Zero-Trust Access for GitHub

by Ben Arent Feb 20, 2025

Why We Built GitHub Proxy Support

Our journey with GitHub proxy support began with an internal challenge: securing our most critical repositories against unauthorized access. As a company that manages infrastructure as code, including sensitive systems like Hardening Okta with Terraform, we needed an ironclad solution to lock down access to our codebase. The problem was that traditional authentication methods like SSH keys and Personal Access Tokens (PATs) left our repositories vulnerable to unauthorized access.

Our vision was to create a security system with zero exceptions. Every developer interaction with our repositories must pass through a robust authentication process, including hardware MFA verification. This approach creates an unbreakable chain of trust, ensuring that each commit is legitimate and properly authorized.

What started as an internal security initiative quickly resonated with our customers facing similar challenges. Many organizations struggle with repository security, especially for their most sensitive codebases.

The Many Ways to Access GitHub

When accessing GitHub repositories, developers typically choose between two authentication methods: SSH keys or HTTPS with Personal Access Tokens (PATs). While both methods provide direct access to GitHub, they come with inherent security risks.

Consider a scenario where an attacker successfully phishes a PAT — they gain the ability to push code under the compromised user's identity. Even with additional security measures like commit signing in place, this traditional setup still leaves repositories vulnerable to unauthorized code pushes and pulls. Commit signing only proves who authored a commit — when an attacker has a valid PAT, they can still push commits with their own GPG key, create branches, and access code while being properly authenticated to GitHub.

Zero-Trust GitHub Access

One solution to this problem is to follow the principles of zero trust, which we’ve written about in depth. These are:

  • Verify Explicitly - All resources and users must be authenticated and authorized regardless of location.
  • Least Privilege Access - Users and systems should have the minimum permissions necessary.
  • Assume Breach - Operate as if a compromise has already occurred.
  • Identity-Based Security Perimeter - Instead of a network perimeter security approach, identity becomes the new security boundary. Instead of locking down to IPs or networks, each request is checked against the identity of the person making the request.
  • Short-Lived Certificates - Certificates should be short-lived and rotated frequently.
  • Micro-Segmentation - Break security perimeters into small, isolated zones.
  • Zero-Standing Privileges - Access should be granted on a Just-In-Time basis.

As a company that cares deeply about security, we’ve been thinking about ways in which we can bring concepts of zero-trust to Git & GitHub. We also happen to be slightly obsessed with x509 certs, so when we noticed GitHub Enterprise supports x509 SSH certificate authorities, we jumped on the idea.

GitHub's SSH CA documentation outlines the flow:

For example, you can build an internal system that issues a new certificate to your developers every morning. Each developer can use their daily certificate to work on your organization's repositories on GitHub Enterprise Cloud. At the end of the day, the certificate can automatically expire, protecting your repositories if the certificate is later compromised.
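The daily-certificate flow described above can be audited before a certificate is handed to a developer. The following is an added example, not code from Teleport or GitHub: a minimal reader for an OpenSSH ed25519 user certificate blob (the base64-decoded body of a `-cert.pub` file) that flags a lifetime over one day or a missing `login@github.com` extension, which GitHub's SSH CA documentation uses to name the account. The 24-hour limit, the helper names and the sample certificate are assumptions constructed for illustration, and the CA signature is not verified.

```python
import struct

MAX_LIFETIME = 24 * 3600   # assumed policy: a "daily" certificate

class Reader:  # cursor over SSH wire-format fields
    def __init__(self, data): self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated certificate")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def u64(self): return struct.unpack(">Q", self.take(8))[0]
    def string(self): return self.take(self.u32())

def parse_user_cert(blob):
    """Read the policy-relevant fields; the CA signature is NOT verified here."""
    r = Reader(blob)
    if r.string() != b"ssh-ed25519-cert-v01@openssh.com":
        raise ValueError("only ed25519 certificates are handled")
    r.string(); r.string()                     # nonce, subject public key
    cert = {"serial": r.u64(), "type": r.u32(), "key_id": r.string().decode()}
    r.string()                                 # valid principals
    cert["valid_after"], cert["valid_before"] = r.u64(), r.u64()
    r.string()                                 # critical options
    ext, cert["extensions"] = Reader(r.string()), {}
    while ext.pos < len(ext.data):             # name, then value packed in a string
        name, val = ext.string().decode(), Reader(ext.string())
        cert["extensions"][name] = val.string().decode() if val.data else ""
    return cert

def policy_violations(cert, now):
    lifetime = cert["valid_before"] - cert["valid_after"]
    checks = [
        (cert["type"] != 1, "not a user certificate"),   # 1 = user, 2 = host
        (lifetime > MAX_LIFETIME, "lifetime exceeds one day"),
        (not cert["valid_after"] <= now < cert["valid_before"], "outside validity window"),
        (not cert["extensions"].get("login@github.com"), "missing login@github.com extension"),
    ]
    return [msg for failed, msg in checks if failed]

def s(b): return struct.pack(">I", len(b)) + b   # SSH length-prefixed string
def build_sample(valid_after, valid_before, login):
    """Constructed test certificate: zeroed keys and a placeholder signature."""
    ext = s(b"login@github.com") + s(s(login)) if login else b""
    return (s(b"ssh-ed25519-cert-v01@openssh.com") + s(bytes(32)) + s(bytes(32))
            + struct.pack(">QI", 1, 1) + s(b"alice-daily") + s(b"")
            + struct.pack(">QQ", valid_after, valid_before) + s(b"") + s(ext)
            + s(b"") + s(b"placeholder-ca-key") + s(b"placeholder-signature"))
```

A certificate issued without an expiry is encoded with the maximum 64-bit `valid_before`, so it is reported by the same lifetime check.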

We saw the opportunity to leverage the Teleport Platform to bring zero-trust to Git! But leveraging an SSH CA is just one piece of the puzzle, and I’ll outline how we’ve built a complete solution to bring zero-trust concepts to GitHub.

Demo of Teleport GitHub Proxy & SSH CA Support

To highlight some of the feature’s capabilities, we’ve put together this short video. The video provides an overview of users accessing GitHub via Teleport, using a normal Git workflow, and finally a review of the auditing capabilities for this setup.

RFD Discussion

Try Teleport GitHub Proxy Support

Companies can try Teleport GitHub Proxy starting with Teleport Enterprise 17.2. To set it up, please follow our documentation on Teleport GitHub Support. This feature requires Teleport Enterprise and a GitHub Enterprise Account. If you would like a demo from our team, please get in touch with us. Or if your team uses GitLab, we have support for that as well.

Other Teleport & GitHub Features
