Ensure strict base permissions are set for repositories
Description
This policy checks whether the default repository permission of a GitHub organization (the 'Base permissions' setting) is 'read' or 'none'. The base permission is granted to every member of the organization on every repository it owns, so a base permission of 'write' or 'admin' lets any member push to, or administer, every repository by default rather than only the repositories they have been explicitly granted. Setting it to 'read' or 'none' enforces the principle of least privilege: any access beyond reading must be granted deliberately per repository or team, which limits the blast radius of a single compromised member account and reduces the risk of unauthorized changes or sensitive data exposure.
Code Example
github
Set 'Base permissions' to 'Read' in the GitHub organization settings: https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/setting-base-permissions-for-an-organization
Remediation
Set the organization's default repository permission ('Base permissions') to 'read', or to 'none' if members should have no access unless explicitly granted, and then grant write or admin access per repository or team only where it is needed.
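The following Python is an added example, not Checkov's own implementation of this rule. It evaluates the `default_repository_permission` field returned by the GitHub REST API (`GET /orgs/{org}`) the way this policy does, treats a missing field as a failure rather than a silent pass, and builds the `PATCH /orgs/{org}` request that would remediate a failing organization. The organization names and the JSON sample are constructed for illustration.

```python
"""Evaluate GitHub organization base permissions (added example, not Checkov's code)."""
import json

# Values GitHub accepts for default_repository_permission.
# Only "read" and "none" satisfy this policy.
KNOWN_BASE_PERMISSIONS = frozenset({"none", "read", "write", "admin"})
COMPLIANT_BASE_PERMISSIONS = frozenset({"read", "none"})

# Constructed sample in the shape of GET /orgs/{org} responses, trimmed to the
# relevant fields. The organization names are hypothetical.
SAMPLE_ORG_SETTINGS = json.dumps([
    {"login": "acme-platform", "default_repository_permission": "read"},
    {"login": "acme-labs", "default_repository_permission": "write"},
    {"login": "acme-legacy", "default_repository_permission": "admin"},
    {"login": "acme-locked", "default_repository_permission": "none"},
    # Field absent: GitHub omits it when the token lacks organization admin rights.
    {"login": "acme-unknown"},
])


def evaluate_base_permission(org: dict) -> dict:
    """Return a finding dict for one organization settings object."""
    login = org.get("login", "<unknown>")
    perm = org.get("default_repository_permission")
    finding = {"org": login, "permission": perm}
    if perm is None:
        # Without the field we cannot prove compliance; fail so the gap is
        # investigated (usually a token scope problem) instead of passing silently.
        finding.update(result="FAILED",
                       reason="default_repository_permission not present in response")
    elif perm not in KNOWN_BASE_PERMISSIONS:
        finding.update(result="FAILED", reason=f"unexpected value {perm!r}")
    elif perm in COMPLIANT_BASE_PERMISSIONS:
        finding.update(result="PASSED", reason="base permission is read or none")
    else:
        finding.update(result="FAILED",
                       reason=f"base permission {perm!r} grants every member "
                              f"{perm} access to all repositories")
    return finding


def remediation_request(org: dict, target: str = "read") -> dict:
    """Describe the REST call that fixes a failing org: PATCH /orgs/{org}."""
    if target not in COMPLIANT_BASE_PERMISSIONS:
        raise ValueError(f"target {target!r} would not satisfy the policy")
    return {
        "method": "PATCH",
        "path": f"/orgs/{org['login']}",
        "body": {"default_repository_permission": target},
    }


def scan(settings_json: str) -> list:
    """Evaluate every organization object in a JSON array of org settings."""
    return [evaluate_base_permission(org) for org in json.loads(settings_json)]


if __name__ == "__main__":
    orgs = json.loads(SAMPLE_ORG_SETTINGS)
    for org, finding in zip(orgs, scan(SAMPLE_ORG_SETTINGS)):
        print(f"{finding['org']:<14} {finding['result']:<7} {finding['reason']}")
        if finding["result"] == "FAILED" and finding["permission"] in ("write", "admin"):
            print("   fix:", json.dumps(remediation_request(org)))
```

Against a live organization the same field can be read with `gh api orgs/ORG --jq .default_repository_permission` and set with `gh api -X PATCH orgs/ORG -f default_repository_permission=read`; both require a token with organization administration rights, which is also why the example refuses to pass an organization whose response omits the field.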
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1063 |
| Severity | MEDIUM |
| IaC Type | github_configuration |
| Frameworks | * |
| Checkov ID | CKV_GITHUB_27 |