From 0c0270500850359ee9b8d1a493e8bb3146bb24fb Mon Sep 17 00:00:00 2001 
From: build docs workflow Date: Sun, 19 May 2024 14:55:40 +0000 Subject: [PATCH] update docs --- docs/CNAME | 2 +- docs/Gemfile | 11 --- docs/Gemfile.lock | 84 ------------------- .../actions_can_approve_pull_requests.md | 4 +- .../actions/all_github_actions_are_allowed.md | 12 ++- ...all_repositories_can_run_github_actions.md | 9 +- ...token_default_permissions_is_read_write.md | 2 +- ...enterprise_allows_creating_public_repos.md | 11 ++- .../enterprise_allows_forking_repos.md | 3 +- ...allows_inviting_externals_collaborators.md | 4 +- ...prise_enforce_two_factor_authentication.md | 6 +- .../enterprise_not_using_single_sign_on.md | 6 +- ..._using_visibility_change_disable_policy.md | 5 +- ...res_allowed_repository_move_or_deletion.md | 3 +- ...itory_no_permission_enforced_by_default.md | 9 +- .../organization_has_too_many_admins.md | 4 +- docs/github/member/stale_admin_found.md | 2 +- docs/github/member/stale_member_found.md | 2 +- ...fault_repository_permission_is_not_none.md | 8 +- ...n_admins_can_create_public_repositories.md | 10 +-- .../organization_not_using_single_sign_on.md | 8 +- .../organization_secret_is_stale.md | 31 +++++++ ...organization_webhook_doesnt_require_ssl.md | 8 +- .../organization_webhook_no_secret.md | 4 +- ...tor_authentication_not_required_for_org.md | 8 +- .../actions_can_approve_pull_requests.md | 4 +- ...code_review_by_two_members_not_required.md | 20 ++--- .../code_review_not_limited_to_code_owners.md | 18 ++-- .../repository/code_review_not_required.md | 20 ++--- .../repository/dismisses_stale_reviews.md | 18 ++-- .../forking_allowed_for_repository.md | 5 +- .../ghas_dependency_review_not_enabled.md | 4 +- .../missing_default_branch_protection.md | 10 +-- ...sing_default_branch_protection_deletion.md | 9 +- ...ng_default_branch_protection_force_push.md | 16 ++-- .../repository/no_conversation_resolution.md | 18 ++-- docs/github/repository/no_signed_commits.md | 16 ++-- docs/github/repository/non_linear_history.md | 16 ++-- 
.../repository/pushes_are_not_restricted.md | 18 ++-- .../repository_has_too_many_admins.md | 6 +- .../repository/repository_secret_is_stale.md | 31 +++++++ .../repository_webhook_doesnt_require_ssl.md | 12 +-- .../repository_webhook_no_secret.md | 6 +- ...quires_branches_up_to_date_before_merge.md | 18 ++-- .../repository/requires_status_checks.md | 20 ++--- .../repository/review_dismissal_allowed.md | 11 +-- .../repository/scorecard_score_too_low.md | 3 +- ...token_default_permissions_is_read_write.md | 2 +- .../users_allowed_to_bypass_ruleset.md | 6 +- .../vulnerability_alerts_not_enabled.md | 4 +- ...roup_can_be_used_by_public_repositories.md | 1 - ...up_not_limited_to_selected_repositories.md | 1 - ...s_are_allowed_to_create_public_projects.md | 8 +- ...branch_protection_not_globally_enforced.md | 8 +- .../default_group_visibility_is_public.md | 8 +- .../default_project_visibility_is_public.md | 8 +- ...thentication_enabled_for_git_is_enabled.md | 8 +- ...or_authentication_not_globally_enforced.md | 8 +- ...end_user_confirmation_email_not_enabled.md | 8 +- .../throttle_authenticated_api_not_enabled.md | 8 +- ...tle_unauthenticated_request_not_enabled.md | 8 +- .../unauthenticated_signup_enabled.md | 8 +- ...are_allowed_to_be_sent_to_local_network.md | 8 +- ...ork_repositories_to_external_namespaces.md | 6 +- ...group_allows_excessive_mfa_grace_period.md | 8 +- ...ot_enforce_branch_protection_by_default.md | 6 +- ...organization_webhook_doesnt_require_ssl.md | 10 +-- ...r_authentication_not_required_for_group.md | 8 +- docs/gitlab/index.md | 1 - docs/gitlab/member/stale_admin_found.md | 12 +-- ...tication_is_disabled_for_a_collaborator.md | 6 +- ...s_disabled_for_an_external_collaborator.md | 6 +- ...code_review_by_two_members_not_required.md | 11 ++- .../project/code_review_not_required.md | 11 ++- .../project/forking_allowed_for_repository.md | 9 +- .../missing_default_branch_protection.md | 7 +- ...ng_default_branch_protection_force_push.md | 7 +- 
.../project/no_conversation_resolution.md | 8 +- docs/gitlab/project/no_signed_commits.md | 5 +- .../project/project_has_too_many_admins.md | 2 +- .../project_webhook_doesnt_require_ssl.md | 10 +-- ...itory_allows_committer_approvals_policy.md | 7 +- .../repository_allows_overriding_approvers.md | 7 +- ..._requester_to_approve_their_own_request.md | 7 +- .../repository_dismiss_stale_reviews.md | 7 +- ...itory_require_code_owner_reviews_policy.md | 7 +- docs/gitlab/project/requires_status_checks.md | 6 +- 87 files changed, 390 insertions(+), 441 deletions(-) delete mode 100644 docs/Gemfile delete mode 100644 docs/Gemfile.lock create mode 100644 docs/github/organization/organization_secret_is_stale.md create mode 100644 docs/github/repository/repository_secret_is_stale.md
diff --git a/docs/CNAME b/docs/CNAME
index 1ed0a393..e6dd0513 100644
--- a/docs/CNAME
+++ b/docs/CNAME
@@ -1 +1 @@
-policies.legitify.dev
+legitify.dev
\ No newline at end of file
diff --git a/docs/Gemfile b/docs/Gemfile
deleted file mode 100644
index 8b3dbcdc..00000000
--- a/docs/Gemfile
+++ /dev/null
@@ -1,11 +0,0 @@
-source 'https://rubygems.org'
-
-#gem "github-pages", "~> 231", group: :jekyll_plugins
-
-# Specify your Jekyll version here
