1.3.7 Ensure two administrators are set for each repository

ID

cis_sscs/repositories_admins

Severity

low

Category

source_code/contribution_access

Levels

Optional

false

Tags

administrators, least-privilege, slsa-4

Description

Ensure every repository has a minimum number of users with administrative permissions.

You can configure the maximum and minimum number of administrators by changing these properties in conf/compliance/checkpoints/cis_sscs/repositories_admins.yml:

  • minAdministrators: Minimum number of administrators per repository. A value of 2 is commonly recommended for staff redundancy. (Default value: 2)

  • maxAdministrators: Maximum number of administrators per repository. The principle of least privilege recommends limiting the number of administrators. (Default value: 2)

Rationale

Repository administrators hold the highest permissions on a repository. These include the ability to add and remove collaborators, change the branch protection policy, and convert the repository to publicly accessible.

Because of the liberal access granted to a repository administrator, it is highly recommended that only a limited number of contributors occupy this role.

On the other hand, for staff redundancy, it is also recommended to maintain a minimum number of repository administrators, so that losing one person does not leave the repository without an administrator.

Verification

For every repository in use, verify that the number of administrators is within the expected range. The compliant range is configurable through the minAdministrators and maxAdministrators properties described above.
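The configuration keys and the verification step above, as an added example that is not the checkpoint's own implementation. It assumes the YAML file is flat (just the two keys named on the page) and that each repository is described by a collaborator-to-permission mapping in which the administrator role is spelled "admin"; the sample repositories are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple
# Added example, not the checkpoint's own code. Assumes a flat YAML file with the
# two keys named on the page and a collaborator->permission map per repository in
# which the administrator role is spelled "admin".

@dataclass(frozen=True)
class AdminBounds:
    min_administrators: int = 2   # page default for minAdministrators
    max_administrators: int = 2   # page default for maxAdministrators

    def __post_init__(self) -> None:
        if not 1 <= self.min_administrators <= self.max_administrators:
            raise ValueError("need 1 <= minAdministrators <= maxAdministrators")

def bounds_from_yaml_text(text: str) -> AdminBounds:
    """Minimal 'key: value' parser for the two integer keys (no PyYAML needed)."""
    values: Dict[str, int] = {}
    for raw in text.splitlines():
        key, _, value = raw.split("#", 1)[0].partition(":")
        if key.strip() in ("minAdministrators", "maxAdministrators") and value.strip():
            values[key.strip()] = int(value.strip())
    return AdminBounds(values.get("minAdministrators", 2), values.get("maxAdministrators", 2))

def check_repositories(repos: Dict[str, Dict[str, str]],
                       bounds: AdminBounds) -> List[Tuple[str, List[str], str]]:
    """Return (repository, admins, status) with status compliant/too_few/too_many."""
    findings = []
    for name, collaborators in sorted(repos.items()):
        admins = sorted(u for u, perm in collaborators.items() if perm == "admin")
        if len(admins) < bounds.min_administrators:
            status = "too_few"       # no redundancy: remediation is to add an admin
        elif len(admins) > bounds.max_administrators:
            status = "too_many"      # least privilege: remediation is to demote admins
        else:
            status = "compliant"
        findings.append((name, admins, status))
    return findings

# Constructed sample data: three repositories with 2, 1 and 3 administrators.
SAMPLE_REPOS = {
    "payments-api": {"alice": "admin", "bob": "admin", "carol": "write"},
    "infra-terraform": {"alice": "admin", "dave": "write"},
    "legacy-portal": {"alice": "admin", "bob": "admin", "erin": "admin", "frank": "read"},
}

if __name__ == "__main__":
    for repo, admins, status in check_repositories(SAMPLE_REPOS, AdminBounds()):
        print(f"{repo}: {len(admins)} admin(s) -> {status}")
```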

Remediation

For every repository in use, set a minimum but sufficient number of administrators.