Is GitHub secure?
GitHub has security features that help keep code and secrets secure in repositories and across organizations. Some features are available for repositories on all plans. Additional features are available to enterprises that use GitHub Advanced Security.
GitHub is a Trusted Cloud Provider™ with the Cloud Security Alliance (CSA). GitHub has completed the self-assessment of the Consensus Assessment Initiative Questionnaire (CAIQ) required for Level 1 of the CSA STAR Registry.
GitHub supports several options for 2FA, and while any of them is better than nothing, the most secure option is a WebAuthn credential. WebAuthn requires an authenticator such as a FIDO2 hardware security key, a platform authenticator like Windows Hello, an Apple or Google phone, or a password manager.
GitHub does not provide issues-only access permissions, but you can accomplish this using a second repository which contains only the issues. Create a private repository to host the source code from your project. Create a second repository with the permissions you desire to host the issue tracker.
Public repositories are accessible to everyone on the internet. Private repositories are only accessible to you, people you explicitly share access with, and, for organization repositories, certain organization members.
One major drawback is cost. Although GitHub offers free accounts, its paid plans can be quite expensive, particularly for individuals and small teams. This can limit access to some of the more advanced features and tools, making it difficult to customize the platform to specific needs.
We do not sell your personal information and we do not display advertising on GitHub. We provide ways for you to access, alter, or delete your personal information.
Code scanning is available for all public repositories on GitHub.com. Code scanning is also available for private repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security. For more information, see "About GitHub Advanced Security."
Never hardcode authentication credentials like tokens, keys, or app-related secrets into your code. Instead, consider using a secret manager such as Azure Key Vault or HashiCorp Vault. For more information about securing GitHub App credentials, see "Best practices for creating a GitHub App."
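As an added illustration of the advice above (example code, not GitHub's own), the block below shows the two halves of the practice: reading GitHub App credentials from the environment, where a secret manager such as Azure Key Vault or HashiCorp Vault would inject them, and a small pre-commit style scanner that flags token-shaped literals and PEM private keys in source text. The environment variable names `GITHUB_APP_ID` and `GITHUB_APP_PRIVATE_KEY` are assumptions for this example, the sample source strings are constructed, and the token placeholder is not a real credential.

```python
import re
from dataclasses import dataclass
from typing import List, Mapping, Tuple

# Prefixes GitHub uses for its token formats (ghp_ personal access tokens,
# gho_ OAuth tokens, ghu_/ghs_ GitHub App user/server tokens, ghr_ refresh
# tokens, github_pat_ fine-grained tokens). The minimum length after the
# prefix is an assumption chosen for this example, not a GitHub guarantee.
SECRET_PATTERNS = {
    "github-token": re.compile(
        r"\b(?:gh[pousr]_[A-Za-z0-9]{20,}|github_pat_[A-Za-z0-9_]{20,})\b"
    ),
    "private-key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}


@dataclass(frozen=True)
class AppCredentials:
    app_id: str
    private_key_pem: str


def load_app_credentials(env: Mapping[str, str]) -> AppCredentials:
    """Read GitHub App credentials from the environment (populated by a
    secret manager or CI secret store) so that no secret literal lives in
    the code base. Variable names are hypothetical for this example."""
    try:
        app_id = env["GITHUB_APP_ID"]
        pem = env["GITHUB_APP_PRIVATE_KEY"]
    except KeyError as missing:
        # Fail closed: a missing credential should stop startup, not fall
        # back to some default value embedded in the source.
        raise RuntimeError(f"missing required setting {missing}") from None
    if "PRIVATE KEY-----" not in pem:
        raise RuntimeError("GITHUB_APP_PRIVATE_KEY does not look like a PEM key")
    return AppCredentials(app_id=app_id, private_key_pem=pem)


def redact(secret: str) -> str:
    """Keep only a short prefix so a report never re-leaks the value."""
    return secret[:8] + "..." if len(secret) > 8 else "***"


def find_hardcoded_secrets(source: str) -> List[Tuple[int, str, str]]:
    """Scan source text line by line; return (line_no, kind, redacted_value)
    for every token-shaped literal or PEM private key header found."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((line_no, kind, redact(match.group(0))))
    return findings


# Constructed samples for the scanner. FAKE_TOKEN only has the *shape* of a
# personal access token; it is not a real credential.
FAKE_TOKEN = "ghp_" + "X" * 36
BAD_SOURCE = f'''import requests

TOKEN = "{FAKE_TOKEN}"  # hardcoded: should never be committed
'''
GOOD_SOURCE = '''import os

TOKEN = os.environ["GITHUB_TOKEN"]  # injected at runtime, nothing to leak
'''

if __name__ == "__main__":
    for finding in find_hardcoded_secrets(BAD_SOURCE):
        print("hardcoded secret:", finding)
    print("clean source findings:", find_hardcoded_secrets(GOOD_SOURCE))
```

The scanner is deliberately narrow (documented token prefixes and PEM headers) so it can run as a fast pre-commit hook; a dedicated tool such as GitHub's own secret scanning covers many more credential formats and should be enabled alongside it.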
GitHub claims it is used by over 4 million organizations and more than 100 million developers [2].
What is the controversy with GitHub?
Harassment allegations
In March 2014, GitHub programmer Julie Ann Horvath alleged that founder and CEO Tom Preston-Werner and his wife, Theresa, engaged in a pattern of harassment against her that led to her leaving the company. In April 2014, GitHub released a statement denying Horvath's allegations.
In rare cases of very widespread abuse of dual-use content, we may restrict access to that specific instance of the content to disrupt an ongoing unlawful attack or malware campaign that is leveraging the GitHub platform as an exploit or malware CDN.
In the menu, click Settings to access the project settings. Next to Visibility in the "Danger zone", select Private or Public.
If your project is hosted on GitHub, you can view how many people land on your project and where they come from. From your project's page, click “Insights”, then “Traffic”.
When you enable the activity overview section on your profile, viewers can see more information about the types of contributions you make and repositories you're most active in. A viewer can only see information in the activity overview about repositories they have read access to.
Collaborators on a personal repository can pull (read) the contents of the repository and push (write) changes to the repository. Note: In a private repository, repository owners can only grant write access to collaborators. Collaborators can't have read-only access to repositories owned by a personal account.
If you subscribe to the GitHub Free plan, you can start using the available features and it is free forever. This plan is not a trial version but rather a brief look at the software and all that it can offer. In the Free plan, you will get access to: unlimited public/private repositories.
Should I upload these small projects to my GitHub profile to show them to the company I'd like to work with? Short answer is yes, upload all your projects to GitHub. It's free, and can help you at least back up your work and keep track of its development over time.
"But lately, we have observed the increasing use of the GitHub open-source development platform for hosting malware." Legitimate public services are known to be used by threat actors for hosting malware and acting as dead drop resolvers to fetch the actual command-and-control (C2) address.
If you want others to use, distribute, modify, or contribute back to your project, you need to include an open source license. For example, someone cannot legally use any part of your GitHub project in their code, even if it's public, unless you explicitly give them the right to do so.
Are GitHub files scanned for viruses?
When you push a commit to a repository, GitHub scans the files for viruses using the ClamAV antivirus engine. If a virus is found, GitHub will quarantine the file and notify you of the issue. This helps to maintain the security and integrity of the platform.
You can upload a variety of projects on GitHub, including small projects, important code snippets, or even larger projects. GitHub is a platform for version control and collaboration, so it's a great place to showcase your work and contribute to the open-source community.
If Git prompts you for a username and password every time you try to interact with GitHub, you're probably using the HTTPS clone URL for your repository. Using an HTTPS remote URL has some advantages compared with using SSH. It's easier to set up than SSH, and usually works through strict firewalls and proxies.
The safest and easiest place to store your passwords is in a password manager such as Dashlane or 1Password. A password manager is an application that stores all your passwords in an encrypted database, which can only be unlocked with a single master password.
Just like any other version control system, Git stores your committed files under a directory on the server like github/users/username/repositoryname. Under this directory are the most updated files, which are an exact copy of your local clone. GitHub uses Git, which can be seen as an object data storage.