Ensure two administrators are set for each repository

ID

repositories_admins

Severity

low

Family

SCM

Tags

administrators, least-privilege, non-reachable, slsa-4

Description

Ensure every repository has a minimum number of users with administrative permissions.

You can configure the maximum and minimum number of administrators by changing these properties in conf/misconfigurations/repositories_admins.yml:

  • minAdministrators: Minimum number of administrators per repository. 2 is often recommended for staff redundancy. (Default value: 2)

  • maxAdministrators: Maximum number of administrators per repository. The principle of least privilege recommends limiting the number of administrators. (Default value: 2)
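As an added illustration of how the minAdministrators / maxAdministrators bounds apply to a repository's collaborator list (example code written for this page, not the checker's own implementation), the function below counts collaborators holding the admin permission and reports repositories that fall outside the configured range. The collaborator records are constructed sample data shaped like the objects returned by the GitHub collaborators API (a `login` plus a `permissions` map); the config is assumed to be the two keys from repositories_admins.yml already loaded into a dict.

```python
from dataclasses import dataclass

# Assumed: the two keys from conf/misconfigurations/repositories_admins.yml, already parsed.
DEFAULT_CONFIG = {"minAdministrators": 2, "maxAdministrators": 2}


@dataclass(frozen=True)
class Finding:
    repository: str
    admin_count: int
    problem: str  # "too_few" or "too_many"


def count_admins(collaborators):
    """Count distinct logins whose permissions grant admin on the repository.

    Logins are compared case-insensitively so the same account listed twice
    (e.g. directly and via a team expansion) is not counted as two admins.
    """
    admins = {
        c["login"].lower()
        for c in collaborators
        if c.get("permissions", {}).get("admin", False)
    }
    return len(admins)


def check_repository_admins(repositories, config=DEFAULT_CONFIG):
    """Return a Finding for every repository whose admin count is out of range.

    repositories maps "owner/name" to its list of collaborator records.
    """
    low = config["minAdministrators"]
    high = config["maxAdministrators"]
    findings = []
    for repo, collaborators in sorted(repositories.items()):
        n = count_admins(collaborators)
        if n < low:
            findings.append(Finding(repo, n, "too_few"))
        elif n > high:
            findings.append(Finding(repo, n, "too_many"))
    return findings


# Constructed sample inventory: three repositories with different admin sets.
SAMPLE_REPOSITORIES = {
    "org/api": [
        {"login": "alice", "permissions": {"admin": True, "push": True}},
        {"login": "bob", "permissions": {"admin": True, "push": True}},
        {"login": "carol", "permissions": {"admin": False, "push": True}},
    ],
    "org/web": [
        {"login": "Bob", "permissions": {"admin": True, "push": True}},
        {"login": "bob", "permissions": {"admin": True, "push": True}},  # duplicate login
    ],
    "org/infra": [
        {"login": "alice", "permissions": {"admin": True}},
        {"login": "dave", "permissions": {"admin": True}},
        {"login": "erin", "permissions": {"admin": True}},
    ],
}
```

Running `check_repository_admins(SAMPLE_REPOSITORIES)` flags org/web (one distinct admin, below the minimum) and org/infra (three admins, above the maximum) while org/api passes.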

Security

Repository administrators have the highest permissions on a repository. These include the ability to add or remove collaborators, change the branch protection policy and convert the repository to a publicly accessible one.

Due to the liberal access granted to a repository administrator, it is highly recommended that only a limited number of contributors occupy this role.

On the other hand, it is also recommended, for staff redundancy, to have a minimum number of repository administrators.

Mitigation / Fix

For every repository in use, set a minimum but sufficient number of administrators. The following are configurations for popular SCM systems.

GitHub

As a repository administrator, go to your Repository page > Settings > Collaborators and teams (or directly to https://github.com/OWNER/REPOSITORY/settings/access) and give the Admin role to the trusted set of people (or remove some when exceeding the maximum) by clicking on the "Role" button.

GitLab

As a project owner, go to the Project > Manage > Members administration page at https://gitlab.com/GROUP/PROJECT/-/project_members, and invite new members with "Owner" as the Role, or change the role of an existing member.

Azure DevOps (ADO)

Project Administrators are powerful users for a project: they can manage users and groups, or set project policies.

To add or remove new project administrators, go to the Azure DevOps project, Project settings > General/Permissions > Groups/Project Administrators > Members (for the on-cloud ADO, go to https://dev.azure.com/ORGANIZATION/PROJECT/_settings/permissions, click on the "Project Administrators" group and then click on "Members").

To edit the project administrator group, select the user and add or remove them from the "Project Administrators" group in the project scope.