NetNXT Logo

How to Secure GitHub Access and Prevent Code Exfiltration Using Cato Networks?

January 13, 2026
4 min read
ByNetNXT

Overview

Source code is your organization's most valuable intellectual property. Securing GitHub involves more than just passwords; you must ensure access is only possible from corporate devices and that users cannot exfiltrate code to personal repositories.

This guide details how to:

  1. Lock GitHub Access to only Cato-connected devices (IP Allowlisting).

  2. Prevent Exfiltration by blocking uploads to personal GitHub accounts (Tenant Control).

  3. Scan for Secrets (API Keys/Passwords) preventing accidental commits.

Layer 1: Network Lock (IP Allowlisting)

Goal: Ensure that even if a hacker steals a user's GitHub credentials, they cannot log in unless they are on the Cato VPN.

Prerequisites:

  • GitHub Enterprise Cloud (IP Allowlisting is not available on GitHub Free/Team).

  • Cato Egress IPs: You must know the IP addresses Cato uses to exit to the internet.

Step 1: Locate Your Cato Egress IPs

  1. Log in to the Cato Management Application (CMA).

  2. Navigate to Network > IP Allocation (or Network Rules > NAT depending on your config).

  3. Identify the Egress IPs assigned to your account.

    • Note: If you use a "Global" IP range, ensure you grab the full CIDR blocks provided by Cato Support for your tenant.

Step 2: Configure GitHub Enterprise

  1. Log in to GitHub as an Enterprise Owner.

  2. Go to Settings > Enterprise Settings > Policies > Network.

  3. Under IP allow list, add your Cato Egress IPs/CIDRs.

    • Name: Cato Networks Egress

    • IP/CIDR: x.x.x.x/32

  4. Check the box "Enable IP allow list".

Result: Any user trying to git clone or log in to github.com/YourOrg from a non-Cato IP (e.g., home Wi-Fi without VPN) will be rejected immediately.

Layer 2: Prevent Exfiltration (Tenant Awareness)

Goal: Allow developers to push code to github.com/NetNXT (Corporate) but block pushing code to github.com/UserPersonal (Personal).

Cato's Inline CASB can inspect the URL path and HTTP headers to distinguish between "Corporate" and "Personal" repo activities.

Configuration in Cato Networks

  1. Navigate to Security > Application Control (CASB).

  2. Click (+) New Rule.

  3. Name: Block Personal GitHub Uploads.

  4. Application: Search for and select GitHub.

  5. Activity: Select Upload and Push Code (or git-receive-pack).

  6. Tenant/Instance: (This is the critical step).

    • Select "Not In" (Exclude) your corporate tenant.

    • Or: Create a rule that says Block if URL does not contain github.com/NetNXT.

  7. Action: Block.

  8. Source: "All Users".

  9. Save and Apply.

Result:

  • git push origin master (to Corporate Repo) -> Allowed.

  • git push origin master (to Personal Repo) -> Blocked by Cato with a "Policy Violation" page or connection reset.

Layer 3: Secret Scanning (DLP API)

Goal: Prevent developers from accidentally committing AWS Keys, API Tokens, or Private Keys to the repo.

While inline DLP checks uploads, API-based DLP is more robust for scanning the entire commit history.

Step 1: Connect Cato to GitHub

  1. Navigate to Security > App & Data API Protection.

  2. Click (+) New Connector > GitHub.

  3. You will be redirected to GitHub to authorize the Cato App.

    • Grant permissions to Read/Write on Repositories.

Step 2: Configure the Data Protection Rule

  1. In the Data Protection Policy tab, click New Rule.

  2. Application: Select the GitHub connector you just created.

  3. Content Profile: Select "Secrets & Credentials" (This is a pre-built Cato profile containing RegEx for AWS keys, Azure tokens, Private Keys, etc.).

  4. Action:

    • Monitor: Admins get an alert; the commit stays.

    • Block: (If supported by API hooks) The commit is rejected. Note: API usually quarantines or alerts after the fact; Inline DLP blocks in real-time.

  5. Save.

Result: If a developer tries to commit a file named credentials.json or a string matching an AWS Key, Cato will trigger an alert incident for the SOC team.

FAQ

1) How does Cato restrict GitHub access to corporate devices only?

Cato enforces GitHub IP allowlisting using its egress IPs, ensuring users can access GitHub only when connected through the Cato VPN from approved corporate networks.

2) How can Cato block developers from pushing code to personal GitHub accounts?

Cato CASB inspects GitHub upload and push activities, allowing corporate repositories while blocking uploads to non-corporate tenants based on URL paths and tenant awareness.

3) Why is IP allowlisting required for GitHub Enterprise security?

IP allowlisting prevents access from stolen credentials by restricting GitHub login and git operations to traffic originating only from trusted corporate VPN egress IPs.

4) How does Cato detect secrets committed to GitHub repositories?

Cato integrates with GitHub via API-based DLP to scan commits using predefined secret patterns, triggering alerts or blocking actions when credentials or private keys are detected.

Was this article helpful?