Every SAML SSO credential authorization should be associated with a known organization member's login. An empty Login field indicates an orphaned credential (for example, the user was removed from the org but the credential authorization was not revoked), which is a common GitHub Enterprise Cloud audit finding. Such credentials should be revoked.
1. Go to Organization Settings -> Authentication security -> SAML single sign-on.
2. Review 'Authorized credentials' and revoke any belonging to users no longer in the organization.
3. Document the revocation in the audit trail.
{
  "target": "GHCredentialAuthorization",
  "if": {
    "allOf": [
      {
        "resource": "GHCredentialAuthorization",
        "property": "Login",
        "operator": "notEquals",
        "value": ""
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}
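The review in step 2 can be scripted. The following is an added example, not DevOps Shield's or GitHub's own code: it flags authorizations with an empty Login and, going one step beyond the policy condition, those whose login is no longer a member. The sample records are constructed in the shape returned by GitHub's REST endpoint `GET /orgs/{org}/credential-authorizations`; the function and variable names are hypothetical.

```python
"""Audit SAML SSO credential authorizations for orphaned entries (added example)."""
import json

# Constructed sample in the shape returned by GitHub's REST endpoint
# GET /orgs/{org}/credential-authorizations (all values are made up).
SAMPLE_AUTHORIZATIONS = json.loads("""
[
  {"login": "alice", "credential_id": 101, "credential_type": "personal access token",
   "credential_authorized_at": "2024-01-10T09:00:00Z"},
  {"login": "", "credential_id": 102, "credential_type": "SSH key",
   "credential_authorized_at": "2023-06-02T14:30:00Z"},
  {"login": "Bob", "credential_id": 103, "credential_type": "personal access token",
   "credential_authorized_at": "2023-11-20T08:15:00Z"},
  {"credential_id": 104, "credential_type": "personal access token",
   "credential_authorized_at": "2022-03-05T17:45:00Z"}
]
""")

# Constructed sample of current member logins (GET /orgs/{org}/members).
SAMPLE_MEMBERS = ["alice", "carol"]


def find_orphaned(authorizations, member_logins):
    """Return (credential_id, reason) for each authorization to review for revocation."""
    # GitHub logins are case-insensitive, so compare on a lowercased form.
    members = {m.lower() for m in member_logins}
    findings = []
    for auth in authorizations:
        login = (auth.get("login") or "").strip()
        if not login:
            # The condition the policy description flags: Login empty or missing.
            findings.append((auth["credential_id"], "empty login"))
        elif login.lower() not in members:
            # Extension beyond the policy: login present but no longer a member.
            findings.append((auth["credential_id"], f"{login} is not a current member"))
    return findings


if __name__ == "__main__":
    for cred_id, reason in find_orphaned(SAMPLE_AUTHORIZATIONS, SAMPLE_MEMBERS):
        # Revocation path: DELETE /orgs/{org}/credential-authorizations/{credential_id}
        print(f"review credential {cred_id}: {reason}")
```

Keeping the printed findings alongside the revocation record covers step 3.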