Category: GitHub repository
Severity: critical
Type: builtIn

Description

When the per-repo collaborator audit (G2.4) lists a collaborator with Affiliation = 'outside' AND Permissions.Admin = true, this is a critical finding: a user outside the organization holds admin rights on that specific repository. This is the per-repository counterpart of the org-level outside-collaborator audit; it surfaces overrides in which an outside collaborator was granted admin on a single repository despite org-level policy.

Recommendation

1. Go to Repository Settings -> Collaborators and teams.
2. Identify outside collaborators with the admin role.
3. Downgrade their permission to Maintain, Write, Triage, or Read as appropriate.

Policy Rule

{
  "target": "GHRepositoryCollaborator",
  "if": {
    "allOf": [
      {
        "resource": "GHRepositoryCollaborator",
        "property": "Affiliation",
        "operator": "equals",
        "value": "outside"
      },
      {
        "resource": "GHRepositoryCollaborator",
        "property": "Permissions.Admin",
        "operator": "notEquals",
        "value": true
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}
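As an added example (not part of this policy page or the tool it belongs to), the following Python evaluator applies a rule in the allOf/property/operator shape shown above to constructed collaborator records. The rule it evaluates encodes the finding exactly as the Description states it (Affiliation equals "outside" AND Permissions.Admin equals true); the record field names follow the GitHub collaborators API (lowercase `permissions.admin`), so property paths are resolved case-insensitively, which is an assumption of this example.

```python
from typing import Any

# Constructed sample records shaped like GitHub's repository collaborator
# API objects, with the affiliation the audit query returned; not real users.
COLLABORATORS = [
    {"login": "alice", "affiliation": "direct",
     "permissions": {"admin": True, "push": True, "pull": True}},
    {"login": "contractor-bob", "affiliation": "outside",
     "permissions": {"admin": True, "push": True, "pull": True}},
    {"login": "contractor-carol", "affiliation": "outside",
     "permissions": {"admin": False, "push": True, "pull": True}},
]

# The finding as the Description states it: outside collaborator AND admin.
OUTSIDE_ADMIN_RULE = {
    "target": "GHRepositoryCollaborator",
    "if": {"allOf": [
        {"property": "Affiliation", "operator": "equals", "value": "outside"},
        {"property": "Permissions.Admin", "operator": "equals", "value": True},
    ]},
    "then": {"effect": "Audit"},
}

def get_property(record: dict, path: str) -> Any:
    """Resolve a dotted path such as 'Permissions.Admin', matching keys
    case-insensitively (assumption: API keys are lowercase, rule keys are not)."""
    cur: Any = record
    for part in path.split("."):
        if not isinstance(cur, dict):
            return None
        key = next((k for k in cur if k.lower() == part.lower()), None)
        if key is None:
            return None
        cur = cur[key]
    return cur

def condition_holds(record: dict, cond: dict) -> bool:
    """Evaluate an allOf/anyOf tree or a single property condition."""
    if "allOf" in cond:
        return all(condition_holds(record, c) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_holds(record, c) for c in cond["anyOf"])
    actual = get_property(record, cond["property"])
    if cond["operator"] == "equals":
        return actual == cond["value"]
    if cond["operator"] == "notEquals":
        return actual != cond["value"]
    raise ValueError(f"unsupported operator {cond['operator']!r}")

def evaluate(rule: dict, records: list) -> list:
    """Return the logins matching the rule's 'if' block: the audit findings."""
    return [r["login"] for r in records if condition_holds(r, rule["if"])]

if __name__ == "__main__":
    print(evaluate(OUTSIDE_ADMIN_RULE, COLLABORATORS))  # ['contractor-bob']
```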