Org Default Permissions
More Info:
The base permission that an organization grants every member on every repository it owns (the “Default repository permission” setting, `default_repository_permission` in the API) should be set to none. A default of read exposes every private repository to every member, including newly added ones; write or admin lets every member push to, or administer, every repository. Access should instead be granted explicitly through teams or collaborator roles.
Risk Level
Medium
Address
Security
Compliance Standards
Remediation
Using Console
The “Org Default Permissions” misconfiguration means that the base permission your GitHub organization grants every member on every repository it owns is more permissive than “No permission”. The setting applies to all current and future members and to all repositories, private ones included, so it should be set to “No permission” and access granted explicitly through teams or collaborator roles. To remediate this misconfiguration using the GitHub console, follow these steps:
- Log in to GitHub as an owner of the organization and navigate to your organization’s page.
- Click on the “Settings” tab in the top right corner of the page.
- In the left-hand menu, click on “Member privileges.”
- Locate the “Base permissions” dropdown menu (labelled “Default repository permission” in older versions of the UI).
- Select “No permission” (the value the API reports as none). Do not leave it at “Read”: read access to every private repository is exactly the exposure this check flags, and “Write” or “Admin” would let any member change or administer every repository.
- Click on the “Save” button at the bottom of the page to save your changes.
After saving, confirm that members who need access to particular repositories have it through team membership or direct collaborator grants. The base permission never affects organization owners, and lowering it does not remove access that was granted explicitly, so a second review of team and collaborator grants is still worthwhile.
Using CLI
The “Org Default Permissions” misconfiguration in GitHub refers to the base permission level that the organization grants all of its members on every repository. To remediate this using the GitHub CLI, follow these steps:
- Open your terminal and log in to your GitHub account with `gh auth login`. The token needs the admin:org scope, and the account must be an owner of the organization.
- Once you are logged in, view the current setting by querying the organization endpoint for your organization with `gh api` and reading the `default_repository_permission` field of the response. Replace `<org-name>` with the name of your GitHub organization.
- If the field is read, write, or admin, update the organization with `gh api` so that `default_repository_permission` is none. Changing it to write is not a fix: write is still a failing value, because it lets every member push to every repository.
- Verify that the default permission level has been updated by running the query from step 2 again and confirming the field now reads none.
The field that controls this setting is `default_repository_permission`; a `default_repository_permission_locked` field is not among those documented for updating an organization, and only organization owners can change the base permission, so no separate lock is needed. Lowering the base permission does not revoke access that was granted explicitly to teams or collaborators.
By following these steps, you will have successfully remediated the “Org Default Permissions” misconfiguration for GitHub using GitHub CLI.
Using Python
The misconfiguration “Org Default Permissions” in GitHub means that the organization’s base repository permission (the `default_repository_permission` field in the GitHub API) grants members more than none on every repository the organization owns. To remediate it, use the GitHub API from Python to set that field to none.
Here are the step-by-step instructions to remediate this misconfiguration for GitHub using Python:
- Generate a Personal Access Token (PAT) that can update organization settings. For a classic token, go to your GitHub account settings, select “Developer settings”, then “Personal access tokens”, and create a token with the admin:org scope; the account must be an owner of the organization. Treat the token as a privileged credential, since it can change every setting of the organization.
- Install the PyGitHub library, which is a Python wrapper for the GitHub API, using pip.
- Use PyGitHub to authenticate with the GitHub API using the PAT you generated in step 1, and fetch the organization object.
- Read the organization object’s `default_repository_permission` attribute to check the current value. (PyGitHub exposes this as an attribute of the Organization object, not as a get_default_repository_permission method.)
- If the value is not none, call the organization object’s `edit` method with `default_repository_permission` set to none. (PyGitHub has no set_default_repository_permission method; `edit` is the call that issues the update.)
- Run the Python script, then re-fetch the organization and confirm the attribute now reads none.
By following these steps, you can remediate the “Org Default Permissions” misconfiguration for GitHub using Python.
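The following script is an added example, not code from the original page, and it uses the Python standard library rather than PyGitHub so that it runs without extra packages. It performs the audit-and-fix sequence described in both the CLI and Python sections against the REST organization endpoint: read the organization, classify its `default_repository_permission`, update it to none when needed, and re-read to confirm the change stuck. The HTTP transport is passed in as a callable, so the same logic can be exercised against a constructed in-memory stand-in (`FakeGitHub`) without a token. The `LEVELS` ordering, the severity wording and the stand-in are assumptions of this example, not part of GitHub’s API. With PyGitHub, the equivalent update is `org.edit(default_repository_permission="none")`.

```python
"""Audit and remediate a GitHub organization's base repository permission.

Added example (not from the original page). Talks to the REST API with the
standard library; the transport is injectable so the logic runs offline.
"""
import json
import os
import sys
import urllib.request

API = "https://api.github.com"
COMPLIANT = "none"
# Assumed ordering of the base-permission levels, least to most access.
LEVELS = ("none", "read", "write", "admin")


def urllib_transport(token):
    """Return a callable (method, path, body) -> dict backed by urllib."""
    def send(method, path, body=None):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(API + path, data=data, method=method)
        req.add_header("Authorization", f"Bearer {token}")
        req.add_header("Accept", "application/vnd.github+json")
        req.add_header("X-GitHub-Api-Version", "2022-11-28")
        if data is not None:
            req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return send


def evaluate(org):
    """Classify the org JSON from GET /orgs/{org}; returns a finding dict."""
    current = org.get("default_repository_permission")
    if current is None:
        # The API returns this field only to organization owners, so a
        # missing value is a finding (wrong token), not a pass.
        return {"current": None, "compliant": False,
                "reason": "field not returned; token is not an org owner"}
    if current not in LEVELS:
        return {"current": current, "compliant": False,
                "reason": "unexpected value"}
    compliant = current == COMPLIANT
    if compliant:
        reason = "members get no implicit access to org repositories"
    elif current == "read":
        reason = "every member can read every private repository"
    else:
        reason = f"every member has {current} access to every repository"
    return {"current": current, "compliant": compliant,
            "rank": LEVELS.index(current), "reason": reason}


def remediate(send, org_name, dry_run=False):
    """Read, fix if needed, and re-read the setting. Returns a report."""
    before = evaluate(send("GET", f"/orgs/{org_name}"))
    report = {"before": before, "changed": False, "after": before}
    if before["compliant"] or dry_run:
        return report
    if before["current"] is None:
        raise PermissionError(before["reason"])
    # PATCH /orgs/{org} is the same call the gh and PyGitHub steps make.
    send("PATCH", f"/orgs/{org_name}",
         {"default_repository_permission": COMPLIANT})
    after = evaluate(send("GET", f"/orgs/{org_name}"))
    if not after["compliant"]:
        raise RuntimeError(f"setting did not persist: {after}")
    report.update(changed=True, after=after)
    return report


class FakeGitHub:
    """Constructed stand-in for the API so the flow can run offline."""
    def __init__(self, permission):
        self.state = {"login": "example-org",
                      "default_repository_permission": permission}
        self.calls = []

    def __call__(self, method, path, body=None):
        self.calls.append((method, path, body))
        if method == "PATCH":
            self.state.update(body)
        return dict(self.state)


if __name__ == "__main__":
    # Real use: GITHUB_TOKEN (admin:org, org owner) and the org name as argv[1].
    if len(sys.argv) > 1 and os.environ.get("GITHUB_TOKEN"):
        send = urllib_transport(os.environ["GITHUB_TOKEN"])
        print(json.dumps(remediate(send, sys.argv[1]), indent=2))
    else:
        # Offline demonstration against the constructed stand-in.
        print(json.dumps(remediate(FakeGitHub("read"), "example-org"), indent=2))
```

Run it as `GITHUB_TOKEN=... python fix_org_perms.py <org-name>` to act on a real organization, or with no arguments to see the flow against the stand-in. A missing field in the GET response is reported as a finding rather than as compliant, because the API only returns it to organization owners; a token that cannot see the field could not fix it either.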