GitHub Security & Compliance Status
Before you share customer data with GitHub, your compliance team needs documented proof they can be trusted. ThirdProof investigated GitHub across 27 intelligence sources — here's what we found.
✓ FedRAMP Status: Authorized (Moderate) — verified against marketplace.fedramp.gov
- FedRAMP Status
- GitHub is listed on the FedRAMP Marketplace as Authorized (Moderate) as of March 2026.
- SOC 2 Status
- GitHub has a SOC 2 claim detected on their trust page. Claim is vendor-attested — no public registry exists for independent verification.
- Sanctions Screening
- GitHub returned no matches in OFAC SDN, EU Consolidated, and UN sanctions screening.
- Risk Tier
- ThirdProof assigned GitHub a Moderate Risk tier with 100% confidence across 27 intelligence sources.
27 sources checked. Every investigation delivers two audit-ready artifacts: a risk report and an auto-filled security questionnaire — built from independent evidence, not vendor self-attestation.
Get GitHub's Full Report Free →Certification & Compliance Status
Need a complete vendor security questionnaire?
Run a full ThirdProof investigation to get 133 security questions auto-filled with source evidence — ready for your next audit or vendor onboarding review.
Get GitHub's Full Report Free →Verified against FedRAMP Marketplace API as of March 2026
Verified against the official FedRAMP Marketplace API as of March 2026.
GitHub Enterprise Cloud authorized at Moderate impact level.
Assessment Preview — 23 Sources Queried
Run your own investigation to see the full evidence chain, compliance assessment, and recommended actions.
Get GitHub's Full Report Free →Executive Summary Preview
GitHub (github.com) is a widely adopted software development platform owned by Microsoft, assessed here as a SaaS tool with medium data access. The rule engine has assigned a Tier 3 (Moderate Risk) rating, driven primarily by a documented supply-chain security incident affecting downstream organizations and an AI data training policy that defaults to opt-out rather than opt-in for certain product tiers.
This is an excerpt. Run your own investigation to see the full assessment. Get GitHub's Full Report Free →
Key Findings for GitHub
| Severity | Finding | Source |
|---|---|---|
| info | TLS certificate renewal approaching | Domain Analysis |
| info | Clean domain reputation | Threat Intelligence |
| medium | Sensitive services exposed to internet | Infrastructure Exposure |
| medium | AI model training requires customer opt-out | AI Data Usage Policy |
4 total findings. Get GitHub's Full Report Free →
Recommended Actions
- Confirm AI training opt-out status before April 24, 2026: If your organization uses any non-enterprise Copilot tier (Free, Pro, Pro+), log in to GitHub personal settings under 'Copilot' and verify the model training opt-out is enabled. For Enterprise/Business tiers, obtain written confirmation from your GitHub account team that the DPA-based no-training commitment applies to your subscription.
- Request GitHub's current SOC 2 Type II report and bridge letter: Contact your GitHub Enterprise account manager or GitHub's security team via their [trust center](https://github.com/security). Many enterprise customers can request the report under NDA. Verify the report covers the current period and ask for a bridge letter if the report is more than 6 months old.
- Obtain the vendor's official incident report for the 2025 supply-chain breach: Contact GitHub's enterprise security team and request a formal incident summary or post-mortem for the supply-chain attack [reported in September 2025](https://www.esecurityplanet.com/cybersecurity/github-breach-exposed-700-companies-in-months-long-attack/). Document the response, remediation steps, and any compensating controls implemented.
Intelligence Sources Queried for GitHub
ThirdProof uses a deterministic rules engine to assign risk tiers. AI writes the narrative — rules drive the decision.
What a ThirdProof assessment covers↓
Sanctions Screening
Is GitHub on any OFAC, EU, or UN sanctions list? Are any officers or affiliates flagged?
Cyber Risk Assessment
What is GitHub's security posture? Threat intelligence scanning, known vulnerabilities, and security header analysis.
Business Registration
Is GitHub a legitimately registered business entity? Corporate status, jurisdiction, and officer verification.
Adverse Media Analysis
Has GitHub appeared in negative news coverage? Data breaches, lawsuits, regulatory actions, and complaints.
Domain & Infrastructure
Is GitHub's website secure? TLS configuration, DNS hygiene, security headers, and domain age analysis.
Company Intelligence
What are GitHub's firmographics? Employee count, industry classification, technology stack, and corporate structure.
Trust & Compliance Verification
Does GitHub claim SOC 2, ISO 27001, HITRUST, or FedRAMP? ThirdProof scans trust pages for certification claims and cross-references the FedRAMP public registry for independent verification.
Supply Chain & Subprocessor Discovery
Who does GitHub depend on? ThirdProof discovers subprocessors from vendor-published pages and runs sanctions screening and safe browsing checks against each one.
Regulatory & Financial Filings
Has GitHub appeared in SEC enforcement filings? Is it associated with any FDIC bank failures? ThirdProof searches regulatory databases with entity verification to confirm attribution.
Full methodology, rule engine, and AI disclosure: /methodology
Seeing this in an audit? ThirdProof lets you investigate GitHub and every other vendor in your stack — average report time: 7 minutes. Get GitHub's Full Report Free →
Frequently asked about GitHub
Is GitHub FedRAMP authorized?+
Does GitHub have SOC 2 Type II?+
Is GitHub on the OFAC sanctions list?+
What is GitHub's vendor risk tier?+
Can I get an auto-filled security questionnaire for GitHub?+
Is GitHub safe to use as a vendor?+
Does GitHub have SOC 2 certification?+
Has GitHub had any data breaches?+
Is GitHub on any sanctions lists?+
How do I assess GitHub for vendor risk?+
How long does a ThirdProof assessment take?+
Is ThirdProof free?+
Can I use a ThirdProof report as SOC 2 audit evidence?+
How is ThirdProof different from a security questionnaire?+
GitHub is in your vendor stack. Can you prove you assessed them?
SOC 2 CC9.2, HIPAA, PCI-DSS, and CMMC all require documented vendor due diligence — not just knowing the answer, but having audit-ready evidence you verified it. Most compliance teams can't produce that documentation on demand.
ThirdProof investigates GitHub across 27 intelligence sources in an average of 7 minutes — sanctions screening, cyber posture, SOC 2 verification, FedRAMP status, and more. Every investigation produces two deliverables: an audit-ready risk report and an auto-filled security questionnaire your prospects and auditors expect to see.
Replaces $600–$900 in manual compliance consulting time per vendor assessed.