DeepSec 2025 Talk: GitHub Security at Scale: One Opensource Tool to Rule Them All – Sina Yazdanmehr & Hugo Baccino
Managing GitHub security across all organizations and repositories within a company can be challenging. Misconfigured settings, hard-coded secrets, and outdated dependencies often go unnoticed, creating critical security gaps.
In this session, we introduce an open source tool built to help companies secure their GitHub environments at scale. The tool runs security posture checks across organization and repository levels, scans for hard-coded secrets, performs Software Composition Analysis (SCA), validates security rule sets, detects misconfigurations, and generates a single comprehensive report. The report not only identifies risks but also provides actionable remediation steps, helping teams prioritize and address issues effectively.
By using this tool, companies gain a complete view of their GitHub security posture across all organizations and repositories, making it easier to maintain strong security without adding complexity. This talk is also an open invitation for the community to collaborate and help enhance the tool.
We asked Sina and Hugo a few more questions about their talk.
Please tell us the top 5 facts about your talk.
- The tool we developed is fully open source and free; contributions are welcome from anyone interested in improving it
- Addresses a critical need: managing security consistently across GitHub organizations and repositories at scale, helping organizations gain visibility into their supply chain security posture
- Solves a real problem for large teams: manually auditing security across hundreds of repos and users isn’t realistic, and this tool automates that work to catch misconfigurations that attackers actively exploit
- Focuses on high-risk misconfigurations often missed in manual reviews, for example: overly permissive secrets/runners, missing branch protections, and weak SSO/MFA policies that can lead to unauthorized access and code compromise
- Built with a modular architecture and a Python CLI, making it easy to extend with new checks or integrate into CI pipelines
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
We kept seeing the same security issues repeated across different companies during incident reviews. Someone would accidentally expose a secret with org-wide scope, or a critical branch would have no PR requirements. We got tired of manually clicking through GitHub’s UI to audit hundreds of repos and org-level settings. The initial version was a quick script for checking these org-wide configs, but it kept growing as more scenarios came up. We also added secret scanning to catch hard-coded credentials and dependency scanning in order to cover every aspect of security that an organization could be missing. We knew other teams faced the same challenges, so we decided to make it open source rather than keeping it internal.
Why do you think this is an important topic?
Most organizations focus security efforts on code vulnerabilities but overlook the platform layer. A single misconfigured GitHub Action secret or runner can bypass all your other defenses. These misconfigurations are easy to introduce (default settings are often too permissive) and hard to spot manually at scale. Automating these checks helps companies catch and monitor the issues before they’re exploited.
Is there something you want everybody to know – some good advice for our readers maybe?
Don’t wait for an incident to audit your GitHub security posture. If you’re managing more than a handful of repos, manual auditing is slow and unsustainable. Start with a baseline scan across your org (MFA enforcement, secrets scope, branch protections) and schedule regular checks to catch drift. GitHub is where your code lives and where your CI/CD runs, so securing it should be a priority, not an afterthought.
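The baseline scan described in the answer above, and the misconfiguration classes listed under the talk's top facts, as an added Python example: this is not the speakers' tool or any code from the talk. It runs the three checks named there (MFA enforcement, scope of org-level Actions secrets, branch protection on each repo's default branch) over a constructed snapshot shaped like GitHub's REST API responses, attaches a remediation step to every finding, and compares two runs so a scheduled job can report drift. The `Finding` class, the check function names and the `SAMPLE` snapshot are assumptions of this example; the field names it reads (`two_factor_requirement_enabled`, `visibility`, `required_pull_request_reviews`, `enforce_admins`) are those returned by the corresponding GitHub endpoints, but the fetch layer that would populate the snapshot is left out so the code runs offline.

```python
"""Baseline GitHub posture checks over API-shaped snapshots.

Added illustration; not the speakers' tool. Inputs are dicts shaped like
the responses of GET /orgs/{org}, GET /orgs/{org}/actions/secrets and
GET /repos/{owner}/{repo}/branches/{branch}/protection. The snapshot at the
bottom is constructed by hand; a real run would fill it from the API
through a fetch layer that is hypothetical here and not shown.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str      # "high" | "medium" | "low"
    target: str        # org, secret or repo@branch the finding applies to
    issue: str
    remediation: str


def check_org_mfa(org):
    """Org-level check: members must be required to use 2FA."""
    if org.get("two_factor_requirement_enabled"):
        return []
    return [Finding("high", org["login"],
                    "two-factor authentication is not required for members",
                    "enable 'Require two-factor authentication' in the org's "
                    "authentication security settings")]


def check_secret_scope(org_login, secrets):
    """Org-level Actions secrets with visibility 'all' are readable by a
    workflow in every repository of the org; flag each one."""
    return [Finding("medium", f"{org_login}:{s['name']}",
                    "org secret is visible to all repositories",
                    "set visibility to 'selected' and list only the repos "
                    "that need it")
            for s in secrets.get("secrets", [])
            if s.get("visibility") == "all"]


def check_branch_protection(repo, branch, protection):
    """Repo-level check on the default branch. `protection` is None when
    the protection endpoint returned 404 (branch not protected)."""
    if protection is None:
        return [Finding("high", f"{repo}@{branch}",
                        "default branch has no branch protection",
                        "require pull requests with at least one approving "
                        "review before merging")]
    findings = []
    reviews = protection.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        findings.append(Finding("high", f"{repo}@{branch}",
                                "changes can be merged without an approving review",
                                "set required_approving_review_count to 1 or more"))
    if not (protection.get("enforce_admins") or {}).get("enabled"):
        findings.append(Finding("low", f"{repo}@{branch}",
                                "admins can bypass the protection rules",
                                "enable 'Do not allow bypassing the above settings'"))
    return findings


def run_baseline(snapshot):
    """Run every check over one org snapshot and return all findings."""
    org = snapshot["org"]
    findings = check_org_mfa(org)
    findings += check_secret_scope(org["login"], snapshot["secrets"])
    for repo in snapshot["repos"]:
        findings += check_branch_protection(repo["full_name"],
                                            repo["default_branch"],
                                            repo["protection"])
    return findings


def drift(previous, current):
    """Compare two scheduled runs: findings that appeared and ones resolved.
    Finding is a frozen dataclass, so set membership works on it."""
    prev, curr = set(previous), set(current)
    new = [f for f in current if f not in prev]
    resolved = [f for f in previous if f not in curr]
    return new, resolved


# Constructed snapshot (not real data): one org, two secrets, three repos.
SAMPLE = {
    "org": {"login": "example-org", "two_factor_requirement_enabled": False},
    "secrets": {"total_count": 2, "secrets": [
        {"name": "DEPLOY_TOKEN", "visibility": "all"},
        {"name": "NPM_TOKEN", "visibility": "selected"},
    ]},
    "repos": [
        {"full_name": "example-org/api", "default_branch": "main",
         "protection": None},
        {"full_name": "example-org/web", "default_branch": "main",
         "protection": {"required_pull_request_reviews":
                        {"required_approving_review_count": 1},
                        "enforce_admins": {"enabled": False}}},
        {"full_name": "example-org/infra", "default_branch": "main",
         "protection": {"required_pull_request_reviews":
                        {"required_approving_review_count": 2},
                        "enforce_admins": {"enabled": True}}},
    ],
}

if __name__ == "__main__":
    for f in sorted(run_baseline(SAMPLE), key=lambda f: f.severity):
        print(f"[{f.severity:6}] {f.target}: {f.issue} -> {f.remediation}")
```

Running the file prints the four findings the constructed snapshot produces (the missing 2FA requirement, the org-wide `DEPLOY_TOKEN`, the unprotected `api` default branch, and admin bypass on `web`). In a scheduled run the snapshot would be populated from the API with a token that can read org and repository settings, the findings saved, and `drift` called against the previous run's saved list so only changes since the last scan are reported.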
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
Attackers are increasingly targeting supply chain weaknesses rather than code bugs directly. Exposed secrets, overly permissive CI/CD configurations, and compromised dependencies are becoming the primary attack vectors. We’re seeing this shift in real incidents, which is why we’re expanding this tool to cover dependency scanning and extending platform support to GitLab and others. The goal is to help companies defend against these supply chain attacks before they happen, not just after an incident forces a reactive audit.
Sina Yazdanmehr is a senior information security consultant and researcher. Since 2009, he has worked for different security firms and CERT, developing a strong expertise in cloud, application, and telecom security. He has presented his research at conferences like Black Hat and DeepSec.
Hugo is a penetration tester with strong expertise in offensive cybersecurity. Before joining Aplite, he carried out high-impact penetration tests across diverse industries. With a background in Capture the Flag competitions, he brings a practical, attacker-oriented mindset to engagements, helping organizations identify and address critical vulnerabilities.
