|
| 1 | +--- |
| 2 | +title: Best practices for selecting pilot repositories |
| 3 | +shortTitle: Select pilot repositories |
| 4 | +intro: 'The right pilot repositories demonstrate value quickly and prepare your organization for broader enablement of {% data variables.product.prodname_GH_secret_protection %}.' |
| 5 | +versions: |
| 6 | + fpt: '*' |
| 7 | + ghec: '*' |
| 8 | + ghes: '*' |
| 9 | +contentType: concepts |
| 10 | +--- |
| 11 | + |
| 12 | +Before enabling {% data variables.product.prodname_GH_secret_protection %} organization-wide, run a pilot to validate the solution with a small set of repositories. A pilot helps you refine your rollout strategy, identify workflow adjustments, and demonstrate security value to stakeholders. This article will help you choose the best repositories for your pilot. |
| 13 | + |
| 14 | +A successful pilot requires strategic repository selection. The repositories you choose determine how quickly you can demonstrate value, gather actionable feedback, and prepare for organization-wide adoption. |
| 15 | + |
| 16 | +## Selection criteria |
| 17 | + |
| 18 | +A successful pilot requires strategic repository selection. The repositories you choose determine how quickly you can demonstrate value, gather actionable feedback, and prepare for organization-wide adoption. |
| 19 | + |
| 20 | +When choosing repositories, consider the following criteria. |
| 21 | + |
| 22 | +### Active development and team engagement |
| 23 | + |
| 24 | +Your pilot needs repositories that generate timely feedback on how {% data variables.product.prodname_secret_protection %} fits into daily development work. |
| 25 | + |
| 26 | +* Select repositories with **regular commits and pull requests**. Active repositories generate feedback quickly and show how {% data variables.product.prodname_secret_protection %} fits into real development workflows. |
| 27 | +* Choose **teams** that will engage with the pilot. Responsive maintainers will identify workflow adjustments faster and help refine your rollout strategy. |
| 28 | +* **Use repository properties** to systematically identify repositories by team, criticality, or other custom attributes. See [AUTOTITLE](/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization). |
| 29 | + |
| 30 | +### Known secret exposure |
| 31 | + |
| 32 | +{% ifversion secret-risk-assessment %} |
| 33 | + |
| 34 | +Choose repositories flagged in your secret risk assessment. These repositories are ideal pilot candidates because they demonstrate immediate value by showing secrets that need remediation. |
| 35 | + |
| 36 | +{% else %} |
| 37 | + |
| 38 | +Choose repositories you suspect contain secrets based on past incidents or security reviews. These repositories are ideal pilot candidates because they allow you to validate the tool's effectiveness quickly. |
| 39 | + |
| 40 | +{% endif %} |
| 41 | + |
| 42 | +Prioritize repositories with production credentials, infrastructure configurations, or integrations with critical services. These high-value targets demonstrate the security value of {% data variables.product.prodname_secret_protection %}. |
| 43 | + |
| 44 | +### Technical diversity |
| 45 | + |
| 46 | +Your pilot should validate that {% data variables.product.prodname_secret_protection %} works with your programming languages and tools. |
| 47 | + |
| 48 | +* Include repositories using different programming languages and frameworks. This validates {% data variables.product.prodname_secret_protection %} coverage across your codebase. |
| 49 | +* Select repositories with CI/CD pipelines to identify potential deployment impacts early. Understanding these interactions prevents surprises during broader rollout. |
| 50 | + |
| 51 | +### Organizational representation |
| 52 | + |
| 53 | +A successful pilot requires buy-in from different parts of your organization. |
| 54 | + |
| 55 | +* Choose repositories from different teams or business units. Diverse feedback reveals patterns that wouldn't emerge from a single team's experience. |
| 56 | +* Include at least one repository that leadership cares about. Executive visibility maintains pilot momentum and facilitates future budget discussions. |
| 57 | + |
| 58 | +### Repositories to avoid initially |
| 59 | + |
| 60 | +Not all repositories make good pilot candidates. |
| 61 | + |
| 62 | +* **Low-activity or archived repositories**: You won't get timely workflow feedback. |
| 63 | +* **Experimental or personal repositories**: These repositories don't reflect production patterns. |
| 64 | +* **Repositories with complex custom tooling**: Unusual workflows may complicate feedback. |
| 65 | +* **Mission-critical repositories with zero change tolerance**: It's best to add these repositories _after_ validating the solution. |
| 66 | + |
| 67 | +## Pilot size by organization |
| 68 | + |
| 69 | +Once you've identified repositories that meet these criteria, determine the size of your pilot. The right pilot size balances gathering sufficient feedback with avoiding team overwhelm. |
| 70 | + |
| 71 | +| Organization size | Number of repositories | Recommendations | |
| 72 | +|---|---|---| |
| 73 | +| **Small** (under 100 developers) | 3-5 repositories | Start with your most critical projects. | |
| 74 | +| **Medium** (100-500 developers) | 5-10 repositories | Select repositories across different teams, including a mix of high-activity and moderate-activity repositories. | |
| 75 | +| **Large** (500+ developers) | 10-20 repositories | Ensure broad representation across the organization. Consider a phased approach with waves of repository additions. | |
| 76 | + |
| 77 | +## Before enabling your pilot |
| 78 | + |
| 79 | +Take these steps to set your pilot up for success. |
| 80 | + |
| 81 | +* Confirm repository owners agree to participate. Unwilling teams generate negative feedback that doesn't reflect actual product issues. |
| 82 | +* Identify champions within each pilot team. Champions answer questions and keep feedback flowing. |
| 83 | +* Document baseline metrics like commit frequency and contributor count. These baselines help you measure pilot impact. |
| 84 | + |
| 85 | +## Further reading |
| 86 | + |
| 87 | +* [Identify repositories for secret protection](https://support.github.com/product-guides/github-advanced-security-secret-protection/get-started/identify-repositories-for-secret-protection) in the GitHub Advanced Security product guides |
| 88 | + |
| 89 | +{% ifversion secret-risk-assessment %} |
| 90 | + |
| 91 | +## Next steps |
| 92 | + |
| 93 | +Now that you've selected your pilot repositories, review pricing and configure {% data variables.product.prodname_GH_secret_protection %}. See [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/configure-specific-tools/protect-your-secrets). |
| 94 | + |
| 95 | +{% endif %} |
0 commit comments