GitLab organization | Severity: medium | Built-in policy

Description

Top-level groups should restrict who can create new projects to the Maintainer or Owner role. Setting project_creation_level to maintainer prevents arbitrary developers from creating ungoverned projects, which would otherwise escape policy assignment, default-branch protection, and the CI/CD scanning baseline. Allowed values: noone | maintainer | developer.

Recommendation

1. Go to your top-level Group Settings > General.
2. Expand the Permissions and group features section.
3. Under Allowed to create projects, choose Maintainers or No one.
4. Save changes.
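The same setting can be audited programmatically, which is useful when you have many top-level groups. The following is an added example, not code from this policy page or from GitLab: it evaluates records shaped like GitLab's group API response (the real `project_creation_level`, `parent_id` and `full_path` fields of `GET /api/v4/groups/:id`) against the recommendation above, treating `maintainer` and `noone` as compliant, `developer` as non-compliant, and anything missing or unrecognised as needing manual review. The sample records are constructed for the demonstration; a real run would feed it the JSON returned by the API.

```python
"""Audit GitLab top-level groups for a restrictive project_creation_level.

Added example; not part of the policy page or of GitLab's own code. The
input records mirror the shape of GitLab's groups API response, but the
sample data below is constructed, not captured from a real instance.
"""
import json

# Values the recommendation accepts (Maintainers or No one).
COMPLIANT_LEVELS = {"noone", "maintainer"}
# Values documented on the page; anything else is flagged for review.
KNOWN_LEVELS = {"noone", "maintainer", "developer"}


def evaluate_group(group):
    """Return a finding for one group record.

    status is one of: compliant, noncompliant, unknown.
    """
    level = group.get("project_creation_level")
    if level is None:
        # Field absent: token lacks permission or the instance is too old.
        status = "unknown"
    elif level not in KNOWN_LEVELS:
        # Value outside the documented set: review manually rather than guess.
        status = "unknown"
    elif level in COMPLIANT_LEVELS:
        status = "compliant"
    else:
        status = "noncompliant"
    name = group.get("full_path", str(group.get("id")))
    return {"group": name, "level": level, "status": status}


def audit_groups(groups, top_level_only=True):
    """Evaluate a list of group records.

    Top-level groups have parent_id == None; subgroups inherit the setting
    and are skipped unless top_level_only is False.
    """
    findings = []
    for g in groups:
        if top_level_only and g.get("parent_id") is not None:
            continue
        findings.append(evaluate_group(g))
    return findings


# Constructed sample records (not real GitLab output), shaped like the API.
SAMPLE_GROUPS = json.loads("""[
  {"id": 10, "full_path": "platform", "parent_id": null,
   "project_creation_level": "maintainer"},
  {"id": 11, "full_path": "sandbox", "parent_id": null,
   "project_creation_level": "developer"},
  {"id": 12, "full_path": "platform/infra", "parent_id": 10,
   "project_creation_level": "developer"},
  {"id": 13, "full_path": "legacy", "parent_id": null}
]""")


if __name__ == "__main__":
    for f in audit_groups(SAMPLE_GROUPS):
        print(f"{f['status']:<13}{f['group']:<20}"
              f"project_creation_level={f['level']}")
```

Only top-level groups are reported by default because the page's control is scoped to them; passing `top_level_only=False` also lists subgroups, which is handy when checking whether a subgroup has been made more permissive than its parent.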

Policy Rule

{
  "target": "GLGroup",
  "if": {
    "allOf": [
      {
        "resource": "GLGroup",
        "property": "ProjectCreationLevel",
        "operator": "equals",
        "value": "maintainer"
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}