GitHub Repository Permissions and Access Review SOP
Standard procedure for reviewing, granting, and auditing GitHub repository permissions, branch protection rules, CODEOWNERS coverage, and access controls.
Steps
- Confirm the review scope and repository list
  The repository administrator verifies the review period, the repositories in scope, and the reason for the access review. Record the following:
  - Repository name and owner
  - Review type: periodic review, new access request, permission change, or audit follow-up
  - Review period start and end dates
  - Required approver or control owner
  If the repository is not in scope, escalate to the control owner and stop the review.
- Collect the current access and control evidence
  The repository administrator exports or records the current repository collaborators, teams, roles, branch protection rules, and CODEOWNERS file location. Capture evidence for:
  - Direct collaborators and their permission levels
  - Teams with repository access
  - Branch protection rules on protected branches
  - CODEOWNERS file presence and path
  - Recent access changes since the last review
- Verify repository permissions against approved access
  The security administrator compares each collaborator and team permission against the approved access list. Verify that:
  - Each user has a documented business need
  - Each permission level matches the approved role
  - No inactive, transferred, or terminated users retain access
  - No direct admin access exists unless explicitly approved
  Record any deviation as a non-conformance and assign an owner for remediation.
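The comparison in this step can be scripted so that each deviation is produced consistently. The following is an added example written for this SOP, not code from the original page or from GitHub. The collaborator export, the approved access list, the inactive-user set and the `Deviation` record type are all constructed for the example; the `login` and `role_name` field names mirror what a collaborator listing exported from GitHub carries, and the shape of the approved access list is assumed to be whatever the control owner maintains.

```python
"""Compare a repository's current collaborator permissions against the
approved access list and report each deviation as a non-conformance.

Added example for this SOP (not the page's own code). All inputs below are
constructed samples; the approved-list layout is an assumption.
"""
from dataclasses import dataclass

# Constructed sample: one repository's exported direct collaborators.
CURRENT_COLLABORATORS = [
    {"login": "alice", "role_name": "admin"},
    {"login": "bob", "role_name": "write"},
    {"login": "carol", "role_name": "maintain"},
    {"login": "dave", "role_name": "read"},
]

# Constructed sample: the approved access list kept by the control owner.
# 'admin_approved' records the explicit approval this step requires for direct admin access.
APPROVED_ACCESS = {
    "alice": {"role": "admin", "justification": "repository owner", "admin_approved": True},
    "bob": {"role": "write", "justification": "backend developer", "admin_approved": False},
    "carol": {"role": "write", "justification": "release engineer", "admin_approved": False},
}

# Constructed sample: users reported as transferred or terminated since the last review.
INACTIVE_USERS = {"dave"}


@dataclass(frozen=True)
class Deviation:
    """One non-conformance with the owner assigned to remediate it."""
    login: str
    finding: str
    owner: str = "repository administrator"


def review_permissions(collaborators, approved, inactive):
    """Return every deviation found for one repository, in collaborator order."""
    deviations = []
    for entry in collaborators:
        login, role = entry["login"], entry["role_name"]
        # Inactive users must not retain any access, whatever the approved list says.
        if login in inactive:
            deviations.append(Deviation(login, f"inactive user retains {role} access"))
            continue
        record = approved.get(login)
        if record is None or not record.get("justification"):
            deviations.append(Deviation(login, "no documented business need"))
            continue
        if role != record["role"]:
            deviations.append(Deviation(
                login, f"permission {role} does not match approved role {record['role']}"))
        if role == "admin" and not record.get("admin_approved", False):
            deviations.append(Deviation(login, "direct admin access without explicit approval"))
    # Approved users who no longer hold access are reported for the control owner to reconcile.
    present = {entry["login"] for entry in collaborators}
    for login in approved:
        if login not in present:
            deviations.append(Deviation(login, "approved access not present in repository", "control owner"))
    return deviations


if __name__ == "__main__":
    for d in review_permissions(CURRENT_COLLABORATORS, APPROVED_ACCESS, INACTIVE_USERS):
        print(f"{d.login}: {d.finding} (owner: {d.owner})")
```

Team-granted access is deliberately left out of this block: before comparing, expand each team with repository access into its members and feed them in alongside the direct collaborators, otherwise a user who holds write access only through a team is never examined.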
- Review branch protection rules on protected branches
  The repository administrator verifies that protected branches have the required controls enabled. Check for:
  - Required pull request reviews
  - Required status checks before merge
  - Restriction on force pushes
  - Restriction on branch deletion
  - Required review from code owners where applicable
  If a required control is missing, escalate to the repository owner and document the deviation.
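The checklist in this step maps directly onto the fields of an exported branch protection rule, so it can be evaluated mechanically for every protected branch. The following is an added example for this SOP, not code from the original page or from GitHub. The field names (`required_pull_request_reviews`, `required_status_checks`, `allow_force_pushes`, `allow_deletions`) follow the branch protection object returned by GitHub's REST API as I know it; the branch names and setting values are constructed, and `None` is used here as the assumed representation of a branch that has no protection rule at all.

```python
"""Evaluate exported branch protection settings against the controls this
step requires and list what is missing per branch.

Added example for this SOP (not the page's own code). Sample data is constructed.
"""

# Constructed sample: a compliant protection rule on the default branch.
PROTECTION_MAIN = {
    "required_pull_request_reviews": {
        "required_approving_review_count": 1,
        "require_code_owner_reviews": True,
        "dismiss_stale_reviews": True,
    },
    "required_status_checks": {"strict": True, "contexts": ["ci/build", "ci/test"]},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
    "enforce_admins": {"enabled": True},
}

# Constructed sample: a release branch whose rule was loosened over time.
PROTECTION_RELEASE = {
    "required_pull_request_reviews": {
        "required_approving_review_count": 0,
        "require_code_owner_reviews": False,
    },
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": False},
}

# Constructed sample: branch name -> protection object (None = no rule exists).
SAMPLE_BRANCHES = {"main": PROTECTION_MAIN, "release/1.x": PROTECTION_RELEASE, "develop": None}


def evaluate_branch_protection(protection, require_code_owner_review=True):
    """Return the required controls that are missing for one branch.

    `protection` is the decoded protection object, or None when the branch
    carries no protection rule, in which case every control is missing.
    """
    controls = [
        "required pull request reviews",
        "required status checks before merge",
        "restriction on force pushes",
        "restriction on branch deletion",
    ]
    if require_code_owner_review:
        controls.append("required review from code owners")
    if protection is None:
        return list(controls)

    missing = []
    reviews = protection.get("required_pull_request_reviews") or {}
    # A review requirement with zero approvals required does not count as a control.
    if reviews.get("required_approving_review_count", 0) < 1:
        missing.append(controls[0])
    checks = protection.get("required_status_checks") or {}
    # A status-check rule with no contexts blocks nothing.
    if not checks.get("contexts"):
        missing.append(controls[1])
    if (protection.get("allow_force_pushes") or {}).get("enabled", False):
        missing.append(controls[2])
    if (protection.get("allow_deletions") or {}).get("enabled", False):
        missing.append(controls[3])
    if require_code_owner_review and not reviews.get("require_code_owner_reviews", False):
        missing.append(controls[4])
    return missing


def review_protected_branches(branches, require_code_owner_review=True):
    """Map each branch name to its list of missing controls (empty list = compliant)."""
    return {name: evaluate_branch_protection(rule, require_code_owner_review)
            for name, rule in branches.items()}


if __name__ == "__main__":
    for name, missing in review_protected_branches(SAMPLE_BRANCHES).items():
        print(f"{name}: {'compliant' if not missing else 'missing ' + ', '.join(missing)}")
```

The evaluation treats "the rule exists but is empty" the same as "the rule is absent" for each control: a review requirement with zero required approvals or a status-check requirement with no contexts is reported as missing, because the review is about the effect of the control, not the presence of a setting.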
- Confirm CODEOWNERS coverage for critical paths
  The engineering manager verifies that the CODEOWNERS file covers critical directories, sensitive files, and release paths. Confirm that:
  - The CODEOWNERS file exists in the expected location
  - Critical paths are assigned to competent owners
  - Ownership is current for active teams and services
  - No critical path is left without an owner
  If coverage is incomplete, create a non-conformance and assign corrective action.
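Coverage of critical paths is easy to misjudge by eye because CODEOWNERS applies the last matching pattern, and a pattern with no owner listed clears ownership for everything it matches. The following is an added example for this SOP, not code from the original page or from GitHub: it parses a CODEOWNERS file with a simplified gitignore-style matcher (anchored and unanchored patterns, directory patterns, `*`, `**` and `?`; no escaped spaces or other rarer syntax) and reports, for each critical path, whether it has a current owner. The CODEOWNERS text, the list of critical paths, the team names and the set of active owners are all constructed.

```python
"""Check that a CODEOWNERS file assigns a current owner to every critical path.

Added example for this SOP (not the page's own code). The matcher is a
simplified model of CODEOWNERS pattern rules; the sample inputs are constructed.
"""
import re

# Constructed sample CODEOWNERS content.
CODEOWNERS_TEXT = """\
# Constructed sample CODEOWNERS for this example
/infra/                 @acme/infra-team
/.github/workflows/     @acme/release-eng
/src/auth/              @acme/security-team @acme/backend-team
/docs/                  @acme/docs-team
# A pattern with no owner clears ownership of everything it matches
/scripts/legacy/
"""

# Constructed sample: paths the engineering manager considers critical.
CRITICAL_PATHS = [
    "infra/terraform/main.tf",
    ".github/workflows/release.yml",
    "src/auth/token.py",
    "src/billing/charge.py",
    "docs/runbook.md",
    "scripts/legacy/deploy.sh",
]

# Constructed sample: teams that currently exist and are active (docs-team was disbanded).
ACTIVE_OWNERS = {"@acme/infra-team", "@acme/release-eng", "@acme/security-team", "@acme/backend-team"}


def pattern_to_regex(pattern):
    """Translate one CODEOWNERS pattern into a compiled regex over repo-relative paths."""
    anchored = pattern.startswith("/")
    p = pattern.lstrip("/")
    dir_only = p.endswith("/")
    p = p.rstrip("/")
    body = ""
    i = 0
    while i < len(p):
        if p.startswith("**", i):
            body += ".*"          # any number of path segments
            i += 2
            continue
        c = p[i]
        if c == "*":
            body += "[^/]*"       # within one segment
        elif c == "?":
            body += "[^/]"
        else:
            body += re.escape(c)
        i += 1
    # A pattern without a slash matches that name anywhere in the tree.
    prefix = "(?:.*/)?" if (not anchored and "/" not in p) else ""
    if dir_only:
        suffix = "/.*"            # only the contents of the directory
    elif p.endswith("*"):
        suffix = ""               # the glob itself decides how deep it matches
    else:
        suffix = "(?:/.*)?"       # a file, or a directory and everything under it
    return re.compile("^" + prefix + body + suffix + "$")


def parse_codeowners(text):
    """Return [(regex, [owners]), ...] in file order, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        rules.append((pattern_to_regex(parts[0]), parts[1:]))
    return rules


def owners_for(rules, path):
    """Owners of a path: the last matching rule wins, as in CODEOWNERS."""
    path = path.lstrip("/")
    owners = []
    for regex, rule_owners in rules:
        if regex.match(path):
            owners = rule_owners
    return owners


def check_coverage(codeowners_text, critical_paths, active_owners):
    """Map each critical path to its owners and a status: ok, no_owner or inactive_owner."""
    rules = parse_codeowners(codeowners_text)
    results = {}
    for path in critical_paths:
        owners = owners_for(rules, path)
        if not owners:
            status = "no_owner"
        elif any(owner not in active_owners for owner in owners):
            status = "inactive_owner"
        else:
            status = "ok"
        results[path] = {"owners": owners, "status": status}
    return results


if __name__ == "__main__":
    for path, info in check_coverage(CODEOWNERS_TEXT, CRITICAL_PATHS, ACTIVE_OWNERS).items():
        print(f"{path}: {info['status']} {info['owners']}")
```

Two of the findings in the sample are the ones that a visual scan tends to miss: `scripts/legacy/deploy.sh` is matched by a rule and still has no owner, and `docs/runbook.md` has an owner that no longer exists, which this step counts as ownership that is not current. Run it against the real CODEOWNERS file by reading the file at its recorded location and replacing the active-owner set with the organization's current team list.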
- Evaluate access requests and permission changes
  The repository administrator reviews any pending access request or permission change. Assess whether the request has:
  - Business justification
  - Least-privilege alignment
  - Manager or control-owner approval
  - Time-bound access if elevated permissions are requested
- Apply the approved permission change
  The repository administrator grants, modifies, or revokes the repository permission exactly as approved. Apply the minimum access required and confirm that the change is reflected in GitHub. If elevated access is granted, set a review date or expiration date where the platform supports it.
- Escalate unresolved deviations or access exceptions
  The security administrator escalates any unresolved deviation, missing approval, or control gap to the repository owner and compliance owner. Escalate when:
  - A user retains access without a valid business need
  - Branch protection is missing a required control
  - CODEOWNERS coverage is incomplete for critical paths
  - A permission change exceeds approved tolerance
  Do not close the review until the escalation owner records a disposition.
- Record the review result and retain evidence
  The repository administrator records the review outcome in the change log or ticketing system. Include:
  - Review date and reviewer name
  - Repositories reviewed
  - Permissions verified or changed
  - Branch protection status
  - CODEOWNERS coverage status
  - Deviations, non-conformances, and escalations
  - Final approval or closure note
  Retain evidence according to the organization's documented information retention requirements.