More Info:

Allowing outside collaborators admin or push access to organization repositories places the organization at risk from non-member contributions that can be pushed without review.

Risk Level

Medium

Address

Security

Compliance Standards

Remediation

Using Console

The misconfiguration of having an outside collaborator as admin in GitHub can be remediated by following these steps:

  1. Log in to your GitHub account and navigate to the repository where the outside collaborator has been added as an admin.

  2. Click on the “Settings” tab located on the right-hand side of the repository.

  3. In the left-hand menu, select “Collaborators & teams.”

  4. Find the outside collaborator’s name in the list of collaborators and click on the gear icon next to their name.

  5. From the dropdown menu, select “Remove from team.”

  6. A confirmation message will appear asking if you’re sure you want to remove the user from the team. Click “Remove.”

  7. Next, in the left-hand menu, select “Teams.”

  8. Find the team that the outside collaborator was a part of and click on the gear icon next to the team’s name.

  9. From the dropdown menu, select “Manage access.”

  10. Find the outside collaborator’s name in the list of members and click on the gear icon next to their name.

  11. From the dropdown menu, select “Remove from team.”

  12. A confirmation message will appear asking if you’re sure you want to remove the user from the team. Click “Remove.”

  13. Finally, it’s a good idea to review your repository’s security settings to make sure that only trusted collaborators have access to sensitive information.

By following these steps, you can remediate the misconfiguration of having an outside collaborator as an admin in GitHub.

Using CLI

The misconfiguration of having an outside collaborator as admin can be remediated in GitHub using the following steps via GitHub CLI:

  1. Firstly, identify the username of the outside collaborator who has been given admin access.

  2. Open the command prompt or terminal and log in to your GitHub account using the gh auth login command.

  3. Once you are logged in, use the gh repo collaborator remove command to remove the outside collaborator from the repository. For example, if the username of the outside collaborator is “exampleuser”, you can use the following command to remove them:

    gh repo collaborator remove exampleuser --admin

    This will remove the user “exampleuser” from the repository and revoke their admin access.

  4. After the collaborator has been removed, you can use the gh repo collaborator add command to add them back to the repository with the appropriate access level. For example, if you want to add the user “exampleuser” back to the repository with read access, you can use the following command:

    gh repo collaborator add exampleuser --permission read

    This will add the user “exampleuser” back to the repository with read access.

  5. Finally, it is recommended to review and update the access levels of all collaborators on the repository to ensure that they have appropriate access levels. This can be done using the GitHub web interface or the gh repo collaborator command.

Using Python

The misconfiguration of having an outside collaborator as admin on GitHub can be remediated using the following steps in Python:

  1. Authenticate with GitHub API using a personal access token with admin privileges.
import requests

# Replace <token> with your personal access token
headers = {
    'Authorization': 'token <token>',
    'Accept': 'application/vnd.github.v3+json'
}
  1. Get the list of collaborators for the repository.
# Replace <owner> and <repo> with the repository details
url = f'https://api.github.com/repos/<owner>/<repo>/collaborators'
response = requests.get(url, headers=headers)

# Get the list of collaborators
collaborators = [collaborator['login'] for collaborator in response.json()]
  1. Check if the outside collaborator is listed as an admin.
# Replace <outside_collaborator> with the username of the outside collaborator
url = f'https://api.github.com/repos/<owner>/<repo>/collaborators/{outside_collaborator}/permission'
response = requests.get(url, headers=headers)

if response.json()['permission'] == 'admin':
    # Remove the outside collaborator as admin
else:
    # No action required
  1. Remove the outside collaborator as admin.
# Replace <outside_collaborator> with the username of the outside collaborator
url = f'https://api.github.com/repos/<owner>/<repo>/collaborators/{outside_collaborator}/permission'
data = {
    'permission': 'push'  # Set the permission to push
}
response = requests.put(url, headers=headers, json=data)
  1. Verify that the outside collaborator has been removed as admin.
# Replace <outside_collaborator> with the username of the outside collaborator
url = f'https://api.github.com/repos/<owner>/<repo>/collaborators/{outside_collaborator}/permission'
response = requests.get(url, headers=headers)

if response.json()['permission'] != 'admin':
    print(f'{outside_collaborator} has been removed as admin.')
else:
    print(f'Failed to remove {outside_collaborator} as admin.')

Additional Reading: