GitHub repository | Severity: high | builtIn

Description

GitHub's role-based collaborator model exposes a RoleName ('read', 'triage', 'write', 'maintain', 'admin', or a custom role) alongside the per-permission booleans. An outside collaborator whose RoleName is 'admin' holds the highest role grantable on a repository, whatever the individual Permissions.* booleans say. This is a critical finding that complements the Permissions.Admin check: the role and the booleans should both be audited.

Recommendation

1. Go to Repository Settings -> Collaborators and teams.
2. Identify outside collaborators with role 'Admin'.
3. Change their role to 'Maintain' or lower.

Policy Rule

{
  "target": "GHRepositoryCollaborator",
  "if": {
    "allOf": [
      {
        "resource": "GHRepositoryCollaborator",
        "property": "Affiliation",
        "operator": "equals",
        "value": "outside"
      },
      {
        "resource": "GHRepositoryCollaborator",
        "property": "RoleName",
        "operator": "notEquals",
        "value": "admin"
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}
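The check the Description above calls for, written out as an added example (not the policy engine's own code): it audits collaborator records for an outside collaborator holding admin via RoleName and, separately, via the Permissions.Admin boolean, so a custom role with the admin bit set is caught as well. It assumes records shaped like GitHub's REST "list repository collaborators" response (login, role_name, permissions) with an affiliation field attached by the caller, since the API takes affiliation as a query parameter rather than returning it.

```python
# Added example: audit outside collaborators for admin held via role name
# or via the admin permission boolean. Record shape follows GitHub's REST
# collaborator listing; "affiliation" is assumed to be attached by the caller.

REMEDIATION = "change role to 'maintain' or lower"


def audit_outside_collaborators(collaborators):
    """Return one finding per outside collaborator that holds admin.

    A finding lists every signal that fired, so a record can be flagged by
    the role name, by the Permissions.Admin boolean, or by both.
    """
    findings = []
    for c in collaborators:
        if c.get("affiliation") != "outside":
            continue  # direct collaborators are out of scope for this rule
        role = (c.get("role_name") or "").lower()
        perms = c.get("permissions") or {}
        reasons = []
        if role == "admin":
            reasons.append("RoleName is 'admin'")
        if perms.get("admin") is True:
            reasons.append("Permissions.Admin is true")
        if reasons:
            findings.append({
                "login": c["login"],
                "role_name": role,
                "reasons": reasons,
                "remediation": REMEDIATION,
            })
    return findings


# Constructed sample records (not real accounts). 'dave' carries a custom
# role name with the admin bit set, which only the boolean check catches.
SAMPLE = [
    {"login": "alice", "affiliation": "outside", "role_name": "admin",
     "permissions": {"pull": True, "triage": True, "push": True, "maintain": True, "admin": True}},
    {"login": "bob", "affiliation": "outside", "role_name": "write",
     "permissions": {"pull": True, "triage": True, "push": True, "maintain": False, "admin": False}},
    {"login": "carol", "affiliation": "direct", "role_name": "admin",
     "permissions": {"pull": True, "triage": True, "push": True, "maintain": True, "admin": True}},
    {"login": "dave", "affiliation": "outside", "role_name": "release-manager",
     "permissions": {"pull": True, "triage": True, "push": True, "maintain": False, "admin": True}},
]

if __name__ == "__main__":
    for f in audit_outside_collaborators(SAMPLE):
        print(f["login"], f["role_name"], "; ".join(f["reasons"]), "->", f["remediation"])
```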