GitHub organization | Severity: high | Type: builtIn

Description

Every SAML SSO credential authorization records the credential kind (one of 'personal access token', 'SSH key', or 'GitHub app'). A missing or blank credential type indicates an unrecognized credential class that bypasses standard auditing, typically the result of a GitHub API change or a partially migrated credential. Such records require manual review.

Recommendation

1. Go to Organization Settings -> Authentication security -> SAML single sign-on -> Authorized credentials.
2. For credentials with an unknown type, contact the user and confirm they are still in active use.
3. Revoke unrecognized credential types.

Policy Rule

{
  "target": "GHCredentialAuthorization",
  "if": {
    "allOf": [
      {
        "resource": "GHCredentialAuthorization",
        "property": "CredentialType",
        "operator": "notEquals",
        "value": ""
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}
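The manual-review triage the Description calls for, as an added example that is not part of this policy page or of GitHub's own tooling. It assumes records shaped like GitHub's REST "list SAML SSO authorizations for an organization" response (GET /orgs/{org}/credential-authorizations, field credential_type); the sample records are constructed, and the unrecognized value "oauth app" is invented to exercise the check.

```python
# Added example: triage SAML SSO credential authorizations whose credential
# type is missing, blank, or outside the three classes the policy recognizes.
# Record shape follows GitHub's REST credential-authorizations response
# (assumption); all records below are constructed, not real API output.

KNOWN_CREDENTIAL_TYPES = {"personal access token", "ssh key", "github app"}

# Constructed sample records covering the cases a reviewer must handle.
SAMPLE_AUTHORIZATIONS = [
    {"login": "alice", "credential_id": 1, "credential_type": "personal access token"},
    {"login": "bob",   "credential_id": 2, "credential_type": "SSH key"},
    {"login": "carol", "credential_id": 3, "credential_type": "   "},      # blank
    {"login": "dave",  "credential_id": 4, "credential_type": None},       # null
    {"login": "erin",  "credential_id": 5},                                # field absent
    {"login": "frank", "credential_id": 6, "credential_type": "oauth app"},  # hypothetical
]


def classify_credential_type(record):
    """Return None when the type is a recognized class, else a reason string."""
    raw = record.get("credential_type")
    if raw is None:
        return "missing"                      # null or field absent entirely
    if not isinstance(raw, str) or not raw.strip():
        return "blank"                        # empty or whitespace-only
    if raw.strip().lower() not in KNOWN_CREDENTIAL_TYPES:
        return f"unrecognized: {raw!r}"       # a class the policy does not know
    return None


def find_credentials_needing_review(records):
    """Records the policy would route to manual review, each with its reason."""
    findings = []
    for rec in records:
        reason = classify_credential_type(rec)
        if reason is not None:
            findings.append({"login": rec.get("login"),
                             "credential_id": rec.get("credential_id"),
                             "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_credentials_needing_review(SAMPLE_AUTHORIZATIONS):
        print(f"{f['login']:<6} credential {f['credential_id']}: {f['reason']}")
```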