Outside Collaborator MFA required

​

More Info:

MFA should be enabled and enforced for all outside collaborators of an organization.

​

Risk Level

High

​

Address

Security

​

Compliance Standards

​

Remediation

​

Using Console

To remediate the “Outside Collaborator MFA required” misconfiguration on GitHub using the GitHub console, follow these steps:

1. Log in to your GitHub account and navigate to the repository with the misconfiguration.

2. Click on the “Settings” tab in the repository menu.

3. Scroll down to the “Collaborators & teams” section and click on “Manage access.”

4. Locate the outside collaborator in the list of collaborators and click on their name.

5. In the “Outside collaborator” section, click on the “Require two-factor authentication” checkbox.

6. Click “Save changes” to apply the changes.

This will require the outside collaborator to set up two-factor authentication on their GitHub account before they can access the repository. This will help to ensure that their account is secure and that they are who they say they are when accessing the repository.

​

Using CLI

To remediate the “Outside Collaborator MFA required” misconfiguration in GitHub using GitHub CLI, follow these steps:

1. Install GitHub CLI by following the instructions provided in the GitHub CLI documentation.

2. Open your terminal and authenticate to GitHub using the command gh auth login.

3. Once you are authenticated, run the following command to check if any outside collaborator is missing MFA:

   gh api /orgs/{org}/outside_collaborators --paginate --jq 'map(select(.login | test("^[^@]+@[^@]+\\.[^@]+$"))) | .[] | select(.login != "{your_username}") | select(.site_admin == false) | select(.has_two_factor_enabled == false) | .login'
   

   Replace {org} with your organization name and {your_username} with your GitHub username.

4. This command will return a list of outside collaborators who are missing MFA. Reach out to each collaborator and ask them to enable MFA.

5. Once all the outside collaborators have enabled MFA, run the following command to verify that all outside collaborators now have MFA enabled:

   gh api /orgs/{org}/outside_collaborators --paginate --jq 'map(select(.login | test("^[^@]+@[^@]+\\.[^@]+$"))) | .[] | select(.login != "{your_username}") | select(.site_admin == false) | select(.has_two_factor_enabled == false) | .login'
   

   This command should not return any results, indicating that all outside collaborators now have MFA enabled.

6. You have now remediated the “Outside Collaborator MFA required” misconfiguration for GitHub using GitHub CLI.

​

Using Python

To remediate the “Outside Collaborator MFA required” misconfiguration in GitHub using Python, you can use the PyGithub library. Here are the step-by-step instructions:

1. Install the PyGithub library using the following command:

pip install PyGithub

2. Create a GitHub API token with the necessary permissions to access the organization and repositories that you want to remediate.

3. Use the following Python code to check if the “Require two-factor authentication” setting is enabled for outside collaborators:

from github import Github

# Replace <api_token> with your GitHub API token
g = Github("<api_token>")

# Replace <org_name> with the name of your organization
org = g.get_organization("<org_name>")

# Iterate through all repositories in the organization
for repo in org.get_repos():
    # Iterate through all outside collaborators in the repository
    for user in repo.get_collaborators(affiliation="outside"):
        # Check if the user has two-factor authentication enabled
        if not user.has_two_factor_authentication():
            print(f"User {user.login} does not have two-factor authentication enabled in repo {repo.name}")

4. If the above code prints any users who do not have two-factor authentication enabled, you can use the following code to enable it:

# Iterate through all repositories in the organization
for repo in org.get_repos():
    # Iterate through all outside collaborators in the repository
    for user in repo.get_collaborators(affiliation="outside"):
        # Check if the user has two-factor authentication enabled
        if not user.has_two_factor_authentication():
            # Enable two-factor authentication for the user
            user.create_mfa_requirement()
            print(f"Enabled two-factor authentication for user {user.login} in repo {repo.name}")

5. Run the above code and verify that all outside collaborators now have two-factor authentication enabled.

​

Additional Reading:

• https://help.github.com/en/articles/requiring-two-factor-authentication-in-your-organization