Skip to main content
Dot gov

The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.

Https

The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

About GitHub EMU

What is GitHub Enterprise Managed Users?

GitHub Enterprise Managed Users (EMU) is an offering built on top of GitHub Enterprise Cloud that extends the identity and security features of GitHub Enterprise Cloud. An EMU enterprise also has no concept of a public repository, so there is no risk of an EMU user accidentally exposing internal information in a public repository.

Benefits of GitHub EMU

With EMU, user accounts no longer belong to individual users, instead your account is provisioned by the VA using an approved Identity Provider such Azure Active Directory and is backed by Personal Identity Verification (PIV) cards. This means that when users join the VA and are onboarded to GitHub, they will receive an email notification instructing them how to access their EMU account through VA Single Sign-On.

Unlike GitHub Enterprise Cloud, EMU accounts are not tied to a personal email address. If a user leaves the VA, their EMU account will be inaccessible the moment their PIV certificate is invalidated, or disabled the moment the email account is suspended and the user will immediately no longer have access to the VA’s GitHub organization.

In addition, EMU accounts are backed by PIV cards. This means that users will be required to use their PIV card to authenticate to GitHub. This is a more secure method of authentication than using a username and password with 2FA.

Organizational Structure of GitHub EMU

Unlike the Department of Veterans Affairs enterprise on GitHub Enterprise Cloud which operates in a single organization, the GitHub admin team has planned for a multi-organization structure from the start within GitHub EMU.

As one of the most requested features from product groups, GitHub EMU will allow for product groups to have their own organization on GitHub. This will allow for product groups to have more control over their repositories and users.

Support for IP Restricted Access

The GitHub admin team also understands that not all development team needs are the same, nor do they have the same security requirements. For this reason, and for the first time, the GitHub admin team will provide support for enabling IP restricted access to product specific GitHub EMU organizations.

If your team has additional requirements that your source code and all supporting functions not be accessible outside the VA network, the GitHub admin team will now have the ability to isolate your team in an organization that only allows access from the VA network.

With IP restrictions enabled, all GitHub activities and resources are isolated to VA networks, including, but not limited to:

  • Git operations (clone, push, pull, etc.) using either https and ssh
  • Web-based access to GitHub
  • Access via the GitHub Desktop application
  • API requests
  • GitHub Pages
  • GitHub Actions
  • GitHub Container Registry

Who is eligible for EMU?

GitHub EMU will be made available to all VA users in coming weeks. There are a few restrictions however to be aware of:

  • If you have a public repository that depends on your private source code, you may not be able to migrate to EMU. This is because EMU does not support public repositories. Please reach out to the GitHub admin team via the contact us page to explore your use case.
  • If you have a repository currently hosted on VAEC GitHub and contains PII or PHI, you may not migrate to EMU. If your repository contains PII or PHI, the GitHub Expert Services team will be providing additional guidance on how to migrate your repository to EMU. Please await further guidance from the GitHub team.

How do I Get Started with EMU?

In the coming weeks, the GitHub admin team will publish updated guidance on requesting access to GitHub EMU. At that time the GitHub admin team will also provide guidance on how to migrate your repositories from VAEC GitHub to EMU.

As part of the migration process, the GitHub team will be providing self-service capabilities for teams to migrate their repositories to EMU on their own schedule, as well as dry-run capabilities allowing your teams to test GitHub EMU and the migration process without impacting your ability to continue development on VAEC GitHub.

If you are interested in learning more about EMU, please reach out to the GitHub admin team via the contact us page.