[{"data":1,"prerenderedAt":206},["ShallowReactive",2],{"blog-checklists/github-repo-checklist":3},{"id":4,"title":5,"body":6,"category":186,"date":187,"dateModified":187,"description":188,"draft":189,"extension":190,"faq":191,"featured":189,"headerVariant":192,"image":191,"keywords":191,"meta":193,"navigation":194,"ogDescription":195,"ogTitle":191,"path":196,"readTime":191,"schemaOrg":197,"schemaType":198,"seo":199,"sitemap":200,"stem":201,"tags":202,"twitterCard":204,"__hash__":205},"blog/blog/checklists/github-repo-checklist.md","GitHub Repository Security Checklist: 15-Item Guide to Protect Your Code",{"type":7,"value":8,"toc":180},"minimark",[9,16,19,22,47,64,82,100,116,121,124,127,149,168],[10,11,12],"tldr",{},[13,14,15],"p",{},"Your GitHub repository is a security boundary. Enable secret scanning and Dependabot, review .gitignore for sensitive files, use branch protection rules, and audit collaborator access. 5 critical items must be fixed before launch, 6 important items within the first week, and 4 recommended items when you can.",[13,17,18],{},"Most repo breaches come down to something embarrassingly simple: a leaked API key in a commit from six months ago, or a .env file that slipped past .gitignore. The good news is GitHub gives you solid built-in tools to catch this stuff automatically. 
Spend 30 minutes going through these items and you will close the gaps that attackers actually exploit.",[20,21],"print-button",{},[23,24,26,31,35,39,43],"checklist-section",{"title":25},"Quick Checklist (5 Critical Items)",[27,28],"checklist-item",{"description":29,"label":30},"Detect accidentally committed credentials","Enable secret scanning",[27,32],{"description":33,"label":34},"Block pushes containing detected secrets","Enable push protection",[27,36],{"description":37,"label":38},"Verify .env, credentials.json, *.pem are ignored","Review .gitignore",[27,40],{"description":41,"label":42},"Get notified about vulnerable dependencies","Enable Dependabot alerts",[27,44],{"description":45,"label":46},"Prevent direct pushes and require reviews","Enable branch protection on main",[23,48,51,54,57,60],{"title":49,"count":50},"Secret Protection","4",[27,52],{"description":53,"label":30},"Settings > Code security and analysis > Secret scanning: Enable. How to enable secret scanning",[27,55],{"description":56,"label":34},"Blocks pushes containing detected secrets before they enter history. How to enable push protection",[27,58],{"description":59,"label":38},"Verify .env, .env.local, credentials.json, *.pem are ignored. How to configure .gitignore",[27,61],{"description":62,"label":63},"Use git log -p | grep -i 'api_key\\|secret\\|password' to check history. How to scan git history","Search history for secrets",[23,65,67,70,74,78],{"title":66,"count":50},"Dependency Security",[27,68],{"description":69,"label":42},"Settings > Code security and analysis > Dependabot alerts: Enable. How to enable Dependabot",[27,71],{"description":72,"label":73},"Automatically creates PRs for vulnerable dependencies. How to configure Dependabot updates","Enable Dependabot security updates",[27,75],{"description":76,"label":77},"Check for outstanding security update pull requests. 
How to review Dependabot PRs","Review pending Dependabot PRs",[27,79],{"description":80,"label":81},"Verify private package names aren't claimable on public registries. How to prevent dependency confusion","Check for dependency confusion",[23,83,85,88,92,96],{"title":84,"count":50},"Access Control",[27,86],{"description":87,"label":46},"Settings > Branches > Add rule for main/master. How to set up branch protection",[27,89],{"description":90,"label":91},"Prevent direct pushes to main without review. How to require PR reviews","Require pull request reviews",[27,93],{"description":94,"label":95},"Settings > Collaborators: Review who has access and remove anyone who no longer needs it. How to audit repository access","Audit collaborators",[27,97],{"description":98,"label":99},"Settings > Deploy keys: Remove unused keys. How to manage deploy keys","Review deploy keys",[23,101,104,108,112],{"title":102,"count":103},"GitHub Actions Security","3",[27,105],{"description":106,"label":107},"Settings > Actions > Workflow permissions: Use the minimum permissions required. How to configure Actions permissions","Review workflow permissions",[27,109],{"description":110,"label":111},"Reference third-party actions by full commit SHA instead of a mutable tag like @v1, so a retagged or compromised release cannot change what your workflow runs. How to pin GitHub Actions","Pin third-party actions to SHA",[27,113],{"description":114,"label":115},"Never hardcode secrets in workflow files. Use ${{ secrets.NAME }}. How to use GitHub Secrets","Store secrets in GitHub Secrets",[117,118,120],"h2",{"id":119},"before-making-a-repo-public","Before Making a Repo Public",[13,122,123],{},"Before changing a private repository to public, run through this entire checklist twice. Once a secret is in public git history, consider it compromised. 
Even if you delete it, bots scrape public repos constantly and secrets can be captured within seconds of exposure.",[13,125,126],{},"Use tools like git-secrets or truffleHog to scan your entire git history for secrets before making a repo public.",[128,129,130,137,143],"faq-section",{},[131,132,134],"faq-item",{"question":133},"I accidentally committed a secret. What do I do?",[13,135,136],{},"First, rotate the secret immediately. The credential is compromised regardless of what you do with git history. Then, use git filter-branch or BFG Repo-Cleaner to remove it from history. Finally, force push the rewritten history and have all collaborators re-clone, so the secret is not pushed back from a stale local copy.",[131,138,140],{"question":139},"Is a private repo enough to protect secrets?",[13,141,142],{},"No. Private repos can become public accidentally. Team members change. Backups might be less secure. Always use environment variables and secrets managers, even for private repos. Treat .gitignore and secret scanning as required, not optional.",[131,144,146],{"question":145},"How do I share secrets with my team?",[13,147,148],{},"Use GitHub Secrets for CI/CD, a secrets manager (1Password, Doppler) for team access, and environment variables for local development. 
Never commit secrets to the repository, even in private repos.",[150,151,152,158,163],"related-articles",{},[153,154],"related-card",{"description":155,"href":156,"title":157},"Secure secrets management for GitHub","/blog/how-to/github-secrets","How to Use GitHub Secrets",[153,159],{"description":160,"href":161,"title":162},"Clean up accidentally committed secrets","/blog/how-to/remove-secrets-git-history","Remove Secrets from Git History",[153,164],{"description":165,"href":166,"title":167},"Security checklist for open source projects","/blog/checklists/open-source-checklist","Open Source Security Checklist",[169,170,173,177],"cta-box",{"href":171,"label":172},"/","Start Free Scan",[117,174,176],{"id":175},"scan-your-repository","Scan Your Repository",[13,178,179],{},"Check for exposed secrets and security misconfigurations in your codebase.",{"title":181,"searchDepth":182,"depth":182,"links":183},"",2,[184,185],{"id":119,"depth":182,"text":120},{"id":175,"depth":182,"text":176},"checklists","2026-01-27","Security checklist for GitHub repositories. Protect your code, secrets, and access controls before making a repo public or adding collaborators.",false,"md",null,"green",{},true,"GitHub repository security checklist for developers.","/blog/checklists/github-repo-checklist","[object Object]","HowTo",{"title":5,"description":188},{"loc":196},"blog/checklists/github-repo-checklist",[203],"Security Checklist","summary_large_image","ocSKU86R0Iztr9UY2FSA68FzyQ7CwFFIcylZwMq7fBA",1775843931678]