Using Our Tools · Guide · Developer Utilities
GitHub Public vs Private + Permissions Guide
Private vs public repos, GitHub for client projects, code theft + IP protection, branch protection rules to prevent breaking production, license interpretation, what happens if GitHub gets hacked, stopping API key leaks.
“Is GitHub safe for client work?” comes up weekly in r/freelance and r/cscareerquestions. The answer depends on what you mean by safe — visibility, IP protection, security, or compliance. This guide walks each.
Advertisement
Private vs public repos
- Public: anyone can read. You control who can write. Free for unlimited repos. Visible to search engines.
- Private: only invited collaborators can read or write. Free for unlimited repos (since 2019). Not visible to search engines or non-collaborators.
The default is private for new repos. Make sure you check before pushing anything sensitive.
Is GitHub safe for client projects?
For most freelance + agency work: yes, with sensible setup.
- Use private repos for client work. Add the client as a collaborator if they want access; otherwise keep it to your team.
- Don’t commit secrets. Use environment variables; configure the client’s secrets via GitHub Actions secrets or their cloud provider’s secret manager.
- Sign NDAs first. If client requires it, GitHub Enterprise Cloud or Enterprise Server has the compliance features (SAML SSO, audit logs, longer retention).
- Transfer the repo at project end. GitHub has a built-in repo transfer flow. Move it to the client’s org when the engagement ends.
For HIPAA / FedRAMP / similarly regulated work: GitHub Enterprise Cloud is compliant. Confirm specific requirements with the client’s compliance team before committing.
How would I know if my code was stolen on GitHub?
Practical detection:
- GitHub code search. Search distinctive strings from your code. Catches direct copy-paste theft.
- Sourcegraph public search. Same idea, different index. Sometimes catches what GitHub search doesn’t.
- Distinctive variable names + comments. Add unusual identifiers to your code. Plagiarism detection becomes trivial.
- License signal. If your repo is MIT/Apache, “stealing” is mostly attribution failure. Add a clear LICENSE file.
For genuinely critical IP: don’t put it on GitHub at all. Use a private repo with strict access controls, or self-host on GitLab/Gitea.
GitHub permissions + production safety
The branch protection rules that prevent breaking production:
- Required reviews. Block merge to main without N approvals.
- Required status checks. Block merge until CI passes.
- No force-push. Prevents history rewriting on main.
- Restrict who can push. Limit deploy-related branches to specific roles.
- Code owners. Require specific people to approve changes to specific paths (e.g. infra dirs require infra-team approval).
Set these on day 1 for any team repo. Teams that skip them eventually have a “why did this break production?” incident that traces to a missing protection rule.
Can I download someone else’s code and use it legally?
Depends on the license:
- MIT, Apache 2.0, BSD: permissive. You can use, modify, distribute, even commercially. Must include attribution.
- GPL, AGPL: copyleft. If you distribute software using GPL code, your software must also be GPL. AGPL extends this to network-served software.
- No license: default copyright applies. You can’t legally use it without permission, even if it’s public on GitHub.
- “Source available” (BSL, Elastic License): somewhere in between. Read the specific terms — usually allows internal use but restricts hosting as a competing service.
What happens to my code if GitHub gets hacked?
GitHub has had security incidents but no full-database breach to date. The practical risks:
- Account compromise. Most common. Mitigate with 2FA + a password manager.
- Token leakage. Personal Access Tokens accidentally committed to public repos. GitHub Secret Scanning catches most of these automatically.
- Provider-wide breach. Hypothetical. The realistic mitigation is keeping local clones (you have them anyway) and not relying on GitHub as your only backup.
For genuinely critical code: mirror to a second provider (GitLab, Bitbucket, self-hosted Gitea) on a periodic schedule. Never have a single point of failure.
Stopping API keys from getting leaked
Standard practices:
- Never commit secrets. Use .env files (gitignored), GitHub Actions secrets, or cloud secret managers.
- GitHub Secret Scanning. Free, scans for known token patterns (AWS, Stripe, etc.). Auto-rotates some tokens via partner integrations.