-gem 'jekyll', '3.9.5'
-
-# If you're using any GitHub Pages-supported plugins, list them here
-gem "just-the-docs"
-gem "jekyll-remote-theme"
-gem "kramdown-parser-gfm"
diff --git a/docs/Gemfile.lock b/docs/Gemfile.lock
deleted file mode 100644
index 7f9749c2..00000000
--- a/docs/Gemfile.lock
+++ /dev/null
@@ -1,84 +0,0 @@ -GEM - remote: https://rubygems.org/ - specs: - addressable (2.8.6) - public_suffix (>= 2.0.2, < 6.0) - colorator (1.1.0) - concurrent-ruby (1.2.3) - em-websocket (0.5.3) - eventmachine (>= 0.12.9) - http_parser.rb (~> 0) - eventmachine (1.2.7) - ffi (1.16.3) - forwardable-extended (2.6.0) - http_parser.rb (0.8.0) - i18n (1.14.4) - concurrent-ruby (~> 1.0) - jekyll (3.9.5) - addressable (~> 2.4) - colorator (~> 1.0) - em-websocket (~> 0.5) - i18n (>= 0.7, < 2) - jekyll-sass-converter (~> 1.0) - jekyll-watch (~> 2.0) - kramdown (>= 1.17, < 3) - liquid (~> 4.0) - mercenary (~> 0.3.3) - pathutil (~> 0.9) - rouge (>= 1.7, < 4) - safe_yaml (~> 1.0) - jekyll-include-cache (0.2.1) - jekyll (>= 3.7, < 5.0) - jekyll-remote-theme (0.4.3) - addressable (~> 2.0) - jekyll (>= 3.5, < 5.0) - jekyll-sass-converter (>= 1.0, <= 3.0.0, != 2.0.0) - rubyzip (>= 1.3.0, < 3.0) - jekyll-sass-converter (1.5.2) - sass (~> 3.4) - jekyll-seo-tag (2.8.0) - jekyll (>= 3.8, < 5.0) - jekyll-watch (2.2.1) - listen (~> 3.0) - just-the-docs (0.8.2) - jekyll (>= 3.8.5) - jekyll-include-cache - jekyll-seo-tag (>= 2.0) - rake (>= 12.3.1) - kramdown (2.4.0) - rexml - kramdown-parser-gfm (1.1.0) - kramdown (~> 2.0) - liquid (4.0.4) - listen (3.9.0) - rb-fsevent (~> 0.10, >= 0.10.3) - rb-inotify (~> 0.9, >= 0.9.10) - mercenary (0.3.6) - pathutil (0.16.2) - forwardable-extended (~> 2.6) - public_suffix (5.0.5) - rake (13.2.1) - rb-fsevent (0.11.2) - rb-inotify (0.10.1) - ffi (~> 1.0) - rexml (3.2.6) - rouge (3.30.0) - rubyzip (2.3.2) - safe_yaml (1.0.5) - sass (3.7.4) - sass-listen (~> 4.0.0) - sass-listen (4.0.0) - rb-fsevent (~> 0.9, >= 0.9.4) - rb-inotify (~> 0.9, >= 0.9.7) - -PLATFORMS - x86_64-darwin-20 - -DEPENDENCIES - jekyll (= 3.9.5) - jekyll-remote-theme - just-the-docs - kramdown-parser-gfm - -BUNDLED WITH - 2.3.16 diff --git a/docs/github/actions/actions_can_approve_pull_requests.md b/docs/github/actions/actions_can_approve_pull_requests.md index 8c0d3aa5..e71dcd7e 100644 
--- a/docs/github/actions/actions_can_approve_pull_requests.md
+++ b/docs/github/actions/actions_can_approve_pull_requests.md
@@ -22,9 +22,9 @@ Attackers can exploit this misconfiguration to bypass code-review restrictions b
 ### Remediation
 1. Make sure you have admin permissions
 2. Go to the org's settings page
-3. Enter "Actions - General" tab
+3. Enter 'Actions - General' tab
 4. Under 'Workflow permissions'
-5. Uncheck 'Allow GitHub actions to create and approve pull requests.
+5. Uncheck 'Allow GitHub actions to create and approve pull requests'
 6. Click 'Save'
diff --git a/docs/github/actions/all_github_actions_are_allowed.md b/docs/github/actions/all_github_actions_are_allowed.md
index 53b31c30..e2badb28 100644
--- a/docs/github/actions/all_github_actions_are_allowed.md
+++ b/docs/github/actions/all_github_actions_are_allowed.md
@@ -15,7 +15,6 @@ severity: MEDIUM
 It is recommended to only use GitHub Actions by Marketplace verified creators or explicitly trusted actions. By not restricting which actions are permitted, developers may use actions that were not audited and may be malicious, thus exposing your pipeline to supply chain attacks.
 ### Threat Example(s)
-This misconfiguration could lead to the following attack:
 1. Attacker creates a repository with a tempting but malicious custom GitHub Action
 2. An innocent developer / DevOps engineer uses this malicious action
 3. The malicious action has access to the developer repository and could steal its secrets or modify its content
@@ -25,12 +24,11 @@ This misconfiguration could lead to the following attack:
 ### Remediation
 1. Make sure you have admin permissions
 2. Go to the org's settings page
-3. Enter "Actions - General" tab
-4. Under "Policies"
-5. Select "Allow enterprise, and select non-enterprise, actions and reusable workflows"
-6. Check "Allow actions created by GitHub" and "Allow actions by Marketplace verified creators"
-7. Set any other used trusted actions under "Allow specified actions and reusable workflows"
-8. Click "Save"
+3. Enter 'Actions - General' tab
+4. Under 'Policies', Select 'Allow enterprise, and select non-enterprise, actions and reusable workflows'
+5. Check 'Allow actions created by GitHub' and 'Allow actions by Marketplace verified creators'
+6. Set any other used trusted actions under 'Allow specified actions and reusable workflows'
+7. Click 'Save'
diff --git a/docs/github/actions/all_repositories_can_run_github_actions.md b/docs/github/actions/all_repositories_can_run_github_actions.md
index b69c54c1..55c2e11d 100644
--- a/docs/github/actions/all_repositories_can_run_github_actions.md
+++ b/docs/github/actions/all_repositories_can_run_github_actions.md
@@ -15,8 +15,6 @@ severity: MEDIUM
 By not limiting GitHub Actions to specific repositories, every user in the organization is able to run arbitrary workflows. This could enable malicious activity such as accessing organization secrets, crypto-mining, etc.
