Rule `Only Admins Should Be Able To Create Public Repositories` change visibility permission
timmeinerzhagen opened this issue · 4 comments
TL;DR
The rule non_admins_can_create_public_repositories only checks if members can outright create a public repository. By default they can however achieve the same thing by creating a private repository and changing its visibility to public, as that is not restricted by that permission. Even worse, they can change the visibility of any repository that they are an admin of.
Thus, only prohibiting all visibility changes via the option Repository visibility change actually stops creation of public repositories. The current rule gives a very wrong impression of security while not giving the whole picture.
Expected behavior
Legitify should check that the member privileges have two settings:
- Repository Creation only allows private, internal, or none
- Repository visibility change is not allowed
Observed behavior
It only checks for one setting:
- Repository Creation only allows private, internal, or none
Version
v0.2.5
On which operating system are you using legitify?
Linux
Relevant log output
No response
Additional information
See the GitHub Documentation page on Restricting repository creation in your organization, which specifically points this out:
Warning: This setting only restricts the visibility options available when repositories are created and does not restrict the ability to change repository visibility at a later time. For more information about restricting changes to existing repositories' visibilities, see "Restricting repository visibility changes in your organization."
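To make the gap described in this issue concrete, here is an added example (not legitify's own code or policy) that evaluates both settings together over a constructed org record. The `members_can_create_public_repositories` field mirrors the organization object GitHub's REST API returns; `members_can_change_repo_visibility` is a hypothetical field standing in for the "Repository visibility change" setting, which the thread notes is only available at the enterprise level, so it may be unknown.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class OrgSettings:
    # Real field name from GET /orgs/{org}: may members create public repos?
    members_can_create_public_repositories: bool
    # Hypothetical field: mirrors the org-level "Repository visibility change"
    # setting. None means the value could not be collected (the API does not
    # expose it per organization), so the check cannot vouch for it.
    members_can_change_repo_visibility: Optional[bool]


def public_repo_creation_findings(org: OrgSettings) -> list[str]:
    """Return finding names for every way a non-admin could end up with a
    public repository. Checking only the first condition is exactly the
    false sense of security the issue describes."""
    findings: list[str] = []
    if org.members_can_create_public_repositories:
        findings.append("non_admins_can_create_public_repositories")
    if org.members_can_change_repo_visibility is None:
        # Unknown is not the same as safe: surface it rather than stay silent.
        findings.append("repository_visibility_change_setting_not_verified")
    elif org.members_can_change_repo_visibility:
        # Private repo created, then flipped to public: same end result.
        findings.append("non_admins_can_change_repository_visibility")
    return findings


def members_can_expose_repositories(org: OrgSettings) -> bool:
    """True unless both settings are verifiably locked down."""
    return bool(public_repo_creation_findings(org))


if __name__ == "__main__":
    # Constructed org: creation restricted, visibility change still allowed.
    looks_safe = OrgSettings(False, True)
    print(public_repo_creation_findings(looks_safe))
```

The `looks_safe` org passes the existing rule but still reports a finding, since a member can create a private repository and make it public afterwards.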
Hi @timmeinerzhagen, your issue makes a good point.
Unfortunately, GitHub's API supports this configuration only for enterprise accounts ATM, but we've added a note to this policy that users should check if they configured that value.
Yeah, the note is a good first step for the documentation at least. In my opinion, it is not visible enough, since it is just inline at the end of the description instead of being made visible (though that is probably not easily adjustable with your setup). Not ideal, since people will not read it when the non_admins_can_create_public_repositories check is successful, since they don't get this finding at all.
Even if it is an Enterprise only feature, I think it should be included / have a separate rule specifically for this setting. Other rules like require SSO and GitHub Advanced Security are Enterprise Only features as well.
Hi @timmeinerzhagen, thanks for your comment!
Unfortunately, unlike the require SSO and the GitHub Advanced Security options, there is no API collection option for Allow members to change repository visibilities for this organization.
There is, however, a higher-level configuration for this policy - on the enterprise level. If the configuration is disabled on the enterprise level, all organizations under this enterprise will have this option disabled. So if your PAT has admin permissions on the enterprise account, legitify will help you remediate this situation all across the board.
We believe this is indeed very valuable, so we have decided to add another namespace to legitify for enterprise.
This will allow showing misconfigurations for the entire enterprise. We will keep you posted when the new namespace is added.
Hi again, @timmeinerzhagen. We've just released v0.2.6 with the enterprise namespace: https://github.com/Legit-Labs/legitify/releases/tag/v0.2.6
You will be able to see enterprise-wide policies. We will enrich our policies as we go.
Once GitHub releases an API for organization-level visibility change, an organization-level policy will also be added to legitify.