2/8/2023 GitHub Administration Flashcards
What are best practices for the team-level organization (3)
Nested teams to reflect your group's or company's hierarchy (teams can be nested)
Create teams based on interest or a specific technology to help streamline the review process (“steel-thread”)
Enable team sync between your identity provider and GitHub
What permissions does an Admin or Team Maintainer have? (5 total)
*hint: “Team level”
Create, Modify, Delete a team
Add or remove outside collaborators
Allow/disable team discussions
Change visibility of team within org
Manage automatic code review assignments for pull requests
What permissions does an Admin at the Organization level have? (6 total)
Invite users to join org
Organize users into a team and grant “Team Maintainer” permissions
Add/remove outside collaborators
Set up security within org
set up billing or assign billing manager
Apply org wide changes
Explain each level of github hierarchy and purpose (Team, Org, Enterprise)
Team - Creating teams in your organization
Organization - Shared spaces enabling users to collaborate across many projects at once
Enterprise - Allows owners to centrally manage policy for multiple organizations
How many action minutes and storage can be stored for GitHub (Free, Pro/Team, Enterprise)
Free: 2k minutes per month (private & public) w/ 500MB of storage
Team/Pro: 3k minutes per month w/ 2GB of storage
Enterprise: 50k minutes per month w/ 50GB of storage
What features do you get with GitHub Enterprise? (7 total)
Access Control for GH pages
Centralized Billing
99.9% uptime SLA
Security, compliance, and deployment controls
SSO
GH Connect
Option to purchase GHAS
What are the runner costs for Windows, Linux, and macOS?
- Linux is 1 for 1 (1min using a runner costs 1min on your acct)
- Windows is 2 for 1 (1min using a runner costs 2mins on your acct)
- macOS is 10 for 1
*By default you can't spend over your included minutes; if you increase your spending limit, you will be charged for what you use
How do you calculate storage usage?
Storage Amount * # of days * hours per day / [total hours per month]
*Repeat this formula for various storage amounts throughout the month
What is the “SECURITY.md” file used for?
Tells contributors how to report or address security issues/bugs; the file is located in the root of the repo
(A way to responsibly disclose concerns)
What are security Advisories?
Allow repo maintainers to privately discuss and fix security vulnerabilities within a project.
What is the purpose of the “.gitignore” file?
Preventive control to decrease the likelihood of committing sensitive information
“A file that tells Git to ignore paths and patterns when aggregating files for a commit”
NOTE:
*Only as strong as the patterns written in it (files can slip through)
*Assume any data committed has been compromised
What is a CodeOwner and what is the purpose of a CodeOwner file?
Assigns teams or individuals as code owners.
Owners are pull-request reviewers
*Files can be created in root, docs, or .github folder
What are common community health files found at an organizational level? (6 total)
Code of Conduct (md file)
Contributing (md file)
Funding (yml file)
config (yml file)
Security (md file)
support (md file)
What is branch protection? (1)
What are rules put in place with branch protection? (4)
Enforce certain workflows for one or more branches
- Review Approvals
- Status checks
- Build complete
- Linter (“typos and conformance”)
What are key security settings available to administrators? (6 Total)
Access restrictions
Security Documentation
Advisories
Dependabot Alerts
Security Updates
GitHub Dependency Graph
What is the purpose of a pre-commit hook?
Automated check prior to committing that looks for sensitive information stored within code
What are two tools to scrub your repo if sensitive information has been committed to your repo?
BFG Repo-Cleaner
- Easy and efficient (set of default actions), however limited in its capabilities / less ability to customize
git filter-repo
- Syntax is complex and there is a strong risk of creating unforeseen problems with a repo's integrity (especially in a Windows environment)
*Once sensitive information is removed you must force push your changes to GitHub (“git push --force”)
*You may need to contact GitHub support for further assistance.
What are two ways to log information? (Compliance, Internal Purposes)
GraphQL API
What information should be included in a security advisory (4)
Product and versions affected
Severity
Types of security weaknesses addressed by the project owner's actions
Impact, status of patches, and workarounds
What two pieces of information are included in your org's log?
User that performed the action
Date and time of the action
What SSO providers does GitHub currently support? (6)
ADFS
Azure AD
Okta
OneLogin
PingOne
Shibboleth
*You need to enforce this via org setting
*GitHub will remove any org member who has not authenticated successfully with the SAML IdP
What kinds (types) of 2FA does GitHub support (3)
Security Keys
TOTP
SMS
*You can review users for compliance and revoke access for those who are not compliant
What does SCIM stand for?
What does SCIM do?
System for Cross-domain Identity Management - add, manage, or remove org members' access within GitHub
What are SCIM usage limitations when using Team Sync and what happens when you exceed this?
Unexpected performance and sync failures
Max for # of members in a GitHub Team: 5k
Max for # of members in a GitHub Organization: 10k
Max for # of teams in a GitHub Organization: 1500
What IdPs does Team sync work with? (2)
Azure AD
Okta
Can you disable Team Sync?
Yes - you can disable Team Sync
What permission is required to enable Team Sync within Azure AD? (3)
Read all users' full profiles
Sign in and Read User Profile
Read Directory Data
What IdPs are compatible with the GH SCIM API for orgs? (3)
Azure AD
Okta
OneLogin
What are key takeaways to EMU (Enterprise Managed Users)? (4 total)
Onboarding New Employees
Offboarding Employees
Reduce Accidental IP Leakage
Consultant Administration (temporary access managed through the IdP)
What is GitHub Connect?
Shares data between GitHub Enterprise Server and GitHub Enterprise Cloud
What are the key takeaways from GH AE? (4)
GHAE “GitHub AE”
- Isolated env, Self-Managed, private
- Hosted in Azure
- Supports FedRAMP (ATO), ISO 27001, SOC 1, SOC 2 Type II, SOC 3
- GH Support helps with issues
Who owns the users within GitHub.com (Users or Enterprise)?
Users
What are the best practices for managing a GitHub Enterprise? (Organization Level) (2)
Organizations:
- Have as few orgs as possible
- Have multiple Owners
Teams:
- Focus on Top Level Corp Divisions
What are ways to organize your Team structure?
Based on:
- Interest (Teams based on Tech)
- Organizational Unit (Replicate your org structure)
- Product Teams (Keep Product Centric)
For authentication using GitHub Apps a user or org can own how many applications? With how many requests?
100 GitHub Apps
Up to 15k requests (enterprise)
For authentication using OAuth a user or org can own up to how many applications? With how many requests?
100 OAuth Apps
- up to 5k in requests
When should PATs (personal access tokens) primarily be used?
For personal use only
- Never use them to set up company-wide services
How long do logs last in retention by default?
90 days
What are action best practices? (6)
- Limit token permission
- Use the GitHub token when possible
- run only trusted actions
- protect secrets with environments
- create starter workflows
- create meaningful readme files
What are the key takeaways of GHES? (4)
GHES “GitHub Enterprise Server”
- On Prem, Self Managed, private infra
- Supports GH Connect
- Supports GHAS
- Runs on a hypervisor
What are the key takeaways of GHEC? (4)
GHEC “GitHub Enterprise Cloud”
- Good for Public, Open source collaboration
- SaaS, easy and fast
- minimal configuration (private yet on the internet)
- Accounts belong to user except for EMU (Enterprise Managed User)