Ensure that groups do not use too broad permissions.
| Field | Value |
| --- | --- |
| ID | too_broad_group_permissions |
| Severity | critical |
| Family | CI/CD Security |
| Tags | least-privilege, reachable |
Description
Ensure that user groups do not use too broad permissions.
This check looks for any user groups that have more permissions than necessary for a certain system feature.
Security
Using user groups in your CI/CD systems with broader permissions than they actually require maximizes the exposure of the affected resources if a malicious user attacks your system.
Azure Devops
A malicious user may compromise the integrity of a variable group or of the entire Library if broad groups (e.g., Contributors) hold excessive permissions (Administrator or User) over these system features, whether on individual variable groups or on the whole Library.
Removing access/privileges that are not required minimizes exposure of the resources in case of user account/variable group compromise.
Mitigation / Fix
Downgrade the excessive permissions for the reported user groups.
If the reported permissions are accepted by your organization's security policy, update this detector's configuration to reflect that decision.
Configuration
The detector has a property named `group_pattern`, which contains a regular expression that matches the groups to be analyzed. By default, it matches some well-known broad user groups such as: Project Collection Valid Users, Readers, Contributors and Project Valid Users.
The detector has a property named `policy`, which lists the permissions considered excessive for each supported system feature (currently only AzureDevops is supported).
For AzureDevops, it looks like this:
```yaml
policy:
  - system: azure_devops
    permissions:
      library: [ Administrator, User ]
      variable_group: [ Administrator, User ]
```
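The following is an added illustration of how this detector's configuration is evaluated; it is not the detector's own code. It assumes a concrete `group_pattern` regex (the page only names the groups the default matches) and a constructed set of normalised Azure DevOps permission entries of the form (system, feature, resource, group, role).

```python
import re
from dataclasses import dataclass

# Detector configuration mirroring the page's policy block.
# The group_pattern value is an assumption built from the group names the page lists.
CONFIG = {
    "group_pattern": r"(Project Collection Valid Users|Project Valid Users|Readers|Contributors)$",
    "policy": [
        {
            "system": "azure_devops",
            "permissions": {
                "library": ["Administrator", "User"],
                "variable_group": ["Administrator", "User"],
            },
        },
    ],
}

# Constructed sample input: effective roles per group on Library resources.
# Azure DevOps group identities are shown in their usual "[Project]\Group" form.
SAMPLE_ACLS = [
    ("azure_devops", "library", "Library", "[proj]\\Contributors", "Administrator"),
    ("azure_devops", "variable_group", "prod-secrets", "[proj]\\Project Valid Users", "User"),
    ("azure_devops", "variable_group", "prod-secrets", "[proj]\\Readers", "Reader"),
    ("azure_devops", "variable_group", "dev-vars", "[proj]\\Release Admins", "Administrator"),
    ("azure_devops", "build", "pipeline-1", "[proj]\\Contributors", "Administrator"),
]

@dataclass(frozen=True)
class Finding:
    feature: str
    resource: str
    group: str
    role: str

def excessive_roles(config, system, feature):
    """Roles the policy flags as too broad for this system feature (empty if not covered)."""
    for entry in config["policy"]:
        if entry["system"] == system:
            return set(entry["permissions"].get(feature, []))
    return set()

def check_group_permissions(acls, config=CONFIG):
    """Report every broad group (per group_pattern) holding a policy-listed role on a feature."""
    pattern = re.compile(config["group_pattern"])
    findings = []
    for system, feature, resource, group, role in acls:
        if not pattern.search(group):
            continue  # narrow, purpose-built groups are out of scope for this detector
        if role in excessive_roles(config, system, feature):
            findings.append(Finding(feature, resource, group, role))
    return findings
```

On the sample input only the Contributors Administrator role on the Library and the Project Valid Users User role on `prod-secrets` are reported; the Readers group holds a role the policy does not list, Release Admins does not match the pattern, and `build` is not a covered feature.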