- Pre-commit hooks. Tools like git-secrets or trufflehog prevent committing tokens locally.
- Rotate tokens regularly. Even with prevention, assume some will leak. Short token lifetimes limit damage.
- If a token leaks: rotate immediately, audit access logs, force-push removal won’t help (Git history persists in clones — consider it permanently exposed).
Use these while you read
Tools that pair with this guide
- JSON FormatterPaste JSON to format, validate, and minify. Clear error messages with line numbers. Free and runs in your browser.Developer Utilities
- JSON to CSV ConverterConvert JSON arrays to CSV instantly. Auto-detects headers, handles nested fields, exports to file.Developer Utilities
- Base64 Encoder & DecoderEncode text to base64 or decode base64 back to text. UTF-8 safe. Runs entirely in your browser.Developer Utilities
- URL Encoder & DecoderEncode URLs for safe use in links and query strings, or decode encoded URLs back to readable text.Developer Utilities
Frequently asked questions
Is GitHub safe for client projects?
Yes with sensible setup: use private repos, don't commit secrets, sign NDAs first, transfer repo at project end. For HIPAA/FedRAMP/regulated work: GitHub Enterprise Cloud is compliant — confirm specific client requirements before committing.
What's the real difference between public and private repos?
Public: anyone can read, you control writes, visible to search engines. Private: only invited collaborators can read or write, not search-indexed. Both free for unlimited repos. Default for new repos is private — verify before pushing anything sensitive.
How do I stop my API keys from getting stolen on GitHub?
Never commit secrets — use .env (gitignored) + GitHub Actions secrets or cloud secret managers. Enable GitHub Secret Scanning (free, auto-detects tokens). Use pre-commit hooks (git-secrets, trufflehog). Rotate tokens regularly. If a token leaks: rotate immediately; force-push won't help (Git history persists in clones).
Can I download someone else's code on GitHub and use it legally?
Depends on license. MIT/Apache/BSD: yes with attribution. GPL/AGPL: yes but your software must also be GPL/AGPL. No license: default copyright applies, you legally can't use without permission. Source-available (BSL, Elastic): read terms — usually allows internal use but restricts competing hosting.
What happens to my code if GitHub gets hacked?
GitHub has had incidents but no full-database breach to date. Realistic risks: account compromise (mitigate with 2FA), token leakage (Secret Scanning catches most), provider-wide breach (keep local clones, mirror to second provider for critical code). Never single-point-of-failure.
How do I set up GitHub permissions so my team can't break production?
Branch protection rules: required reviews (block merge without N approvals), required status checks (CI must pass), no force-push, restrict who can push to deploy branches, code owners (require specific approvers for specific paths). Set these on day 1 — teams that skip eventually have a 'why did this break' incident.
Advertisement
Continue reading
- Using Our ToolsGitHub vs Alternatives + Team FeaturesGitHub vs GitLab decision, DeepSeek + AI-first alternatives, finding developers near you, organizing multiple repositories, non-technical coworker workflows, replacing your project management tool with GitHub.
- Using Our ToolsGitHub Pages and Hosting ExplainedGitHub Pages vs traditional web hosting (when to use which), GitHub pricing tiers explained, using GitHub for non-code documents, can GitHub replace Slack for team communication.
- Using Our ToolsHow to create a strong passwordThe entropy math, 2026 NIST rules, passphrases vs passwords, password managers, MFA and hardware keys, where passkeys fit, 5 mistakes that still lose accounts
- Using Our ToolsHow to generate QR codesMake a QR code for a URL, wifi, vCard, or plain text. What error-correction means, how big to print, how to test it.
- Using Our ToolsCommon File Conversion Questions AnsweredQuick answers to recurring file conversion questions — Office to plain text, metadata privacy, graphics format choices, speed and size, encrypted files, rare formats. Each links to a deeper guide.
- Using Our ToolsHow to Choose a File Converter5-question selection framework for picking the right converter — sensitivity, frequency, complexity, output fidelity, budget. Plus the verification protocol to test before committing, and decision trees by use case.