 ### Threat Example(s)
-This misconfiguration could lead to the following attack:
-1. Prerequisite: the attacker is part of your GitHub organization
 2. Attacker creates new repository in the organization
 3. Attacker creates a workflow file that reads all organization secrets and exfiltrate them
 4. Attacker trigger the workflow
@@ -27,10 +25,9 @@ This misconfiguration could lead to the following attack:
 ### Remediation
 1. Make sure you have admin permissions
 2. Go to the org's settings page
-3. Enter the "Actions - General" tab
-4. Under "Policies"
-5. Change "All repositories" to "Selected repositories" and select repositories that should be able to run actions
-6. Click "Save"
+3. Enter the 'Actions - General' tab
+4. Under 'Policies', Change 'All repositories' to 'Selected repositories' and select repositories that should be able to run actions
+5. Click 'Save'
diff --git a/docs/github/actions/token_default_permissions_is_read_write.md b/docs/github/actions/token_default_permissions_is_read_write.md
index c2959e92..a77ce6eb 100644
--- a/docs/github/actions/token_default_permissions_is_read_write.md
+++ b/docs/github/actions/token_default_permissions_is_read_write.md
@@ -22,7 +22,7 @@ In case of token compromise (due to a vulnerability or malicious third-party Git
 ### Remediation
 1. Make sure you have admin permissions
 2. Go to the org's settings page
-3. Enter "Actions - General" tab
+3. Enter 'Actions - General' tab
 4. Under 'Workflow permissions'
 5. Select 'Read repository contents permission'
 6. Click 'Save'
diff --git a/docs/github/enterprise/enterprise_allows_creating_public_repos.md b/docs/github/enterprise/enterprise_allows_creating_public_repos.md
index fcabb627..c7549fb2 100644
--- a/docs/github/enterprise/enterprise_allows_creating_public_repos.md
+++ b/docs/github/enterprise/enterprise_allows_creating_public_repos.md
@@ -1,29 +1,28 @@
 ---
 layout: default
-title: Enterprise Should Prevent Members From Creating public Repositories
+title: Enterprise Should Prevent Members From Creating Public Repositories
 parent: Enterprise Policies
 grand_parent: GitHub Policies
 ---
-## Enterprise Should Prevent Members From Creating public Repositories
+## Enterprise Should Prevent Members From Creating Public Repositories
 policy name: enterprise_allows_creating_public_repos
 severity: MEDIUM
 ### Description
-The enterprise's repository creation policy should be set to private/internal repositories only. This will prevents non-admin users from creating public repositories and potentially exposing source code.
+The enterprise's repository creation policy should be set to private/internal repositories only. This will prevent non-admin users from creating public repositories and potentially exposing source code.
 ### Threat Example(s)
-Users can accidentaly create public repositories and expose source code.
+Users can accidentally create public repositories and expose source code.
 ### Remediation
 1. Make sure you are an enterprise owner
 2. Go to the policies page
-3. Under the "Repository creation" section
-4. Choose the "Members can create repositories" option and uncheck 'Public'
+3. Under the 'Repository creation' section, Choose the 'Members can create repositories' option and uncheck 'Public'
diff --git a/docs/github/enterprise/enterprise_allows_forking_repos.md b/docs/github/enterprise/enterprise_allows_forking_repos.md
index bf61ddf7..da6b8ec4 100644
--- a/docs/github/enterprise/enterprise_allows_forking_repos.md
+++ b/docs/github/enterprise/enterprise_allows_forking_repos.md
@@ -22,8 +22,7 @@ Forking to external namespaces could result in loss of control over proprietary
 ### Remediation
 1. Make sure you are an enterprise owner
 2. Go to the policies page
-3. Under the "Repository Forking" section
-4. Choose the "Disabled" option
+3. Under the 'Repository Forking' section, Choose the 'Disabled' option
diff --git a/docs/github/enterprise/enterprise_allows_inviting_externals_collaborators.md b/docs/github/enterprise/enterprise_allows_inviting_externals_collaborators.md
index 37ad0212..5d5b4a10 100644
--- a/docs/github/enterprise/enterprise_allows_inviting_externals_collaborators.md
+++ b/docs/github/enterprise/enterprise_allows_inviting_externals_collaborators.md
@@ -12,7 +12,7 @@ policy name: enterprise_allows_inviting_externals_collaborators
 severity: MEDIUM
 ### Description
-The enterprise's external collaborators invite policy should be set to enterprise/organization owners only. Allowing members to invite external collaborators might result in unauthorized access to the internal projects.
+The enterprise's external collaborators invite policy should be set to enterprise/organization owners only. Allowing members to invite external collaborators might result in unauthorized access to internal projects.
 ### Threat Example(s)
 Inviting external collaborators could result in a loss of control over proprietary information and potentially expose the organization to security risks, such as data leaks.
@@ -22,7 +22,7 @@ Inviting external collaborators could result in a loss of control over proprieta
 ### Remediation
 1. Make sure you are an enterprise owner
 2. Go to the policies page
-3. Under the "Repository outside collaborators" section - choose the "Enterprise Owners Only" or the "Organization Owners Only" option
+3. Under the 'Repository outside collaborators' section, choose the 'Enterprise Owners Only' or the 'Organization Owners Only' option
diff --git a/docs/github/enterprise/enterprise_enforce_two_factor_authentication.md b/docs/github/enterprise/enterprise_enforce_two_factor_authentication.md
index 2f87bf21..76758068 100644
--- a/docs/github/enterprise/enterprise_enforce_two_factor_authentication.md
+++ b/docs/github/enterprise/enterprise_enforce_two_factor_authentication.md
@@ -12,10 +12,10 @@ policy name: enterprise_enforce_two_factor_authentication
 severity: HIGH
 ### Description
-The two-factor authentication requirement should be enforced at the enterprise level. Regardless of whether users are managed externally by SSO, it is highly recommended to enable this option to reduce the risk of a deliberate or accidental user creation without MFA.
+The two-factor authentication requirement should be enforced at the enterprise level. Regardless of whether users are managed externally by SSO, it is highly recommended to enable this option to reduce the risk of deliberate or accidental user creation without MFA.
 ### Threat Example(s)
-If an attacker gets the valid credentials for one of the enterprise’s users they can authenticate to your GitHub enterprise.
+If an attacker gets valid credentials for one of the enterprise’s users they can authenticate to your GitHub enterprise.
@@ -23,7 +23,7 @@ If an attacker gets the valid credentials for one of the enterprise’s users th
 1. Make sure you are an enterprise owner
 2. Go to the Settings page
 3. Go to the Authentication security tab
-4. Check the "Require two-factor authentication for all organizations in the enterprise" checkbox
+4. Check the 'Require two-factor authentication for all organizations in the enterprise' checkbox
diff --git a/docs/github/enterprise/enterprise_not_using_single_sign_on.md b/docs/github/enterprise/enterprise_not_using_single_sign_on.md
index 75db7c78..f76d17f4 100644
--- a/docs/github/enterprise/enterprise_not_using_single_sign_on.md
+++ b/docs/github/enterprise/enterprise_not_using_single_sign_on.md
@@ -12,7 +12,7 @@ policy name: enterprise_not_using_single_sign_on
 severity: MEDIUM
 ### Description
-It is recommended to enable access to an enterprise via SAML single sign-on (SSO) by authenticating through an identity provider (IdP). This allows for central account control and for timely access revocations.
+It is recommended to enable access to an enterprise via SAML single sign-on (SSO) by authenticating through an identity provider (IdP). This allows for central account control and timely access revocations.
 ### Threat Example(s)
 Not using an SSO solution makes it more difficult to track a potentially compromised user's actions across different systems, prevents common password policy throughout the enterprise, and makes it challenging to audit different aspects of the user's behavior.
