User Email should be Private

​

More Info:

Checks that the primary email addresses associated with a GitHub account is set to private visibility. Email addresses added to GitHub should be set to private visibility to increase privacy and prevent account reconnaissance.

​

Risk Level

Medium

​

Address

Security

​

Compliance Standards

​

Remediation

​

Using Console

To remediate the misconfiguration of user email being public on Github, you can follow the below steps:

1. Log in to your Github account.
2. Click on your profile picture in the top-right corner and select “Settings” from the dropdown menu.
3. In the left-hand menu, select “Emails”.
4. Under the “Primary email address” section, ensure that the checkbox next to “Keep my email address private” is checked.
5. If you have any additional email addresses listed, ensure that the checkbox next to each of them is also checked.
6. Click on the “Save” button at the bottom of the page to save your changes.

Following these steps will ensure that your email address is kept private on Github.

​

Using CLI

To remediate the misconfiguration of user email being public in Github using Github CLI, follow the below steps:

1. Open the command prompt or terminal on your local machine.
2. Install Github CLI, if not already installed, by following the instructions given on this link: https://cli.github.com/manual/installation
3. Login to your Github account using the command: gh auth login
4. Select the appropriate authentication method and follow the prompts to complete the authentication process.
5. Once authenticated, run the command gh config set prompt private to set the default visibility of future commits to private.
6. To update the visibility of all previous commits to private, navigate to the local repository directory on your machine and run the command git filter-branch --commit-filter 'if [ "$GIT_AUTHOR_EMAIL" = "[email protected]" ]; then git commit-tree "$@" -m "$GIT_COMMIT"; else git commit-tree "$@"; fi' HEAD
7. Push the updated commits to Github using the command git push --force origin HEAD

Once these steps are completed, the user email will be set to private and all previous commits with the public email will be updated to private.

​

Using Python

To remediate the issue of user email being public in GitHub using Python, you can follow the below steps:

1. Install the PyGithub library using the pip command: pip install PyGithub

2. Create a personal access token from GitHub with user and user:email scopes.

3. In your Python script, import the necessary libraries:

from github import Github
import os

4. Set the access token as an environment variable:

os.environ['GITHUB_TOKEN'] = '<your_access_token>'

5. Initialize the Github object with the access token:

g = Github(os.environ.get('GITHUB_TOKEN'))

6. Get the authenticated user:

user = g.get_user()

7. Get the current email visibility setting:

email_visibility = user.get_public_emails()

8. If the email visibility is public, set it to private:

if email_visibility:
    user.edit(public_email=False)

9. Print a message to confirm that the email visibility has been updated:

print('Email visibility has been set to private.')

10. Save and run the Python script.

After following these steps, the user email visibility will be set to private in GitHub.

​

Additional Reading:

• https://developer.github.com/v3/users/emails/#toggle-primary-email-visibility
• https://developer.github.com/v3/users/emails/#list-email-addresses-for-a-user