I audit GitHub or GitLab organization security settings to identify exposed secrets, overly permissive access controls, missing branch protections, and unsafe CI pipeline configurations — before an attacker exploits them.
Audit coverage: org-level settings and member permissions; repository access controls and visibility; branch protection rules and required review policies; CI/CD secrets configuration and scope; GitHub Actions workflow permissions and GITHUB_TOKEN usage; third-party Actions pinning (commit SHA vs. mutable tag or branch); workflow log secret exposure; and CODEOWNERS configuration.
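As an added illustration (not part of this listing and not the tooling used on engagements), the script below shows three of the workflow checks named above in code: mutable `uses:` references that should be pinned to a full commit SHA, a top-level `permissions: write-all` (or no `permissions:` block at all) that leaves GITHUB_TOKEN over-scoped, and `run:` steps that echo a secret into the job log. It runs over two constructed workflow files, one weak and one hardened; the 40-zero SHA in the hardened file is a placeholder, not a real actions/checkout commit.

```python
import re

# Constructed sample workflows (not from any real repository).
WEAK_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@main
      - uses: ./.github/actions/local-build
      - run: echo "token is ${{ secrets.DEPLOY_TOKEN }}"
      - run: npm test
"""

HARDENED_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # placeholder SHA, v4
      - run: npm test
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # full commit SHA = immutable pin
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
RUN_RE = re.compile(r"^\s*-?\s*run:\s*(.*)$")
PERM_RE = re.compile(r"^permissions:\s*(.*)$")  # column 0 = workflow-level block


def audit_workflow(text):
    """Return (line, finding-id, detail) tuples for one workflow file."""
    findings = []
    top_permissions = None
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            # Local and docker:// actions are outside the pinning question.
            if ref.startswith("./") or ref.startswith("docker://"):
                continue
            if "@" not in ref:
                findings.append((lineno, "unpinned", ref))
                continue
            _action, _, version = ref.rpartition("@")
            if not SHA_RE.match(version):
                findings.append((lineno, "mutable-ref", ref))  # tag or branch can be moved
            continue
        m = RUN_RE.match(line)
        if m and "echo" in m.group(1) and "${{ secrets." in m.group(1):
            findings.append((lineno, "secret-echo", m.group(1).strip()))
            continue
        m = PERM_RE.match(line)
        if m:
            # Empty value means a nested block (e.g. "contents: read") follows.
            top_permissions = m.group(1).strip() or "block"
    if top_permissions is None:
        findings.append((0, "no-top-level-permissions",
                         "GITHUB_TOKEN gets the repository default scope"))
    elif top_permissions == "write-all":
        findings.append((0, "permissions-write-all",
                         "GITHUB_TOKEN gets write to every scope"))
    return findings


if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"== {name}")
        for lineno, kind, detail in audit_workflow(wf):
            print(f"  line {lineno:>2}  {kind:<26} {detail}")
```

The checker is line-based on purpose so it needs no YAML library; it will not see `run: |` continuation lines or job-level `permissions:` blocks, which a full audit covers separately.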
In Premium engagements I run Gitleaks across your commit history to find credentials, API keys, and tokens accidentally committed to repositories — this is how most credential exposures are discovered after the fact.
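To show why history matters and not just the current tree, here is an added example (my own illustration, not Gitleaks and not its rule set) of the same approach: scan the added lines of every commit in a `git log -p` stream against format rules for known token types, plus a generic rule that only fires when the assigned value has high Shannon entropy. The log excerpt, commit ids and token values are constructed; the AWS key is the documentation example value. The secrets are removed in the second commit, and the scanner still reports them from the first.

```python
import math
import re
from collections import Counter

# Constructed `git log -p` excerpt (not from any real repository).
SAMPLE_HISTORY = """\
commit 1111111111111111111111111111111111111111
Author: dev <dev@example.invalid>

    add deploy config

diff --git a/deploy.env b/deploy.env
--- /dev/null
+++ b/deploy.env
@@ -0,0 +1,5 @@
+REGION=us-east-1
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+GITHUB_TOKEN=ghp_0123456789abcdef0123456789abcdef0123
+API_KEY=9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c
+DB_PASSWORD=changeme-changeme-changeme
commit 2222222222222222222222222222222222222222
Author: dev <dev@example.invalid>

    oops, remove secrets

diff --git a/deploy.env b/deploy.env
--- a/deploy.env
+++ b/deploy.env
@@ -1,5 +1,2 @@
 REGION=us-east-1
-AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
-GITHUB_TOKEN=ghp_0123456789abcdef0123456789abcdef0123
-API_KEY=9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c
 DB_PASSWORD=changeme-changeme-changeme
"""

# Format rules: fixed prefix plus fixed length, so entropy is not needed.
RULES = [
    ("aws-access-key-id", re.compile(r"AKIA[0-9A-Z]{16}\b")),
    ("github-pat", re.compile(r"ghp_[A-Za-z0-9]{36}\b")),
]
# Generic rule: a secret-looking key name assigned a long value; entropy decides.
GENERIC = re.compile(
    r"(?i)(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?([A-Za-z0-9/+_\-]{16,})"
)


def shannon_entropy(s):
    """Bits per character; random hex is ~3.9, a word list value is ~3."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_history(log_text, entropy_threshold=3.5):
    """Report secrets on lines *added* by any commit in a git log -p stream."""
    findings = []
    commit = path = None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
            continue
        if line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
            continue
        if not line.startswith("+"):
            continue  # context and removed lines were reported when first added
        content = line[1:]
        hit = None
        for rule_id, pattern in RULES:
            m = pattern.search(content)
            if m:
                hit = (rule_id, m.group(0))
                break
        if hit is None:
            m = GENERIC.search(content)
            if m and shannon_entropy(m.group(1)) >= entropy_threshold:
                hit = ("generic-high-entropy", m.group(1))
        if hit:
            findings.append({"commit": commit, "path": path,
                             "rule": hit[0], "match": hit[1]})
    return findings


if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"{f['commit'][:8]} {f['path']}: {f['rule']} -> {f['match']}")
```

Run it against a real repository with `git log -p --all | python scan.py` (reading stdin in place of SAMPLE_HISTORY); a finding in an old commit still needs rotation, because rewriting history does not revoke the credential.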
Deliverables: prioritized findings report, recommended org policy changes, secrets hygiene guide for developers, and (Premium) rulesets and branch protection implementation. Requires org read rights (the Security Manager role is sufficient for GitHub).