@@ -23,9 +23,9 @@ Not using an SSO solution makes it more difficult to track a potentially comprom
 1. Make sure you are an enterprise owner
 2. Go to the Settings page
 3. Go to the Authentication security tab
-4. Toggle on "Enable SAML authentication"
+4. Toggle on 'Enable SAML authentication'
 5. Fill in the remaining SSO configuration as instructed on the screen
-6. Click "Save"
+6. Click 'Save'
diff --git a/docs/github/enterprise/enterprise_not_using_visibility_change_disable_policy.md b/docs/github/enterprise/enterprise_not_using_visibility_change_disable_policy.md
index 49876c4d..b912455f 100644
--- a/docs/github/enterprise/enterprise_not_using_visibility_change_disable_policy.md
+++ b/docs/github/enterprise/enterprise_not_using_visibility_change_disable_policy.md
@@ -12,7 +12,7 @@ policy name: enterprise_not_using_visibility_change_disable_policy
 severity: MEDIUM
 ### Description
-The enterprise's Repository visibility change policy should be set to DISABLED. This will prevents users from creating private repositories and change them to be public. Malicous actors could leak code if enabled.
+The enterprise's Repository visibility change policy should be set to DISABLED. This will prevent users from creating private repositories and changing them to be public. Malicious actors could leak code if enabled.
 ### Threat Example(s)
 A member of the organization could inadvertently or maliciously make public an internal repository exposing confidential data.
@@ -22,8 +22,7 @@ A member of the organization could inadvertently or maliciously make public an i
 ### Remediation
 1. Make sure you are an enterprise owner
 2. Go to the policies page
-3. Under the "Repository visibility change" section
-4. choose the "Disabled" option
+3. Under the 'Repository visibility change' section, choose the 'Disabled' option
diff --git a/docs/github/enterprise/memberes_allowed_repository_move_or_deletion.md b/docs/github/enterprise/memberes_allowed_repository_move_or_deletion.md
index ae1c0bc2..f36f17c0 100644
--- a/docs/github/enterprise/memberes_allowed_repository_move_or_deletion.md
+++ b/docs/github/enterprise/memberes_allowed_repository_move_or_deletion.md
@@ -23,8 +23,7 @@ A member of the organization could inadvertently or maliciously transfer a repos
 1. Make sure you are an enterprise owner
 2. Go to the Enterprise Settings page
 3. Under the ‘Policies’ tab choose ‘Repositories’
-4. Go to the ‘Admin repository permissions' section
-5. under ‘Repository deletion and transfer' and select 'Disabled'
+4. Go to the ‘Admin repository permissions' section, under ‘Repository deletion and transfer' and select 'Disabled'
diff --git a/docs/github/enterprise/repository_no_permission_enforced_by_default.md b/docs/github/enterprise/repository_no_permission_enforced_by_default.md
index 831d3667..7f8565e0 100644
--- a/docs/github/enterprise/repository_no_permission_enforced_by_default.md
+++ b/docs/github/enterprise/repository_no_permission_enforced_by_default.md
@@ -1,12 +1,12 @@
 ---
 layout: default
-title: Enterprise Should Define Base Permissions As “No Permission” For All Members
+title: Enterprise Should Define Base Permissions As 'No Permission' For All Members
 parent: Enterprise Policies
 grand_parent: GitHub Policies
 ---
-## Enterprise Should Define Base Permissions As “No Permission” For All Members
+## Enterprise Should Define Base Permissions As 'No Permission' For All Members
 policy name: repository_no_permission_enforced_by_default
 severity: MEDIUM
@@ -22,9 +22,8 @@ An adversary will have access to all repositories in the enterprise, instead of
 ### Remediation
 1. Make sure you are an enterprise owner
 2. Go to the Settings page
-3. Under the ‘Policies’ tab
-4. choose ‘Repositories’
-5. Under ‘Base Permission’ choose ‘No Permission’
+3. Under the 'Policies' tab, choose 'Repositories'
+4. Under 'Base Permission' choose 'No Permission'
diff --git a/docs/github/member/organization_has_too_many_admins.md b/docs/github/member/organization_has_too_many_admins.md
index 6fa8a341..d1f5c943 100644
--- a/docs/github/member/organization_has_too_many_admins.md
+++ b/docs/github/member/organization_has_too_many_admins.md
@@ -15,7 +15,7 @@ severity: MEDIUM
 Organization owners are highly privileged and could create great damage if they are compromised. It is recommended to limit the number of Organizational Admins to the minimum needed (recommended maximum 3 owners).
 ### Threat Example(s)
-1. An organization has a permissive attitude and provides an owner role to all developers.
+1. An organization has a permissive attitude and provides an owner role to all developers
 2. One of the developers has decided to collaborate with an evil ransomware gang, and uses his high privileges to add a malicious external collaborator
 3. The malicious collaborator, being an owner, has a wide range of destructive operations he can do (e.g. remove security settings)
@@ -25,7 +25,7 @@ Organization owners are highly privileged and could create great damage if they
 1. Make sure you have admin permissions
 2. Go to the organization People page
 3. Select the unwanted owners
-4. Using the "X members selected" - change role to member
+4. Using the 'X members selected' - change role to member
diff --git a/docs/github/member/stale_admin_found.md b/docs/github/member/stale_admin_found.md
index a3773932..b80f742d 100644
--- a/docs/github/member/stale_admin_found.md
+++ b/docs/github/member/stale_admin_found.md
@@ -23,7 +23,7 @@ Stale admins are most likely not managed and monitored, increasing the possibili
 1. Make sure you have admin permissions
 2. Go to the org's People page
 3. Select all stale admins
-4. Using the "X members selected" - remove members from organization
+4. Using the 'X members selected' - remove members from organization
diff --git a/docs/github/member/stale_member_found.md b/docs/github/member/stale_member_found.md
index 7ac948b9..72a6edee 100644
--- a/docs/github/member/stale_member_found.md
+++ b/docs/github/member/stale_member_found.md
@@ -23,7 +23,7 @@ Stale members are most likely not managed and monitored, increasing the possibil
 1. Make sure you have admin permissions
 2. Go to the org's People page
 3. Select all stale members
-4. Using the "X members selected" - remove members from organization
+4. Using the 'X members selected' - remove members from organization
diff --git a/docs/github/organization/default_repository_permission_is_not_none.md b/docs/github/organization/default_repository_permission_is_not_none.md
index 7f30c4da..cc80c0b0 100644
--- a/docs/github/organization/default_repository_permission_is_not_none.md
+++ b/docs/github/organization/default_repository_permission_is_not_none.md
@@ -22,10 +22,10 @@ Organization members can see the content of freshly created repositories, even i
 ### Remediation
 1. Make sure you have admin permissions
 2. Go to the organization settings page
-3. Enter "Member privileges" tab
-4. Under "Base permissions"
-5. Set permissions to "No permissions"
-6. Click "Save"
+3. Enter 'Member privileges' tab
+4. Under 'Base permissions'
+5. Set permissions to 'No permissions'
+6. Click 'Save'
diff --git a/docs/github/organization/non_admins_can_create_public_repositories.md b/docs/github/organization/non_admins_can_create_public_repositories.md
index d98dab29..b9aad2d5 100644
--- a/docs/github/organization/non_admins_can_create_public_repositories.md
+++ b/docs/github/organization/non_admins_can_create_public_repositories.md
@@ -12,7 +12,7 @@ policy name: non_admins_can_create_public_repositories
 severity: MEDIUM
 ### Description
-The organization should be configured to prevent non-admin members creating public repositories. Creating a public repository may expose sensitive organization code, which, once exposed, may be copied, cached or stored by external parties. Therefore, it is highly recommended to restrict the option to create public repositories to admins only and reduce the risk of unintentional code exposure. NOTE: You should also verify that repositories owners can't change existing repositories visibility to be public. If allowed, a malicious user could create a private repo and change it to public. See: https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-organization-settings/restricting-repository-visibility-changes-in-your-organization for further information
+The organization should be configured to prevent non-admin members from creating public repositories. Creating a public repository may expose sensitive organization code, which, once exposed, may be copied, cached, or stored by external parties. Therefore, it is highly recommended to restrict the option to create public repositories to admins only and reduce the risk of unintentional code exposure. NOTE: You should also verify that repository owners can't change existing repository visibility to be public. If allowed, a malicious user could create a private repo and change it to public. See: https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-organization-settings/restricting-repository-visibility-changes-in-your-organization for further information
 ### Threat Example(s)
 A member of the organization could inadvertently or maliciously make public an internal repository exposing confidential data.
