GitHub setting changed to fork private repository

github-telemetry

Classification:

attack

Tactic:

TA0009-collection

Technique:

T1213-data-from-information-repositories

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detects policy changes to allow forking of private GitHub repositories.

Strategy

GitHub provides audit logs and webhook events that capture modifications to repository settings. Look for events where the fork setting for private repositories is enabled, which can pose a significant security risk by exposing sensitive code.

  • private_repository_forking.enable

Triage and Response

  1. Identify whether {{@github.actor}} is changing the forking policy for {{@github.repository}}.
  2. If the activity is suspicious:
    • Block the user in GitHub to prevent further access.
    • Begin your organization’s incident response process and investigate.