
I've heard this before from people but I can't help but think, "companies are paying GitHub to store code which in itself is often very valuable IP that needs to be protected". Are we sure GitHub doesn't have any promises to the protection of private repos? Obviously anything could happen and it's best to encrypt secrets and such... but if it's true that GitHub is not very serious about protecting the contents of private repos, that seems off to me. Any links to anything regarding their stance on this?



There's a big difference between proprietary code and secrets. If you get my proprietary code you will be able to understand and copy how my application works, but (if I've coded it well) you won't be able to compromise a running instance. This is why open-source software is not necessarily less secure than closed-source software.

But if you get my secrets, you can most likely own that instance.

And I think it's worth pointing out that companies who are serious about the trade secrecy of their code tend to host their own repos. I don't think you'll find critical source code from Microsoft, Google, Facebook, Apple, etc. sitting in private repos on Github.com.

I've been using Github private repos at work since 2013. As I said, I've not seen anything from Github that says that private repos are secure enough to upload secrets. For example, this document does not distinguish between public and private repos:

https://help.github.com/articles/removing-sensitive-data-fro...

I use private repos to interact with contractors. Just because I grant a contractor access to collaborate on a private repo, that doesn't mean I want them to have my api keys, passwords, etc.

I use private repos because I want a cheap and easy way to host git repos, but I don't want to bother with the public. I don't want to create the false impression that I'm open to pull requests or forking my code.
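The comment above draws the line between proprietary code (which a collaborator or contractor may legitimately see) and secrets (which should never be in the repo, private or not). One practical defence is to scan content before it is committed or shared. The following is an added example, not code from the thread or from GitHub: a small scanner that flags well-known credential formats by pattern and catches unknown secrets by Shannon entropy, while ignoring long but low-entropy placeholders. The rule set, the entropy threshold, the redaction format and the sample file are all assumptions constructed for the example.

```python
import math
import re
import sys
from collections import Counter
from dataclasses import dataclass

# Assumed illustrative rule set; a real deployment would carry a much larger list.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("generic_assignment", re.compile(
        r"(?i)\b(?:api[_-]?key|secret|password|token)\b\s*[:=]\s*['\"]?[A-Za-z0-9_\-/+=]{16,}")),
]

# Candidate tokens for the entropy check: long runs of base64/hex-like characters.
TOKEN_RX = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    evidence: str  # redacted, never the full value


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score high, 'xxxx...' placeholders score 0."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep only a short prefix so the report itself does not leak the secret."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(text: str, path: str = "<stdin>", entropy_threshold: float = 4.0) -> list:
    """Return one Finding per suspicious line.

    Pattern rules run first; a line already matched by a rule is not re-reported
    by the entropy check, so each line yields at most one pattern finding per rule.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        matched = False
        for name, rx in PATTERNS:
            m = rx.search(line)
            if m:
                findings.append(Finding(path, lineno, name, redact(m.group(0))))
                matched = True
        if matched:
            continue
        for tok in TOKEN_RX.findall(line):
            if shannon_entropy(tok) >= entropy_threshold:
                findings.append(Finding(path, lineno, "high_entropy", redact(tok)))
    return findings


# Constructed sample file; none of these values are real credentials.
SAMPLE_FILE = """\
# config.py (constructed sample, not real credentials)
DATABASE_HOST = "db.internal.example"
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000001"
api_key = "sk_live_0123456789abcdefghijklmnop"
PLACEHOLDER = "xxxxxxxxxxxxxxxxxxxxxxxx"
SIGNING_SEED = "q8Zt4vLm2Xp9Rk7Wd3Yh6Bn1Cj5F"
-----BEGIN RSA PRIVATE KEY-----
DEBUG = True
"""


def main(argv: list) -> int:
    """Scan the files named on the command line (or the sample); non-zero exit on findings."""
    if len(argv) < 2:
        findings = scan_text(SAMPLE_FILE, "config.py")
    else:
        findings = []
        for p in argv[1:]:
            with open(p, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(fh.read(), p))
    for f in findings:
        print(f"{f.path}:{f.line}: {f.rule}: {f.evidence}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as a pre-commit hook over the staged files, the non-zero exit blocks the commit; the entropy path is what catches keys no regex knows about, and the placeholder line shows why a length check alone is not enough.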


The features of github mean the data can't just be left encrypted all the time. No matter what, github employees are going to have access to your code. If you absolutely require security, github enterprise is the on-prem way to remove the risk of a rogue github employee (to just the risk of your own rogue employees).



