Help Center
Go back to application
Help Center
Go back to application
Platform Terms GlossaryContacting Support and Reporting Bugs
Task Management
Task Management explained Creating Tasks Setting up Task NotificationsGiving permissions to team members
Organization
Working together in KertosInviting UsersCreating rolesAssigning System AccessCreating Departments and Assigning Users
Integrations
Discovery
Tasks
Device Management
Human Resource Information Systems
Inventory
Inventorization of vendorsInventorization of systemsInventorization of assetsEU AI Act: Inventorization of AI use cases
Risks
Managing risks
Trust Center
Setting up your trust center
Incidents
Reporting incidents
KAIA
KAIA explainedPrinciples of AI at Kertos
Interacting with KAIA
Compliance
Frameworks explainedManaging & implementing controlsCreating & managing policiesCompleting & assigning trainingsGuidanceDetermining Control Applicability
Privacy Management
Creating a RoPACreating TOMsCreating DPIAs
Data Subject Requests
API Reference
Ingress API Docs for DSRs Webhook API Docs for DSRs
Auto Checks
Auto Checks explainedAuto Checks: AWS Auto Checks: AzureAuto Checks: GCPAuto Checks: GitHubEnabling Auto Checks by Reconfiguring the Azure IntegrationEnabling Auto Checks by Reconfiguring the GCP IntegrationEnabling Auto Checks by Reconfiguring the AWS Integration
AWS Auto Checks Detailed Explanations
Azure Auto Checks Detailed Explanations
GitHub Auto Checks Detailed Explanations
Ensure secret scanning is enabled to detect sensitive dataEnsure code owner approval is required for owned code changesEnsure at least two approvals are required before merging codeEnsure branches are deleted automatically after mergingEnsure unresolved conversations block mergesEnsure force push is disabled for all branchesEnsure admins are subject to branch protection rulesEnsure a CODEOWNERS file exists in the repositoryEnsure inactive repositories are archivedEnsure all required status checks pass before mergingEnsure linear history is enforced on the default branchEnsure branch protection is enforced on the default branchEnsure the default branch cannot be deletedEnsure vulnerability scanning is enabled for repository dependenciesEnsure public repositories include a SECURITY.md fileEnsure all organization members have MFA enabledEnsure only signed commits are accepted

Ensure inactive repositories are archived

Framework Reference: A.8.9 (Configuration Management) Integration: GitHub – Repository Management

Why this matters

Inactive repositories often contain outdated code, unpatched dependencies, and old configurations that no longer meet current security standards.
Unmaintained repositories can also become attack vectors if they reference deprecated packages, contain exposed credentials, or are forked and reused without review.

Archiving inactive repositories ensures that:

  • Only actively maintained codebases remain modifiable
  • Security and dependency management efforts focus on relevant projects
  • Outdated repositories are clearly marked as read-only, reducing accidental updates or use

Without archiving, dormant repositories may persist unnoticed, creating unnecessary risk and maintenance overhead.

What this check does

This check identifies repositories with no recent activity (such as commits, pull requests, or issues) and verifies whether they are archived in GitHub.
A repository is considered archived if the “Archive this repository” setting is enabled.
Archived repositories become read-only and cannot be pushed to or modified, preserving their state for reference.

How to fix it

From the GitHub Web Console

  1. Go to the repository on GitHub.
  2. Navigate to Settings → General.
  3. Scroll to the Danger Zone section.
  4. Click Archive this repository.
  5. Confirm by clicking I understand the consequences, archive this repository.

After archiving, the repository becomes read-only. You can unarchive it later if active development resumes.

From the GitHub REST API (Optional)

You can also archive a repository via the API:

PATCH /repos/{owner}/{repo} {  "archived": true }

Exceptions

  • Repositories that are still used for documentation, CI templates, or dependency references should not be archived until verified.
  • Archiving removes write permissions; only administrators can unarchive a repository if future changes are required.
  • Automated archiving based on inactivity thresholds should include manual review to avoid disrupting active workflows.

Further Resources

 

Was this article helpful?

Powered by Product Fruits