4.2.5 Ensure anonymous access to artifacts is revoked

ID

cis_sscs/anonymous_access

Severity

critical

Category

artifacts/access_to_artifacts

Levels

Optional

false

Tags

code-leakage, least-privilege, package-permissions, security, supply-chain

Description

Disable anonymous access to artifacts.

Rationale

Most artifact repositories, such as JFrog Artifactory and Sonatype Nexus, support an anonymous user. By default this account usually has read-only permissions, but additional permissions can be granted to it. Disable the option to view artifacts as "Anonymous User" so that private artifacts are not exposed; only trusted, authenticated and authorized members can then access artifacts.

Verification

For each artifact or package manager in use, verify that anonymous access is disabled.

Remediation

Disable the anonymous access option on every artifact or package manager in use.
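A worked check for the Verification and Remediation steps above. This is an added example, not part of the CIS benchmark or of either vendor's tooling: it sends an unauthenticated request to a repository-listing endpoint (401/403 means anonymous access is denied, a 200 carrying a JSON listing means anonymous users can read artifacts), optionally reads the product's own anonymous-access setting with admin credentials, and for Nexus can switch the setting off. The endpoint paths, response formats and the PUT payload are assumptions based on the JFrog Artifactory and Sonatype Nexus REST APIs; confirm them against the version you run.

```python
"""Anonymous-access check for artifact repositories (added example, not CIS code).

Endpoint paths and response formats below are assumptions based on the
JFrog Artifactory and Sonatype Nexus REST APIs; verify for your version.
"""
import json
import re
import urllib.error
import urllib.request

# Unauthenticated listing endpoints (assumed): both return a JSON array.
PROBE_PATHS = {
    "artifactory": "/artifactory/api/repositories",
    "nexus": "/service/rest/v1/repositories",
}
# Admin-only settings endpoints (assumed).
CONFIG_PATHS = {
    "artifactory": "/artifactory/api/system/security",  # XML with <anonAccessEnabled>
    "nexus": "/service/rest/v1/security/anonymous",      # JSON with "enabled"
}


def http_get(url, auth_header=None, timeout=10):
    """GET url and return (status, body). Credentials are sent only if given,
    e.g. auth_header="Bearer <token>" or "Basic <base64 user:pass>"."""
    headers = {"User-Agent": "anon-access-check"}
    if auth_header:
        headers["Authorization"] = auth_header
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def assess_probe(status, body):
    """Classify an unauthenticated probe. urllib follows redirects, so a 200
    that is not a JSON array (e.g. a login page) is INCONCLUSIVE, not a pass."""
    if status in (401, 403):
        return "PASS"            # anonymous access denied
    if status == 200:
        try:
            listing = json.loads(body)
        except ValueError:
            return "INCONCLUSIVE"
        return "FAIL" if isinstance(listing, list) else "INCONCLUSIVE"
    return "INCONCLUSIVE"        # wrong path, proxy error, product mismatch, ...


def anonymous_enabled_from_config(product, body):
    """Parse the admin settings response; True if anonymous access is enabled."""
    if product == "nexus":
        return bool(json.loads(body).get("enabled"))
    if product == "artifactory":
        m = re.search(r"<anonAccessEnabled>\s*(true|false)\s*</anonAccessEnabled>", body)
        if not m:
            raise ValueError("anonAccessEnabled not present in security config")
        return m.group(1) == "true"
    raise ValueError("unsupported product: " + product)


def check_repository(base_url, product, auth_header=None, fetch=http_get):
    """Run the black-box probe and, when credentials are given, the config check.
    `fetch` is injectable so the logic can be exercised without a live server."""
    base = base_url.rstrip("/")
    status, body = fetch(base + PROBE_PATHS[product])
    result = {"product": product, "probe_status": status,
              "probe": assess_probe(status, body)}
    if auth_header:
        cstatus, cbody = fetch(base + CONFIG_PATHS[product], auth_header=auth_header)
        if cstatus == 200:
            result["config_anonymous_enabled"] = anonymous_enabled_from_config(product, cbody)
        else:
            result["config_error"] = cstatus   # e.g. credentials lack admin rights
    return result


def disable_nexus_anonymous(base_url, auth_header):
    """Remediation for Nexus (assumed API): PUT the anonymous settings with
    enabled=false. Returns the HTTP status; 204 is expected on success."""
    payload = json.dumps({"enabled": False, "userId": "anonymous",
                          "realmName": "NexusAuthorizingRealm"}).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + CONFIG_PATHS["nexus"], data=payload, method="PUT",
        headers={"Authorization": auth_header, "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    import sys
    # usage: python anon_check.py artifactory https://repo.example.com ["Bearer <token>"]
    product, url = sys.argv[1], sys.argv[2]
    auth = sys.argv[3] if len(sys.argv) > 3 else None
    print(json.dumps(check_repository(url, product, auth), indent=2))
```

Run the probe from a network position that reflects real exposure (the same segment as developers or the internet-facing edge, not only from the repository host), and treat an INCONCLUSIVE result as a prompt to inspect the response rather than as a pass: a proxy or SSO redirect can return 200 without granting artifact access, and a custom context path will turn the assumed endpoints into 404s.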