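--- /dev/null
+++ b/PATH_UNKNOWN_PLACEHOLDER
@@ -0,0 +1,83 @@
+package compliance_framework.owner_count
+
+risk_templates := [
+ {
+ "name": "Excessive number of organization owners",
+ "title": "Too Many Organization Owners Increases Blast Radius of Privileged Account Compromise",
+ "statement": "Organization owners in GitHub hold the highest level of privilege: they can modify security settings, manage all members and teams, access all repositories, and permanently delete the organization. Granting owner access to more than 5 individuals significantly increases the attack surface for privilege abuse, insider threats, and account compromise scenarios. Limiting ownership to a small, well-controlled set ensures that elevated access is deliberately granted and periodically reviewed.",
+ "likelihood_hint": "moderate",
+ "impact_hint": "high",
+ "violation_ids": ["too_many_owners"],
+ "threat_refs": [
+ {
+ "system": "https://cwe.mitre.org",
+ "external_id": "CWE-269",
+ "title": "Improper Privilege Management",
+ "url": "https://cwe.mitre.org/data/definitions/269.html"
+ },
+ {
+ "system": "https://cwe.mitre.org",
+ "external_id": "CWE-284",
+ "title": "Improper Access Control",
+ "url": "https://cwe.mitre.org/data/definitions/284.html"
+ }
+ ],
+ "remediation": {
+ "title": "Reduce organization owner count to 5 or fewer",
+ "description": "Review the list of organization owners and remove owner access from any accounts that do not require it. Prefer using team-based admin roles for day-to-day administrative tasks, reserving full organization ownership for a minimal set of accountable individuals.",
+ "tasks": [
+ { "title": "Navigate to Organization Settings > People > Owners" },
+ { "title": "Review the business justification for each owner account" },
+ { "title": "Downgrade any owners who do not require full organization-level privileges to member or team maintainer roles" },
+ { "title": "Ensure remaining owners have MFA enabled and use strong authentication" },
+ { "title": "Schedule a periodic review of organization ownership at least annually" }
+ ]
+ }
+ },
+ {
+ "name": "Organization owner data is missing",
+ "title": "Missing Organization Owner Telemetry Prevents Privileged Access Review",
+ "statement": "When the organization owner list is missing from collected GitHub data, the policy cannot verify whether ownership is limited to a small, accountable group. Missing owner telemetry can hide excessive privileged access and prevents reviewers from confirming that organization-level administrative authority is appropriately governed.",
+ "likelihood_hint": "moderate",
+ "impact_hint": "high",
+ "violation_ids": ["owners_missing"],
+ "threat_refs": [
+ {
+ "system": "https://cwe.mitre.org",
+ "external_id": "CWE-269",
+ "title": "Improper Privilege Management",
+ "url": "https://cwe.mitre.org/data/definitions/269.html"
+ },
+ {
+ "system": "https://cwe.mitre.org",
+ "external_id": "CWE-284",
+ "title": "Improper Access Control",
+ "url": "https://cwe.mitre.org/data/definitions/284.html"
+ }
+ ],
+ "remediation": {
+ "title": "Collect organization owner data before evaluating owner-count posture",
+ "description": "Update the GitHub organization data collector or input mapping so the policy receives the current list of organization owners. Re-run the policy after owner telemetry is present to verify that the owner count is compliant.",
+ "tasks": [
+ { "title": "Verify that the GitHub token can read organization owner membership" },
+ { "title": "Populate the input owners field with current organization owners" },
+ { "title": "Re-run the owner-count policy after collection succeeds" },
+ { "title": "Review the collected owner list for stale or unnecessary owner access" }
+ ]
+ }
+ }
+]
+
+_owners := object.get(input, "owners", [])
+
+violation[{"id": "owners_missing"}] if {
+ not "owners" in object.keys(input)
+}
+
+violation[{"id": "too_many_owners"}] if {
+ count(_owners) > 5
+}
+
+title := "Organization has 5 or fewer owners"
+description := "The number of GitHub organization owners should not exceed 5 to limit the blast radius of a privileged account compromise and ensure that elevated access is deliberately granted and regularly reviewed."
+remarks := "More information: https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#organization-owners"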
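Review bot: The `owners_missing` rule (file lines 73–75) only fires when the `owners` key is absent, so a collector that emits `"owners": null` or a non-array value is treated as present, and because `count(_owners)` is undefined for null and counts keys or characters for an object or string, `too_many_owners` (lines 77–79) does not fire either and the policy reports the organization as compliant with no usable owner data. A type guard closes that fail-open: use `not is_array(object.get(input, "owners", null))` as the body of `owners_missing`, and add `is_array(_owners)` as a second condition in `too_many_owners`. The threshold 5 is repeated in the comparison, the risk statement, the remediation title and `title`/`description`; hoisting it to `max_owners := 5` and comparing against that at least keeps the code in one place, though the prose would still need to be kept in step by hand. The rule heads use `violation[...] if` without `contains` and the file has no `import rego.v1`; if this is evaluated under OPA v1 semantics such a head defines an object keyed by the violation rather than a set, which is worth confirming against what the framework expects to read.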