# GitHub Security Audit
Audit of the uccaonline GitHub account performed 2026-03-05 via GitHub REST API.
### Personal Account, Not Organisation
uccaonline is a personal GitHub account, not a GitHub organisation. This means org-level controls (member 2FA enforcement, default repo permissions, team structure, audit log) are not available. When collaborators are added (e.g. Alex), they will be added as outside collaborators on individual repos — there is no org-wide policy enforcement.
Recommendation: Migrate to a proper GitHub organisation before adding any collaborators. Org-level benefits: enforced 2FA for all members, default repository permissions, team-based access control, branch protection rules (with Team plan), and audit logging.
## Account Overview

| Setting | Value | Status |
|---|---|---|
| Account | uccaonline | Personal account |
| Account type | Personal (Free) | Not an organisation |
| Plan | Free | Branch protection unavailable on private repos |
| 2FA | Enabled (account-level) | ✅ |
## Repositories

| Repo | Visibility | Wiki | Issues | Archived | Branch Protection |
|---|---|---|---|---|---|
| ucca-engine | Private | Off | On | No | Unavailable (Free plan) |
| ucca-surfaces | Private | Off | On | No | Unavailable (Free plan) |
| ucca-docs | Private | Off | On | No | Unavailable (Free plan) |
| ucca-infra | Private | Off | On | No | Unavailable (Free plan) |
| ucca-site | PUBLIC | Off (fixed) | On | No | Not configured |
### ucca-site (PUBLIC)

The marketing site (ucca.online) source code is in a public repository. This is architecturally acceptable — it's a Next.js marketing site with no secrets, no backend logic, and no proprietary code. However:

- ~~Builder.io webhook~~ — Removed 2026-03-05. Was an undocumented legacy webhook from the demo build phase, sending PR/check events to api.builder.io. Deleted as unnecessary attack surface.
- Wiki was enabled (now disabled).
- Public repos get free secret scanning from GitHub — 0 alerts found.
## Collaborators & Access

| Repo | Collaborators | Outside Collaborators |
|---|---|---|
| ucca-engine | uccaonline (admin) | None |
| ucca-surfaces | uccaonline (admin) | None |
| ucca-docs | uccaonline (admin) | None |
| ucca-infra | uccaonline (admin) | None |
| ucca-site | uccaonline (admin) | None |

Single-operator setup. No outside collaborators. No team structure.
## Authentication & Tokens

| Token | Type | Scope | Notes |
|---|---|---|---|
| gh CLI OAuth token | OAuth token (`gho_` prefix) | gist, read:org, repo, workflow | Used by both gh CLI and git push/pull. Stored in macOS Keychain via osxkeychain credential helper. No expiry — persists until revoked or `gh auth logout`. |
### Fine-grained PAT removed

The `ucca-engine-push` fine-grained PAT (expiry Mar 26, 2026) was never used — the GitHub dashboard showed "Never used". Investigation on 2026-03-05 revealed that git pushes were authenticating via the gh CLI OAuth token stored in macOS Keychain, not the PAT. The unused PAT is marked for deletion to avoid confusion. ACTION: Tim to delete it from GitHub → Settings → Developer settings → Fine-grained tokens.
## Webhooks
No webhooks on any repo. No GitHub Actions configured. No deploy keys on any repo.
### Builder.io webhook removed
ucca-site had a Builder.io webhook (https://api.builder.io/projects/github/webhook) firing on PRs and check runs. This was a legacy integration from the demo build phase — undocumented and unnecessary. Deleted 2026-03-05.
## Secret Scanning

| Repo | Secret Scanning | Alerts |
|---|---|---|
| ucca-engine | Disabled | N/A |
| ucca-surfaces | Disabled | N/A |
| ucca-docs | Disabled | N/A |
| ucca-infra | Disabled | N/A |
| ucca-site | Enabled (public repo, automatic) | 0 alerts |
Secret scanning on private repos requires GitHub Advanced Security (paid). On the Free plan, only public repos get automatic scanning.
Git history scan (manual): Scanned all repo histories for common secret patterns (API keys, tokens, passwords, Cloudflare tokens, Twilio credentials). No secrets found in git history. SIDs (identifiers) for Twilio appear in docs but these are non-sensitive.
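The manual history scan above is easy to repeat on every clone. The following is an added example, not the audit's own tooling: it walks `git log -p --all` and reports matches for a constructed subset of credential patterns (GitHub tokens, AWS access key IDs, Twilio API keys, private key headers) and, at `info` severity only, Twilio Account SIDs, since SIDs are identifiers rather than secrets, which is exactly the distinction the scan above drew. Cloudflare API tokens have no distinctive prefix and are not covered; the sample diff is constructed.

```python
"""Scan git history for common secret patterns (added example, constructed patterns)."""
import re
import subprocess

# (kind, severity, regex). Constructed subset; extend per project.
PATTERNS = [
    ("github_token", "high", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("aws_access_key_id", "high", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("twilio_api_key", "high", re.compile(r"\bSK[0-9a-fA-F]{32}\b")),
    ("private_key", "high", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    # Account SIDs are identifiers, not credentials: report but do not fail on them.
    ("twilio_account_sid", "info", re.compile(r"\bAC[0-9a-fA-F]{32}\b")),
]


def _redact(value):
    """Keep only enough of a match to recognise it in a report."""
    return value[:6] + "..." if len(value) > 6 else value


def scan_diff(diff_text, source="<diff>"):
    """Scan only lines added ('+') in unified-diff text; returns a list of hits."""
    hits = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for kind, severity, rx in PATTERNS:
            for m in rx.finditer(line):
                hits.append({"source": source, "line": lineno, "kind": kind,
                             "severity": severity, "match": _redact(m.group(0))})
    return hits


def has_sensitive(hits):
    """True if any hit is a credential rather than a plain identifier."""
    return any(h["severity"] != "info" for h in hits)


def scan_history(repo_path):
    """Run the scan over every commit on every branch of a local clone."""
    out = subprocess.run(
        ["git", "-C", repo_path, "log", "-p", "--all", "--no-color"],
        capture_output=True, text=True, check=True, errors="replace",
    ).stdout
    return scan_diff(out, source=repo_path)


# Constructed sample diff: one identifier (SID) and one credential-shaped token.
SAMPLE_DIFF = """\
+++ b/docs/twilio.md
+Account SID: AC0123456789abcdef0123456789abcdef
+Nothing secret on this line
+token = "ghp_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
-old line with AKIAABCDEFGHIJKLMNOP is a removal, not an addition
"""

if __name__ == "__main__":
    for h in scan_diff(SAMPLE_DIFF):
        print(h)
```

Run `scan_history("/path/to/clone")` for a real repository; treat `has_sensitive(...)` as the pass/fail signal and review `info` hits by hand, as the audit did for the Twilio SIDs.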
## Dependency Vulnerability Alerts

| Repo | Dependabot Alerts | Status |
|---|---|---|
| ucca-engine | Enabled (fixed) | Was disabled |
| ucca-surfaces | Enabled (fixed) | Was disabled |
| ucca-docs | Enabled (fixed) | Was disabled |
| ucca-infra | Enabled (fixed) | Was disabled |
| ucca-site | Enabled (fixed) | Was disabled |
All repos now have Dependabot vulnerability alerts enabled.
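The Repositories, Webhooks and Dependency Vulnerability Alerts sections above were all populated from the GitHub REST API. The following is an added example, not the audit's own script, that turns those same API responses into findings so the check can be re-run after any change. It assumes the response shapes of `GET /repos/{owner}/{repo}` (`has_wiki`, `private`), `GET .../hooks` (`config.url`, `events`), `GET .../keys` (`title`, `read_only`) and `GET .../vulnerability-alerts` (HTTP 204 when enabled, 404 when disabled). Only the evaluation logic runs on the constructed sample; `fetch_repo_state` needs a token and network access.

```python
"""Evaluate GitHub repository settings fetched via the REST API (added example)."""
import json
import urllib.error
import urllib.request
from urllib.parse import urlparse

API = "https://api.github.com"


def _request(token, path, method="GET"):
    """Return (status, parsed JSON or None) for one API call."""
    req = urllib.request.Request(
        f"{API}{path}", method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json"},
    )
    try:
        with urllib.request.urlopen(req) as resp:
            body = resp.read()
            return resp.status, (json.loads(body) if body else None)
    except urllib.error.HTTPError as e:
        return e.code, None


def fetch_repo_state(token, owner, repo):
    """Collect the four inputs evaluate_repo() needs for one repository."""
    base = f"/repos/{owner}/{repo}"
    _, repo_obj = _request(token, base)
    _, hooks = _request(token, f"{base}/hooks")
    _, keys = _request(token, f"{base}/keys")
    status, _ = _request(token, f"{base}/vulnerability-alerts")  # 204 = enabled
    return repo_obj or {}, hooks or [], keys or [], status == 204


def evaluate_repo(repo, hooks, keys, dependabot_enabled, allowed_hook_hosts=()):
    """Return (severity, message) findings; an empty list means nothing to fix."""
    findings = []
    if repo.get("has_wiki"):
        findings.append(("low", "wiki enabled; disable if unused to reduce attack surface"))
    for hook in hooks:
        host = urlparse(hook.get("config", {}).get("url", "")).hostname or "?"
        if host not in allowed_hook_hosts:  # anything not explicitly documented is a finding
            findings.append(("medium", f"webhook to {host} on {hook.get('events')}; "
                                       "undocumented integrations should be removed"))
    for key in keys:
        sev = "low" if key.get("read_only") else "medium"
        findings.append((sev, f"deploy key '{key.get('title')}' present "
                              f"(read_only={key.get('read_only')})"))
    if not dependabot_enabled:
        findings.append(("medium", "Dependabot vulnerability alerts disabled"))
    if not repo.get("private"):
        findings.append(("info", "public repo: GitHub secret scanning runs automatically"))
    return findings


# Constructed sample resembling the ucca-site state before the audit's fixes.
SAMPLE_REPO = {"name": "ucca-site", "private": False, "has_wiki": True}
SAMPLE_HOOKS = [{"config": {"url": "https://api.builder.io/projects/github/webhook"},
                 "events": ["pull_request", "check_run"]}]
SAMPLE_KEYS = []
SAMPLE_FINDINGS = evaluate_repo(SAMPLE_REPO, SAMPLE_HOOKS, SAMPLE_KEYS,
                                dependabot_enabled=False)

if __name__ == "__main__":
    for sev, msg in SAMPLE_FINDINGS:
        print(f"[{sev}] {SAMPLE_REPO['name']}: {msg}")
```

The `allowed_hook_hosts` allowlist is the one piece of policy in the script: a webhook only stops being a finding once someone has written its destination down, which is the documentation gap the Builder.io hook fell through.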
## .gitignore Coverage

| Repo | .env excluded | .tfvars excluded | *.pem excluded |
|---|---|---|---|
| ucca-surfaces | Yes | N/A | N/A |
| ucca-docs | N/A | N/A | N/A |
| ucca-infra | Yes | Yes | N/A |
| ucca-engine | Yes | N/A | N/A |
| ucca-site | Yes | N/A | Yes |
All repos properly exclude sensitive files.
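The table above was filled in by reading each `.gitignore`; the following is an added example, not part of the audit, that checks the same coverage mechanically so it can run in CI before a sensitive file reaches a commit. It implements a simplified subset of gitignore matching (basename patterns at any depth, root-anchored patterns containing `/`, trailing-`/` directory patterns, `!` negation with last rule winning) and deliberately omits two real rules: `*` here may cross `/` (fnmatch semantics), and a file is not blocked from re-inclusion when its parent directory is excluded. The sensitive path list and the sample `.gitignore` are constructed.

```python
"""Check whether a .gitignore covers sensitive file names (added example)."""
import fnmatch

# Paths an audit would expect to be ignored (constructed list).
SENSITIVE_PATHS = [".env", "config/.env", ".env.local", "terraform.tfvars",
                   "example.tfvars", "certs/server.pem"]


def parse_gitignore(text):
    """Return [(pattern, negated)] in file order, skipping blanks and comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negated = line.startswith("!")
        rules.append((line[1:] if negated else line, negated))
    return rules


def _matches(pattern, path):
    """Simplified gitignore match (see module docstring for what is left out)."""
    parts = path.split("/")
    if pattern.endswith("/"):  # directory pattern: any ancestor directory component
        return any(fnmatch.fnmatchcase(p, pattern.rstrip("/")) for p in parts[:-1])
    if "/" in pattern:  # anchored to the repo root
        return fnmatch.fnmatchcase(path, pattern.lstrip("/"))
    return fnmatch.fnmatchcase(parts[-1], pattern)  # basename at any depth


def is_ignored(rules, path):
    ignored = False
    for pattern, negated in rules:  # later rules override earlier ones
        if _matches(pattern, path):
            ignored = not negated
    return ignored


def uncovered(gitignore_text, paths=SENSITIVE_PATHS):
    """Return the sensitive paths this .gitignore would still let into a commit."""
    rules = parse_gitignore(gitignore_text)
    return [p for p in paths if not is_ignored(rules, p)]


# Constructed .gitignore resembling a typical Terraform/Node project.
SAMPLE_GITIGNORE = """\
# secrets
.env
*.tfvars
!example.tfvars
node_modules/
"""

if __name__ == "__main__":
    for p in uncovered(SAMPLE_GITIGNORE):
        print(f"NOT ignored: {p}")
```

Note what the sample reveals: `.env` does not cover `.env.local`, and a `!example.tfvars` re-include is exactly the kind of rule that later gets copied to a real tfvars file, so the check should run on every change to `.gitignore`, not once at audit time.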
## Fixes Applied During Audit

| Fix | Detail |
|---|---|
| Enabled Dependabot alerts | All 5 repos — vulnerability alerts were disabled on every repo |
| Disabled wiki on ucca-site | Was enabled but unused; reduces attack surface |
| Removed Builder.io webhook | ucca-site — undocumented legacy webhook from demo build phase |
## Findings Requiring Manual Action

### ~~Critical~~

- ~~PAT renewal~~ — ✅ CLOSED 2026-03-05. The `ucca-engine-push` fine-grained PAT was never used — git authenticates via the `gh` CLI OAuth token. PAT to be deleted from GitHub → Settings → Developer settings → Fine-grained tokens.

### High

- Migrate to GitHub organisation — `uccaonline` is a personal account, not an organisation. Before adding Alex or any other collaborators, migrate to a proper org for: enforced 2FA for all members, default repo permissions, team-based access control, branch protection (with Team plan), and audit logging.
- Branch protection unavailable — GitHub Free plan does not support branch protection on private repos. Options:
  - Upgrade to GitHub Team ($4/user/month) after org migration to get branch protection rules
  - Accept the risk — single operator, low insider threat currently
  - Revisit before any team expansion (threat model Priority 4)

### Medium

- ~~Builder.io webhook on ucca-site~~ — ✅ CLOSED 2026-03-05. Webhook removed.
- Secret scanning limited — Only available on public repos (Free plan). Private repo secret scanning requires GitHub Advanced Security. The manual git history scan found no secrets, but automated scanning is preferable. Consider as part of any GitHub plan upgrade.
- ~~`gh` CLI OAuth token scope~~ — N/A. `uccaonline` is a personal account, not an org — the `admin:org` scope is not applicable.
## Recommendations Summary

| Priority | Action | Status |
|---|---|---|
| ~~Critical~~ | ~~Renew PAT before Mar 26 expiry~~ | ✅ PAT unused — to be deleted. Auth is via gh OAuth token. |
| High | Migrate uccaonline to a proper GitHub organisation | Open — required before adding collaborators |
| High | Branch protection (requires org + Team plan) | Blocked on org migration |
| ~~Medium~~ | ~~Remove Builder.io webhook~~ | ✅ Removed 2026-03-05 |
| Medium | Enable automated secret scanning when plan supports it | Open |
## Version History

| Version | Date | Change | Author |
|---|---|---|---|
| 1.0 | 2026-03-05 | Initial audit — org settings, repos, access, secrets, dependencies | Claude Code |
| 1.1 | 2026-03-05 | Corrected: uccaonline is a personal account, not an org. 2FA confirmed enabled. Builder.io webhook removed. Org migration recommendation added. | Claude Code |
| 1.2 | 2026-03-05 | Auth investigation: git uses gh OAuth token, not fine-grained PAT. PAT (ucca-engine-push) never used — marked for deletion. PAT expiry finding closed. | Claude Code |