Ensure repository creation is limited to specific members
| Field | Value |
| --- | --- |
| ID | repository_creation |
| Severity | high |
| Family | SCM |
| Tags | code-leakage, least-privilege, reachable, repo-permissions |
Security
Restricting repository creation to trusted users and teams keeps the organization's repository inventory small and well structured, makes impersonation (a rogue repository posing as an official one) harder, and avoids unbounded growth of the version-control system.
Administrators then have fewer repositories to inventory and govern, and detecting malicious activity becomes more straightforward: when every repository is known and accounted for, an unexpected one stands out.
It also reduces the chance of a member creating a public repository and exposing the organization's code or data externally, whether by accident or on purpose.
Mitigation / Fix
Restrict repository creation to trusted users and teams only.
GitHub
Go to the organization's Settings > Member privileges > Repository creation (or https://github.com/organizations/ORGANIZATION/settings/member_privileges), then check or uncheck the "Public" and "Private" checkboxes and click "Save". With both boxes unchecked, ordinary members cannot create repositories at all; organization owners always can.
To restrict members from creating public repositories, the organization must be on GitHub Enterprise Cloud; otherwise creation of public repositories cannot be disabled.
GitHub Enterprise Cloud offers additional ways to restrict repository creation; for example, creation privileges can be granted to specific teams only.
See Restricting repository creation in your organization for full details.
GitLab
Go to the group's Settings > General (or https://gitlab.com/groups/GROUP/-/edit), search for "Roles allowed to create projects", choose "No one", "Maintainers" or "Developers + Maintainers", and click "Save changes". "No one" is the strictest option: only the group's Owners can then create projects in the group.
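To verify both of the settings above without clicking through the UI, here is an added example (not legitify's own code) that reads the organization or group settings through the GitHub and GitLab REST APIs and flags cases where ordinary members can still create repositories. The endpoints and field names (`members_can_create_*_repositories` on GET/PATCH /orgs/{org}, `project_creation_level` on GET/PUT /groups/:id) are the real API fields; the pass/fail thresholds, the sample payloads and the helper names are this example's own assumptions.

```python
"""Audit who can create repositories in a GitHub organization or GitLab group.

Added example, not legitify's own check. Endpoints and field names are the real
GitHub REST API (GET/PATCH /orgs/{org}) and GitLab REST API (GET/PUT /groups/:id)
ones; the pass/fail thresholds are assumptions of this script (see comments).
"""
import json
import urllib.parse
import urllib.request

VISIBILITIES = ("public", "private", "internal")
# GitHub's defaults for a new organization: members may create public and private
# repositories. "internal" exists only on Enterprise plans, so a missing flag is
# treated as "not allowed".
GITHUB_DEFAULTS = {"public": True, "private": True, "internal": False}

# GitLab's project_creation_level values, loosest last.
GITLAB_LEVEL_RANK = {"noone": 0, "maintainer": 1, "developer": 2}


def evaluate_github_org(settings: dict) -> dict:
    """Finding for the JSON of GET /orgs/{org} (fields are only shown to an owner token).

    members_can_create_repositories is the blanket switch; when it is true, the
    per-visibility flags say which kinds of repository members may create.
    """
    if settings.get("members_can_create_repositories", True):
        allowed = [v for v in VISIBILITIES
                   if settings.get(f"members_can_create_{v}_repositories", GITHUB_DEFAULTS[v])]
    else:
        allowed = []
    # Assumed threshold: pass only when members can create nothing, so that creation
    # stays with owners (and, on Enterprise Cloud, teams designated in the UI).
    remediation = None
    if allowed:
        # Request body for PATCH /orgs/{org}.
        remediation = {"members_can_create_repositories": False}
        remediation.update({f"members_can_create_{v}_repositories": False for v in VISIBILITIES})
    return {
        "status": "fail" if allowed else "pass",
        "members_can_create": allowed,
        "public_leak_possible": "public" in allowed,  # the code-leakage case
        "remediation": remediation,
    }


def evaluate_gitlab_group(group: dict, loosest_acceptable: str = "maintainer") -> dict:
    """Finding for the JSON of GET /groups/:id.

    Assumed threshold: "No one" and "Maintainers" pass, "Developers + Maintainers"
    fails. Pass loosest_acceptable="noone" for a stricter policy.
    """
    level = group.get("project_creation_level")
    if level not in GITLAB_LEVEL_RANK:
        return {"status": "error", "level": level, "remediation": None}
    ok = GITLAB_LEVEL_RANK[level] <= GITLAB_LEVEL_RANK[loosest_acceptable]
    return {
        "status": "pass" if ok else "fail",
        "level": level,
        # Request body for PUT /groups/:id.
        "remediation": None if ok else {"project_creation_level": loosest_acceptable},
    }


def _get_json(url: str, headers: dict) -> dict:
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=20) as resp:
        return json.load(resp)


def audit_github_org(org: str, token: str) -> dict:
    """Live check; the token must belong to an organization owner."""
    url = "https://api.github.com/orgs/" + urllib.parse.quote(org)
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"}
    return evaluate_github_org(_get_json(url, headers))


def audit_gitlab_group(group_path: str, token: str) -> dict:
    """Live check; group_path is a numeric id or the group's full path."""
    url = "https://gitlab.com/api/v4/groups/" + urllib.parse.quote(group_path, safe="")
    return evaluate_gitlab_group(_get_json(url, {"PRIVATE-TOKEN": token}))


# Constructed sample payloads trimmed to the relevant fields, not real API output.
SAMPLE_GITHUB_OPEN = {"login": "example-org",
                      "members_can_create_repositories": True,
                      "members_can_create_public_repositories": True,
                      "members_can_create_private_repositories": True}
SAMPLE_GITHUB_PRIVATE_ONLY = dict(SAMPLE_GITHUB_OPEN,
                                  members_can_create_public_repositories=False)
SAMPLE_GITLAB_LOOSE = {"full_path": "example-group", "project_creation_level": "developer"}

if __name__ == "__main__":
    # Offline demo on the constructed samples; call audit_github_org(org, token) or
    # audit_gitlab_group(group, token) with a real token to check a live tenant.
    print("github open:", json.dumps(evaluate_github_org(SAMPLE_GITHUB_OPEN)))
    print("github private-only:", json.dumps(evaluate_github_org(SAMPLE_GITHUB_PRIVATE_ONLY)))
    print("gitlab developer:", json.dumps(evaluate_gitlab_group(SAMPLE_GITLAB_LOOSE)))
```

The `remediation` dicts are exactly the request bodies for `PATCH /orgs/{org}` and `PUT /groups/:id`, so the same script can be extended to fix drift; restricting creation to specific teams on GitHub Enterprise Cloud has no equivalent field here and still has to be done in the UI.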