Guardrails for GitHub
Detect and remediate GitHub organization and repository misconfigurations with Guardrails.

Cloud teams prioritize securing infrastructure ecosystems like AWS, Azure, GCP, and Kubernetes. These are foundational layers of the cloud, where misconfigurations often arise and can have severe consequences if left unaddressed. However, infrastructure security is only part of the story.
Every change to your cloud infrastructure flows through your development pipeline in GitHub. A compromised repository, workflow, or credential provides attackers direct access to modify your cloud infrastructure. Bringing your cloud and GitHub configurations under Guardrails delivers complete governance from pipeline to cloud.
Securing the Software Supply Chain with Guardrails
Turbot Guardrails provides cloud teams with real-time detection, compliance, and remediation capabilities across AWS, Azure, GCP, Kubernetes, and ServiceNow. By continuously monitoring configurations, Guardrails ensures cloud services remain secure, compliant, and operationally optimized.
Adding GitHub to its scope, Guardrails extends these same governance capabilities to your development environment:
- Inventory: Continuously update asset inventory of your GitHub organizations
- Audit Trail: Track changes to organization and repository configurations.
- SecOps Alerting: Identify and alert on unprotected branches, exposed secrets, etc.
- Continuous Compliance: Automatically correct misconfigurations in real-time.
By securing both layers, cloud infrastructure and development pipelines, Guardrails ensures your organization's entire ecosystem remains secure from pipeline to runtime configuration.
How to Enable GitHub Guardrails
Install the GitHub Mod
To get started, install the @turbot/github mod.
Connect Your First GitHub Organization
Once the mod is installed, your Connect page will now have an option to connect your GitHub organization(s) to Turbot Guardrails.
Guardrails will immediately discover all GitHub organization configurations and repositories. This instantly updates the Guardrails Configuration Management Database (CMDB) with real-time configurations. Guardrails also sets up event handlers to automatically receive real-time events as changes occur, allowing instant updates to inventory, audit trail, and control execution based on your governance posture.

GitHub Guardrail Policy Pack Examples
The GitHub mod includes several pre-built organization and repository guardrail policies ready to use.
At the Organization level, you can control member access and permissions, manage Deploy Keys, configure security settings, and enforce consistent policies across all repositories.
At the Repository level, you can standardize security configurations, manage Dependabot settings, enforce pull request requirements, and ensure consistent repository settings.
Here are some of the most commonly used GitHub guardrails our customers implement through policy packs available on the Guardrails Hub:
Repository Visibility
Ensuring that GitHub repositories are private protects your codebases from accidental exposure, protecting sensitive information from unauthorized access.
In most use cases, you would want all your repositories set to Private, and, by exception, ensure that specific repositories intended to be Public remain accessible where applicable.

The inverse could be true for your organization; at Turbot, we manage hundreds of open-source repositories intended to be public for our community. In our use case, we have a few repos intended to be Private, while the majority are Public, supporting our Steampipe, Powerpipe, and Flowpipe open-source projects. Ensuring our intended Public repos remain available is essential to our user community.
Enable Dependabot Alerts
Enabling Dependabot alerts for GitHub repositories is essential for identifying and addressing vulnerabilities in dependencies. This helps maintain the security and integrity of the codebase by providing timely notifications about potential risks and ensuring compliance with best practices for code dependency management.
While the alerts can be noisy, that is the nature of maintaining an up-to-date code base. Having Guardrails ensure Dependabot alerts remain enabled across all repositories helps teams stay ahead of potential vulnerabilities and makes findings easier to identify, prioritize, and act on.
Enforce Secret Scanning
Enforcing that secret scanning is enabled on GitHub repositories detects sensitive information, such as API keys, tokens, passwords, and other credentials, that may accidentally be committed to the repository.
There are countless examples over time; just recently, Toyota suffered a data breach by accidentally exposing a secret key publicly on GitHub, highlighting the critical importance of automated secret detection and remediation.
Auto-remediation of a GitHub misconfiguration
One of the unique aspects of using Guardrails for GitHub is that it not only alerts instantly when there is a misconfiguration in GitHub, but also auto-corrects the misconfiguration as soon as it occurs.
After you have installed the Secret Scanning Enabled policy pack from the Guardrails Hub, you can attach it to your GitHub Organization in Guardrails.
The policy pack defaults to Check: Enabled, which means all your repositories will alarm if the repository does not have secret scanning enabled.

To enforce that all public repositories have secret scanning enabled, you can flip the policy to Enforce: Enabled. This will instantly enable secret scanning on all applicable repositories. From then on, Guardrails continuously monitors any changes to this configuration.
If an administrator disables secret scanning, Guardrails will immediately alert and auto-correct the misconfiguration in real time.
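The Check versus Enforce behaviour described here, together with the Repository Visibility, Dependabot Alerts and Secret Scanning guardrails above, can be modelled as a small policy evaluator. The following is an added example, not Guardrails' or Turbot's code: it runs the three controls over a constructed repository inventory, alarms in Check mode, applies the correction in Enforce mode, honours an exception list (for repositories intentionally kept Public), and re-checks a repository after an out-of-band change. Record field names follow the GitHub REST API `GET /repos/{owner}/{repo}` response (`visibility`, `security_and_analysis.secret_scanning.status`) and the remediation requests use the documented `PATCH /repos/{owner}/{repo}` and `PUT /repos/{owner}/{repo}/vulnerability-alerts` endpoints; the `dependabot_alerts_enabled` flag on each record is an assumption of this example, since GitHub reports that state through the separate vulnerability-alerts endpoint rather than in the repository object. No network calls are made; remediations are returned as request descriptions.

```python
"""Check-vs-Enforce policy evaluation over a constructed GitHub repository inventory.

Added example (not Guardrails' or Turbot's code). Models the page's three guardrails
and its two policy modes: Check (alarm only) and Enforce (alarm, then correct).
`dependabot_alerts_enabled` is an assumed field; GitHub exposes that state via
/repos/{owner}/{repo}/vulnerability-alerts. No requests are actually sent.
"""
from copy import deepcopy
from dataclasses import dataclass
from typing import Optional

# Constructed sample inventory (not real repositories), shaped like GET /repos/{owner}/{repo}.
SAMPLE_REPOS = [
    {"full_name": "acme/payments-api", "visibility": "public",
     "security_and_analysis": {"secret_scanning": {"status": "disabled"}},
     "dependabot_alerts_enabled": False},
    {"full_name": "acme/internal-tools", "visibility": "private",
     "security_and_analysis": {"secret_scanning": {"status": "enabled"}},
     "dependabot_alerts_enabled": True},
    {"full_name": "acme/steampipe-plugin-example", "visibility": "public",
     "security_and_analysis": {"secret_scanning": {"status": "enabled"}},
     "dependabot_alerts_enabled": False},
]


@dataclass
class Finding:
    repo: str
    control: str
    state: str                      # "ok", "alarm" (Check) or "remediated" (Enforce)
    action: Optional[dict] = None   # REST request an Enforce run would issue


def _secret_scanning_on(repo):
    return (repo.get("security_and_analysis", {})
                .get("secret_scanning", {}).get("status") == "enabled")


def _set_secret_scanning(repo, on):
    repo.setdefault("security_and_analysis", {})["secret_scanning"] = {
        "status": "enabled" if on else "disabled"}


# Each control: compliance test, the API request that fixes it, and how that request
# would change the record (so an Enforce run can be modelled offline).
CONTROLS = {
    "visibility": dict(
        compliant=lambda r, want: r["visibility"] == want,
        remediate=lambda r, want: {"method": "PATCH", "path": f"/repos/{r['full_name']}",
                                   "body": {"visibility": want}},
        apply=lambda r, want: r.update(visibility=want),
    ),
    "secret_scanning": dict(
        compliant=lambda r, want: _secret_scanning_on(r) == want,
        remediate=lambda r, want: {"method": "PATCH", "path": f"/repos/{r['full_name']}",
                                   "body": {"security_and_analysis": {"secret_scanning": {
                                       "status": "enabled" if want else "disabled"}}}},
        apply=_set_secret_scanning,
    ),
    "dependabot_alerts": dict(
        compliant=lambda r, want: r.get("dependabot_alerts_enabled", False) == want,
        remediate=lambda r, want: {"method": "PUT" if want else "DELETE",
                                   "path": f"/repos/{r['full_name']}/vulnerability-alerts"},
        apply=lambda r, want: r.update(dependabot_alerts_enabled=want),
    ),
}


def evaluate(repos, policies, exceptions=None):
    """Run every policy against every repository.

    policies:   {control: (mode, desired)} with mode "check" or "enforce".
    exceptions: {control: {full_name, ...}} repositories exempt from that control.
    Returns (findings, repos_after_enforcement); the input list is not mutated.
    """
    exceptions = exceptions or {}
    repos = deepcopy(repos)
    findings = []
    for repo in repos:
        for control, (mode, desired) in policies.items():
            if repo["full_name"] in exceptions.get(control, set()):
                continue
            spec = CONTROLS[control]
            if spec["compliant"](repo, desired):
                findings.append(Finding(repo["full_name"], control, "ok"))
            elif mode == "enforce":
                action = spec["remediate"](repo, desired)
                spec["apply"](repo, desired)          # model the PATCH/PUT taking effect
                findings.append(Finding(repo["full_name"], control, "remediated", action))
            else:
                findings.append(Finding(repo["full_name"], control, "alarm"))
    return findings, repos


def drift_and_recheck(repos, policies, repo_name, control, new_value, exceptions=None):
    """Model an admin changing one setting after enforcement, then the event-driven re-check."""
    _, current = evaluate(repos, policies, exceptions)
    drifted = next(r for r in current if r["full_name"] == repo_name)
    CONTROLS[control]["apply"](drifted, new_value)        # the out-of-band change
    findings, _ = evaluate([drifted], {control: policies[control]}, exceptions)
    return findings[0]


if __name__ == "__main__":
    policies = {"secret_scanning": ("enforce", True), "dependabot_alerts": ("enforce", True),
                "visibility": ("check", "private")}
    exempt = {"visibility": {"acme/steampipe-plugin-example"}}   # intentionally public
    for f in evaluate(SAMPLE_REPOS, policies, exempt)[0]:
        print(f"{f.state:10} {f.control:18} {f.repo} {f.action or ''}")
    print(drift_and_recheck(SAMPLE_REPOS, policies, "acme/payments-api",
                            "secret_scanning", False, exempt))
```

Running the script prints one line per control per repository, with the request an Enforce run would issue beside each remediated finding, and then shows that disabling secret scanning on an already-corrected repository produces a fresh `remediated` finding on the next evaluation. The evaluator never mutates the caller's inventory, so a Check run can be compared against an Enforce run on the same input.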

See it in Action
Watch this demo to see how Turbot Guardrails manages GitHub organization and repository guardrails in real time:
Elevate Your GitHub Security with Guardrails
Guardrails for GitHub brings enterprise-grade governance to your repositories, helping you maintain secure GitHub configurations at all times.
Get started with a 14-day free trial of Guardrails for GitHub today.