Outside Collaborator MFA required

​

More Info:

​

Risk Level

​

Address

​

Compliance Standards

​

Remediation

​

Using Console

1. Log in to your GitHub account and navigate to the repository with the misconfiguration.
2. Click on the “Settings” tab in the repository menu.
3. Scroll down to the “Collaborators & teams” section and click on “Manage access.”
4. Locate the outside collaborator in the list of collaborators and click on their name.
5. In the “Outside collaborator” section, click on the “Require two-factor authentication” checkbox.
6. Click “Save changes” to apply the changes.

​

Using CLI

1. Install GitHub CLI by following the instructions provided in the GitHub CLI documentation.
2. Open your terminal and authenticate to GitHub using the command gh auth login.
3. Once you are authenticated, run the following command to check if any outside collaborator is missing MFA:
   Copy

   Ask AI

   gh api /orgs/{org}/outside_collaborators --paginate --jq 'map(select(.login | test("^[^@]+@[^@]+\\.[^@]+$"))) | .[] | select(.login != "{your_username}") | select(.site_admin == false) | select(.has_two_factor_enabled == false) | .login'
   

   Replace {org} with your organization name and {your_username} with your GitHub username.
4. This command will return a list of outside collaborators who are missing MFA. Reach out to each collaborator and ask them to enable MFA.
5. Once all the outside collaborators have enabled MFA, run the following command to verify that all outside collaborators now have MFA enabled:
   Copy

   Ask AI

   gh api /orgs/{org}/outside_collaborators --paginate --jq 'map(select(.login | test("^[^@]+@[^@]+\\.[^@]+$"))) | .[] | select(.login != "{your_username}") | select(.site_admin == false) | select(.has_two_factor_enabled == false) | .login'
   

   This command should not return any results, indicating that all outside collaborators now have MFA enabled.
6. You have now remediated the “Outside Collaborator MFA required” misconfiguration for GitHub using GitHub CLI.

​

Using Python

1. Install the PyGithub library using the following command:

pip install PyGithub

2. Create a GitHub API token with the necessary permissions to access the organization and repositories that you want to remediate.
3. Use the following Python code to check if the “Require two-factor authentication” setting is enabled for outside collaborators:

from github import Github

# Replace <api_token> with your GitHub API token
g = Github("<api_token>")

# Replace <org_name> with the name of your organization
org = g.get_organization("<org_name>")

# Iterate through all repositories in the organization
for repo in org.get_repos():
    # Iterate through all outside collaborators in the repository
    for user in repo.get_collaborators(affiliation="outside"):
        # Check if the user has two-factor authentication enabled
        if not user.has_two_factor_authentication():
            print(f"User {user.login} does not have two-factor authentication enabled in repo {repo.name}")

4. If the above code prints any users who do not have two-factor authentication enabled, you can use the following code to enable it:

# Iterate through all repositories in the organization
for repo in org.get_repos():
    # Iterate through all outside collaborators in the repository
    for user in repo.get_collaborators(affiliation="outside"):
        # Check if the user has two-factor authentication enabled
        if not user.has_two_factor_authentication():
            # Enable two-factor authentication for the user
            user.create_mfa_requirement()
            print(f"Enabled two-factor authentication for user {user.login} in repo {repo.name}")

5. Run the above code and verify that all outside collaborators now have two-factor authentication enabled.

​

Additional Reading:

• https://help.github.com/en/articles/requiring-two-factor-authentication-in-your-organization