
SecDevOps & LimaCharlie: Automating and auditing of Github access.

Maxime Lamothe-Brassard, Founder and CEO at LimaCharlie

Most security teams carry a clear mental model of their attack surface: endpoints, identity providers, the network. Source code repositories rarely sit inside that frame. They get treated as a developer concern rather than a security one. In this session, Maxime Lamothe-Brassard, founder and CEO of LimaCharlie, argues that this is a mistake, and that the gap is closing the same way it already closed for identity. The real subject is not GitHub. It is whether a provider can treat any new attack surface as just another stream of data to collect, query, and automate against, without buying a new tool or building a new workflow every time.

The attack surface keeps expanding, and the answer cannot be a new tool every time

Lamothe-Brassard frames the problem through a progression most defenders have already lived. Identity became an attack surface, and the industry accepted it. Logs from 1Password, Duo, and Okta are now routinely monitored for trouble. CI/CD pipelines are arriving at that same realization, just later. Any organization that builds, ships, or deploys software in an automated fashion, particularly anyone running GitHub Enterprise, carries risk in a layer that detection teams historically ignored.

The structural problem is that every new surface tempts you to bolt on a dedicated product, and a provider running detection across many clients cannot absorb a new tool and a new workflow for each one. LimaCharlie's answer is architectural. Lamothe-Brassard describes the platform as built like AWS: scale up, scale down, self-serve, multi-tenant, billed per usage per month, and OEM friendly so you can build products on top of it. What it sells are cyber security primitives rather than a point-and-click box for someone fresh out of college. The implication for GitHub is direct. It is not a special integration with its own console. It is one more source in a system designed to ingest "pretty much anything from anywhere," which brings the repository attack surface under the exact detection and response workflow a provider already operates.

Treating repositories as telemetry, not as a special case

The demo argues, by demonstration, that GitHub deserves no special handling. Lamothe-Brassard spins up a fresh organization (a tenant, in LimaCharlie terms) in a few seconds, then adds GitHub as a cloud sensor using GitHub Enterprise credentials and audit log streaming through a Google Cloud Storage bucket. Within moments, logs begin flowing.

Two design choices carry the thesis. First, by default LimaCharlie creates a separate sensor for each GitHub actor, so every user shows up as their own sensor in the same place an EDR endpoint or a browser would. That is deliberate. It lets a provider write detections on a per-user basis, the natural granularity for repository abuse, rather than parsing one undifferentiated pipe of logs. Second, the data arrives almost untouched. Lamothe-Brassard notes that LimaCharlie encapsulates and normalizes EDR telemetry but does very little to non-EDR sources. GitHub generates JSON, and JSON is what lands in the timeline. The payoff is consistency. You write rules against GitHub the same way you write them against logs forwarded from a Splunk instance or anywhere else, which keeps detection engineering uniform no matter how many sources a provider folds in.

Rules that encode judgment, and outputs that respect yours

The detections show what becomes possible once repository activity is just queryable data. Lamothe-Brassard applies a set of example rules from LimaCharlie's public template repository, distributed as infrastructure-as-code precisely so they replicate across tenants at scale. The examples encode real operational judgment. One geofences clones and pushes of private repositories using GitHub's actor location country code, alerting when activity originates outside expected countries. A time-based variant flags off-hours clones and pushes, and notably excludes Google Cloud Build runs so an expected CI/CD pipeline does not trip the alert, a small detail that signals these rules were written by someone who has tuned out noise before. A third alerts whenever a protected branch policy is overridden, catching the quiet removal of a control like required pull request approvals. The fourth leans toward UEBA: if a single user clones more than five private repositories within 60 seconds, it generates an alert, since that burst is the signature of someone, insider or intruder, trying to walk off with an entire codebase.

Each rule pairs a detect component with a respond component, and Lamothe-Brassard edits one live, trimming the geofence down to a single country. He also runs into the value of testing the hard way. A misconfigured field path keeps his first test detection from firing, which sends him back to the replay service that validates a rule against a real event before you trust it, with a candid reminder that "that is what happens when you don't test."
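To make the four rules above and the "test before you trust it" point concrete, here is an added example in Python that is not LimaCharlie's D&R rule syntax and not code from the session or the template repository: each rule is a small function run over a handful of constructed GitHub Enterprise audit-log events, with the untouched JSON shape the talk describes. The field names (action, actor, repo, visibility, actor_location.country_code, @timestamp in epoch milliseconds) follow GitHub's audit log streaming format, but the sample lines, the allowed-country list, the business-hours window and the CI service account name used for the Cloud Build exclusion are all assumptions chosen for the example.

```python
"""Stand-in detection logic for the four GitHub audit-log rules (added example).

Not LimaCharlie rule syntax. Event field names follow GitHub Enterprise audit
log streaming; the sample events and all tunables below are constructed.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

# Per-tenant tunables (assumed values for the example).
ALLOWED_COUNTRIES = {"CA", "US"}          # geofence
BUSINESS_HOURS_UTC = range(13, 23)        # 13:00-22:59 UTC counts as working hours
CI_ACTORS = {"google-cloud-build[bot]"}   # assumed name of the Cloud Build service account
BULK_CLONE_THRESHOLD = 5                  # "more than five private repos"
BULK_CLONE_WINDOW_MS = 60_000             # "within 60 seconds"

# Constructed sample events, one JSON document per line, as they would land in a
# timeline untouched. Base timestamp 1699971200000 is 2023-11-14T14:13:20Z.
SAMPLE_LOG = """
{"@timestamp": 1699971200000, "action": "git.clone", "actor": "alice", "repo": "acme/billing", "visibility": "private", "actor_location": {"country_code": "CA"}}
{"@timestamp": 1699971205000, "action": "git.push", "actor": "bob", "repo": "acme/billing", "visibility": "private", "actor_location": {"country_code": "RU"}}
{"@timestamp": 1699971210000, "action": "git.clone", "actor": "mallory", "repo": "acme/r1", "visibility": "private", "actor_location": {"country_code": "CA"}}
{"@timestamp": 1699971211000, "action": "git.clone", "actor": "mallory", "repo": "acme/r2", "visibility": "private", "actor_location": {"country_code": "CA"}}
{"@timestamp": 1699971212000, "action": "git.clone", "actor": "mallory", "repo": "acme/r3", "visibility": "private", "actor_location": {"country_code": "CA"}}
{"@timestamp": 1699971213000, "action": "git.clone", "actor": "mallory", "repo": "acme/r4", "visibility": "private", "actor_location": {"country_code": "CA"}}
{"@timestamp": 1699971214000, "action": "git.clone", "actor": "mallory", "repo": "acme/r5", "visibility": "private", "actor_location": {"country_code": "CA"}}
{"@timestamp": 1699971215000, "action": "git.clone", "actor": "mallory", "repo": "acme/r6", "visibility": "private", "actor_location": {"country_code": "CA"}}
{"@timestamp": 1699971220000, "action": "git.clone", "actor": "dave", "repo": "acme/website", "visibility": "public", "actor_location": {"country_code": "DE"}}
{"@timestamp": 1700007200000, "action": "git.clone", "actor": "google-cloud-build[bot]", "repo": "acme/api", "visibility": "private", "actor_location": {"country_code": "US"}}
{"@timestamp": 1700007210000, "action": "git.clone", "actor": "carol", "repo": "acme/api", "visibility": "private", "actor_location": {"country_code": "US"}}
{"@timestamp": 1700007300000, "action": "protected_branch.policy_override", "actor": "bob", "repo": "acme/api", "actor_location": {"country_code": "US"}}
"""


def _private_git_transfer(ev):
    """Clone or push of a private repository; public repos are ignored by design."""
    return ev.get("action") in ("git.clone", "git.push") and ev.get("visibility") == "private"


def rule_geofence(ev, state):
    """Private clone/push from a country outside the allow list."""
    if _private_git_transfer(ev):
        cc = ev.get("actor_location", {}).get("country_code")
        if cc not in ALLOWED_COUNTRIES:
            return f"private {ev['action']} from {cc}"
    return None


def rule_off_hours(ev, state):
    """Private clone/push outside business hours, excluding the CI service account."""
    if _private_git_transfer(ev) and ev.get("actor") not in CI_ACTORS:
        hour = datetime.fromtimestamp(ev["@timestamp"] / 1000, tz=timezone.utc).hour
        if hour not in BUSINESS_HOURS_UTC:
            return f"private {ev['action']} at {hour:02d}:xx UTC"
    return None


def rule_branch_policy_override(ev, state):
    """Any override of a protected branch policy is worth an alert."""
    if ev.get("action") == "protected_branch.policy_override":
        return "protected branch policy overridden"
    return None


def rule_bulk_clone(ev, state):
    """More than BULK_CLONE_THRESHOLD distinct private repos cloned by one actor in the window."""
    if ev.get("action") != "git.clone" or ev.get("visibility") != "private":
        return None
    window = state[ev["actor"]]                  # sliding window of (ts, repo) per actor
    window.append((ev["@timestamp"], ev["repo"]))
    while window and ev["@timestamp"] - window[0][0] > BULK_CLONE_WINDOW_MS:
        window.popleft()
    repos = {repo for _, repo in window}
    if len(repos) > BULK_CLONE_THRESHOLD:
        return f"{len(repos)} private repos cloned within {BULK_CLONE_WINDOW_MS // 1000}s"
    return None


RULES = {
    "github-geofence": rule_geofence,
    "github-off-hours": rule_off_hours,
    "github-branch-policy-override": rule_branch_policy_override,
    "github-bulk-clone": rule_bulk_clone,
}


def run_detections(log_text):
    """Replay newline-delimited JSON events through every rule; return the alerts raised."""
    state = defaultdict(deque)
    alerts = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        for name, rule in RULES.items():
            reason = rule(ev, state)
            if reason:
                alerts.append({"rule": name, "actor": ev.get("actor"),
                               "repo": ev.get("repo"), "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(json.dumps(alert))
```

Replaying the constructed log raises exactly four alerts: bob's push from RU (geofence), mallory's sixth private clone inside a minute (bulk clone), carol's clone at 00:13 UTC (off-hours), and bob's branch policy override. The Cloud Build clone at the same off-hours time and dave's public clone from DE raise nothing, which is the tuning the talk describes. Running the rules against a known event set like this is the same discipline as the replay service in the session: a wrong field path (say, `actor_location.country` instead of `actor_location.country_code`) would silently produce zero geofence alerts here too, and only a test with an expected count catches it.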

The closing argument lands on the same principle that runs through the whole session: LimaCharlie does not decide where your alerts go. A detection can be routed through outputs to S3, Slack, email over SMTP, a ticketing system, a SIEM, low-code tools like Tines or Torq, or a general webhook feeding a Lambda or cloud function, and that routing can be scoped from all detections down to a single type. For deeper logic, LimaCharlie services let you build thin Python or Go integrations against the platform lifecycle, reacting to events like a specific detection or a new sensor enrolling. Because services handle credential management across tenants, the same logic scales to every client organization rather than being rewired one tenant at a time.

That last point is where the session matters most for an MSSP or MDR. The repository attack surface is real, but the durable advantage is not a GitHub feature. It is a posture in which any new surface becomes telemetry you ingest, rules you replicate across tenants as code, and alerts you route into the stack you already run. Lamothe-Brassard calls the platform a set of Lego blocks and admits he does not always know what people will build with them. For a provider, that openness is the point. The next attack surface is coming, and the goal is to already have the shape that absorbs it.

See what agentic SecOps looks like in your environment

LimaCharlie gives MSSPs and MDRs a fully programmable SecOps Cloud Platform, with transparent usage-based pricing, API-first integration across every telemetry source, and the infrastructure to run multi-tenant operations at scale.