
Wouldn't private git hosting add another barrier for the attackers? In addition to the tokens, they would also need to somehow gain access to the network through VPN or through an opening in the firewall?


Yes. By way of example, my employer does this:

* gitlab hosted internally
* VPN needed to access gitlab
* VPN requires a gsuite login, with 2FA
* You can only login to a gsuite account on an employer-provided machine (so no access to anything on a non-employer machine, even email)

You'd have to steal a company laptop, or social engineer yourself into a building with a desktop machine, to even start to get near the code repository.

The "must login from an employer-provided machine" thing can be disabled on a per-user basis by remote policy (via an administrator), if needed.
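The layered setup in the comment above (managed device gates the IdP login, the IdP login with 2FA gates the VPN, the VPN gates GitLab, and GitLab still checks the token) can be modelled as an access-policy evaluator that reports the first barrier a request fails. The block below is an added toy example, not the employer's configuration or any product's code; the CIDR, device inventory, token set and the per-user exemption list are all constructed for illustration.

```python
"""Toy model of the layered access path described in the comment:
managed device -> IdP session with 2FA -> VPN -> GitLab token.
Added example; every constant here is an assumption, not real data."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed VPN client address range (constructed).
VPN_RANGES = [ipaddress.ip_network("10.8.0.0/16")]
# Assumed inventory of employer-provided machines (constructed IDs).
MANAGED_DEVICES = {"lt-00123", "lt-00456"}
# Assumed set of currently valid GitLab tokens (constructed placeholder).
VALID_TOKENS = {"example-token-1"}
# Users an admin has exempted from the managed-device requirement.
DEVICE_CHECK_EXEMPT = {"contractor-42"}


@dataclass
class Request:
    user: str
    token: str
    source_ip: str
    idp_session: bool          # logged in to the identity provider
    mfa_verified: bool         # second factor satisfied for that session
    device_id: Optional[str] = None


def evaluate(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Checks run outermost-first, so the reason
    names the first barrier an attacker holding only a token runs into."""
    if req.user not in DEVICE_CHECK_EXEMPT and req.device_id not in MANAGED_DEVICES:
        return False, "unmanaged device"
    if not req.idp_session:
        return False, "no IdP session"
    if not req.mfa_verified:
        return False, "2FA not satisfied"
    ip = ipaddress.ip_address(req.source_ip)
    if not any(ip in net for net in VPN_RANGES):
        return False, "not on VPN"
    if req.token not in VALID_TOKENS:
        return False, "bad token"
    return True, "ok"


if __name__ == "__main__":
    # A leaked token used from an arbitrary host never reaches the token check.
    print(evaluate(Request("alice", "example-token-1", "203.0.113.5", False, False)))
    # The full chain from a managed laptop on the VPN succeeds.
    print(evaluate(Request("alice", "example-token-1", "10.8.4.2", True, True, "lt-00123")))
```

The ordering matters for the story the reason tells: with a stolen token alone, the denial happens at the device or VPN layer, never at GitLab, which is the point of the comment. The exemption set shows how the per-user policy override described above narrows the chain for one account without touching the others.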


> You can only login to a gsuite account on a employer-provided machine

How is this achieved?


There's an Endpoint Verification plugin that integrates with gsuite.


GitHub repos can require using the company's VPN.

