# GitHub Security

## Motivation


Learning about GitHub security features will help protect your repositories from unauthorized access and potential vulnerabilities, ensuring the integrity of your code. It also provides a safer environment for collaboration, as you'll be able to manage access levels and permissions effectively. In this lesson we will learn to:

- Set up Two-Factor Authentication (2FA) to make your account more secure
- Interact with your repositories using *SSH* keys, which allows you to connect securely without relying on a username or password
- Understand GitHub's role-based access, and how to invite people to collaborate on your project

## Two-Factor Authentication

*Two-Factor Authentication* (2FA) adds an extra layer of security to your GitHub account by requiring not just a password, but also an additional piece of information that only you would have access to. This could be a code generated by an application on your smartphone, or a physical device that generates authentication codes. By enabling 2FA, you significantly decrease the risk of unauthorized access to your account, even if someone else obtains your password. This is especially important on GitHub, where your account could be associated with important codebases, sensitive information, and administrative privileges.



To set up 2FA, follow these steps:

1. Navigate to your GitHub account settings by clicking your profile photo in the upper-right corner of any page, and then clicking **Settings**
2. In the user settings sidebar, click on **Account security**
3. Click on the **Enable two-factor authentication** button
4. You will be asked to enter your password to continue. Do this and click **Confirm password**.
5. You'll be presented with two options for 2FA: via an authenticator app (like Google Authenticator or Authy, which you will have to download) or via SMS. Choose your preferred method and follow the on-screen instructions.

<br><p align=center><img src=images/setup_2FA.gif width=900></p><br>


### Backup Methods for Two-Factor Authentication

While setting up 2FA, it is important to establish backup methods in case you lose access to your primary method. GitHub offers two types of backup methods:

- **Recovery codes:** GitHub generates a set of recovery codes that you can use to regain access to your account. These should be stored in a secure location, such as a password manager or secure physical storage. Each recovery code can only be used once, and GitHub will generate a new set whenever you choose to.

- **SMS backup:** If you set up 2FA using an app, GitHub will also allow you to set up an SMS number as a backup option. In case you lose access to your authenticator app, GitHub can send a code via SMS to this number.

Remember to treat your backup methods as sensitively as you would your primary authentication method. While they provide a safety net, they could also be used to gain unauthorized access to your account if they were to fall into the wrong hands.



## SSH Keys and GitHub

Secure Shell (SSH) keys are a way to identify trusted computers without involving passwords. The technology is used to securely connect to remote servers, like the ones that host your GitHub repositories. An SSH key pair comprises two keys: a private key, which you should guard carefully and never expose, and a public key, which you can share freely. When you try to connect to a server, the server issues a challenge that can only be answered with the matching private key; answering it proves your identity without the private key ever leaving your machine.

When you connect to GitHub from Git, you have the choice of using SSH or HTTPS. If you have an SSH key linked to your GitHub account, you can use SSH URLs for your repositories, which look like this: `git@github.com:username/repo.git`. When you use SSH URLs, your interaction with GitHub is authenticated using your SSH key, rather than asking you for your username and password each time. This can make managing multiple repositories much smoother and more secure.


**Adding an SSH Key to your GitHub Account**

To generate an SSH key pair and add it to your GitHub, you can use the `ssh-keygen` tool that comes with the SSH package on Linux/Mac systems, or Git Bash on Windows. Here's how:

1. Open Terminal
2. Paste the text below: `ssh-keygen -t rsa -f ~/example-key -C your@email.com`. Replace the path after the `-f` flag with the file path where you want to save your key, and replace the email after the `-C` flag with your GitHub email address.
3. At the prompt, type a secure passphrase (recommended)

<br><p align=center><img src=images/keygen.gif width=700></p><br>

This will generate a new SSH key pair at the specified location with the comment as your email.

4. To add the public key to your GitHub account, first copy the key to your clipboard using the following command on macOS (Linux does not ship `pbcopy`; `cat ~/example-key.pub` prints the key so you can copy it from the terminal):

```bash
pbcopy < ~/example-key.pub
```

Or on Windows / Git Bash:

```bash
clip < ~/example-key.pub
```
5. Then navigate to your GitHub page, and in the top right corner, click your profile photo, then click **Settings**
6. In the user settings sidebar, click **SSH and GPG keys**
7. Click **New SSH key**
8. In the **Title** field, add a descriptive label for the new key. For example, if you're using a personal Mac, you might call this key "Personal MacBook Air".
9. Paste your key into the **Key** field.
10. Click **Add SSH key**

<br><p align=center><img src=images/add_pubkey.gif width=900></p><br>
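Before pasting, it is worth confirming that the clipboard holds the public half of the pair (never the private key) and seeing the fingerprint GitHub will display next to the key. The checker below is an added example, not part of this lesson: it parses an OpenSSH public-key line, verifies that the `ssh-ed25519`/`ssh-rsa` prefix matches the type encoded inside the base64 blob, reports the key size, and computes the `SHA256:` fingerprint in the same form as `ssh-keygen -lf`. The sample key is constructed (all-zero key bytes) and is not a real key.

```python
import base64
import hashlib
import struct

# Constructed sample: a valid ssh-ed25519 wire format whose 32 key bytes are all zero.
SAMPLE_ED25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI" + "A" * 43 + " your@email.com"


def _read_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then that many bytes."""
    if len(blob) - offset < 4:
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def fingerprint_sha256(blob):
    """SHA256:<unpadded base64>, the format shown by ssh-keygen -lf and on the GitHub keys page."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_public_key(line):
    """Validate '<type> <base64> [comment]' and return type, comment, bits and fingerprint."""
    line = line.strip()
    if line.startswith("-----BEGIN"):
        raise ValueError("this is a private key or certificate, not the .pub file")
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, comment = parts[0], parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(parts[1], validate=True)
    wire_type, offset = _read_string(blob, 0)
    if wire_type.decode() != key_type:  # prefix and encoded type must agree
        raise ValueError(f"prefix {key_type!r} does not match encoded type {wire_type!r}")
    fields = []
    while offset < len(blob):  # ed25519: one field (key); rsa: two mpints (e, n)
        field, offset = _read_string(blob, offset)
        fields.append(field)
    if key_type == "ssh-ed25519" and len(fields) == 1 and len(fields[0]) == 32:
        bits = 256
    elif key_type == "ssh-rsa" and len(fields) == 2:
        bits = int.from_bytes(fields[1], "big").bit_length()  # modulus size = key size
    else:
        raise ValueError(f"malformed or unsupported key of type {key_type!r}")
    return {"type": key_type, "comment": comment, "bits": bits,
            "fingerprint": fingerprint_sha256(blob)}


def is_safe_to_paste(line):
    """True only for a well-formed public key line; False for private keys or garbage."""
    try:
        parse_public_key(line)
        return True
    except ValueError:
        return False


def build_public_key_line(key_type, fields, comment=""):
    """Inverse of the parser (constructs test inputs; an mpint is big-endian with a 0x00 pad if the high bit is set)."""
    blob = b"".join(struct.pack(">I", len(f)) + f for f in [key_type.encode(), *fields])
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".rstrip()


if __name__ == "__main__":
    print(parse_public_key(SAMPLE_ED25519))
```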



## Understanding GitHub Role-Based Access Control

GitHub uses a role-based access control system to manage permissions within a repository. This means users are assigned to roles and permissions are then associated with these roles. There are three main roles: *Owner*, *Collaborator*, and *Contributor*. 

- **Owner:** Owners have full control over the repository, including sensitive operations like deleting the repository or managing access and permissions. In personal repositories, the owner is the account that created the repository. In organisation repositories, owners are team members with owner-level access.

- **Collaborator:** Collaborators are individuals who have been granted read, write, or admin permissions by the repository owner. In addition to the abilities of regular users, collaborators can directly push to and pull from the repository, accept or close pull requests, manage issues, and review and comment on commits. They can also create, manage, and delete branches within the repository.

- **Contributor:** Contributors are anyone who interacts with the repository by submitting pull requests or commenting on issues. They do not have write access to the repository unless the owner or a collaborator grants it.


### Inviting Collaborators and Managing Invitations

From time to time you might want to invite others to collaborate on a repository you own. This will allow them additional access compared to a regular user.

> The specific permissions a collaborator has (read, write, or admin) depend on what the owner assigns. A collaborator with write access can modify the repository directly, while a collaborator with read access can only pull from the repository. A collaborator with admin access can change the repository's settings, add more collaborators, and has write access as well. However, even collaborators with admin access do not have the same level of access as owners. They can't delete the repository or transfer it to another owner, which are privileges reserved only for the owner.

To invite a collaborator to a personal repository:

1. Navigate to the main page of your repository
2. Click on the **Settings** tab
3. Proceed to the **Manage Access** section
4. Click the **Invite a collaborator** button
5. Enter the GitHub username or email address of the person you want to invite
6. Click **Add [username] to [repository]** to send the invitation
7. The invited user will receive an email invitation; they need to accept it to become a collaborator

<br><p align=center><img src=images/add_collaborator.gif width=900></p><br>

As a repository owner, in the **Manage Access** section, you can:
  - See all pending invitations
  - Cancel any pending invitations
  - Re-send any pending invitations
  - Remove access for existing collaborators

There is only one permission level for collaborators on a personal account. Full details of the permissions granted by collaborator status are shown [here](https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-personal-account-settings/permission-levels-for-a-personal-account-repository).



## Key Takeaways

- **Two-Factor Authentication (2FA)** enhances GitHub account security by requiring a password and an additional unique access code, minimizing unauthorized access risk even if your password is compromised
- **SSH keys** offer password-less, secure GitHub connections; they authenticate users through a private-public key pair, improving repository management's efficiency and security
- GitHub uses **role-based access control** with three roles: **Owner**, with full repository control; **Collaborator**, granted read, write, or admin permissions by the owner; and **Contributor**, anyone interacting via pull requests or comments
- **Owners** can invite others as **collaborators**, assigning read, write, or admin permissions; even collaborators with admin access can't delete or transfer the repository, as those privileges are reserved for owners