Detect GitHub Misconfigurations

Description

GitHub misconfigurations can pose significant risks to organizations and individuals who use the platform. A misconfiguration in GitHub can result in sensitive data exposure, intellectual property theft, and compromise of systems. It's crucial to regularly review and monitor GitHub configurations to prevent misconfigurations and ensure the security of sensitive information.

Jit will run the GitHub misconfiguration scanner on schedule and communicate the findings on the Backlog page.

Stack layer: CI/CD Security
Security domain: GitHub Misconfiguration Detection
Security tool initiated by this item: Legitify

Checklist

This security tool runs the following 5 high-severity checks against the organization's settings:

Check / Description (adapted from Legitify)

Only Admins Should Be Able To Create Public Repositories
  The organization should be configured to prevent non-admin members from creating public repositories. A public repository may expose sensitive organization code, which, once exposed, may be copied, cached or stored by external parties. Restrict public repository creation to admins only to reduce the risk of unintentional code exposure.

Organization Should Have Fewer Than Three Owners
  Organization owners are highly privileged, and a compromised owner account can do great damage. Limit the number of organization owners to the minimum needed (recommended maximum: 2 owners).

Default Member Permissions Should Be Restricted
  The organization's base permission for members grants every member access to every new repository by default. Set the base permission to "No permission" and grant repository access on demand.

Workflows Should Not Be Allowed To Approve Pull Requests
  The organization's GitHub Actions setting "Allow GitHub Actions to create and approve pull requests" is enabled, so a workflow can approve pull requests. This lets a user who can modify a workflow bypass code-review requirements.

Default Workflow Token Permission Should Be Read Only
  The organization's default GITHUB_TOKEN permissions for workflows are set to read and write. Following the principle of least privilege, set the default to read-only so that workflow authors must explicitly request (via a permissions block) any write permission a workflow needs.
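The five checks above map to a handful of fields in GitHub's organization REST API. The script below is an added example, not Legitify's or Jit's code: it evaluates those five checks against the JSON returned by GET /orgs/{org}, GET /orgs/{org}/members?role=admin and GET /orgs/{org}/actions/permissions/workflow (real endpoints; the field names used are the ones those endpoints return), and ships with constructed sample responses so it runs offline. The GITHUB_TOKEN and GITHUB_ORG environment variable names and the MAX_OWNERS constant are assumptions for the example.

```python
"""Evaluate the five organization checks listed above against GitHub REST API
responses.  Added example; not Legitify's or Jit's own code."""
import json
import os
import urllib.request

MAX_OWNERS = 2  # the page recommends at most two organization owners (assumed constant name)

CHECK_PUBLIC_REPOS = "Only Admins Should Be Able To Create Public Repositories"
CHECK_OWNERS = "Organization Should Have Fewer Than Three Owners"
CHECK_BASE_PERMISSION = "Default Member Permissions Should Be Restricted"
CHECK_WORKFLOW_APPROVALS = "Workflows Should Not Be Allowed To Approve Pull Requests"
CHECK_TOKEN_PERMISSION = "Default Workflow Token Permission Should Be Read Only"


def evaluate(org, owners, workflow):
    """Return {check name: finding text or None} for the five checks.

    org      -- JSON object from GET /orgs/{org} (owner-only fields included)
    owners   -- JSON array from GET /orgs/{org}/members?role=admin
    workflow -- JSON object from GET /orgs/{org}/actions/permissions/workflow
    """
    findings = {}
    findings[CHECK_PUBLIC_REPOS] = (
        "non-admin members can create public repositories"
        if org.get("members_can_create_public_repositories") else None)
    owner_count = len(owners)
    findings[CHECK_OWNERS] = (
        f"{owner_count} owners (recommended maximum {MAX_OWNERS})"
        if owner_count > MAX_OWNERS else None)
    # "none" corresponds to the "No permission" base permission in the org settings UI
    base = org.get("default_repository_permission")
    findings[CHECK_BASE_PERMISSION] = (
        f"base permission for members is '{base}', expected 'none'"
        if base != "none" else None)
    findings[CHECK_WORKFLOW_APPROVALS] = (
        "GitHub Actions may create and approve pull requests"
        if workflow.get("can_approve_pull_request_reviews") else None)
    findings[CHECK_TOKEN_PERMISSION] = (
        "default GITHUB_TOKEN permission is read and write"
        if workflow.get("default_workflow_permissions") == "write" else None)
    return findings


def failing(findings):
    """Names of the checks that produced a finding, sorted for stable output."""
    return sorted(name for name, text in findings.items() if text)


def fetch_json(url, token):
    """GET a GitHub REST endpoint with a PAT and parse the JSON body."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "X-GitHub-Api-Version": "2022-11-28",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def audit(org_name, token):
    """Fetch the three responses for a live organization and evaluate them.
    Note: the owner list is capped at one page of 100; follow Link headers
    for organizations with more owners than that."""
    base = "https://api.github.com"
    org = fetch_json(f"{base}/orgs/{org_name}", token)
    owners = fetch_json(f"{base}/orgs/{org_name}/members?role=admin&per_page=100", token)
    workflow = fetch_json(f"{base}/orgs/{org_name}/actions/permissions/workflow", token)
    return evaluate(org, owners, workflow)


# Constructed sample responses (not captured from any real organization).
# MISCONFIGURED_* trips all five checks; HARDENED_* passes all five.
MISCONFIGURED_ORG = {"login": "example-org",
                     "members_can_create_public_repositories": True,
                     "default_repository_permission": "read"}
MISCONFIGURED_OWNERS = [{"login": "alice"}, {"login": "bob"}, {"login": "carol"}]
MISCONFIGURED_WORKFLOW = {"default_workflow_permissions": "write",
                          "can_approve_pull_request_reviews": True}

HARDENED_ORG = {"login": "example-org",
                "members_can_create_public_repositories": False,
                "default_repository_permission": "none"}
HARDENED_OWNERS = [{"login": "alice"}, {"login": "bob"}]
HARDENED_WORKFLOW = {"default_workflow_permissions": "read",
                     "can_approve_pull_request_reviews": False}

if __name__ == "__main__":
    token, org_name = os.environ.get("GITHUB_TOKEN"), os.environ.get("GITHUB_ORG")
    if token and org_name:
        results = audit(org_name, token)
    else:
        results = evaluate(MISCONFIGURED_ORG, MISCONFIGURED_OWNERS, MISCONFIGURED_WORKFLOW)
    for name, text in results.items():
        print(f"{'FAIL' if text else 'PASS'}  {name}" + (f": {text}" if text else ""))
```

Run it with GITHUB_TOKEN and GITHUB_ORG set to audit a real organization (the token needs the admin:org scope for the owner-only fields), or without them to see the sample misconfigured organization fail all five checks.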

Additional checks will be added soon.

Configuration

To run Legitify, you must provide a personal access token (PAT) for a GitHub account that is an owner of the organization, since several of the settings checked are only visible to owners. Create the PAT in GitHub under Settings > Developer settings > Personal access tokens. Because this token carries organization-admin and repository scopes, treat it as highly sensitive: store it only in the Jit secret described below and revoke it if it is ever exposed.

Required permissions:

  • admin:org
  • read:enterprise
  • admin:org_hook
  • read:org
  • repo
  • read:repo_hook

Copy the generated PAT.

Next, on the Secret page, create a new secret. Name it github_misconfiguration_github_token (the scanner looks up the secret by this exact name). Paste the PAT into the Secret box and click Create Secret.

You can now enable GitHub Misconfiguration Detection.