Code Repository

The Secure Data Enclave (SDE) provides a controlled environment for developing and managing research-related code securely. To maintain compliance and protect sensitive data, all code repository activity is restricted to Northwestern’s enterprise GitHub environment.

An SDE environment can access repositories in a GitHub organization that is set up under Northwestern’s enterprise agreement with GitHub and has appropriate access and security controls enabled. SDE users can access these GitHub repositories both from VMs inside the SDE environment and from their laptops to facilitate code development and sharing across the research team.

Data Ingress/Egress via GitHub is Prohibited

GitHub is not approved for storing sensitive data or transferring data into or out of the SDE. Any attempt to use GitHub to circumvent SDE data ingress or egress policies may result in a suspension of access to the SDE.

Access and Setup

Access to the GitHub environment can be requested during the SDE onboarding process. If GitHub access is needed after the SDE environment is set up, it can be requested through Northwestern IT. When requesting an enterprise GitHub organization, please indicate on the request form that you plan to use the organization with an SDE environment and provide the name of your SDE environment.

Once the GitHub organization is set up, Northwestern IT will configure the VMs in your SDE environment to communicate securely with GitHub.

SDE users are only authorized to interact with approved GitHub organizations from the SDE environment. Accessing unapproved GitHub organizations or repositories is a violation of the SDE Acceptable Use Policy.

User Access

Northwestern SSO must be both enabled and required for all repositories in your GitHub organization: the option to “Require SAML SSO authentication” must be enabled during SSO setup. All users must interact with repositories in the GitHub organization using Northwestern identities and credentials. Users can create Northwestern-specific GitHub accounts, or they can add their Northwestern email to an existing GitHub account.

No external collaborators may be added to the GitHub organization used with an SDE environment.

Usage Guidelines

Access to GitHub is provided to support code development and collaboration, not data storage or transfer.

| Action | Policy |
| --- | --- |
| Push and Pull to the Repository | Allowed, for code files only. Repositories should contain source code only (no data, models, binaries, or credentials). |
| Clone Repositories | Allowed. |
| Download Libraries or Packages | Not permitted from GitHub; use approved software request channels instead. |
| Transfer Data Files | Strictly prohibited. |

Repositories in the GitHub organization can be accessed both from VMs in the SDE environment and from users’ managed endpoints (laptops).

Access Keys and Personal Tokens

You may authenticate to GitHub using SSH keys or Personal Access Tokens (PATs). Because SSO is required, all keys and tokens must be authorized for SSO before use.

Security Requirements & Guardrails

  • Do not commit or push:

    • Data of any kind

    • Credentials, tokens, or configuration secrets

    • Large files or archives

    • Research results

    • Files with any PII or other protected data

  • Rotate access tokens regularly and remove unused keys

  • Use the approved organization GitHub account, not a personal GitHub account