Security hardening checklist for code leakage prevention #1

@dateolive

Description

Objective

Reduce the risk of source code, firmware, production scripts, credentials, and confidential engineering materials being exposed through GitHub.

Immediate organization-level settings

  • Enable secret scanning for the organization.
  • Enable push protection for the organization.
  • Restrict repository visibility changes so ordinary members cannot make repositories public.
  • Restrict creation of public repositories to owners or approved admins only.
  • Restrict private repository forking unless explicitly needed.
  • Require two-factor authentication for all organization members.
  • Review and remove inactive members, outside collaborators, deploy keys, and GitHub Apps.
  • Review personal access token policy and prefer fine-grained, short-lived tokens.

Repository baseline

  • Confirm public repository allowlist: OpenSource, .github, flutter_screen_recording, bookoo-esp-modbus.
  • Confirm whether each public repository is intentionally public.
  • Apply branch protection or rulesets to default branches of high-sensitivity repositories.
  • Require pull requests and at least one reviewer for high-sensitivity repositories.
  • Block force pushes and deletions on protected branches.
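The organization-level settings above and the repository baseline are configured by an owner in the GitHub UI; what follows is an added example, not part of this issue or of BooKooCode's code, showing how those settings can be audited afterwards so drift is caught. The check functions consume the JSON shapes the GitHub REST API returns for `GET /orgs/{org}`, `GET /orgs/{org}/repos` and `GET /repos/{owner}/{repo}/branches/{branch}/protection` (classic branch protection; rulesets use a different endpoint and are not covered). The organization, repository and protection records at the bottom are constructed samples, the keyword rule used to recognise high-sensitivity repositories is a hypothetical one, and the two `*_for_new_repositories` flags only govern repositories created after they are set, which is why existing repositories are checked one by one.

```python
"""Audit GitHub organization and repository settings against the checklist above.

Each check consumes the JSON returned by GET /orgs/{org}, GET /orgs/{org}/repos and
GET /repos/{owner}/{repo}/branches/{branch}/protection, so it runs unchanged on live
responses or on the constructed samples at the bottom of this file.
"""
from __future__ import annotations

from typing import Any

# Repositories the checklist names as intentionally public.
PUBLIC_ALLOWLIST = {"OpenSource", ".github", "flutter_screen_recording", "bookoo-esp-modbus"}

# Hypothetical name-matching rule for the checklist's high-sensitivity categories.
HIGH_SENSITIVITY_KEYWORDS = ("firmware", "bootloader", "production", "download", "protocol",
                             "platform", "backend", "calibration", "testing")


def is_high_sensitivity(repo_name: str) -> bool:
    """True when the repository name matches one of the sensitive categories."""
    return any(keyword in repo_name.lower() for keyword in HIGH_SENSITIVITY_KEYWORDS)


def audit_org_settings(org: dict[str, Any]) -> list[str]:
    """Findings for organization-level settings (fields of GET /orgs/{org})."""
    findings = []
    if not org.get("two_factor_requirement_enabled"):
        findings.append("org: two-factor authentication is not required for members")
    if org.get("members_can_create_public_repositories", True):
        findings.append("org: members can create public repositories")
    if org.get("members_can_fork_private_repositories", True):
        findings.append("org: members can fork private repositories")
    # These two flags only govern newly created repositories; existing ones are checked per repo below.
    if not org.get("secret_scanning_enabled_for_new_repositories"):
        findings.append("org: secret scanning is not on by default for new repositories")
    if not org.get("secret_scanning_push_protection_enabled_for_new_repositories"):
        findings.append("org: push protection is not on by default for new repositories")
    return findings


def audit_repositories(repos: list[dict[str, Any]]) -> list[str]:
    """Findings on visibility, forking and scanning (fields of GET /orgs/{org}/repos)."""
    findings = []
    for repo in repos:
        name = repo["name"]
        if not repo.get("private") and name not in PUBLIC_ALLOWLIST:
            findings.append(f"{name}: public but not on the allowlist")
        if repo.get("private") and repo.get("allow_forking", True):
            findings.append(f"{name}: private repository allows forking")
        # security_and_analysis is only returned to callers with admin rights on the repo;
        # a missing block is reported as disabled rather than silently passed.
        analysis = repo.get("security_and_analysis") or {}
        if analysis.get("secret_scanning", {}).get("status") != "enabled":
            findings.append(f"{name}: secret scanning disabled")
        if analysis.get("secret_scanning_push_protection", {}).get("status") != "enabled":
            findings.append(f"{name}: push protection disabled")
    return findings


def audit_branch_protection(name: str, protection: dict[str, Any] | None) -> list[str]:
    """Findings for a high-sensitivity repo's default branch; `protection` is the branch
    protection JSON, or None when the API answered 404 (an unprotected branch)."""
    if not is_high_sensitivity(name):
        return []
    if protection is None:
        return [f"{name}: default branch has no protection rule"]
    findings = []
    reviews = protection.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        findings.append(f"{name}: pull requests do not require a reviewer")
    if (protection.get("allow_force_pushes") or {}).get("enabled"):
        findings.append(f"{name}: force pushes allowed on protected branch")
    if (protection.get("allow_deletions") or {}).get("enabled"):
        findings.append(f"{name}: branch deletion allowed on protected branch")
    return findings


def run_audit(org, repos, protections) -> list[str]:
    """Combine all checks; `protections` maps repo name -> protection JSON or None."""
    findings = audit_org_settings(org) + audit_repositories(repos)
    for repo in repos:
        findings += audit_branch_protection(repo["name"], protections.get(repo["name"]))
    return findings


def _repo(name: str, private: bool, forking: bool, scanning: str) -> dict[str, Any]:
    """Constructed repository record in the shape of the API response."""
    return {"name": name, "private": private, "allow_forking": forking,
            "security_and_analysis": {"secret_scanning": {"status": scanning},
                                      "secret_scanning_push_protection": {"status": scanning}}}


# Constructed sample data: an organization with several checklist items still open.
SAMPLE_ORG = {"two_factor_requirement_enabled": False, "members_can_create_public_repositories": True,
              "members_can_fork_private_repositories": False,
              "secret_scanning_enabled_for_new_repositories": True,
              "secret_scanning_push_protection_enabled_for_new_repositories": False}
SAMPLE_REPOS = [_repo("OpenSource", False, True, "enabled"), _repo("device-firmware", True, True, "enabled"),
                _repo("production-scripts", False, False, "disabled"), _repo("website", True, False, "enabled")]
SAMPLE_PROTECTIONS = {"device-firmware": None,
                      "production-scripts": {"required_pull_request_reviews": {"required_approving_review_count": 1},
                                             "allow_force_pushes": {"enabled": True},
                                             "allow_deletions": {"enabled": False}}}

if __name__ == "__main__":
    for finding in run_audit(SAMPLE_ORG, SAMPLE_REPOS, SAMPLE_PROTECTIONS):
        print(finding)
```

On the sample data the audit reports nine findings: three at organization level, four on the repositories (an unlisted public repository, a forkable private one, and scanning off on the public one) and two on default branches of the high-sensitivity repositories. Against a live organization, fetch the three endpoints with an owner token and pass the parsed responses to `run_audit`; a 404 from the protection endpoint should be mapped to `None` so it surfaces as a missing rule rather than an error.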

High-sensitivity repository categories

Prioritize firmware, bootloader, production, download tools, production database, protocol documents, platform/backend, and calibration/testing tools.

Notes

Codex has added an organization default SECURITY.md in BooKooCode/.github to discourage public disclosure of vulnerabilities, secrets, logs, and confidential code. Organization settings still need to be configured by a BooKooCode owner in GitHub settings because the current GitHub connector does not expose those administration APIs.
