The following should serve as a basic checklist list for reviewing Github Enterprise deployments. It'll largely apply to Github Organizations on github.com too.
- What authentication mechanism is being used?
- Are built-in users allowed too?
- Is two factor authentication (2FA) enforced?
- About two-factor authentication - GitHub Help
- Requiring two-factor authentication for an organization - GitHub Help
- Not supported for SAML or CAS; Github Enterprise trusts the IdP's assertions as to authentication, and thus 2FA needs to be enforced at the IdP
- check the user audit log
- Is an Administrators group defined if using federation? If so, who are the members?
- What's the permissions model like for repositories?
- What's the default repository visibility?
- Is log forwarding enabled?
- is collectd enabled?
- How's audit logging working? Audit logging - GitHub Help
- Are pages enabled? This can potentially be problematic if public pages are enabled because the websites become available to unauthenticated users too
- Is LFS enabled?
- Check webhook configurations in use
- Are any global webhooks enabled?