Outside (external) collaborators should never hold Admin permission on any of the organization's repositories. Admin grants the ability to add and remove collaborators, modify protected branches, and access secrets - powers that should be reserved for trusted organization members. Outside collaborators with Admin access are a frequent supply-chain attack vector and a top finding in GitHub security audits.
1. Go to Organization -> Outside collaborators.
2. For each collaborator, review their permissions.
3. Downgrade any 'Admin' permission to 'Maintain', 'Write', or lower as appropriate.
{
  "target": "GHOutsideCollaborator",
  "if": {
    "allOf": [
      {
        "resource": "GHOutsideCollaborator",
        "property": "Permissions.Admin",
        "operator": "notEquals",
        "value": true
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}
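To show how the policy above is evaluated, here is a small added Python evaluator (not DevOps Shield's own engine) that applies the allOf / notEquals condition to a few constructed outside-collaborator records; it assumes the "if" block describes the compliant state, so a record that fails it is reported with the policy's effect, and the logins and repository names are hypothetical.

```python
# The page's policy as a Python dict (JSON true becomes True).
POLICY = {
    "target": "GHOutsideCollaborator",
    "if": {"allOf": [{"resource": "GHOutsideCollaborator",
                      "property": "Permissions.Admin",
                      "operator": "notEquals", "value": True}]},
    "then": {"effect": "Audit"},
}

# Constructed sample records; logins and repositories are hypothetical.
SAMPLE_COLLABORATORS = [
    {"login": "vendor-alice", "repo": "payments-api",
     "Permissions": {"Admin": False, "Maintain": True, "Write": True}},
    {"login": "contractor-bob", "repo": "infra-terraform",
     "Permissions": {"Admin": True, "Maintain": True, "Write": True}},
    {"login": "intern-carol", "repo": "docs",
     "Permissions": {"Admin": False, "Maintain": False, "Write": False}},
]

OPERATORS = {
    "equals": lambda actual, expected: actual == expected,
    "notEquals": lambda actual, expected: actual != expected,
}

def get_property(resource, path):
    """Resolve a dotted path such as 'Permissions.Admin'; None if absent."""
    value = resource
    for part in path.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value

def condition_holds(condition, resource):
    """Evaluate an 'allOf' group or a single property comparison."""
    if "allOf" in condition:
        return all(condition_holds(c, resource) for c in condition["allOf"])
    actual = get_property(resource, condition["property"])
    return OPERATORS[condition["operator"]](actual, condition["value"])

def evaluate(policy, resources):
    """Return (login, repo, effect) for each resource failing the 'if' block.

    Assumption: 'if' describes the compliant state, so Admin == True fails
    'notEquals true' and is reported with the policy's effect ("Audit").
    """
    return [(r["login"], r["repo"], policy["then"]["effect"])
            for r in resources if not condition_holds(policy["if"], r)]
```

Running `evaluate(POLICY, SAMPLE_COLLABORATORS)` reports only contractor-bob on infra-terraform. Note that a record with no Permissions data resolves to None and silently passes 'notEquals true', so the inventory fed to the policy must be complete for the audit to be meaningful.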
Copyright © DevOps Shield. All Rights Reserved.