Break Glass for GitHub PRs with Indent

8 months ago
Written by
Indent
@indent

GitHub branch protection rules ensure that changes to critical branches, such as the main branch, meet certain criteria before being merged into the codebase.

They’re guardrails to ensure PRs are properly reviewed, tested, and approved before they’re merged into the codebase, reducing the likelihood of introducing bugs or vulnerabilities.

But every once in a while you might have an emergency.

One of those hair-on-fire moments where time is ticking, and you need to make a change pronto. That’s when you need to break glass and bypass those branch protection rules, but doing it correctly is critical for the security of your codebase.

The essential components of a secure break glass workflow are:

  • Time-boundedness: no user should be able to bypass branch protection rules indefinitely.
  • Notifications: breaking glass in the physical world makes noise. There should also be noise when your normal security workflow is being circumvented: admins should receive a notification whenever someone bypasses your branch protection rules.
  • Auditability: every time someone uses break glass access, it should be logged so it can be reviewed in a security audit later.

Common Methods

One way we see people attempt to set up break glass access is by creating teams with the ability to override branch protection rules. Members of the team still have persistent access, increasing the potential for a compliance violation, unauthorized action, or a mistake.

Automating the process of granting and revoking access to the team is a great way to ensure that access is only granted when necessary and is automatically revoked after a specified period.

To achieve this, you can use the GitHub API to create a script that:

  • When an issue is opened, adds the requester to the breakglass-approvers team
  • When the issue is closed, removes that user from the team
  • Check out this open-source GitHub repository that uses GitHub Issues/Actions for a DIY solution: github-break-glass-template →

The problem with the Issues/Actions-based approach is that it has no approval step: it is up to the user to decide when to open and close the issue. It also lacks the logging and notification components described above. It's better than nothing, but there's a better way.
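For concreteness, here is what such a script can look like once the time-bound expiry, audit logging and notification that the DIY approach lacks are bolted on. This is an added example, not code from the article or from github-break-glass-template. The two GitHub REST calls it would make are the real Teams endpoints (PUT and DELETE on /orgs/{org}/teams/{team_slug}/memberships/{username}), but the FakeTeamsClient, the BreakGlass class and the demo() scenario are constructed here so that it runs offline; in production on_issue_opened/on_issue_closed would be driven by an Actions workflow on issue events and sweep() by a scheduled run.

```python
"""Issue-driven break-glass membership for a GitHub team, with the time-bound
expiry and audit trail the plain Issues/Actions approach lacks.

Added example (not the article's or the template's code). The real calls are
    PUT    /orgs/{org}/teams/{team_slug}/memberships/{username}
    DELETE /orgs/{org}/teams/{team_slug}/memberships/{username}
but the client below is an in-memory fake so the script runs offline.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import json


class FakeTeamsClient:
    """Stand-in for the GitHub Teams API (constructed for this example)."""

    def __init__(self) -> None:
        self.members: set[str] = set()
        self.calls: list[tuple[str, str]] = []   # (method, username), in call order

    def add_member(self, username: str) -> None:
        self.calls.append(("PUT", username))
        self.members.add(username)

    def remove_member(self, username: str) -> None:
        self.calls.append(("DELETE", username))
        self.members.discard(username)


@dataclass
class Grant:
    username: str
    issue_number: int
    granted_at: datetime
    expires_at: datetime


class BreakGlass:
    MAX_TTL = timedelta(hours=4)   # hard ceiling: nobody stays in the team indefinitely

    def __init__(self, client, team_slug: str, notify=print) -> None:
        self.client = client
        self.team_slug = team_slug
        self.notify = notify           # hook for a chat/paging integration; print by default
        self.grants: dict[str, Grant] = {}
        self.audit_log: list[dict] = []

    def _record(self, now: datetime, event: str, username: str, issue: int, **extra) -> None:
        # Every grant and revoke is both logged (audit) and pushed to the notifier (noise).
        entry = {"ts": now.isoformat(), "event": event, "team": self.team_slug,
                 "user": username, "issue": issue, **extra}
        self.audit_log.append(entry)
        self.notify(json.dumps(entry))

    def on_issue_opened(self, username: str, issue_number: int, now: datetime,
                        ttl: timedelta = timedelta(hours=1)) -> Grant:
        """Issue opened: add the requester to the team for a bounded period."""
        ttl = min(ttl, self.MAX_TTL)
        grant = Grant(username, issue_number, now, now + ttl)
        self.client.add_member(username)
        self.grants[username] = grant
        self._record(now, "grant", username, issue_number, expires_at=grant.expires_at.isoformat())
        return grant

    def on_issue_closed(self, username: str, issue_number: int, now: datetime) -> bool:
        """Issue closed: revoke, but only the grant that this issue actually created."""
        grant = self.grants.get(username)
        if grant is None or grant.issue_number != issue_number:
            return False
        del self.grants[username]
        self.client.remove_member(username)
        self._record(now, "revoke", username, issue_number, reason="issue closed")
        return True

    def sweep(self, now: datetime) -> list[str]:
        """Scheduled job: revoke every grant whose TTL has elapsed, whether or not
        the requester remembered to close the issue."""
        expired = [g for g in self.grants.values() if g.expires_at <= now]
        for g in expired:
            del self.grants[g.username]
            self.client.remove_member(g.username)
            self._record(now, "revoke", g.username, g.issue_number, reason="ttl expired")
        return [g.username for g in expired]


def demo() -> dict:
    """Two grants, one forgotten issue, and the expiry sweep; returns the end state."""
    client = FakeTeamsClient()
    bg = BreakGlass(client, "breakglass-approvers", notify=lambda _: None)
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    bg.on_issue_opened("alice", 42, t0)                               # default 1h TTL
    bob = bg.on_issue_opened("bob", 43, t0, ttl=timedelta(days=30))   # capped to MAX_TTL
    bg.sweep(t0 + timedelta(minutes=30))                              # nothing expired yet
    expired_at_1h = bg.sweep(t0 + timedelta(hours=1))                 # alice never closed #42
    wrong_issue = bg.on_issue_closed("bob", 99, t0 + timedelta(hours=2))
    right_issue = bg.on_issue_closed("bob", 43, t0 + timedelta(hours=2))
    return {
        "bob_ttl_hours": (bob.expires_at - bob.granted_at).total_seconds() / 3600,
        "expired_at_1h": expired_at_1h,
        "wrong_issue_revokes": wrong_issue,
        "right_issue_revokes": right_issue,
        "members_left": sorted(client.members),
        "events": [(e["event"], e["user"]) for e in bg.audit_log],
        "api_calls": client.calls,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The MAX_TTL ceiling and the sweep() job are what make the access time-bound independently of the issue lifecycle, and the audit log plus notifier cover the other two components listed earlier. The gap that remains is the one the article points out: nothing here requires anyone to approve the request before on_issue_opened runs.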

Bypassing Branch Rules the Right Way

The easiest way to incorporate these attributes is to use a privileged access management solution like Indent.

With Indent, you can:

  • Set up access policies and auto-grant or revoke access as needed
  • Log access related events for security and compliance
  • Send notifications to admins to keep them in-the-loop

Set up Break Glass for GitHub PRs

Getting Indent set up with GitHub is free and takes just a few minutes.

  • Create a branch protection rule for main that requires pull request approval before merging and applies to administrators as well (the rule has a separate checkbox for this, “Do not allow bypassing the above settings”, formerly labeled “Include administrators”)
  • Create a GitHub team such as breakglass-approvers and list it under the rule's “Allow specified actors to bypass required pull requests”, so that only members of that team can merge without the usual review
  • Sign up for a free Indent account and select GitHub groups as what you’d like to manage during set-up
  • Start using Indent to grant temporary access to the breakglass-approvers team either with management or on-call approval
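A check worth running after the first two steps: the two GitHub settings they configure can be verified from the API rather than by eye. The function below is an added example, not Indent's or GitHub's code. It inspects the JSON that GitHub's GET /repos/{owner}/{repo}/branches/{branch}/protection endpoint returns and flags anything that would let someone other than the break-glass team skip review; GOOD_PROTECTION and WEAK_PROTECTION are constructed sample responses, trimmed to the fields the check reads.

```python
"""Audit a GitHub branch protection rule for the two properties the set-up
above relies on: administrators are not exempt, and only the break-glass team
may bypass required pull request reviews.

Added example, not Indent's or GitHub's code. The dict shape mirrors GitHub's
REST response for GET /repos/{owner}/{repo}/branches/{branch}/protection; the
two sample payloads are constructed and trimmed to the fields read here.
"""


def audit_branch_protection(protection: dict, breakglass_team: str) -> list[str]:
    """Return findings as plain strings; an empty list means the rule matches the intent."""
    findings = []

    # "Do not allow bypassing the above settings" (formerly "Include administrators")
    if not protection.get("enforce_admins", {}).get("enabled", False):
        findings.append("administrators are exempt from the rule")

    reviews = protection.get("required_pull_request_reviews")
    if reviews is None:
        findings.append("pull request reviews are not required")
        return findings
    if reviews.get("required_approving_review_count", 0) < 1:
        findings.append("required approving review count is 0")

    # "Allow specified actors to bypass required pull requests"
    allowances = reviews.get("bypass_pull_request_allowances", {})
    teams = {t["slug"] for t in allowances.get("teams", [])}
    users = {u["login"] for u in allowances.get("users", [])}
    apps = {a["slug"] for a in allowances.get("apps", [])}

    if breakglass_team not in teams:
        findings.append(f"team {breakglass_team!r} cannot bypass reviews; break glass would not work")
    for extra in sorted(teams - {breakglass_team}):
        findings.append(f"team {extra!r} has standing bypass rights outside the break-glass flow")
    for login in sorted(users):
        findings.append(f"user {login!r} has a standing personal bypass")
    for app in sorted(apps):
        findings.append(f"app {app!r} can bypass reviews; confirm this is intended")
    return findings


# Constructed sample: the configuration the steps above aim for.
GOOD_PROTECTION = {
    "enforce_admins": {"enabled": True},
    "required_pull_request_reviews": {
        "required_approving_review_count": 1,
        "bypass_pull_request_allowances": {
            "users": [],
            "teams": [{"slug": "breakglass-approvers"}],
            "apps": [],
        },
    },
}

# Constructed sample: admins exempt, a standing team and a personal bypass,
# and the break-glass team missing entirely.
WEAK_PROTECTION = {
    "enforce_admins": {"enabled": False},
    "required_pull_request_reviews": {
        "required_approving_review_count": 1,
        "bypass_pull_request_allowances": {
            "users": [{"login": "octocat"}],
            "teams": [{"slug": "platform-eng"}],
            "apps": [],
        },
    },
}


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_PROTECTION), ("weak", WEAK_PROTECTION)):
        print(name, audit_branch_protection(cfg, "breakglass-approvers") or ["ok"])
```

Running this periodically against the live protection response catches the failure mode that makes team-based break glass pointless: someone quietly adding a second team or an individual login to the bypass list, which hands out standing bypass rights with none of the time-bounding, notification or audit trail described above.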

Secure all your access workflows - not just GitHub break glass

Indent can also help manage access to your production infrastructure like AWS, GCP, or Azure. Many teams also choose to set up on-call auto approvals with our PagerDuty, Opsgenie, and Incident.io integrations.

Want to see a demo or have a guided onboarding?

Feel free to schedule time that works for you and we're happy to answer any questions you have!

Try Indent for free.