GitHub Organization Policies are rules and settings enforced at the organization level to control how repositories, members, and integrations behave. These policies help you:
- Improve security and compliance
- Standardize development practices
- Automate access controls
- Enforce governance at scale
📘 Section 1: What are GitHub Organization Policies?
✅ Definition:
Organization policies in GitHub are configurations and rules set by organization owners to govern repositories, teams, members, and applications within that organization.
🧰 Section 2: What Can You Do With Organization Policies?
Here’s what you can control:
| Category | Policy Examples |
|---|---|
| Member Management | Require 2FA, restrict repo creation, limit external collaborators |
| Repository Settings | Default branch protection rules, required reviews, commit signing |
| App/Token Access | Restrict GitHub Apps, OAuth apps, PAT usage |
| Security | Enforce Dependabot, secret scanning, code scanning |
| CI/CD | Restrict GitHub Actions to certain runners or workflows |
| Compliance | Audit logs, webhook permissions, access controls |
🚀 Section 3: Basic Setup Guide
🧩 Step 1: Create a GitHub Organization
- Go to https://github.com/organizations/new
- Choose a name, billing plan (Free/Team/Enterprise), and invite members.
🛠 Step 2: Enable & Enforce 2FA
Use case: Ensure all members have two-factor authentication.
How:
- Go to your organization > Settings > Security > Authentication security
- Enable: Require two-factor authentication
🔒 Effect: Users without 2FA will be removed from the org after 1 day.
🗂 Step 3: Restrict Repository Creation
Use case: Prevent users from creating repos outside approved governance.
How:
- Go to Settings > Member Privileges
- Under Repository Creation, choose:
- No one
- Selected members/teams
- Only admins
⚙ Step 4: Apply Default Repository Settings
Use case: Standardize settings for every new repo (branch protection, etc.)
How:
- Go to Settings > Repository Defaults
- Default branch:
main - Default visibility:
private - Require branch protection rules
- Default branch:
🔐 Step 5: Configure Branch Protection
Use case: Prevent force-pushes, require reviews, enforce CI
How:
- Navigate to a repo > Settings > Branches > Add Rule
- Require PR review (1+)
- Require status checks (CI passing)
- Require signed commits
For org-wide setup, create a template repo with protection rules.
🧾 Step 6: Enable Audit Logging (Enterprise)
Use case: Track changes, user actions, security breaches.
How:
- Go to your GitHub Enterprise org > Settings > Audit Log
- Filter by event types, users, or repositories.
💼 Section 4: Intermediate Policy Use Cases
🎯 1. Restrict GitHub Actions Use
How:
- Go to Settings > Actions > Policies
- Allow only internal actions
- Restrict to specific workflows or runner groups
- Require approval for external workflows
🧠 2. Limit GitHub App Installations
How:
- Go to Settings > Third-party access
- Allow only approved GitHub Apps
- Block unknown OAuth apps or PATs
📦 3. Set Organization-wide Secrets
Use case: Provide centralized secrets for all CI/CD.
How:
- Go to Settings > Secrets and variables
- Add Organization Secrets (e.g., AWS keys, API tokens)
🧠 Section 5: Advanced Governance (Enterprise Tier)
If you’re using GitHub Enterprise Cloud or Enterprise Managed Users, here are advanced controls:
🔐 Enterprise Policies via GitHub CLI / API
Example: Enforce 2FA using CLI
gh api \
--method PATCH \
-H "Accept: application/vnd.github+json" \
/orgs/YOUR_ORG \
-f members_can_create_repositories=false
Code language: JavaScript (javascript)
🏛️ GitHub Policy Service (beta/enterprise)
GitHub has an internal feature called Policy Service (in private beta) that allows defining JSON/YAML-based policy rules like:
require_codeowners:
enabled: true
require_pull_request_reviews:
required_approving_review_count: 2
Code language: JavaScript (javascript)
These policies are applied org-wide for compliance automation.
💡 Real-World Use Cases
| Use Case | Policy/Feature Required |
|---|---|
| Enforce 2FA for all members | Settings > Security |
| Prevent unapproved GitHub Actions | Settings > Actions > Workflow Restrictions |
| Centralized secrets for deployments | Organization > Secrets |
| Standardize repo setup with templates | Repository Templates + Default Settings |
| Enforce CI + code review | Branch Protection Rules |
| Deny external OAuth apps | Third-party Access Settings |
| Require CODEOWNERS for ownership | Branch Protection + CODEOWNERS file |
📌 Best Practices
- Use Teams to manage access instead of individual users.
- Enforce branch protection on main branches.
- Create a compliance repo documenting all policies.
- Use Audit Logs to monitor suspicious activity.
- Keep GitHub Apps and PATs tightly scoped.
- Review member privileges quarterly.
📚 Bonus: GitHub CLI for Org Policies
You can script organization policies with GitHub CLI:
# Disable repository creation by members
gh api --method PATCH /orgs/MY_ORG \
-f members_can_create_repositories=false
Code language: PHP (php)
✅ Summary
| Capability | Org Policy Feature |
|---|---|
| Security enforcement | 2FA, OAuth App control, token control |
| Collaboration governance | Team-based access, repo creation limits |
| Dev workflow enforcement | Branch protection, CODEOWNERS, CI |
| Automation & Integration | GitHub Apps, Action runner controls |
| Central secrets management | Org-wide Secrets |
| Visibility & audit | Audit Logs, Action logs |
I’m Rajesh Kumar, a DevOps, SRE, DevSecOps, Cloud, and Platform Engineering expert passionate about sharing practical knowledge, real-world experiences, and industry best practices. I have worked at Cotocus and regularly write about technology, travel, investing, health, product reviews, and digital marketing through my various platforms.
I publish technical articles at DevOps School, travel stories at Holiday Landmark, stock market insights at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow, and SEO and digital marketing strategies at Wizbrand.
Find Trusted Cardiac Hospitals
Compare heart hospitals by city and services — all in one place.
Explore Hospitals