@@ -22,10 +22,10 @@ A member of the organization could inadvertently or maliciously make public an i
 ### Remediation
 1. Make sure you have admin permissions
 2. Go to the organization settings page
-3. Enter "Member privileges" tab
-4. Under "Repository creation"
-5. Toggle off "Public"
-6. Click "Save"
+3. Enter 'Member privileges' tab
+4. Under 'Repository creation'
+5. Toggle off 'Public'
+6. Click 'Save'
diff --git a/docs/github/organization/organization_not_using_single_sign_on.md b/docs/github/organization/organization_not_using_single_sign_on.md
index 7b915ead..4764b330 100644
--- a/docs/github/organization/organization_not_using_single_sign_on.md
+++ b/docs/github/organization/organization_not_using_single_sign_on.md
@@ -15,17 +15,17 @@ severity: MEDIUM
 It is recommended to enable access to an organization via SAML single sign-on (SSO) by authenticating through an identity provider (IdP). This allows for central account control and for timely access revocations.
 ### Threat Example(s)
-Not using an SSO solution makes it more difficult to track a potentially compromised user's actions accross different systems, prevents the organization from defining a common password policy, and makes it challenging to audit different aspects of the user's behavior.
+Not using an SSO solution makes it more difficult to track a potentially compromised user's actions across different systems, prevents the organization from defining a common password policy, and makes it challenging to audit different aspects of the user's behavior.
 ### Remediation
 1. Make sure you have admin permissions
 2. Go to the organization settings page
-3. Enter "Authentication security" tab
-4. Toggle on "Enable SAML authentication"
+3. Enter 'Authentication security' tab
+4. Toggle on 'Enable SAML authentication'
 5. Fill in the remaining SSO configuration as instructed on the screen
-6. Click "Save"
+6. Click 'Save'
diff --git a/docs/github/organization/organization_secret_is_stale.md b/docs/github/organization/organization_secret_is_stale.md
new file mode 100644
index 00000000..41034f49
--- /dev/null
+++ b/docs/github/organization/organization_secret_is_stale.md
@@ -0,0 +1,31 @@
+---
+layout: default
+title: Organization Secrets Should Be Updated At Least Yearly
+parent: Organization Policies
+grand_parent: GitHub Policies
+---
+
+
+## Organization Secrets Should Be Updated At Least Yearly
+policy name: organization_secret_is_stale
+
+severity: MEDIUM
+
+### Description
+Some of the organizations secrets have not been updated for over a year. It is recommended to refresh secret values regularly in order to minimize the risk of breach in case of an information leak.
+
+### Threat Example(s)
+Sensitive data may have been inadvertently made public in the past, and an attacker who holds this data may gain access to your current CI and services. In addition, there may be old or unnecessary tokens that have not been inspected and can be used to access sensitive information.
+
+
+
+### Remediation
+Enter your organization's landing page
+Go to the settings tab
+Under the 'Security' title on the left, choose 'Secrets and variables'
+Click 'Actions'
+Sort secrets by 'Last Updated'
+Regenerate every secret older than one year and add the new value to GitHub's secret manager
+
+
+
diff --git a/docs/github/organization/organization_webhook_doesnt_require_ssl.md b/docs/github/organization/organization_webhook_doesnt_require_ssl.md
index 937c91cb..90aff7cf 100644
--- a/docs/github/organization/organization_webhook_doesnt_require_ssl.md
+++ b/docs/github/organization/organization_webhook_doesnt_require_ssl.md
@@ -23,11 +23,11 @@ In the case of GitHub Enterprise Server instances, it may be sufficient only to
 ### Remediation
 1. Make sure you have admin permissions
 2. Go to the organization settings page
-3. Select "Webhooks"
+3. Select 'Webhooks'
 4. Press on the insecure webhook
-5. Verify url starts with https
-6. Enable "SSL verification"
-7. Click "Update webhook"
+5. Verify URL starts with https
+6. Enable 'SSL verification'
+7. Click 'Update webhook'
diff --git a/docs/github/organization/organization_webhook_no_secret.md b/docs/github/organization/organization_webhook_no_secret.md
index 34cac760..53285dc8 100644
--- a/docs/github/organization/organization_webhook_no_secret.md
+++ b/docs/github/organization/organization_webhook_no_secret.md
@@ -23,10 +23,10 @@ This allows attackers to masquerade as your organization, potentially creating a
 ### Remediation
 1. Make sure you have admin permissions
 2. Go to the organization settings page
-3. Select "Webhooks"
+3. Select 'Webhooks'
 4. Press on the insecure webhook
 5. Configure a secret
-6. Click "Update webhook"
+6. Click 'Update webhook'
diff --git a/docs/github/organization/two_factor_authentication_not_required_for_org.md b/docs/github/organization/two_factor_authentication_not_required_for_org.md
index 5b79e9cd..53949a23 100644
--- a/docs/github/organization/two_factor_authentication_not_required_for_org.md
+++ b/docs/github/organization/two_factor_authentication_not_required_for_org.md
@@ -22,10 +22,10 @@ If an attacker gets the valid credentials for one of the organization’s users ### Remediation 1. Make sure you have admin permissions 2. Go to the organization settings page -3. Enter "Authentication security" tab -4. Under "Two-factor authentication" -5. Toggle on "Require two-factor authentication for everyone in the organization" -6. Click "Save" +3. Enter 'Authentication security' tab +4. Under 'Two-factor authentication' +5. Toggle on 'Require two-factor authentication for everyone in the organization' +6. Click 'Save' diff --git a/docs/github/repository/actions_can_approve_pull_requests.md b/docs/github/repository/actions_can_approve_pull_requests.md index d3d44430..0e9a05cd 100644 --- a/docs/github/repository/actions_can_approve_pull_requests.md +++ b/docs/github/repository/actions_can_approve_pull_requests.md @@ -22,9 +22,9 @@ Attackers can exploit this misconfiguration to bypass code-review restrictions b ### Remediation 1. Make sure you have admin permissions 2. Go to the org's settings page -3. Enter "Actions - General" tab +3. Enter 'Actions - General' tab 4. Under 'Workflow permissions' -5. Uncheck 'Allow GitHub actions to create and approve pull requests. +5. Uncheck 'Allow GitHub actions to create and approve pull requests.' 6. Click 'Save' diff --git a/docs/github/repository/code_review_by_two_members_not_required.md b/docs/github/repository/code_review_by_two_members_not_required.md index 786575c9..b5bf65f8 100644 --- a/docs/github/repository/code_review_by_two_members_not_required.md +++ b/docs/github/repository/code_review_by_two_members_not_required.md 
