8 June 2026
Audit your organization's public GitHub footprint
For a company, the public GitHub footprint is an attack surface most teams never fully map. Here is a practical way to audit it and keep it under control.
Inventory every public repository
Start with a complete list. For each organization and each member account that pushes work-related code, enumerate all public repositories. The GitHub API (/orgs/{org}/repos and /users/{user}/repos) returns them; a tool like RepoGuard gives you the same inventory in one view, including repository count, top languages, and most-starred projects.
Assess the risk
Go through the list and ask, for each repo, whether it is meant to be public. Flag anything that looks internal, plus repos whose names hint at sensitive content. Pay special attention to:
- Repos named after internal tools, infrastructure, or environments.
- Forks of private work that were made public.
- Archived or abandoned repos no one is watching anymore.
- Personal accounts of team members that host work-related code.
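The inventory and risk-assessment steps above, as an added example that is not RepoGuard's own code: it pages through the two API endpoints mentioned earlier and applies the four heuristics in the list to each repository object. The owner names in the embedded sample are placeholders, and `INTERNAL_HINTS` is an assumed starting list to tune per organization.

```python
# Added example (not RepoGuard's own code): inventory an owner's public repos via the
# GitHub REST API and flag the ones that match the audit heuristics above.
import json
import re
import urllib.request

API = "https://api.github.com"
# Name fragments that hint at internal tooling or environments; assumed list, tune per org.
INTERNAL_HINTS = re.compile(r"internal|infra|prod|staging|deploy|secret|cred|backup", re.I)

def list_public_repos(owner, is_org=True, token=None):
    """Page through /orgs/{org}/repos or /users/{user}/repos, public repos only."""
    kind = "orgs" if is_org else "users"
    repos, page = [], 1
    while True:
        url = f"{API}/{kind}/{owner}/repos?type=public&per_page=100&page={page}"
        req = urllib.request.Request(url, headers={"Accept": "application/vnd.github+json"})
        if token:  # a token raises the rate limit; public data needs none
            req.add_header("Authorization", f"Bearer {token}")
        with urllib.request.urlopen(req) as resp:
            batch = json.load(resp)
        if not batch:
            return repos
        repos.extend(batch)
        page += 1

def flag_repo(repo):
    """Audit flags for one repo object as returned by the API; empty list = no finding."""
    flags = []
    if INTERNAL_HINTS.search(repo["name"]):
        flags.append("name hints at an internal tool or environment")
    if repo.get("fork"):
        flags.append("public fork: check whether the upstream was private")
    if repo.get("archived"):
        flags.append("archived: nobody is watching it")
    if repo.get("owner", {}).get("type") == "User":
        flags.append("hosted on a personal account")
    return flags

def audit(repos):
    """Map full_name -> flags for every repo with at least one finding."""
    return {r["full_name"]: f for r in repos if (f := flag_repo(r))}

SAMPLE = [  # constructed sample in the API's shape; placeholder owners, not real repositories
    {"full_name": "example-org/prod-deploy-scripts", "name": "prod-deploy-scripts",
     "fork": False, "archived": False, "owner": {"type": "Organization"}},
    {"full_name": "example-org/website", "name": "website",
     "fork": False, "archived": False, "owner": {"type": "Organization"}},
    {"full_name": "jdoe/internal-dashboard", "name": "internal-dashboard",
     "fork": True, "archived": True, "owner": {"type": "User"}},
]
```

For a live run, replace `SAMPLE` with `list_public_repos("your-org")` plus one call per member account, then review `audit(...)` before deciding what to make private.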
Fix and document
For each finding, decide: make it private, keep it public intentionally, or rotate any secrets it exposed. Document the decision so the next audit is faster and a public repo becomes a choice, not an accident.
Turn the audit into policy
A one-off audit fades the day after you run it. Capture what you learned as a lightweight policy: default new repositories to private, agree on naming that never hints at secrets, schedule a periodic re-audit, and back it with continuous monitoring so drift is caught automatically rather than at the next manual review.
Make it continuous
An audit is only current the day you run it. Organizations change constantly - new repos, new members, visibility flips. Set up continuous monitoring that watches every account in scope and alerts you the moment a new public repository appears, so your audit never goes stale.
Check your public GitHub footprint
Enter any GitHub username or organization to see every public repository - no login required.