| 1 | +package compliance_framework.default_repo_permission |
| 2 | + |
| 3 | +risk_templates := [ |
| 4 | + { |
| 5 | + "name": "Default repository permission is too permissive", |
| 6 | + "title": "Overly Permissive Default Repository Access Grants Excessive Privileges to All Members", |
| 7 | + "statement": "The default repository permission setting determines the base access level automatically granted to every organization member on all repositories. Setting this to 'write' or 'admin' means that all organization members, including newly onboarded employees and contractors, receive write or administrative access to every repository by default. This violates the principle of least privilege and can lead to unauthorized modifications, accidental data loss, or privilege escalation if any member account is compromised. The default should be 'read' or 'none', with elevated access granted explicitly via team membership.", |
| 8 | + "likelihood_hint": "moderate", |
| 9 | + "impact_hint": "high", |
| 10 | + "violation_ids": ["default_permission_too_permissive"], |
| 11 | + "threat_refs": [ |
| 12 | + { |
| 13 | + "system": "https://cwe.mitre.org", |
| 14 | + "external_id": "CWE-269", |
| 15 | + "title": "Improper Privilege Management", |
| 16 | + "url": "https://cwe.mitre.org/data/definitions/269.html" |
| 17 | + }, |
| 18 | + { |
| 19 | + "system": "https://cwe.mitre.org", |
| 20 | + "external_id": "CWE-284", |
| 21 | + "title": "Improper Access Control", |
| 22 | + "url": "https://cwe.mitre.org/data/definitions/284.html" |
| 23 | + }, |
| 24 | + { |
| 25 | + "system": "https://cwe.mitre.org", |
| 26 | + "external_id": "CWE-732", |
| 27 | + "title": "Incorrect Permission Assignment for Critical Resource", |
| 28 | + "url": "https://cwe.mitre.org/data/definitions/732.html" |
| 29 | + } |
| 30 | + ], |
| 31 | + "remediation": { |
| 32 | + "title": "Set the default repository permission to 'read' or 'none'", |
| 33 | + "description": "Configure the organization's default repository permission to 'read' or 'none'. Grant write and admin access explicitly via team membership to specific repositories, following the principle of least privilege.", |
| 34 | + "tasks": [ |
| 35 | + { "title": "Navigate to Organization Settings > Member privileges > Base permissions" }, |
| 36 | + { "title": "Change the base permission to 'Read' or 'No permission'" }, |
| 37 | + { "title": "Review all repositories to ensure teams have explicit access grants where write access is required" }, |
| 38 | + { "title": "Communicate the change to all members and update onboarding documentation" }, |
| 39 | + { "title": "Audit existing repositories for any direct-user write grants that should be team-based" } |
| 40 | + ] |
| 41 | + } |
| 42 | + } |
| 43 | +] |
| 44 | + |
| 45 | +_settings := object.get(input, "settings", {}) |
| 46 | + |
| 47 | +_default_repository_permission := object.get(_settings, "default_repository_permission", "") |
| 48 | + |
| 49 | +_allowed_permissions := {"read", "none"} |
| 50 | + |
| 51 | +violation[{"id": "default_permission_too_permissive"}] if { |
| 52 | + not _allowed_permissions[_default_repository_permission] |
| 53 | +} |
| 54 | + |
| 55 | +title := "Default repository permission is set to 'read' or 'none'" |
| 56 | +description := "The organization's default repository permission must not grant write or admin access to all members by default. Elevated access should be granted explicitly via team membership to follow the principle of least privilege." |
| 57 | +remarks := "More information: https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/setting-base-permissions-for-an-organization" |
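Review bot: `violation[{"id": "default_permission_too_permissive"}] if { ... }` (lines 51–53) is, under the Rego v1 syntax this file already relies on (`if` with no `future.keywords` import), a partial object rule whose key is the violation record and whose value is `true`, so a consumer iterating `violation[_]` would receive `true` rather than `{"id": ...}`; if the framework expects a set of violation objects, the rule head should be `violation contains {"id": "default_permission_too_permissive"} if {` — presumably the sibling policies in this repo show which form the evaluator expects, so worth checking before merging. Separately, the `""` default on line 47 means an absent `settings.default_repository_permission` is reported as "too permissive" rather than as missing data; failing closed there is a reasonable choice for an access-control check, but the intent is invisible to the next reader, so a comment above line 49 such as `# missing or unrecognised values fail closed: only "read"/"none" pass` would make it explicit. The same comment should note that the comparison is case-sensitive, which is fine for the lowercase values the GitHub API returns but will flag any normalised input that is capitalised.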