@@ -21,16 +21,16 @@ Requiring code review by at least two reviewers further decreases the risk of an ### Remediation -1. Note: The remediation steps applys to legacy branch protections, rules set based protection should be updated from the rules set page -2. Make sure you have admin permissions -3. Go to the repo's settings page -4. Enter "Branches" tab -5. Under "Branch protection rules" -6. Click "Edit" on the default branch rule -7. Check "Require a pull request before merging" -8. Check "Require approvals" -9. Set "Required number of approvals before merging" to 1 or more -10. Click "Save changes" +Note: The remediation steps apply to legacy branch protections, rules set-based protection should be updated from the rules set page +1. Make sure you have admin permissions +2. Go to the repo's settings page +3. Enter 'Branches' tab +4. Under 'Branch protection rules' +5. Click 'Edit' on the default branch rule +6. Check 'Require a pull request before merging' +7. Check 'Require approvals' +8. Set 'Required number of approvals before merging' to 2 or more +9. Click 'Save changes' diff --git a/docs/github/repository/code_review_not_limited_to_code_owners.md b/docs/github/repository/code_review_not_limited_to_code_owners.md index 561b8afb..b53e5c5a 100644 --- a/docs/github/repository/code_review_not_limited_to_code_owners.md +++ b/docs/github/repository/code_review_not_limited_to_code_owners.md 
@@ -20,15 +20,15 @@ A pull request may be approved by any contributor with write access. Specifying ### Remediation -1. Note: The remediation steps applys to legacy branch protections, rules set based protection should be updated from the rules set page -2. Make sure you have admin permissions -3. Go to the repo's settings page -4. Enter "Branches" tab -5. Under "Branch protection rules" -6. Click "Edit" on the default branch rule -7. Check "Require a pull request before merging" -8. Check "Require review from Code Owners" -9. Click "Save changes" +Note: The remediation steps apply to legacy branch protections, rules set-based protection should be updated from the rules set page +1. Make sure you have admin permissions +2. Go to the repo's settings page +3. Enter 'Branches' tab +4. Under 'Branch protection rules' +5. Click 'Edit' on the default branch rule +6. Check 'Require a pull request before merging' +7. Check 'Require review from Code Owners' +8. Click 'Save changes' diff --git a/docs/github/repository/code_review_not_required.md b/docs/github/repository/code_review_not_required.md index 924a3169..71358aa2 100644 --- a/docs/github/repository/code_review_not_required.md +++ b/docs/github/repository/code_review_not_required.md 
@@ -20,16 +20,16 @@ Users can merge code without being reviewed, which can lead to insecure code rea ### Remediation -1. Note: The remediation steps applys to legacy branch protections, rules set based protection should be updated from the rules set page -2. Make sure you have admin permissions -3. Go to the repo's settings page -4. Enter "Branches" tab -5. Under "Branch protection rules" -6. Click "Edit" on the default branch rule -7. Check "Require a pull request before merging" -8. Check "Require approvals" -9. Set "Required number of approvals before merging" to 1 or more -10. Click "Save changes" +Note: The remediation steps apply to legacy branch protections, rules set-based protection should be updated from the rules set page +1. Make sure you have admin permissions +2. Go to the repo's settings page +3. Enter 'Branches' tab +4. Under 'Branch protection rules' +5. Click 'Edit' on the default branch rule +6. Check 'Require a pull request before merging' +7. Check 'Require approvals' +8. Set 'Required number of approvals before merging' to 1 or more +9. Click 'Save changes' diff --git a/docs/github/repository/dismisses_stale_reviews.md b/docs/github/repository/dismisses_stale_reviews.md index 4835061d..b05a7de7 100644 --- a/docs/github/repository/dismisses_stale_reviews.md +++ b/docs/github/repository/dismisses_stale_reviews.md 
@@ -20,15 +20,15 @@ Buggy or insecure code may be committed after approval and will reach the main b ### Remediation -1. Note: The remediation steps applys to legacy branch protections, rules set based protection should be updated from the rules set page -2. Make sure you have admin permissions -3. Go to the repo's settings page -4. Enter "Branches" tab -5. Under "Branch protection rules" -6. Click "Edit" on the default branch rule -7. Check "Require a pull request before merging" -8. Check "Dismiss stale pull request approvals when new commits are pushed" -9. Click "Save changes" +Note: The remediation steps apply to legacy branch protections, rules set-based protection should be updated from the rules set page +1. Make sure you have admin permissions +2. Go to the repo's settings page +3. Enter 'Branches' tab +4. Under 'Branch protection rules' +5. Click 'Edit' on the default branch rule +6. Check 'Require a pull request before merging' +7. Check 'Dismiss stale pull request approvals when new commits are pushed' +8. Click 'Save changes' diff --git a/docs/github/repository/forking_allowed_for_repository.md b/docs/github/repository/forking_allowed_for_repository.md index d86d6355..c46200cf 100644 --- a/docs/github/repository/forking_allowed_for_repository.md +++ b/docs/github/repository/forking_allowed_for_repository.md @@ -22,9 +22,8 @@ Forked repositories cause more code and secret sprawl in the organization as for ### Remediation 1. Make sure you have admin permissions 2. Go to the repo's settings page -3. Enter "General" tab -4. Under "Features" -5. Toggle off "Allow forking" +3. Enter 'General' tab +4. Under 'Features', Toggle off 'Allow forking' diff --git a/docs/github/repository/ghas_dependency_review_not_enabled.md b/docs/github/repository/ghas_dependency_review_not_enabled.md index 42a2a18f..b94db0ae 100644 --- a/docs/github/repository/ghas_dependency_review_not_enabled.md +++ b/docs/github/repository/ghas_dependency_review_not_enabled.md 
@@ -22,8 +22,8 @@ A contributor may add vulnerable third-party dependencies to the repository, int ### Remediation 1. Make sure you have admin permissions 2. Go to the repo's settings page -3. Enter "Code security and analysis" tab -4. Set "Dependency graph" as Enabled +3. Enter 'Code security and analysis' tab +4. Set 'Dependency graph' as Enabled diff --git a/docs/github/repository/missing_default_branch_protection.md b/docs/github/repository/missing_default_branch_protection.md index a5919dfc..cfa85f28 100644 --- a/docs/github/repository/missing_default_branch_protection.md +++ b/docs/github/repository/missing_default_branch_protection.md @@ -22,12 +22,12 @@ Any contributor with write access may push potentially dangerous code to this re ### Remediation 1. Make sure you have admin permissions 2. Go to the repo's settings page -3. Enter "Branches" tab -4. Under "Branch protection rules" -5. Click "Add rule" -6. Set "Branch name pattern" as the default branch name (usually "main" or "master") +3. Enter 'Branches' tab +4. Under 'Branch protection rules' +5. Click 'Add rule' +6. Set 'Branch name pattern' as the default branch name (usually 'main' or 'master') 7. Set desired protections -8. Click "Create" and save the rule +8. Click 'Create' and save the rule diff --git a/docs/github/repository/missing_default_branch_protection_deletion.md b/docs/github/repository/missing_default_branch_protection_deletion.md index 09c9da56..6536df11 100644 --- a/docs/github/repository/missing_default_branch_protection_deletion.md +++ b/docs/github/repository/missing_default_branch_protection_deletion.md 
