Monitor IAM for various best practices
Two Factor Authentication
Ensures multi-factor authentication is enabled for the default user account. GitHub MFA provides additional account security by requiring an additional login device or code. All accounts should have MFA enabled.
User Email should be Private
Checks that the primary email addresses associated with a GitHub account is set to private visibility. Email addresses added to GitHub should be set to private visibility to increase privacy and prevent account reconnaissance.
Excessive number of owners
Having too many owners of a Git organization increases the risk of a serious compromise from lost credentials.
Org Default Permissions
The default permission given to new organization users should be set to none. Read permissions risk exposing private repositories, while write or admin permissions risk sensitive access to repositories for new users.
Org MFA required
MFA should be enabled and enforced for all users of an organization.
Members MFA required
MFA should be enabled and enforced for all members of an organization.
Outside Collaborator MFA required
MFA should be enabled and enforced for all outside collaborators of an organization.
Excessive number of Repo admins
Allowing multiple users admin or push access to organization repositories places the organization at risk for contributions that can be pushed without review.
Outside Collaborator As Admin
Allowing outside collaborators admin or push access to organization repositories places the organization at risk from non-member contributions that can be pushed without review.
Repo Deployment Keys Rotated
Deploy keys can have significant access to a repository and should be rotated on a regular basis.
GPG Keys rotations
GitHub GPG keys are used to cryptographically sign code commits and should be rotated every 180 days.
Org Plan Limit
Running out of licenses will prevent developers from adding new users.
Help Us Improve!
If you have any suggestions to improve this checklist, please let us know by filling out