¶ Access and Identity
- Use SSH keys or SSO-backed auth; disable password-based access where possible.
- Enforce branch protections on main/release branches.
- Apply least privilege to repository and organization permissions.
¶ Commit and Tag Trust
- Require signed commits/tags for critical repos.
- Verify commit and tag signatures as part of CI/CD policy checks.
- Protect release tags from force updates.
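Added example (not part of the original checklist): a CI gate that enforces the signature rule above by reading the output of git log --format='%H%x09%G?%x09%GS' origin/main..HEAD from stdin and rejecting any commit whose %G? status is not a verifiable good signature. The policy names, sample hashes and signers are constructed for illustration; the status codes are the ones git-log(1) documents.

```python
import sys
from dataclasses import dataclass
# `git log` format: hash, %G? signature status (see git-log(1)), %GS signer, tab-separated.
GIT_LOG_FORMAT = "%H%x09%G?%x09%GS"
STATUS_TEXT = {
    "G": "good signature", "U": "good signature, untrusted key",
    "X": "good signature, expired", "Y": "good signature, expired key",
    "R": "good signature, revoked key", "E": "signature cannot be checked",
    "B": "bad signature", "N": "no signature",
}

@dataclass(frozen=True)
class Verdict:
    commit: str
    status: str
    signer: str
    ok: bool
    reason: str

def classify(status, allow_untrusted=False):
    """Only a verifiable good signature ('G') passes. 'U' (key not in the CI
    trust store) passes only when explicitly allowed; expired, revoked, bad,
    missing and uncheckable signatures always fail."""
    return status == "G" or (status == "U" and allow_untrusted)

def evaluate_log(log_text, allow_untrusted=False):
    """Produce one Verdict per non-empty git log line."""
    verdicts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        commit, status, signer = (line.split("\t", 2) + ["", ""])[:3]
        reason = STATUS_TEXT.get(status, f"unknown status {status!r}")
        verdicts.append(Verdict(commit, status, signer, classify(status, allow_untrusted), reason))
    return verdicts

def failing(log_text, allow_untrusted=False):
    # Commits that would block the pipeline under the given policy.
    return [v for v in evaluate_log(log_text, allow_untrusted) if not v.ok]

# Constructed sample of git log output (hashes and signers are made up).
SAMPLE_LOG = (
    "a1b2c3d4e5f6\tG\tRelease Bot <release@example.com>\n"
    "b2c3d4e5f6a7\tU\tDev One <dev1@example.com>\n"
    "c3d4e5f6a7b8\tN\t\n"
    "d4e5f6a7b8c9\tR\tOld Key <old@example.com>\n"
)
if __name__ == "__main__":  # reads `git log --format=... <range>` output from stdin
    sys.exit(1 if failing(sys.stdin.read()) else 0)
```

Run it with a range that covers every commit the push introduces; a non-zero exit blocks the merge or release job, and the Verdict.reason field tells the developer why.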
¶ Secret and Supply Chain Controls
- Run secret scanning and block known credential patterns.
- Enforce dependency and pipeline policy checks.
- Disallow direct pushes to protected branches.
¶ Recovery and Monitoring
- Maintain frequent mirrored backups.
- Audit repo permission changes and token creation events.
- Track force-push and history rewrite events.