How do I document SOC 2 evidence for GitHub access controls?
GitHub's Permission Model for SOC 2
GitHub's access model has two layers, and both matter for SOC 2 CC6.1 (logical access) and the provisioning and removal criteria CC6.2 and CC6.3: organization roles, which decide who can administer the org and its membership, and repository permission levels (read, triage, write, maintain, admin), granted directly or through teams. Document which roles you use and who is allowed to hold them:
| GitHub Role | What It Can Do | Who Should Have It |
|---|---|---|
| Owner | Organization settings, billing, membership, and admin rights on every repo | A small, named set (GitHub recommends at least two so the org is not orphaned if one leaves), never every engineer |
| Member | The org's base permission on all repos (set under Member Privileges) plus whatever their teams are granted; no org settings | All employees who need code access |
| Outside Collaborator | Access to specific repos only; not a member, so base permission and team grants do not apply | Contractors, partners |
Evidence to Collect
Organization-Level
- Member list: Screenshot of Settings → People showing every member and their role, with the org name and capture date visible. An API export of members and outside collaborators is stronger evidence than a screenshot because it is complete and timestamped; keep both.
- 2FA enforcement: Screenshot showing "Require two-factor authentication" is enabled. Before turning it on, check the 2FA filter on the People page: GitHub removes members and outside collaborators who do not already have 2FA when the requirement is enabled.
- Default permissions: Screenshot of Member Privileges showing the base permission. For an org with production repos it should be Read or No permission; a base permission of Write or Admin gives every member push or admin rights on every repo regardless of team.
- SSO configuration: If using SAML SSO, screenshot of the SSO settings showing the identity provider and whether SSO is required (enforced) rather than only enabled, since only enforced SSO ties GitHub access to the IdP's joiner and leaver process.
Repository-Level
- Branch protection: Screenshot of the rules on the default branch (usually main) of each production repo, showing required pull request reviews, required status checks, "Include administrators", and that force pushes and deletions are blocked. If the repo uses rulesets instead of classic branch protection, capture the ruleset and its enforcement status.
- Team access: Screenshot showing which teams have access to which repos and their permission levels (read, write, admin)
- Deploy keys: List of deploy keys per repo with title, whether each is read-only or has write access, creation date, and last use. Every key should map to a named system and an owner; a write-access key that nobody can attribute is a finding.
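The repository-level checks above, as an added example (not part of the original page and not GitHub's own tooling): a script that reads the branch protection and deploy key JSON exported for each production repo and reports what misses a baseline. The inputs are constructed inline in the shape of the GitHub REST API responses for `GET /repos/{owner}/{repo}/branches/{branch}/protection` (a 404 for an unprotected branch is represented as `None`) and `GET /repos/{owner}/{repo}/keys`; repo names, keys and dates are made up, and the thresholds (`MIN_REVIEWS`, `STALE_KEY_AFTER`) are policy assumptions, not GitHub defaults.

```python
"""Repository-level checks against a branch-protection and deploy-key baseline.

Added example for this page; it is not GitHub's tooling. The inputs are
constructed inline in the shape of the GitHub REST API responses for
GET /repos/{owner}/{repo}/branches/{branch}/protection (a 404 for an
unprotected branch is represented as None) and GET /repos/{owner}/{repo}/keys.
Repo names, keys and dates are made up; thresholds are policy assumptions.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)   # constructed review date
MIN_REVIEWS = 1                                   # policy assumption
STALE_KEY_AFTER = timedelta(days=90)              # policy assumption

# Constructed exports: repo -> protection JSON for its default branch.
PROTECTION = {
    "api": {
        "required_pull_request_reviews": {"required_approving_review_count": 1},
        "required_status_checks": {"strict": True, "contexts": ["ci/test"]},
        "enforce_admins": {"enabled": True},
        "allow_force_pushes": {"enabled": False},
    },
    "web": {
        "required_pull_request_reviews": {"required_approving_review_count": 0},
        "required_status_checks": None,
        "enforce_admins": {"enabled": False},
        "allow_force_pushes": {"enabled": True},
    },
    "infra": None,  # the protection endpoint returned 404: main is unprotected
}

# Constructed exports: repo -> deploy keys.
DEPLOY_KEYS = {
    "api": [
        {"id": 1, "title": "ci-runner-ro", "read_only": True,
         "created_at": "2024-01-10T00:00:00Z", "last_used": "2024-06-30T00:00:00Z"},
        {"id": 2, "title": "legacy-deployer", "read_only": False,
         "created_at": "2022-03-01T00:00:00Z", "last_used": "2023-11-02T00:00:00Z"},
    ],
    "web": [],
    "infra": [
        {"id": 3, "title": "", "read_only": False,
         "created_at": "2024-05-01T00:00:00Z", "last_used": None},
    ],
}


def _ts(value):
    """Parse a GitHub ISO-8601 UTC timestamp; None stays None."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_branch_protection(repo, protection, min_reviews=MIN_REVIEWS):
    """Return (repo, issue) pairs where the default branch misses the baseline."""
    if protection is None:
        return [(repo, "no_branch_protection")]
    issues = []
    reviews = protection.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < min_reviews:
        issues.append((repo, f"required_reviews<{min_reviews}"))
    if not protection.get("required_status_checks"):
        issues.append((repo, "no_required_status_checks"))
    if not (protection.get("enforce_admins") or {}).get("enabled"):
        issues.append((repo, "admins_can_bypass"))
    if (protection.get("allow_force_pushes") or {}).get("enabled"):
        issues.append((repo, "force_push_allowed"))
    return issues


def check_deploy_keys(repo, keys, now=NOW, stale_after=STALE_KEY_AFTER):
    """Flag keys with no attributable title, long unused, or with write access."""
    issues = []
    for key in keys:
        label = f"key#{key['id']}"
        if not key.get("title"):
            issues.append((repo, f"{label}:no_owner_title"))
        # A key that was never used is aged from its creation date.
        last = _ts(key.get("last_used")) or _ts(key["created_at"])
        if now - last > stale_after:
            issues.append((repo, f"{label}:unused_{(now - last).days}d"))
        if not key.get("read_only"):
            issues.append((repo, f"{label}:write_access"))
    return issues


def run_repo_checks(protection=PROTECTION, deploy_keys=DEPLOY_KEYS):
    """Collect findings for every repo in either export, in stable order."""
    findings = []
    for repo in sorted(set(protection) | set(deploy_keys)):
        findings += check_branch_protection(repo, protection.get(repo))
        findings += check_deploy_keys(repo, deploy_keys.get(repo, []))
    return findings


if __name__ == "__main__":
    for repo, issue in run_repo_checks():
        print(f"{repo}: {issue}")
```

The point of keeping the findings as plain (repo, issue) pairs is that the same list becomes the evidence: attach the raw exports, the script's output and the remediation for each line, and the auditor can reproduce the result rather than trust a screenshot.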
Audit Log
- Organization audit log: Export covering the audit period showing membership changes (for example the org.add_member, org.remove_member and org.update_member actions), permission and branch protection changes, and other administrative actions. GitHub keeps the organization audit log for the current month plus the previous six months, so a twelve-month audit window needs exports taken at least every six months (or audit log streaming on GitHub Enterprise) rather than a single pull at the end of the period.
Access Review Process
For your quarterly access review, check GitHub specifically:
- Are all organization members still employees?
- Does anyone have Owner access who shouldn't?
- Are Outside Collaborators still needed?
- Are there any personal access tokens or SSH keys from former employees? These belong to the user's personal account, not the org, so removing the account from the org revokes access through them; on a SAML-enforced org, also revoke the person's SSO-authorized credentials. Check separately for deploy keys and shared or machine accounts tied to that person.
Record the review as evidence: date, reviewer name, the exports reviewed, each finding, and the change made with a reference (ticket or audit log entry). A review that records "no changes" still needs the inputs it was checked against.
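The quarterly review above, as an added example (not part of the original page and not GitHub's own tooling): a script that compares the org's owners, members and outside collaborators with the HR roster and produces the dated, attributed record the evidence needs. The inputs are constructed inline in the shape of the GitHub REST API responses: simple user objects with a `login` from `GET /orgs/{org}/members?role=admin` (owners), `GET /orgs/{org}/members?role=member` and `GET /orgs/{org}/outside_collaborators`, and the organization object from `GET /orgs/{org}`, whose `two_factor_requirement_enabled` field is visible to owners. The logins, the roster, `APPROVED_OWNERS`, `MAX_OWNERS` and the `REMEDIATION` table are made up policy assumptions.

```python
"""Quarterly access review: GitHub org membership against the HR roster.

Added example for this page; it is not GitHub's tooling. The inputs are
constructed inline in the shape of the GitHub REST API responses: simple
user objects ("login") from GET /orgs/{org}/members?role=admin (owners),
GET /orgs/{org}/members?role=member and GET /orgs/{org}/outside_collaborators,
and the organization object from GET /orgs/{org}, whose
"two_factor_requirement_enabled" field is visible to owners. Logins, roster
and policy limits are made up.
"""
from datetime import date

# Constructed GitHub exports.
ORG = {"login": "example-org", "two_factor_requirement_enabled": False}
OWNERS = [{"login": "cto-alice"}, {"login": "dev-bob"}, {"login": "dev-carol"}]
MEMBERS = [{"login": "dev-dave"}, {"login": "dev-erin"}, {"login": "ex-frank"}]
OUTSIDE_COLLABORATORS = [{"login": "contractor-gina"}, {"login": "contractor-hank"}]

# Constructed HR input: logins of current employees and of contractors with
# an active contract, plus the approved owner list and cap (policy assumptions).
EMPLOYEE_LOGINS = {"cto-alice", "dev-bob", "dev-carol", "dev-dave", "dev-erin"}
ACTIVE_CONTRACTOR_LOGINS = {"contractor-gina"}
APPROVED_OWNERS = {"cto-alice", "cofounder-zoe"}
MAX_OWNERS = 2

# What the reviewer does about each finding type (policy assumption).
REMEDIATION = {
    "former_employee_member": "remove from organization",
    "unapproved_owner": "change role to Member",
    "too_many_owners": "reduce owners to the approved list",
    "stale_outside_collaborator": "remove repository access",
    "employee_as_outside_collaborator": "convert to Member so base permission and teams apply",
    "two_factor_not_enforced": "enable 'Require two-factor authentication'",
}


def review_access(org, owners, members, collaborators,
                  employees, contractors, approved_owners, max_owners):
    """Return (finding_type, subject) pairs; an empty list means a clean review."""
    owner_logins = {u["login"] for u in owners}
    member_logins = {u["login"] for u in members}
    collab_logins = {u["login"] for u in collaborators}
    findings = []
    # Anyone in the org, whatever the role, who is not on the employee roster.
    for login in sorted((owner_logins | member_logins) - employees):
        findings.append(("former_employee_member", login))
    # Owners outside the approved list, and too many owners overall.
    for login in sorted(owner_logins - approved_owners):
        findings.append(("unapproved_owner", login))
    if len(owner_logins) > max_owners:
        findings.append(("too_many_owners", f"{len(owner_logins)}>{max_owners}"))
    # Outside collaborators whose contract has ended.
    for login in sorted(collab_logins - contractors):
        findings.append(("stale_outside_collaborator", login))
    # Employees granted repo by repo instead of through membership and teams.
    for login in sorted(collab_logins & employees):
        findings.append(("employee_as_outside_collaborator", login))
    if not org.get("two_factor_requirement_enabled"):
        findings.append(("two_factor_not_enforced", org["login"]))
    return findings


def review_record(findings, reviewer, review_date=None):
    """The evidence artefact: who reviewed, when, what was found, what changes."""
    review_date = review_date or date.today()
    return {
        "date": review_date.isoformat(),
        "reviewer": reviewer,
        "findings": [{"type": t, "subject": s, "action": REMEDIATION[t]}
                     for t, s in findings],
        "clean": not findings,
    }


def run_review():
    """Run the review over the constructed exports and roster."""
    return review_access(ORG, OWNERS, MEMBERS, OUTSIDE_COLLABORATORS,
                         EMPLOYEE_LOGINS, ACTIVE_CONTRACTOR_LOGINS,
                         APPROVED_OWNERS, MAX_OWNERS)


if __name__ == "__main__":
    import json
    print(json.dumps(review_record(run_review(), "reviewer@example.com"), indent=2))
```

The roster is the control here, not GitHub: the review only means something if the employee and contractor lists come from HR at review time, so store the exported roster next to the GitHub exports and the output record.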
Common Findings
- Former employees still listed as organization members
- All engineers set as Owners instead of Members
- No branch protection on the main branch
- 2FA not enforced at the organization level
- Stale Outside Collaborator accounts from past contracts