Enhancing Github Security with Oasis

Vini Mostovoy and Vitalii Trofymenko



Published on September 4, 2024

GitHub is the central hub for many development teams, enabling seamless code collaboration and integration. However, the dynamic nature of GitHub's ecosystem—often involving multiple third-party connections, internal cross-services, and automation processes—can introduce significant security risks and expand the attack surface if not handled properly. We are excited to announce that Oasis now offers an out-of-the-box integration with GitHub that allows users to gain visibility, risk posture, and lifecycle management, offering a comprehensive solution for non-human identities (NHIs) within GitHub environments.

Understanding Non-Human Identities in GitHub

Within GitHub, non-human identities are responsible for a wide range of automated tasks and integrations. They are not typical user accounts but entities that interact with repositories, APIs, and workflows on behalf of users and organizations. Understanding these identities is the first step toward securing your GitHub environment. Key types of NHIs in GitHub include:

  • Users (used as Machine Users): User accounts for automated tasks, typically identified by specific naming conventions (e.g., names ending in `-bot`, `-ci`, `-cd`, or `-svc`).
  • Personal Access Tokens (PATs): Long-lived tokens used for authenticating to GitHub.
  • SSH Keys: Keys used for secure connections to GitHub repositories, essential for automated processes and integrations.
  • GitHub Apps: Long-lived integrations that perform tasks on behalf of a user or an organization, including for CI/CD pipelines.
  • OAuth Apps: These apps often exist in the environment as shadow apps, where users may unknowingly grant excessive access.
  • Repository Deploy Keys: SSH keys that provide access to specific repositories.
  • Repository Secrets: Repository-level secrets are specific to a single repository, can be accessed by the repository workflows, and are typically used for CI/CD pipelines.
  • Organization Secrets: Organization-level secrets can be configured to be accessible by all repositories within the organization, or only by specific ones, and are often used for shared services that multiple repositories need access to.

Key Features of Oasis Integration with GitHub

Connecting Oasis to GitHub is extremely simple and can be accomplished in just a few minutes via a secure app integration from our built-in integration library. Once connected, we automatically discover the GitHub NHIs and the secrets they use, map their operational attributes, and analyze their posture. By addressing critical security weaknesses (stale identities, unrotated secrets, over-permissive access, over-consumed resources, and long expiration periods), the integration provides robust security, operational efficiency, and compliance. Oasis' proactive and automated approach not only enhances the security posture of GitHub environments but also offers peace of mind by mitigating the risk of unauthorized access and data breaches. Here is how:

  • Detect and Remove Stale Identities: Oasis detects non-human identities that are no longer active, minimizing the security risks associated with unused PATs, applications, and deploy keys. By flagging stale identities, organizations can deactivate or remove them to reduce potential attack vectors, streamlining identity management by ensuring that only necessary and active identities can access resources.
  • Enforce Secret Rotation Policies: Oasis checks whether secrets have been in use beyond the recommended rotation period (e.g., 90 days for tokens) and flags those not rotated within the defined interval. This ensures that secrets are regularly rotated, reducing the risk of compromise due to prolonged use. Regular rotation of secrets helps to minimize exposure to malicious actors and supports adherence to industry standards for secret management, such as PCI-DSS and HIPAA.
  • Monitor GitHub Apps and OAuth Apps for Excessive Permissions: Unmonitored connections to your GitHub environment can create a vast ecosystem of supply chain dependencies, expanding your attack surface and exposing your organization to compliance violations and unauthorized access. Oasis monitors GitHub applications for inactive or excessively permissive apps. When an app is found to have unnecessary access rights, an alert is generated, prompting a review and adjustment of permissions to enforce least privilege.
  • Detect Anomalous Activity and Potential Breaches: Oasis identifies unusual access patterns to sensitive repositories that indicate potential security breaches. With anomaly and suspicious-behavior alerts in hand, organizations can quickly follow the suggested risk mitigation steps and secure their GitHub environment, preventing unauthorized access.

With Oasis, securing your GitHub environment is both straightforward and hassle-free. Effective security goes beyond automation—it requires full visibility and context. In a dynamic development environment, there’s always an exposure risk, especially if you can’t identify and understand all non-human identities. Knowing which NHIs are in use, who is using them, and what permissions they have is essential for maintaining a clean and secure environment.

Oasis simplifies the complexities of managing code security and integrations, allowing you to focus on what matters most—building high-quality code. Our automated approach ensures your environment is always protected against evolving threats without adding extra work to your team.

Ready to elevate your GitHub security? Contact us today to see how Oasis can enhance your security posture with comprehensive visibility and control.