Domain 6: Privacy, Security, and Administration (10%)
Authentication
Two-Factor Authentication (2FA)
2FA adds a second layer of security beyond a password. GitHub supports:
- TOTP apps (Authenticator apps like Google Authenticator, Authy)
- SMS (less secure, not recommended)
- Security keys (hardware keys, WebAuthn; most secure)
- GitHub Mobile (push notification approval)
Important
Organization admins can require 2FA for all members. Members who don't enable it are removed from the org.
Personal Access Tokens (PATs)
PATs replace passwords for API and Git authentication:
| Token Type | Scope |
|---|---|
| Classic PAT | Broad permissions, single token |
| Fine-grained PAT | Per-repo, per-permission control |
Best Practice
Use fine-grained PATs: they follow the principle of least privilege. Classic PATs are being deprecated for org use.
SSH Keys
SSH keys allow passwordless Git authentication:

```bash
ssh-keygen -t ed25519 -C "your@email.com"
# Add the public key under GitHub Settings → SSH and GPG keys
```

SAML SSO
Organizations on GitHub Enterprise Cloud can require SAML Single Sign-On: members authenticate through an identity provider (Okta, Azure AD, etc.) before accessing org resources.
Branch Protection Rules
Branch protection rules enforce code quality gates on specific branches (typically main).
Available Protections
| Rule | Effect |
|---|---|
| Require pull request reviews | PR must be approved before merge |
| Required approvals | Minimum number of approvals (e.g., 2) |
| Dismiss stale reviews | New commits re-require approval |
| Require status checks | CI must pass before merge |
| Require signed commits | All commits must be GPG/SSH signed |
| Require linear history | No merge commits; squash or rebase only |
| Include administrators | Rules apply to repo admins too |
| Restrict who can push | Limit direct pushes to specific users/teams |
| Require conversation resolution | All review comments must be resolved |
Exam Tip
Branch protection rules are set per branch (or branch pattern with wildcards like release/*). They're configured under Settings → Branches.
Rulesets (newer approach)
Rulesets are a more flexible alternative to branch protection rules:
- Can apply to multiple branches at once with patterns
- Can be enforced at organization level across all repos
- Support "Evaluate" mode for testing before enforcing
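To make the rules in the table above concrete, here is a small simulation of how a protected branch decides whether a pull request may merge, including the "dismiss stale reviews" subtlety (an approval given before the latest push no longer counts) and the rulesets "Evaluate" mode, where violations are reported but not enforced. This is an added example written for this guide, not GitHub's own code; the field names, the `Protection` and `PullRequest` classes and the evaluation order are my simplification and are not GitHub API names.

```python
from dataclasses import dataclass

# Simplified model of a branch protection rule / ruleset, written for this
# study guide. The field names are my own shorthand for the rules in the table
# above; they are not GitHub's API field names.
@dataclass(frozen=True)
class Protection:
    required_approvals: int = 1
    dismiss_stale_reviews: bool = True
    required_status_checks: tuple = ()
    require_conversation_resolution: bool = True
    require_linear_history: bool = True
    restrict_push_to: frozenset = frozenset()   # empty set = no restriction
    enforcement: str = "active"                 # rulesets also allow "evaluate"


@dataclass
class PullRequest:
    head_sha: str
    approvals: dict            # reviewer -> commit SHA the approval was given on
    checks: dict               # check name -> "success" | "failure" | "pending"
    unresolved_threads: int = 0
    merge_method: str = "squash"


def violations(rule: Protection, pr: PullRequest) -> list:
    """Return the rules the PR currently violates (empty list = mergeable)."""
    found = []
    # Dismiss stale reviews: an approval only counts if it was given on the
    # current head commit; any push after the review invalidates it.
    valid = [r for r, sha in pr.approvals.items()
             if sha == pr.head_sha or not rule.dismiss_stale_reviews]
    if len(valid) < rule.required_approvals:
        found.append(f"needs {rule.required_approvals} approval(s), has {len(valid)}")
    for check in rule.required_status_checks:
        state = pr.checks.get(check, "missing")
        if state != "success":
            found.append(f"required status check {check!r} is {state}")
    if rule.require_conversation_resolution and pr.unresolved_threads:
        found.append(f"{pr.unresolved_threads} unresolved review thread(s)")
    if rule.require_linear_history and pr.merge_method == "merge":
        found.append("merge commits are not allowed; squash or rebase instead")
    return found


def merge_decision(rule: Protection, pr: PullRequest) -> tuple:
    """Return (allowed, violations). In a ruleset's "evaluate" mode the
    violations are reported for review but the merge is not blocked."""
    found = violations(rule, pr)
    if rule.enforcement == "evaluate":
        return True, found
    return not found, found


def direct_push_allowed(rule: Protection, actor: str) -> bool:
    """"Restrict who can push": with an allow-list set, only listed actors may push."""
    return not rule.restrict_push_to or actor in rule.restrict_push_to


if __name__ == "__main__":
    rule = Protection(required_approvals=2, required_status_checks=("ci/test",))
    pr = PullRequest(head_sha="c2",
                     approvals={"alice": "c1", "bob": "c2"},   # alice reviewed before the last push
                     checks={"ci/test": "success"})
    print(merge_decision(rule, pr))   # (False, ['needs 2 approval(s), has 1'])
```

The stale-review case is the one exam candidates most often get wrong: two reviewers approved, but one approval predates the latest commit, so with "Dismiss stale reviews" enabled the PR is still one approval short.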
Security Features
Secret Scanning
Secret scanning automatically detects accidentally committed secrets (API keys, tokens, passwords):
| Tier | Behavior |
|---|---|
| Default (public repos) | Scans pushed commits, alerts the token provider |
| Secret scanning alerts (private) | Org/repo admins see alerts in the Security tab |
| Push protection | Blocks the push if a secret is detected (before it lands in history) |
Push Protection
With push protection enabled, GitHub blocks the git push if it detects a secret, preventing it from ever entering the commit history.
Dependabot
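The following is an added example, not GitHub's detector, of what a push-protection style check does: it scans only the added lines of a diff (the content that would enter history) for a few well-known token shapes and blocks the push on any hit. The regexes are illustrative (the `ghp_` and `AKIA` prefixes are the documented formats of classic GitHub PATs and AWS access key IDs), the sample diff and its credential values are constructed and invalid, and the function names are my own.

```python
import re

# Illustrative detector patterns (this is an added example, not GitHub's own
# pattern set). "ghp_" + 36 characters and "AKIA" + 16 characters are the
# documented shapes of classic GitHub PATs and AWS access key IDs; the last
# pattern matches a PEM private-key banner.
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def redact(secret: str) -> str:
    """Keep only a short prefix so an alert can be triaged without re-leaking the value."""
    return secret[:6] + "****"


def scan_diff(diff_text: str) -> list:
    """Scan the added ('+') lines of a unified diff and return one finding per match."""
    findings = []
    current_file = None
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        if line.startswith("+++ "):            # new-file header, not content
            current_file = line[4:].removeprefix("b/")
            continue
        if not line.startswith("+"):           # context and removed lines are ignored
            continue
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(line[1:]):
                findings.append({
                    "file": current_file,
                    "diff_line": lineno,
                    "type": name,
                    "redacted": redact(match.group()),
                })
    return findings


def push_allowed(diff_text: str) -> bool:
    """Push-protection style decision: a single finding blocks the whole push."""
    return not scan_diff(diff_text)


# Constructed sample diff with two fake credentials (the values are made up
# to match the token shapes and are not real secrets).
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,4 @@
 DEBUG = False
-TOKEN = None
+TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
+AWS_KEY = "AKIAEXAMPLEKEY000000"
 TIMEOUT = 30
"""

if __name__ == "__main__":
    for finding in scan_diff(SAMPLE_DIFF):
        print(f"{finding['file']}:{finding['diff_line']} {finding['type']} {finding['redacted']}")
    print("push allowed:", push_allowed(SAMPLE_DIFF))
```

The point of scanning before the push, rather than after, is the one the callout makes: once a secret is in history it has to be treated as compromised and rotated even if the commit is later removed, so a block at push time is cheaper than any cleanup.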
Dependabot automates dependency security:
| Feature | What it does |
|---|---|
| Dependabot alerts | Notifies you when a dependency has a known vulnerability (CVE) |
| Dependabot security updates | Automatically opens PRs to update vulnerable dependencies |
| Dependabot version updates | Automatically opens PRs to keep dependencies up-to-date |
Configured via .github/dependabot.yml:

```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
```

Code Scanning (GHAS)
Code scanning uses CodeQL or third-party tools to find security vulnerabilities in code. Available on:
- Public repos (free)
- Private repos with GitHub Advanced Security (GHAS)
Organizations, Teams, and Permissions
Organization Structure

```text
Organization
├── Teams
│   ├── Team A (members + repos)
│   └── Team B (members + repos)
├── Repositories
└── Members (roles)
```

Organization Roles
| Role | Capabilities |
|---|---|
| Owner | Full admin access to org and all repos |
| Member | Access to repos based on team membership |
| Outside Collaborator | Access to specific repos only, not org member |
| Billing Manager | Manage billing only |
Repository Permission Levels
| Level | Can do |
|---|---|
| Read | View and clone repo |
| Triage | Manage issues and PRs (no code push) |
| Write | Push to branches, manage issues/PRs |
| Maintain | Manage repo settings (no destructive actions) |
| Admin | Full control, including destructive actions |
Exam Tip
Teams grant repository access at a permission level. Org members inherit the base permission level set by the org admin. Individual permissions can override team permissions (highest wins).
Teams
Teams group org members and can be:
- Visible: all org members can see the team and @mention it
- Secret: only team members and org owners can see it
Teams can be nested (parent/child hierarchy) and support @org/team-name mentions.
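The "highest wins" rule from the Exam Tip above, together with nested teams and outside collaborators, is easier to reason about as a resolver. This is an added example written for this guide, not GitHub's implementation; the organisation data, user and repository names are constructed, and the dictionary layout is my own.

```python
# Permission levels ordered from weakest to strongest; "none" means no access.
LEVELS = ("none", "read", "triage", "write", "maintain", "admin")
RANK = {level: i for i, level in enumerate(LEVELS)}


def effective_permission(org: dict, user: str, repo: str) -> str:
    """Resolve a user's permission on one repository: the highest grant wins."""
    if user in org["owners"]:                     # owners have admin on every repo
        return "admin"
    grants = ["none"]
    if user in org["members"]:                    # outside collaborators get no base permission
        grants.append(org["base_permission"])
    for name, team in org["teams"].items():
        if user not in team["members"]:
            continue
        # Members of a child team also receive the parent team's repository access,
        # so walk up the parent chain and collect every grant on the way.
        current = name
        while current is not None:
            grants.append(org["teams"][current]["repos"].get(repo, "none"))
            current = org["teams"][current].get("parent")
    grants.append(org["direct"].get(repo, {}).get(user, "none"))   # individual grant
    return max(grants, key=RANK.__getitem__)


# Constructed organisation: names and repositories are made up for the example.
ORG = {
    "owners": {"eve"},
    "members": {"alice", "bob", "dave", "eve"},
    "base_permission": "read",
    "teams": {
        "backend":        {"members": {"bob"},  "repos": {"api": "write"}, "parent": None},
        "backend-oncall": {"members": {"dave"}, "repos": {},               "parent": "backend"},
    },
    # Direct (per-user) collaborator grants; carol is not an org member.
    "direct": {"api": {"alice": "admin", "carol": "triage"}},
}

if __name__ == "__main__":
    for user in ("alice", "bob", "dave", "carol", "eve"):
        print(user, "api:", effective_permission(ORG, user, "api"),
              "web:", effective_permission(ORG, user, "web"))
```

Two cases worth noting: bob holds write on api through his team but only the org base permission (read) on web, and carol, as an outside collaborator, sees nothing on web at all because the base permission applies to org members only.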