Legit-Labs/legitify

Rule `Only Admins Should Be Able To Create Public Repositories` change visibility permission

timmeinerzhagen opened this issue · 4 comments

TL;DR

The rule non_admins_can_create_public_repositories only checks if members can outright create a public repository. By default they can however achieve the same thing by creating a private repository and changing the visibility to public, as that is not restricted by that permission. Even worse, they can change the visibility of any repository that they are an admin of.

Thus, only prohibiting all visibility changes via the option Repository visibility change actually stops creation of public repositories. The current rule gives a very wrong impression of security while not giving the whole picture.

Expected behavior

Legitify should check that the member privileges have two settings:

  • Repository Creation only allows private, internal, or none
  • Repository visibility change is not allowed

Observed behavior

It only checks for one setting

  • Repository Creation only allows private, internal, or none

Version

v0.2.5

On which operating system are you using legitify?

Linux

Relevant log output

No response

Additional information

See the GitHub Documentation page on Restricting repository creation in your organization specifically pointing this out.

Warning: This setting only restricts the visibility options available when repositories are created and does not restrict the ability to change repository visibility at a later time. For more information about restricting changes to existing repositories' visibilities, see "Restricting repository visibility changes in your organization."

Hi @timmeinerzhagen, your issue makes a good point.
Unfortunately, GitHub's API supports this configuration only for enterprise accounts ATM, but we've added a note to this policy that users should check if they configured that value.

Yeah, the note is a good first step for the documentation at least. In my opinion, it is not visible enough, since it is just inline at the end of the description instead of being made visible (though that is probably not easily adjustable with your setup). Not ideal, since people will not read it when non_admins_can_create_public_repositories is successful, since they don't get this finding at all.

Even if it is an Enterprise only feature, I think it should be included / have a separate rule specifically for this setting. Other rules like require SSO and GitHub Advanced Security are Enterprise Only features as well.

Hi @timmeinerzhagen, thanks for your comment!
Unfortunately, unlike the require SSO and the GitHub Advanced security options, there is no API collection option for Allow members to change repository visibilities for this organization.
There is, however, a higher-level configuration for this policy - on the enterprise level. If the configuration is disabled on the enterprise level, all organizations under this enterprise will have this option disabled. So if your PAT has admin permissions on the enterprise account, legitify will help you remediate this situation all across the board.
We believe this is indeed very valuable, so we have decided to add another namespace to legitify for enterprise. This will allow showing misconfigurations for the entire enterprise. We will keep you posted when the new namespace is added.

Hi again, @timmeinerzhagen. We've just released v0.2.6 with enterprise namespace: https://github.com/Legit-Labs/legitify/releases/tag/v0.2.6
You will be able to see enterprise-wide policies. We will enrich our policies as we go.
Once GitHub releases an API for organization-level visibility change, an organization-level policy will also be added to legitify.
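The two-setting check the issue asks for, and the enterprise-level fallback the maintainers describe, as an added example that is not legitify's own policy code. It evaluates constructed API responses offline; the organization field `members_can_create_public_repositories` is from the REST `GET /orgs/{org}` response, while the enterprise field name `membersCanChangeRepositoryVisibilitySetting` is an assumption about the GraphQL EnterpriseOwnerInfo object, not something stated in the thread.

```python
# Added example, not from the legitify project: a combined check that cannot
# report "safe" on the repository-creation restriction alone.

# Constructed sample of the organization-level REST response (GET /orgs/{org}).
# As the maintainers note, the "allow members to change repository visibility"
# toggle has no organization-level API field, so it only appears at the
# enterprise level below.
ORG_SETTINGS = {
    "members_can_create_public_repositories": False,
}

# Constructed sample of the enterprise-level value. The field name is an
# assumption about the GraphQL EnterpriseOwnerInfo object; values modelled as
# "ENABLED" / "DISABLED" / "NO_POLICY".
ENTERPRISE_SETTINGS = {
    "membersCanChangeRepositoryVisibilitySetting": "ENABLED",
}


def creation_restricted(org):
    """True when non-admins cannot create public repositories (the check the
    existing rule performs). A missing field is treated as unrestricted."""
    return org.get("members_can_create_public_repositories", True) is False


def visibility_change_restricted(enterprise):
    """True only when the enterprise policy explicitly forbids members from
    changing repository visibility; NO_POLICY leaves it up to each org."""
    return enterprise.get("membersCanChangeRepositoryVisibilitySetting") == "DISABLED"


def public_repo_findings(org, enterprise):
    """Return rule names that fail. An empty list means members have neither
    path to a public repository: direct creation or a later visibility flip."""
    findings = []
    if not creation_restricted(org):
        findings.append("non_admins_can_create_public_repositories")
    if not visibility_change_restricted(enterprise):
        findings.append("non_admins_can_change_repository_visibility")
    return findings


if __name__ == "__main__":
    # With the samples above, creation is restricted but visibility changes
    # are not, so the second finding is raised.
    for name in public_repo_findings(ORG_SETTINGS, ENTERPRISE_SETTINGS):
        print("FAIL:", name)
```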