GitHub Organization Policies are rules and settings enforced at the organization level to control how repositories, members, and integrations behave. These policies help you:
- Improve security and compliance
- Standardize development practices
- Automate access controls
- Enforce governance at scale
Section 1: What are GitHub Organization Policies?
Definition:
Organization policies in GitHub are configurations and rules set by organization owners to govern repositories, teams, members, and applications within that organization.
Section 2: What Can You Do With Organization Policies?
Here's what you can control:
| Category | Policy Examples |
|---|---|
| Member Management | Require 2FA, restrict repo creation, limit outside collaborators |
| Repository Settings | Default branch name, branch protection / rulesets, required reviews, commit signing |
| App/Token Access | Restrict GitHub Apps, OAuth apps, PAT usage |
| Security | Enforce Dependabot, secret scanning, code scanning |
| CI/CD | Restrict GitHub Actions to allowed actions, workflows and runner groups |
| Compliance | Audit logs, webhook permissions, access controls |
Section 3: Basic Setup Guide
Step 1: Create a GitHub Organization
- Go to https://github.com/organizations/new
- Choose a name, billing plan (Free/Team/Enterprise), and invite members.
Step 2: Enable & Enforce 2FA
Use case: Ensure all members have two-factor authentication.
How:
- Go to your organization > Settings > Authentication security
- Enable: Require two-factor authentication for everyone in the organization
Effect: members, outside collaborators and billing managers who do not have 2FA enabled are removed from the organization when enforcement is turned on and lose access to its repositories, so review the list of affected accounts before you confirm.
Step 3: Restrict Repository Creation
Use case: Prevent users from creating repos outside approved governance.
How:
- Go to Settings > Member privileges
- Under Repository creation, untick the visibilities members may create (Public, Private, and Internal on Enterprise)
- With every box unticked, only organization owners can create repositories; leaving only Private ticked stops members from accidentally publishing code
Step 4: Apply Default Repository Settings
Use case: Standardize settings for every new repo (default branch name, base permissions, security features)
How:
- Go to Settings > Repository > Repository defaults and set the default branch name to main
- Go to Settings > Member privileges and set Base permissions to Read (or No permission) so new repositories are not writable by every member by default
- Go to Settings > Code security and enable Dependabot alerts, secret scanning and push protection for new repositories
Branch protection is not a repository default: to enforce it on every repository use an organization ruleset (Step 5).
Step 5: Configure Branch Protection
Use case: Prevent force-pushes and branch deletion, require reviews, enforce CI
How (single repository):
- Navigate to the repo > Settings > Branches > Add branch protection rule
- Require a pull request before merging, with 1+ approving reviews
- Require status checks to pass before merging (your CI jobs)
- Require signed commits
- Do not allow force pushes or deletions
For org-wide setup, do not rely on a template repository: templates copy files, not branch protection settings. Instead create an organization ruleset (Settings > Repository > Rulesets > New ruleset) that targets the default branch of all repositories, or create it through the REST API (Section 5).
Step 6: Review the Audit Log
Use case: Track configuration changes, user actions and signs of account compromise.
How:
- Go to your organization > Settings > Archives > Logs > Audit log (available on all plans; the audit log API and streaming to a SIEM require GitHub Enterprise Cloud)
- Filter by event type (e.g. org.disable_two_factor_requirement, repo.destroy), actor, or repository
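The controls in Steps 2 to 4 can be verified from the command line instead of by clicking through the UI. The script below is an added example, not code from the original post: it reads the organization object and the list of members without 2FA through the `gh` CLI and reports deviations from a baseline. The organization name, the presence of a logged-in `gh` with an org-owner token, and the baseline thresholds are this example's assumptions; the field names are the ones GET /orgs/{org} returns to owners.

```python
"""Added example: audit an organization's baseline settings via the REST API.

Assumptions: `gh` is installed and logged in as an org owner; the baseline
below (no public repo creation, base permission none/read, no private forks,
web sign-off required) is this example's choice, not a GitHub default.
"""
from __future__ import annotations

import json
import subprocess
from typing import Any


def gh_api(path: str) -> Any:
    """Call the REST API through the gh CLI, which supplies the token."""
    result = subprocess.run(
        ["gh", "api", "-H", "Accept: application/vnd.github+json", path],
        check=True, capture_output=True, text=True,
    )
    return json.loads(result.stdout)


def members_without_2fa(org_name: str) -> list[dict]:
    """Page through GET /orgs/{org}/members?filter=2fa_disabled (owner-only)."""
    members: list[dict] = []
    page = 1
    while True:
        chunk = gh_api(
            f"/orgs/{org_name}/members?filter=2fa_disabled&per_page=100&page={page}")
        members.extend(chunk)
        if len(chunk) < 100:
            return members
        page += 1


def evaluate_org(org: dict, no_2fa: list[dict]) -> list[str]:
    """Return findings for settings that deviate from the baseline ([] = OK)."""
    findings: list[str] = []
    if not org.get("two_factor_requirement_enabled"):
        findings.append("2FA is not required for members")
    if no_2fa:
        findings.append("members without 2FA: " + ", ".join(m["login"] for m in no_2fa))
    if org.get("members_can_create_public_repositories", True):
        findings.append("members may create public repositories")
    base = org.get("default_repository_permission")
    if base not in ("none", "read"):
        findings.append(f"base permission is {base!r}; expected none or read")
    if org.get("members_can_fork_private_repositories"):
        findings.append("members may fork private repositories")
    if not org.get("web_commit_signoff_required"):
        findings.append("web UI commits do not require sign-off")
    return findings


def audit(org_name: str) -> list[str]:
    """Live audit against the API; requires an org owner token in gh."""
    return evaluate_org(gh_api(f"/orgs/{org_name}"), members_without_2fa(org_name))


# Constructed sample response, shaped like GET /orgs/{org}, for an offline run.
SAMPLE_ORG = {
    "login": "example-org",
    "two_factor_requirement_enabled": False,
    "members_can_create_public_repositories": True,
    "default_repository_permission": "write",
    "members_can_fork_private_repositories": False,
    "web_commit_signoff_required": True,
}
SAMPLE_NO_2FA = [{"login": "contractor-1"}]  # constructed

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:        # python audit_org.py my-org  (live)
        report = audit(sys.argv[1])
    else:                        # no org given: evaluate the constructed sample
        report = evaluate_org(SAMPLE_ORG, SAMPLE_NO_2FA)
    for line in report or ["baseline holds"]:
        print(line)
```

Run it as an org owner with `python audit_org.py my-org`; with no argument it evaluates the constructed sample and reports four findings. Wire it into a scheduled job so a change made through the UI shows up as drift rather than going unnoticed until the audit log is read.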
Section 4: Intermediate Policy Use Cases
1. Restrict GitHub Actions Use
How:
- Go to Settings > Actions > General
- Under Policies, choose "Allow <org>, and select non-<org>, actions and reusable workflows"; tick "Allow actions created by GitHub" and list the further actions you approve (patterns such as some-owner/some-action@*), so an unreviewed third-party action cannot be pulled into a workflow
- Under "Fork pull request workflows from outside collaborators", require approval for all outside collaborators before their workflows run
- Under Settings > Actions > Runner groups, limit self-hosted runner groups to selected repositories
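Once the allowed-actions policy is set, developers find out that a step is blocked only when the workflow fails. The script below is an added example, not code from the original post: it applies the "selected actions" policy through the REST API and pre-checks a workflow's `uses:` references against it, mirroring GitHub's evaluation (local actions and the org's own actions always pass; GitHub-owned and pattern-matched actions pass when enabled). The organization name, the approved patterns, the verified-creator set, the constructed workflow and the `gh` CLI are this example's assumptions; the endpoint paths and field names are those of PUT /orgs/{org}/actions/permissions and /orgs/{org}/actions/permissions/selected-actions.

```python
"""Added example: apply the selected-actions policy and pre-check a workflow.

Assumptions: `gh` is logged in as an org owner; the verified-creator set is
supplied by the caller (it cannot be derived offline); docker:// references
are not modelled and are treated as blocked.
"""
from __future__ import annotations

import fnmatch
import json
import re
import subprocess


def gh_put(path: str, body: dict) -> None:
    """PUT a JSON body via the gh CLI (--input - reads the body from stdin)."""
    subprocess.run(["gh", "api", "--method", "PUT", path, "--input", "-"],
                   input=json.dumps(body), check=True, text=True)


def apply_actions_policy(org_name: str, patterns: list[str]) -> None:
    """Actions enabled for all repos; only GitHub-owned + listed actions allowed."""
    gh_put(f"/orgs/{org_name}/actions/permissions",
           {"enabled_repositories": "all", "allowed_actions": "selected"})
    gh_put(f"/orgs/{org_name}/actions/permissions/selected-actions",
           {"github_owned_allowed": True, "verified_allowed": False,
            "patterns_allowed": patterns})


def is_action_allowed(uses: str, org_name: str, allowed_actions: str,
                      selected: dict, verified_creators: frozenset = frozenset()) -> bool:
    """Evaluate one `uses:` reference under allowed_actions = all|local_only|selected."""
    if uses.startswith("./"):            # local action in the same repo: always allowed
        return True
    if uses.startswith("docker://"):     # not modelled here; blocked conservatively
        return False
    if allowed_actions == "all":
        return True
    ref = uses.lower()                   # owner/repo names are case-insensitive
    owner = ref.split("/", 1)[0]
    if owner == org_name.lower():        # the org's own actions are always allowed
        return True
    if allowed_actions != "selected":    # local_only: nothing else passes
        return False
    if selected.get("github_owned_allowed") and owner in ("actions", "github"):
        return True
    if selected.get("verified_allowed") and owner in verified_creators:
        return True
    # Patterns use * as the wildcard, e.g. some-owner/some-action@* or some-owner/*
    return any(fnmatch.fnmatchcase(ref, p.lower())
               for p in selected.get("patterns_allowed", []))


USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)


def disallowed_uses(workflow_yaml: str, org_name: str,
                    allowed_actions: str, selected: dict) -> list[str]:
    """Return every `uses:` reference in a workflow that the policy would block."""
    return [u for u in USES_RE.findall(workflow_yaml)
            if not is_action_allowed(u, org_name, allowed_actions, selected)]


# Constructed policy and workflow for an offline self-check.
SAMPLE_SELECTED = {
    "github_owned_allowed": True,
    "verified_allowed": False,
    "patterns_allowed": ["aws-actions/configure-aws-credentials@*", "docker/*"],
}
SAMPLE_WORKFLOW = """
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup
      - uses: aws-actions/configure-aws-credentials@v4
      - uses: docker/login-action@v3
      - uses: example-org/release-tooling@v1
      - uses: some-randomuser/run-anything@main
"""

if __name__ == "__main__":
    blocked = disallowed_uses(SAMPLE_WORKFLOW, "example-org", "selected", SAMPLE_SELECTED)
    print("blocked by policy:", blocked)
```

Running the check in a pre-merge CI job on `.github/workflows/*.yml` turns a policy failure into a review comment. Note that the policy restricts which actions may run, not what they may do; pin third-party actions to a commit SHA rather than a mutable tag so a compromised release cannot change the code behind an allowed reference.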
2. Limit GitHub App, OAuth App and PAT Access
How:
- Go to Settings > Third-party Access > OAuth application policy and restrict access, so members must request approval before an OAuth app can reach organization resources
- Under Settings > Third-party Access > GitHub Apps, install only apps you have reviewed, with the narrowest repository selection and permissions they need
- Under Settings > Third-party Access > Personal access tokens, require approval for (or restrict) fine-grained tokens and restrict classic tokens, which cannot be scoped to single repositories
3. Set Organization-wide Secrets
Use case: Provide centralized secrets for CI/CD without copying them into every repository.
How:
- Go to Settings > Secrets and variables > Actions > New organization secret
- Set the repository access policy (all repositories, private repositories, or selected repositories); any workflow in a repository with access can read the secret, so use "selected repositories" for deployment credentials
- For cloud credentials (e.g. AWS), prefer OIDC federation from the workflow over long-lived access keys stored as secrets
Section 5: Advanced Governance (API and Enterprise)
The REST API and CLI work on any plan; Enterprise Managed Users and enterprise-level policies that apply across organizations require GitHub Enterprise Cloud. Here are the advanced controls:
Organization Policies via GitHub CLI / API
Example: restrict repository creation using the CLI (the 2FA requirement itself is not exposed as a field of this endpoint and is set in the web UI):
gh api \
  --method PATCH \
  -H "Accept: application/vnd.github+json" \
  /orgs/YOUR_ORG \
  -F members_can_create_repositories=false
Note the -F (typed field) flag: -f would send the string "false", which the API rejects as a non-boolean.
Policy as Code (rulesets)
GitHub does not publicly document a "Policy Service"; the shipped way to define organization policy as data is rulesets, which are JSON documents that can be exported and imported in the UI (Settings > Repository > Rulesets) and created or updated through the REST API (POST /orgs/{org}/rulesets). The fragment below is an illustrative pseudo-policy and not a GitHub schema:
require_codeowners:
  enabled: true
require_pull_request_reviews:
  required_approving_review_count: 2
In ruleset terms these map to a pull_request rule with require_code_owner_review and required_approving_review_count, applied org-wide to the default branch of every repository.
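The script below is an added example, not code from the original post, and it also serves the org-wide branch protection of Step 5: it expresses the pull-request, signed-commit, status-check and no-force-push requirements as an organization ruleset payload, creates it through POST /orgs/{org}/rulesets, and checks a ruleset fetched later for drift (a lowered review count, a removed rule, or an "always" bypass). The ruleset name, the check names, the review count and the `gh` CLI are this example's assumptions; the rule types and parameter names are those of the rulesets REST API.

```python
"""Added example: an organization ruleset as code, with a drift check.

Assumptions: `gh` is logged in as an org owner; ruleset name, required
check contexts and approval count are placeholders for this example.
"""
from __future__ import annotations

import json
import subprocess
from typing import Any


def gh_api(method: str, path: str, body: dict | None = None) -> Any:
    """Call the REST API via gh; a body is passed as JSON on stdin."""
    cmd = ["gh", "api", "--method", method, path]
    if body is not None:
        cmd += ["--input", "-"]
    out = subprocess.run(cmd, input=json.dumps(body) if body is not None else None,
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out else None


def build_default_branch_ruleset(name: str, required_checks: list[str],
                                 approvals: int = 1,
                                 bypass_team_ids: tuple[int, ...] = ()) -> dict:
    """Ruleset for the default branch of every repository in the org."""
    rules: list[dict] = [
        {"type": "deletion"},             # nobody deletes the default branch
        {"type": "non_fast_forward"},     # no force pushes
        {"type": "required_signatures"},  # signed commits only
        {"type": "pull_request", "parameters": {
            "required_approving_review_count": approvals,
            "dismiss_stale_reviews_on_push": True,
            "require_code_owner_review": True,        # CODEOWNERS must approve
            "require_last_push_approval": False,
            "required_review_thread_resolution": True,
        }},
    ]
    if required_checks:
        rules.append({"type": "required_status_checks", "parameters": {
            "strict_required_status_checks_policy": True,
            "required_status_checks": [{"context": c} for c in required_checks],
        }})
    return {
        "name": name,
        "target": "branch",
        "enforcement": "active",
        # Teams may bypass only via a pull request, never by pushing directly
        "bypass_actors": [{"actor_id": t, "actor_type": "Team", "bypass_mode": "pull_request"}
                          for t in bypass_team_ids],
        "conditions": {
            "ref_name": {"include": ["~DEFAULT_BRANCH"], "exclude": []},
            "repository_name": {"include": ["~ALL"], "exclude": [], "protected": False},
        },
        "rules": rules,
    }


def ruleset_drift(live: dict, baseline: dict) -> list[str]:
    """Compare a ruleset fetched from the API with the baseline; [] = no drift."""
    findings: list[str] = []
    if live.get("enforcement") != "active":
        findings.append(f"enforcement is {live.get('enforcement')!r}, not active")
    live_rules = {r["type"]: r.get("parameters", {}) for r in live.get("rules", [])}
    for rule in baseline["rules"]:
        if rule["type"] not in live_rules:
            findings.append(f"missing rule {rule['type']}")
    want = next(r["parameters"] for r in baseline["rules"] if r["type"] == "pull_request")
    have = live_rules.get("pull_request")
    if have is not None:
        if have.get("required_approving_review_count", 0) < want["required_approving_review_count"]:
            findings.append("fewer approving reviews required than baseline")
        if not have.get("require_code_owner_review"):
            findings.append("code owner review not required")
    for actor in live.get("bypass_actors", []):
        if actor.get("bypass_mode") == "always":
            findings.append(f"bypass_mode always for {actor.get('actor_type')} {actor.get('actor_id')}")
    return findings


def create_ruleset(org_name: str, payload: dict) -> int:
    """Create the ruleset org-wide and return its id (live call)."""
    return gh_api("POST", f"/orgs/{org_name}/rulesets", payload)["id"]


BASELINE = build_default_branch_ruleset("default-branch-baseline",
                                        ["ci / build", "ci / test"], approvals=2)

# Constructed "live" ruleset, shaped like GET /orgs/{org}/rulesets/{id}, after
# someone lowered the review count, dropped signed commits and added a bypass.
SAMPLE_LIVE = {
    "id": 42, "name": "default-branch-baseline", "enforcement": "active",
    "bypass_actors": [{"actor_id": 7, "actor_type": "Team", "bypass_mode": "always"}],
    "rules": [
        {"type": "deletion"}, {"type": "non_fast_forward"},
        {"type": "pull_request", "parameters": {"required_approving_review_count": 1,
                                                "require_code_owner_review": True}},
        {"type": "required_status_checks", "parameters": {
            "strict_required_status_checks_policy": True,
            "required_status_checks": [{"context": "ci / build"}, {"context": "ci / test"}]}},
    ],
}

if __name__ == "__main__":
    for finding in ruleset_drift(SAMPLE_LIVE, BASELINE) or ["no drift"]:
        print(finding)
```

Keep the payload under version control and review changes to it like code; the drift check, run against `GET /orgs/{org}/rulesets/{id}` on a schedule, catches the case where an owner weakens the ruleset in the UI without touching the repository.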
Real-World Use Cases
| Use Case | Policy/Feature Required |
|---|---|
| Enforce 2FA for all members | Settings > Authentication security |
| Prevent unapproved GitHub Actions | Settings > Actions > General (allowed actions policy) |
| Centralized secrets for deployments | Settings > Secrets and variables > Actions |
| Standardize repo setup with templates | Repository templates + Repository defaults |
| Enforce CI + code review | Branch protection rules / organization rulesets |
| Deny external OAuth apps | Third-party Access settings |
| Require CODEOWNERS for ownership | Branch protection (require code owner review) + CODEOWNERS file |
Best Practices
- Use Teams to manage access instead of individual users.
- Enforce branch protection on main branches.
- Create a compliance repo documenting all policies.
- Use Audit Logs to monitor suspicious activity.
- Keep GitHub Apps and PATs tightly scoped.
- Review member privileges quarterly.
Bonus: GitHub CLI for Org Policies
You can script organization policies with GitHub CLI (run as an org owner after gh auth login):
# Disable repository creation by members (-F sends false as a JSON boolean)
gh api --method PATCH /orgs/MY_ORG \
  -F members_can_create_repositories=false
Summary
| Capability | Org Policy Feature |
|---|---|
| Security enforcement | 2FA, OAuth App control, token control |
| Collaboration governance | Team-based access, repo creation limits |
| Dev workflow enforcement | Branch protection, CODEOWNERS, CI |
| Automation & Integration | GitHub Apps, Action runner controls |
| Central secrets management | Org-wide Secrets |
| Visibility & audit | Audit Logs, Action logs |
I'm a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I am working at Cotocus. I blog tech insights at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at I reviewed, and SEO strategies at Wizbrand.