@@ -20,12 +20,13 @@ Rewriting project history can make it difficult to trace back when bugs or secur ### Remediation +Note: The remediation steps apply to legacy branch protections, rules set-based protection should be updated from the rules set page 1. Make sure you have admin permissions 2. Go to the repo's settings page -3. Enter "Branches" tab -4. Under "Branch protection rules" -5. Click "Edit" on the default branch rule -6. Uncheck "Allow deletions", Click "Save changes" +3. Enter 'Branches' tab +4. Under 'Branch protection rules' +5. Click 'Edit' on the default branch rule +6. Uncheck 'Allow deletions', Click 'Save changes' diff --git a/docs/github/repository/missing_default_branch_protection_force_push.md b/docs/github/repository/missing_default_branch_protection_force_push.md index 5f66bbb6..aa870047 100644 --- a/docs/github/repository/missing_default_branch_protection_force_push.md +++ b/docs/github/repository/missing_default_branch_protection_force_push.md @@ -20,14 +20,14 @@ Rewriting project history can make it difficult to trace back when bugs or secur ### Remediation -1. Note: The remediation steps applys to legacy branch protections, rules set based protection should be updated from the rules set page -2. Make sure you have admin permissions -3. Go to the repo's settings page -4. Enter "Branches" tab -5. Under "Branch protection rules" -6. Click "Edit" on the default branch rule -7. Uncheck "Allow force pushes" -8. Click "Save changes" +Note: The remediation steps apply to legacy branch protections, rules set based protection should be updated from the rules set page +1. Make sure you have admin permissions +2. Go to the repo's settings page +3. Enter 'Branches' tab +4. Under 'Branch protection rules' +5. Click 'Edit' on the default branch rule +6. Uncheck 'Allow force pushes' +7. Click 'Save changes' 
diff --git a/docs/github/repository/no_conversation_resolution.md b/docs/github/repository/no_conversation_resolution.md index 799631a2..97f6e295 100644 --- a/docs/github/repository/no_conversation_resolution.md +++ b/docs/github/repository/no_conversation_resolution.md @@ -12,7 +12,7 @@ policy name: no_conversation_resolution severity: LOW ### Description -Require all Pull Request conversations to be resolved before merging. Check this to avoid bypassing/missing a Pull Reuqest comment. +Require all Pull Request conversations to be resolved before merging. Check this to avoid bypassing/missing a Pull Request comment. ### Threat Example(s) Allowing the merging of code without resolving all conversations can promote poor and vulnerable code, as important comments may be forgotten or deliberately ignored when the code is merged. @@ -20,14 +20,14 @@ Allowing the merging of code without resolving all conversations can promote poo ### Remediation -1. Note: The remediation steps applys to legacy branch protections, rules set based protection should be updated from the rules set page -2. Make sure you have admin permissions -3. Go to the repo's settings page -4. Enter "Branches" tab -5. Under "Branch protection rules" -6. Click "Edit" on the default branch rule -7. Check "Require conversation resolution before merging" -8. Click "Save changes" +Note: The remediation steps apply to legacy branch protections, rules set-based protection should be updated from the rules set page +1. Make sure you have admin permissions +2. Go to the repo's settings page +3. Enter 'Branches' tab +4. Under 'Branch protection rules' +5. Click 'Edit' on the default branch rule +6. Check 'Require conversation resolution before merging' +7. Click 'Save changes' diff --git a/docs/github/repository/no_signed_commits.md b/docs/github/repository/no_signed_commits.md index ad908c62..ba64b370 100644 --- a/docs/github/repository/no_signed_commits.md +++ b/docs/github/repository/no_signed_commits.md 
@@ -20,14 +20,14 @@ A commit containing malicious code may be crafted by a malicious actor that has ### Remediation -1. Note: The remediation steps applys to legacy branch protections, rules set based protection should be updated from the rules set page -2. Make sure you have admin permissions -3. Go to the repo's settings page -4. Enter "Branches" tab -5. Under "Branch protection rules" -6. Click "Edit" on the default branch rule -7. Check "Require signed commits" -8. Click "Save changes" +Note: The remediation steps apply to legacy branch protections, rules set-based protection should be updated from the rules set page +1. Make sure you have admin permissions +2. Go to the repo's settings page +3. Enter 'Branches' tab +4. Under 'Branch protection rules' +5. Click 'Edit' on the default branch rule +6. Check 'Require signed commits' +7. Click 'Save changes' diff --git a/docs/github/repository/non_linear_history.md b/docs/github/repository/non_linear_history.md index 8f228b09..7a794be4 100644 --- a/docs/github/repository/non_linear_history.md +++ b/docs/github/repository/non_linear_history.md @@ -20,14 +20,14 @@ Having a non-linear history makes it harder to reverse changes, making recovery ### Remediation -1. Note: The remediation steps applys to legacy branch protections, rules set based protection should be updated from the rules set page -2. Make sure you have admin permissions -3. Go to the repo's settings page -4. Enter "Branches" tab -5. Under "Branch protection rules" -6. Click "Edit" on the default branch rule -7. Check "Require linear history" -8. Click "Save changes" +Note: The remediation steps apply to legacy branch protections, rules set-based protection should be updated from the rules set page +1. Make sure you have admin permissions +2. Go to the repo's settings page +3. Enter 'Branches' tab +4. Under 'Branch protection rules' +5. Click 'Edit' on the default branch rule +6. Check 'Require linear history' +7. Click 'Save changes' 
