.github.com/enterprise/2.7/admin/guides/installation/)\n\nShould any help be needed, our support folks are all \"real software engineers\", often contributing to the infrastructure and application development on GitHub.com. They will do their very best to make sure you have the same contact in support from the moment you entered a ticket to case resolution to have a consistent experience.\n\n## Export and import commands\n\nDocumentation: [https://help.github.com/enterprise/2.7/admin/guides/migrations/](https://help.github.com/enterprise/2.7/admin/guides/migrations/)\n\nBlog post: [https://github.com/blog/2171-migrate-your-repositories-using-ghe-migrator](https://github.com/blog/2171-migrate-your-repositories-using-ghe-migrator)\n\nTested commands (have to run on virtual appliance)\n\n# Exporting\n\nexport USERNAME=\u003cuser with permissions to export and import\u003e\n\nexport GITHUB_TOKEN=\u003cpersonal access token with repo and admin:org permissions\u003e\n\n# ... add all repositories to export\n\nghe-migrator add \u003crepo url\u003e -u $USERNAME -p $GITHUB_TOKEN\n\n# ...\n\nexport EXPORT_UID=\u003cdisplayed migration uid\u003e\n\nghe-migrator export -g $EXPORT_UID -u $USERNAME -p $GITHUB_TOKEN\n\n# Importing\n\nexport MIGRATION_ARCHIVE=\u003cpath to displayed migration archive\u003e\n\nghe-migrator prepare $MIGRATION_ARCHIVE\n\nexport IMPORT_UID=\u003cdisplayed migration uid\u003e\n\n# ... run as often as there are still conflicts to resolve\n\nghe-migrator conflicts -g $IMPORT_UID \u003e conflicts.csv\n\nghe-migrator map -i conflicts.csv -g $IMPORT_UID\n\n# ...\n\nghe-migrator import $MIGRATION_ARCHIVE -u $USERNAME -p $GITHUB_TOKEN -g $IMPORT_UID\n\nghe-migrator audit -g $IMPORT_UID\n\nghe-migrator unlock -g $IMPORT_UID -u $USERNAME -p $GITHUB_TOKEN\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjonico%2Fgithub_security_and_scalability_overview","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjonico%2Fgithub_security_and_scalability_overview","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjonico%2Fgithub_security_and_scalability_overview/lists"}