Ensure two administrators are set for each repository
ID: repositories_admins
Severity: low
Family: SCM
Tags: administrators, least-privilege, non-reachable, slsa-4
Description
Ensure every repository has a minimum number of users with administrative permissions.
You can configure the maximum and minimum number of administrators by changing these properties in conf/misconfigurations/repositories_admins.yml:
- minAdministrators: Minimum number of administrators per repository. Two is often recommended for staff redundancy. (Default value: 2)
- maxAdministrators: Maximum number of administrators per repository. The principle of least privilege recommends limiting the number of administrators. (Default value: 2)
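As an added example (not the project's own code), the following Python checker applies the same minimum/maximum bounds to a constructed snapshot of repository collaborators. The config dict stands in for repositories_admins.yml, and the collaborator record shape (login, permissions.admin) is assumed to follow the GitHub "list repository collaborators" API.

```python
from dataclasses import dataclass

# Stands in for conf/misconfigurations/repositories_admins.yml (page defaults).
CONFIG = {"minAdministrators": 2, "maxAdministrators": 2}

# Constructed sample data: repository name -> collaborator records. The
# record shape (login + permissions.admin) is assumed from the GitHub API.
SAMPLE_REPOS = {
    "payments-api": [
        {"login": "alice", "permissions": {"admin": True, "push": True}},
        {"login": "bob", "permissions": {"admin": True, "push": True}},
        {"login": "carol", "permissions": {"admin": False, "push": True}},
    ],
    "infra-scripts": [
        {"login": "dave", "permissions": {"admin": True, "push": True}},
        {"login": "erin", "permissions": {"admin": False, "push": True}},
    ],
    "legacy-monolith": [
        {"login": "frank", "permissions": {"admin": True, "push": True}},
        {"login": "grace", "permissions": {"admin": True, "push": True}},
        {"login": "heidi", "permissions": {"admin": True, "push": True}},
    ],
}


@dataclass
class Finding:
    repo: str
    admins: list
    reason: str  # "too_few" (redundancy risk) or "too_many" (least privilege)


def admin_logins(collaborators):
    """Return the sorted logins holding the admin permission on a repository."""
    return sorted(c["login"] for c in collaborators
                  if c.get("permissions", {}).get("admin"))


def check_repositories(repos, config=CONFIG):
    """Flag every repository whose admin count is outside [min, max]."""
    lo, hi = config["minAdministrators"], config["maxAdministrators"]
    if lo > hi:
        raise ValueError("minAdministrators must not exceed maxAdministrators")
    findings = []
    for name, collaborators in repos.items():
        admins = admin_logins(collaborators)
        if len(admins) < lo:
            findings.append(Finding(name, admins, "too_few"))
        elif len(admins) > hi:
            findings.append(Finding(name, admins, "too_many"))
    return findings


if __name__ == "__main__":
    for f in check_repositories(SAMPLE_REPOS):
        print(f"{f.repo}: {f.reason} ({len(f.admins)} admins: {', '.join(f.admins)})")
```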
Security
Repository administrators hold the highest permissions over a repository. These include the ability to add and remove collaborators, change the branch protection policy and convert the repository to a publicly accessible one.
Because of the broad access granted to a repository administrator, it is highly recommended that only a limited number of contributors occupy this role.
On the other hand, for staff redundancy, it is also recommended to keep a minimum number of repository administrators.
Mitigation / Fix
For every repository in use, set a minimum but sufficient number of administrators. The following are configurations for popular SCM systems.
GitHub
As a repository administrator, go to your Repository page > Settings > Collaborators and teams (or directly to https://github.com/OWNER/REPOSITORY/settings/access) and grant the admin role to the trusted set of people (or remove some when the maximum is exceeded) by clicking on the "Role" button.
GitLab
As a project owner, go to the Project > Manage > Members administration page at https://gitlab.com/GROUP/PROJECT/-/project_members, and invite new members with "Owner" as their role, or change the role of an existing member.
Azure DevOps (ADO)
Project Administrators are powerful users for a project: they can manage users and groups, or set project policies.
To add or remove project administrators, go to the Azure DevOps project, Project settings > General/Permissions > Groups/Project Administrators > Members (for the cloud-hosted ADO, go to https://dev.azure.com/ORGANIZATION/PROJECT/_settings/permissions, click on the "Project Administrators" group and then click on "Members").
To edit the project administrator group, select the user and add or remove them from the "Project Administrators" group in the project scope.
Gitea
Within Gitea, teams with "admin" or "owner" permissions can be set for each repository.
These teams are managed from your organization's main page at {giteahost}/{orgname}. Selecting an existing team or creating a new one takes you to {giteahost}/{orgname}/teams/{teamname}, where you can manage the team's permissions, its members and the repositories the team applies to.
Refer to Gitea specific documentation about team permissions here: https://docs.gitea.com/usage/permissions#organization-repository