Ensure strict base permissions are set for repositories
ID: org_default_repo_permission
Severity: critical
Family: SCM
Tags: least-privilege, reachable, security, slsa-4, supply-chain
Description
Base permissions define the permission level automatically granted to all organization members. Define strict base access permissions for all the repositories in the organization, including new ones.
Security
Defining strict base permissions is the best practice in every role-based access control (RBAC) system. If the base permission is high, for example "write", every member of the organization has "write" access to every repository in the organization.
This applies regardless of the permissions a given user actually needs, which generally differ from one repository to another. The higher the base permission, the higher the risk of incidents such as a malicious or faulty code commit or a data breach.
It is therefore recommended to set the base permissions to the strictest level possible.
Mitigation / Fix
Set strict base permissions for the organization repositories: either "None" or "Read".
GitHub
Go to your GitHub organization’s page, then Settings > Member privileges > Repository permissions (or https://github.com/organizations/ORGANIZATION/settings/member_privileges), and in the dropdown menu Base permissions select either "None" or "Read".
Note that this setting is a baseline (permissions for individual repositories can be adjusted as needed), and applies only to members of the organization: external collaborators are managed separately.
Teams can be used for more fine-grained access control to repositories.
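The same setting can be checked (and remediated) programmatically through the GitHub REST API, which exposes it on the organization object as `default_repository_permission`. The script below is an added example, not part of this rule's own tooling; it assumes a token belonging to an organization member in `GITHUB_TOKEN` and the organization name in `GITHUB_ORG`, and falls back to a constructed sample when no token is set.

```python
import json
import os
import urllib.request

GITHUB_API = "https://api.github.com"
RULE_ID = "org_default_repo_permission"
# The two base-permission values the rule accepts.
ALLOWED = {"none", "read"}


def _request(method, path, token, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"{GITHUB_API}{path}", data=data, method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_org(org, token):
    """GET /orgs/{org}; default_repository_permission is only returned
    when the token's user is a member of the organization."""
    return _request("GET", f"/orgs/{org}", token)


def set_base_permission(org, token, level="read"):
    """PATCH /orgs/{org} to remediate; requires an org owner token."""
    assert level in ALLOWED, "rule only allows 'none' or 'read'"
    return _request("PATCH", f"/orgs/{org}", token,
                    {"default_repository_permission": level})


def evaluate_base_permission(org):
    """Turn an organization object into a pass/fail finding for the rule."""
    level = org.get("default_repository_permission")
    if level is None:  # field absent: token is not an org member
        return {"id": RULE_ID, "status": "unknown", "org": org.get("login"),
                "reason": "default_repository_permission not visible"}
    failed = level not in ALLOWED
    return {"id": RULE_ID, "status": "fail" if failed else "pass",
            "org": org.get("login"), "level": level,
            "severity": "critical" if failed else None}


# Constructed sample organization object (shape of GET /orgs/{org}).
SAMPLE_ORG = {"login": "example-org", "default_repository_permission": "write"}

if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    org_name = os.environ.get("GITHUB_ORG", "example-org")
    org = fetch_org(org_name, token) if token else SAMPLE_ORG
    print(json.dumps(evaluate_base_permission(org), indent=2))
```

Run `evaluate_base_permission` over every organization you manage to surface those still at "write" or "admin", and use `set_base_permission` only with an owner token once the per-repository permissions needed by teams are in place.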