Security Best Practices
Contents
GitHub
SSH Keys
Connecting to GitHub generally requires the use of an SSH key (unless connecting over https). Keys stored on your filesystem are susceptible to theft and misuse by malware.
Generate a new key reserved only for use with GitHub. The key should be generated with Secretive or 1Password. ECDSA/Ed25519 is preferable to RSA - don't use RSA.
Commit signing
A git commit's Author field is completely user controllable and can be forged. Signing your commits cryptographically proves you authored them, preventing impersonation and confusion.
You can sign commits with either Secretive or 1Password. We have a slight preference for Secretive because it stores your key in the macOS Secure Enclave, ensuring the key can never be exported or extracted, even by malware.
Setting up with Secretive
Open Secretive and click the + button to create a new key.
Name your key "Git signing key" and select Notify in the Protection Level dropdown.
Go to Secretive > Integrations in the menu bar.
Click Git Signing and select "Git signing key" from the Secret dropdown.
Copy and paste the
~/.gitconfigand~/.gitallowedsignerssnippets into their respective files- If you already have content in
~/.gitconfig, merge the new sections into the existing file rather than replacing it.
- If you already have content in
Select your shell on the left side of Secretive and set the
SSH_AUTH_SOCKenvironment variable as instructed. For zsh, add the following to your~/.zshrc:TerminalThen run
source ~/.zshrcto apply it.Your
~/.gitconfignow has asigningkeypointing to a file. Copy your public key to the clipboard:TerminalGo to your GitHub SSH keys settings and add a new SSH key. Paste your public key and set the key type to Signing Key.
Test it by creating an empty commit on a new branch:
TerminalPush the branch to GitHub — you should see a green Verified badge on the commit.
Setting up with 1Password
Follow the 1Password git commit signing guide.
After setup
Once commit signing is configured, enable the option in your GitHub Profile to "Flag unsigned commits as unverified".
GitHub Actions
Great care should be taken when writing or modifying a GitHub Actions workflow. Actions can access (and exfiltrate) secrets scoped to the repo. We scan workflows with Semgrep and CodeQL for common misconfigurations.
Authentication
Most Actions use the default GITHUB_TOKEN, whose permissions can be scoped via the permissions property. However, GITHUB_TOKEN cannot trigger other workflows — so commits or PRs created by an Action won't run CI, leaving PRs unmergeable without manual intervention. The workaround is a Personal Access Token (PAT) or GitHub App. We use GitHub Apps because PATs are tied to an individual user and break when that user leaves PostHog.
Scope each GitHub App to its use case and ideally a single repo. Prefer creating a new App over expanding an existing one's permissions, otherwise every Action using that App inherits permissions it doesn't need.
Send a message in #team-security if you need help setting up a new GitHub App.
External contributors
In public repos, Actions may run against PRs written by external contributors. These PRs should be reviewed thoroughly before approving workflows to run against them. Otherwise, a malicious PR could gain access to and steal all of the secrets available to the repo.
Managing secrets
AWS
Application secrets are stored in AWS Secrets Manager. To modify an app's secrets, use our secrets tool.
GitHub
Secrets used by GitHub Actions are stored in GitHub secrets. All secrets should be stored in our GitHub org rather than in an individual repo. This allows us to more easily reuse secrets across repos, and also provides a holistic view of all of our secrets. The org secret should be scoped to the specific repos that need it.
Reporting a security issue
If you believe we've been hit by a security issue, raise an incident. In the best case, it'll mean security folks look at it ASAP. In the worst case, it's a false positive and we can close the incident.