Tech & Engineering Blog

Exposed Repository: Fixing the Accidental Public Repo Breach

Have you ever had a security incident due to a GitHub organization member accidentally creating a repository in his personal account instead of under the organization?

We have been using GitHub for over six years, so we have had the issue more than once. Usually, it's a private repository. The member notices it and transfers it to the organization.

But what if they made a double mistake by making it public? Now, your code is exposed to the world of git crawlers until you notice.

The two common sources of this problem are: A developer push-create a new repository from their device. A developer uses the UI and doesn't notice they work in the private workspace.

The problem is there is no way to monitor and find these issues in time, since the organization can't monitor actions on the member's private account.

To fix that gap, we created a GitHub Application that scans the organization's member's public repository list and sends an alert if the app finds a new one (with some tweaks to avoid being too noisy - the details are in the code).

We are sharing this as an open-source tool hoping the community will extend it.