GitHub is the largest and most popular version control platform on the planet. It has more than 40 million users and over 190 million repositories.
GitHub is safe to use, but it was built for collaboration, not security, so you must actively take steps to keep your code and your account safe and to avoid running dangerous code. Making a repo private keeps prying eyes out, but that is only one side of the equation.
Version control is one of the many skills you need as a developer and using GitHub forms an enormous part of that.
Let’s take a look at how safe GitHub is and what you can do to avoid running into security issues on the platform. If you are uploading all of your projects to one place, you want to know whether it is safe.
Is GitHub safe to use for developers?
Platforms like GitHub, StackOverflow, and WordPress are just tools. How we decide to use them has a massive impact on whether GitHub is safe to use or not. If you don’t do things the right way and leave yourself exposed, then using GitHub can be dangerous.
Overall, GitHub is secure, and when used correctly it is an incredibly powerful tool. Version control can make or break a software project, so make sure you follow Git best practices.
Security issues can present themselves in a few ways when using GitHub, and as a developer you need to be on the lookout.
GitHub itself is safe to use, but you can run into problems if you download code from a repository you are not familiar with.
You should be cautious of anything you download to your computer and GitHub repos are no different.
Malicious code can be hidden inside a repo and do nothing until you build, install or run the code locally. It does not even have to wait for you to launch the program: package managers run lifecycle scripts automatically (npm executes a postinstall script during npm install, pip runs setup.py during pip install), and a Makefile or build script can run any command the author chose.
A payload planted there can log keystrokes, read your SSH keys and stored credentials, or send other personal information to the attacker, and it is easy to miss because it sits alongside legitimate setup code.
If you are in any doubt about the repo you’re pulling down locally, run it through a virus scanner before building it. Scanners match known malware signatures and will often miss a few lines of malicious source, so this lowers the chance of your machine being infected but does not replace reading the install and build scripts yourself.
Using GitHub can become unsafe if you don’t take the proper security precautions in terms of passwords and sensitive information.
In May 2019, hundreds of GitHub repositories were wiped and held for ransom by an attacker who had gained access to people’s accounts. The attacker exploited weak passwords and took advantage of .DS_Store files created by macOS. Those files contain directory listings, and when they are accidentally published on a web server they can lead an attacker to other exposed files, such as a .git/config holding a credential in a remote URL.
Many of the targeted accounts also didn’t have two-factor authentication enabled, which made getting in easier. On top of that, the owners weren’t following Git best practices and had left their repos open to anyone who found those credentials.
In reality, most security flaws in GitHub come from the user. PEBKAC, or “problem exists between keyboard and chair” springs to mind. Due diligence can help prevent most issues.
Can Viruses be uploaded to GitHub?
Malware can easily be uploaded to GitHub because it is just a collaboration platform: GitHub doesn’t run antivirus scans on the files you push. Its Acceptable Use Policies forbid using the platform to deliver malware or run attacks, but that is enforced through reports and takedowns after the fact, not by scanning uploads.
It is your job as the developer to download the repo and run antivirus scans.
Some repositories host malware deliberately, for research: they enable people to analyze samples and understand how they operate.
Be careful though, as everything in these repos is live and dangerous!
Unfortunately, most malicious code on GitHub isn’t for educational purposes. A lot of malware is hidden in tools that seem perfectly normal.
Any virus or malware can sit in a GitHub repo until someone reports it, so whether GitHub is dangerous or not will depend on how you use it.
Large software companies host their code on GitHub every day without trouble, so in the right hands GitHub is safe to use.
Is it safe to download from GitHub?
In general, it is safe to download from GitHub: it is a reputable platform for hosting and sharing software projects, and most repositories are exactly what they claim to be. To make sure you are downloading from trustworthy sources, keep a few things in mind:
- Check the repository owner: Before downloading anything from GitHub, check the profile of the person or organization who owns the repository. If it is an organization with a verified domain, or an account with a long history of activity on GitHub, the repository is more likely to be safe; a freshly created account with a single repo deserves more scrutiny.
- Read the README: Most GitHub repositories include a README file that provides important information about the project, including how to download and install it. Take the time to read the README and make sure that the instructions are clear and that the repository is suitable for your needs.
- Look for active development: If a repository hasn’t been updated in a long time, it may be a sign that it is no longer being actively maintained. This could mean that there are security vulnerabilities that have not been addressed, so it’s important to be cautious.
- Check for security warnings: GitHub’s Dependabot alerts notify repository maintainers about known vulnerabilities in third-party dependencies. Those alerts are only visible to people with access to the repository’s security settings, so as an outsider you can’t see them; run the checks yourself against the lockfile (for example with npm audit or pip-audit) and look at whether the maintainers respond to reported issues.
- Use caution with third-party code: Many GitHub repositories pull in third-party libraries and dependencies, each of which can carry its own vulnerabilities, and a lockfile or an install script can pull in packages the README never mentions. Review what gets installed, not just the repository’s own source.
Downloading from GitHub should be safe if you take the time to do your due diligence by following these best practices.
6 ways for developers to stay safe on GitHub
There are a few tips and tricks to make sure that GitHub is safe to use. By following the below you can lower your chances of downloading malware or a virus, and improve overall security.
1. Use a virus scanner
You can’t guarantee anything you download from the internet is safe without passing it through a virus scanner.
If you don’t know the developers behind a repo or don’t trust the content, always give it a once-over with malware detection software before running it.
NordVPN offers a fantastic virus scanner that gets the job done and protects your downloading. I highly recommend it.
2. Protect your login credentials
As we discussed earlier in the article, the major ransom attack on GitHub was made possible by lax login credentials.
Developers were using passwords that were easy to crack, or had left credentials where attackers could find them, and this gave the attacker access to their repositories.
- Enable two-factor authentication to give you that extra protection against nefarious actors; a hardware security key or a passkey is stronger than codes sent by SMS, which can be phished or intercepted.
- Use a long, unique password that you don’t use on other platforms, ideally generated and stored by a password manager.
- Don’t use your account password for Git operations at all: authenticate over SSH with a key, or over HTTPS with a personal access token scoped to the repositories it needs, and revoke tokens you no longer use.
3. Tighten your repo settings
For important code, you should probably be using a private repository. Public repos are visible to everyone and can be cloned down effortlessly.
Not great if you have been working on the next big idea.
- Keep the work you want to keep secret inside a private repo. These are hidden from everyone you have not explicitly invited and give you greater control.
- Only give developers working on the project access to the repo, and give them the lowest role that lets them do their job.
- Always revoke access when someone leaves the project, and rotate any shared secrets, deploy keys or tokens they could have seen.
Always double-check your repo settings at the start of a project to avoid headaches down the line.
4. Remove sensitive data
When you’re new to coding it can be easy to forget the importance of API keys and other sensitive information.
Keep this data out of the repository altogether: read keys from environment variables or a secrets manager at runtime, list local files such as .env in .gitignore, and treat any key that has ever been committed to a public repo as compromised. Deleting the commit does not help, because clones and forks keep the old history, so rotate the key instead.
Making your API keys publicly available can have enormous financial costs. At the time of writing, Google Maps API costs $7 per 1000 requests.
If someone has your key and hits this endpoint hundreds of thousands of times, you may be in big trouble financially.
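The pre-commit check below is an added example written for this article; it is not code from GitHub, from Git or from Developer Pitstop. It refuses a commit when a staged file contains something shaped like a known credential, using the public formats of AWS access key IDs, GitHub personal access tokens, Google API keys, private key blocks and passwords embedded in URLs. The sample config.py text, the file names and the allow-secret opt-out marker are constructed for the illustration.

```python
"""Pre-commit secret scan: block a commit whose staged files look like they
contain credentials.

Added example for this article, not code from GitHub, Git or the author.
The patterns are the public formats of a few common credential types; the
sample text below is constructed for illustration.
"""
import re
import subprocess
import sys
from typing import List, Tuple

# (label, pattern). Deliberately short; extend it for the services you use.
SECRET_PATTERNS = [
    ("AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("GitHub personal access token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("Google API key", re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b")),
    ("Private key block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    ("Credential in URL", re.compile(r"\b[a-z][a-z0-9+.\-]*://[^/\s:@]+:[^/\s:@]+@")),
]

Finding = Tuple[str, int, str]  # (file name, 1-based line number, label)


def scan_text(name: str, text: str) -> List[Finding]:
    """One finding per (line, pattern) hit. A line carrying the marker
    'allow-secret' is skipped so test fixtures can opt out explicitly and visibly."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if "allow-secret" in line:
            continue
        for label, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append((name, lineno, label))
    return findings


def staged_files() -> List[str]:
    """Paths staged for commit (added, copied or modified; deletions have nothing to scan)."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout
    return [p for p in out.splitlines() if p]


def scan_staged() -> List[Finding]:
    findings: List[Finding] = []
    for path in staged_files():
        try:
            with open(path, encoding="utf-8", errors="ignore") as fh:
                findings.extend(scan_text(path, fh.read()))
        except OSError:
            continue  # unreadable on disk; review it by hand
    return findings


# Constructed sample of a careless config file (the AWS value is Amazon's
# documented placeholder key; the other values are made up).
SAMPLE_CONFIG = "\n".join([
    "import os",
    'MAPS_KEY = "AIzaSyA1234567890abcdefghijklmnopqrstuv"   # hard-coded Google key',
    'AWS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'DB_URL = "postgres://app:hunter2@db.internal/app"',
    'GOOD_KEY = os.environ["MAPS_KEY"]                      # read at runtime instead',
    'TEST_TOKEN = "ghp_' + "a" * 36 + '"  # allow-secret: fake token for unit tests',
])


def main() -> int:
    """Hook entry point: print every finding and return 1 to abort the commit."""
    findings = scan_staged()
    for name, lineno, label in findings:
        print(f"{name}:{lineno}: looks like a {label}; remove it or mark the line allow-secret")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Save it as .git/hooks/pre-commit (and make it executable) in each clone, since hooks are not pushed with the repository; GitHub’s own secret scanning and push protection are the server-side equivalent. A pattern list is a safety net, not a guarantee: a key with an unfamiliar format will slip through, and a key that has already been pushed has to be rotated, not just removed.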
5. Look to the community
Repos on GitHub have some useful metrics that let you gauge the community’s sentiment towards a project. They can tell you almost immediately whether the code is likely to be safe, although none of them is proof on its own.
- Contributors and commits – This tells you how many people work on the project. There is safety in numbers: the bigger the team, the less likely you are dealing with a single anonymous account that uploaded a malicious repo.
- Stars – The number of stars tells you how interested the wider community is in the project. It’s essentially a reputation system, and the more people are interested, the safer it generally is to use. Bear in mind that stars can be bought or inflated by fake accounts, so treat a high count on a brand-new repo with few contributors as a reason to look closer, not as a green light.
- Activity – Is the project being supported? Are the maintainers fixing bugs and shipping patches? The more active a repo is, the better. You don’t want to use a package that stopped being supported years ago.
6. Inspect the repository
It’s a manual process and will eat into your time, but the last line of defense against malicious code is to inspect what you are downloading. There is no better way to verify that a repo is safe than crawling through its files and looking for malicious code, starting with anything that runs on its own: install hooks and lifecycle scripts, build files, CI workflow definitions and any prebuilt binaries checked into the repo.
This option is the least practical and most difficult to do, especially as a new developer. I’d highly recommend implementing the other tips and leaving this as a complete last resort.
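The script below is an added example written for this article, not code from GitHub or from the author. It does the first pass of the manual inspection described in this section and picks out the kind of code that, as noted earlier, runs before you ever launch the program: npm lifecycle scripts in package.json, a setup.py that pip executes on install, VS Code tasks configured to run when the folder is opened, and prebuilt binaries that cannot be reviewed as source. The sample repository it builds in a temporary directory, and every file in it, are constructed for the illustration; the list of checks is a starting point, not an exhaustive one.

```python
"""Triage a fresh clone for code that runs before you ever launch the program:
install hooks, build scripts, editor auto-run tasks and opaque binaries.

Added example for this article, not code from GitHub or the author. The
checks are a starting list, not an exhaustive one, and the sample repository
built below is constructed for illustration.
"""
import json
import os
import tempfile
from typing import List, Tuple

# npm runs these scripts automatically during `npm install` (documented npm lifecycle events).
NPM_AUTORUN = ("preinstall", "install", "postinstall", "prepare")
# Formats you cannot read as source; treat them as untrusted until you can rebuild them.
BINARY_EXT = (".exe", ".dll", ".so", ".dylib", ".jar", ".pyc", ".bin")

Finding = Tuple[str, str]  # (path relative to the repo root, reason)


def check_package_json(path: str) -> List[str]:
    try:
        with open(path, encoding="utf-8") as fh:
            scripts = json.load(fh).get("scripts", {})
    except (OSError, ValueError):
        return ["package.json could not be parsed; inspect it by hand"]
    return [f"npm runs '{k}' during install: {scripts[k]}" for k in NPM_AUTORUN if k in scripts]


def check_vscode_tasks(path: str) -> List[str]:
    """A VS Code task with runOptions.runOn == "folderOpen" starts when the folder is opened."""
    try:
        with open(path, encoding="utf-8") as fh:
            tasks = json.load(fh).get("tasks", [])
    except (OSError, ValueError):  # tasks.json may contain comments that strict JSON rejects
        return ["tasks.json could not be parsed; inspect it by hand"]
    return [
        f"editor task '{t.get('label', '?')}' auto-runs on folder open: {t.get('command')}"
        for t in tasks if t.get("runOptions", {}).get("runOn") == "folderOpen"
    ]


def find_autorun(root: str) -> List[Finding]:
    """Walk the checkout and collect every place where code would execute on its own."""
    findings: List[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules")]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name == "package.json":
                findings += [(rel, r) for r in check_package_json(full)]
            elif name == "setup.py":
                findings.append((rel, "setup.py executes arbitrary Python during `pip install .`"))
            elif name == "tasks.json" and os.path.basename(dirpath) == ".vscode":
                findings += [(rel, r) for r in check_vscode_tasks(full)]
            elif name.lower().endswith(BINARY_EXT):
                findings.append((rel, "prebuilt binary: cannot be reviewed as source"))
    return sorted(findings)


# Constructed sample repository: a legitimate-looking project with three
# places where code runs without the user starting the app.
SAMPLE_FILES = {
    "package.json": json.dumps({"name": "demo", "scripts": {
        "postinstall": "node scripts/setup.js", "test": "jest"}}),
    "setup.py": "from setuptools import setup\nsetup(name='demo')\n",
    ".vscode/tasks.json": json.dumps({"version": "2.0.0", "tasks": [{
        "label": "warmup", "type": "shell", "command": "sh ./warmup.sh",
        "runOptions": {"runOn": "folderOpen"}}]}),
    "vendor/helper.dll": "MZ not really a binary, just a placeholder",
    "README.md": "# demo\n",
    "src/app.js": "console.log('hello')\n",
}


def build_sample_repo(root: str) -> None:
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo() -> List[Finding]:
    with tempfile.TemporaryDirectory() as root:
        build_sample_repo(root)
        return find_autorun(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Point find_autorun at the root of a clone (saved as, say, triage.py and run before npm install, pip install or opening the folder in an editor). A finding is not proof of malice, since postinstall scripts are common in honest packages, but each one is a place to read the referenced script rather than trust the README.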
GitHub is as safe to use as you make it. If you are reckless with your repositories and don’t take care of your passwords, then you could fall prey to hackers.
However, if you follow Git guidelines and make sure your repo settings are locked in tight, GitHub is perfectly secure and safe.
Nathan Britten, the founder and editor of Developer Pitstop, is a self-taught software engineer with nearly five years of experience in front-end technologies. Nathan created the site to provide simple, straightforward knowledge to those interested in technology, helping them navigate the industry and better understand their day-to-day roles.