Skip to content

GitHub

The GitHub integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated GitHub Organization that could leave you and your organization vulnerable.

Integration prerequisites

  • A GitHub account with a Free, Pro, or Enterprise plan
  • Membership to a GitHub Organization with Owner or GitHub App manager permissions

Integration permissions

For the GitHub integration to function, Cloudflare CASB requires the following GitHub API permissions:

PermissionAccessDescription
AdministrationRead-onlyView basic administrative information from the account.
MembersRead-onlyView metadata on organization members
MetadataRead-onlyView metadata surrounding an organization's assets, excluding sensitive private repository information.
Organization administrationRead-onlyView information on organization settings

These permissions follow the principle of least privilege to ensure that only the minimum required access is granted. To learn more about each permission, refer to the GitHub App permissions reference.

Security findings

The GitHub integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by severity level.

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its RSS feed.

Branches and merges

Finding typeFindingTypeIDSeverityDescription
GitHub: Repository has no Default Branch Protection5a0428fa-5c13-44b8-a028-9351c1d10a91MediumA repository's default branch does not have any branch protection rules enabled.
GitHub: Repository Default Branch Protection does not have PR Review Requirededd3f193-af01-421d-9a50-cb1d147bf3a6MediumA repository's default branch does not have a Require pull request reviews before merging rule.
GitHub: Repository Default Branch Protection does not have Force Pushes Disabledefc3e582-ef39-4316-b1f3-d4717ef30867MediumA repository's default branch has enabled Allow force pushes.
GitHub: Repository Default Branch Protection does not have Stale PR Approvals Disabled7dc170d7-b1ef-4138-95fb-403d16e7ed43MediumA repository's default branch does not have a Dismiss stale pull request approvals when new commits are pushed rule.
GitHub: Repository Default Branch Protection does not have Admin Restrictions4e4aec5b-e763-41ac-9099-af874606959bMediumA repository's default branch does not have a Do not allow bypassing the above settings rule for administrators.
GitHub: Repository Default Branch Protection does not have Status Checks1eba1aeb-9827-4a03-9c47-8290bd3a83d5MediumA repository's default branch does not have a Require status checks to pass before merging rule.
GitHub: Organization repository has default WRITE permissionfc074da0-1e1c-4982-8673-0852d70bf80cMediumA repository's default write protection settings were not changed.
GitHub: Repository not updated in 12+ months68b6ef6d-7e00-4761-b3f1-fcf323dc9c26MediumNo changes were made to a repository in at least a year.

Learn more about GitHub branch protection rules.

User accounts

Finding typeFindingTypeIDSeverityDescription
GitHub: Organization two-factor authentication disabled47d01030-0ed8-496d-9484-f77899b21d59HighAn organization does not have its organization-wide two-factor authentication (2FA) requirement enabled.
GitHub: Organization user two-factor authentication disableddfed92b2-a45e-46ed-a86b-8c7e3db01f3cHighA member of the organization does not have two-factor authentication (2FA) enabled.