diff --git a/docs/github/repository/pushes_are_not_restricted.md b/docs/github/repository/pushes_are_not_restricted.md index 4052d861..f3e1e9ed 100644 --- a/docs/github/repository/pushes_are_not_restricted.md +++ b/docs/github/repository/pushes_are_not_restricted.md @@ -20,15 +20,15 @@ An attacker with write credentials may introduce vulnerabilities to your code wi ### Remediation -1. Note: The remediation steps applys to legacy branch protections, rules set based protection should be updated from the rules set page -2. Make sure you have admin permissions -3. Go to the repo's settings page -4. Enter "Branches" tab -5. Under "Branch protection rules" -6. Click "Edit" on the default branch rule -7. Check "Restrict who can push to matching branches" -8. Choose who should be allowed to push -9. Click "Save changes" +Note: The remediation steps apply to legacy branch protections, rules set-based protection should be updated from the rules set page +1. Make sure you have admin permissions +2. Go to the repo's settings page +3. Enter 'Branches' tab +4. Under 'Branch protection rules' +5. Click 'Edit' on the default branch rule +6. Check 'Restrict who can push to matching branches' +7. Choose who should be allowed to push +8. Click 'Save changes' diff --git a/docs/github/repository/repository_has_too_many_admins.md b/docs/github/repository/repository_has_too_many_admins.md index 43f068e4..d6b00603 100644 --- a/docs/github/repository/repository_has_too_many_admins.md +++ b/docs/github/repository/repository_has_too_many_admins.md 
@@ -12,7 +12,7 @@ policy name: repository_has_too_many_admins severity: LOW ### Description -Repository admins are highly privileged and could create great damage if they are compromised. It is recommeneded to limit the number of Repository Admins to the minimum required (recommended maximum 3 admins). +Repository admins are highly privileged and could create great damage if they are compromised. It is recommended to limit the number of Repository Admins to the minimum required (recommended maximum 3 admins). ### Threat Example(s) A compromised user with admin permissions can initiate a supply chain attack in a plethora of ways. @@ -23,9 +23,9 @@ Having many admin users increases the overall risk of user compromise, and makes ### Remediation 1. Make sure you have admin permissions 2. Go to the repository settings page -3. Press "Collaborators and teams" +3. Press 'Collaborators and teams' 4. Select the unwanted admin users -5. Select "Change Role" +5. Select 'Change Role' diff --git a/docs/github/repository/repository_secret_is_stale.md b/docs/github/repository/repository_secret_is_stale.md new file mode 100644 index 00000000..b020d132 --- /dev/null +++ b/docs/github/repository/repository_secret_is_stale.md 
@@ -0,0 +1,31 @@
+---
+layout: default
+title: Repository Secrets Should Be Updated At Least Yearly
+parent: Repository Policies
+grand_parent: GitHub Policies
+---
+
+
+## Repository Secrets Should Be Updated At Least Yearly
+policy name: repository_secret_is_stale
+
+severity: MEDIUM
+
+### Description
+Some of the repository secrets have not been updated for over a year. It is recommended to refresh secret values regularly in order to minimize the risk of breach in case of an information leak.
+
+### Threat Example(s)
+Sensitive data may have been inadvertently made public in the past, and an attacker who holds this data may gain access to your current CI and services. In addition, there may be old or unnecessary tokens that have not been inspected and can be used to access sensitive information.
+
+
+
+### Remediation
+1. Enter your repository's landing page
+2. Go to the settings tab
+3. Under the 'Security' title on the left, choose 'Secrets and variables'
+4. Click 'Actions'
+5. Sort secrets by 'Last Updated'
+6. Regenerate every secret older than one year and add the new value to GitHub's secret manager
+
+
+
diff --git a/docs/github/repository/repository_webhook_doesnt_require_ssl.md b/docs/github/repository/repository_webhook_doesnt_require_ssl.md
index de8aef47..aabca1ee 100644
--- a/docs/github/repository/repository_webhook_doesnt_require_ssl.md
+++ b/docs/github/repository/repository_webhook_doesnt_require_ssl.md
@@ -12,10 +12,10 @@ policy name: repository_webhook_doesnt_require_ssl severity: LOW ### Description -Webhooks that are not configured with SSL enabled could expose your sofware to man in the middle attacks (MITM). +Webhooks that are not configured with SSL enabled could expose your software to man-in-the-middle attacks (MITM). ### Threat Example(s) -If SSL verification is disabled, any party with access to the target DNS domain can masquerade as your designated payload URL, allowing it freely read and affect the response of any webhook request. +If SSL verification is disabled, any party with access to the target DNS domain can masquerade as your designated payload URL, allowing it to freely read and affect the response of any webhook request. In the case of GitHub Enterprise Server instances, it may be sufficient only to control the DNS configuration of the network where the instance is deployed, as an attacker can redirect traffic to the target domain in your internal network directly to them, and this is often much easier than compromising an internet-facing domain. @@ -23,11 +23,11 @@ In the case of GitHub Enterprise Server instances, it may be sufficient only to ### Remediation 1. Make sure you can manage webhooks for the repository 2. Go to the repository settings page -3. Select "Webhooks" -4. Verify url starts with https +3. Select 'Webhooks' +4. Verify URL starts with https 5. Press on the insecure webhook -6. Enable "SSL verfication" -7. Click "Update webhook" +6. Enable 'SSL verification' +7. Click 'Update webhook' diff --git a/docs/github/repository/repository_webhook_no_secret.md b/docs/github/repository/repository_webhook_no_secret.md index 85dabf02..59b0ea70 100644 --- a/docs/github/repository/repository_webhook_no_secret.md +++ b/docs/github/repository/repository_webhook_no_secret.md 
@@ -23,10 +23,10 @@ This allows attackers to masquerade as your repository, potentially creating an ### Remediation 1. Make sure you can manage webhooks for the repository 2. Go to the repository settings page -3. Select "Webhooks" +3. Select 'Webhooks' 4. Press on the insecure webhook -5. Confiure a secret -6. Click "Update webhook" +5. Configure a secret +6. Click 'Update webhook' diff --git a/docs/github/repository/requires_branches_up_to_date_before_merge.md b/docs/github/repository/requires_branches_up_to_date_before_merge.md index d1fe9b39..706ccfb4 100644 --- a/docs/github/repository/requires_branches_up_to_date_before_merge.md +++ b/docs/github/repository/requires_branches_up_to_date_before_merge.md @@ -20,15 +20,15 @@ Required status checks may be failing on the latest version after passing on an ### Remediation -1. Note: The remediation steps applys to legacy branch protections, rules set based protection should be updated from the rules set page -2. Make sure you have admin permissions -3. Go to the repo's settings page -4. Enter "Branches" tab -5. Under "Branch protection rules" -6. Click "Edit" on the default branch rule -7. Check "Require status checks to pass before merging" -8. Check "Require branches to be up to date before merging" -9. Click "Save changes" +Note: The remediation steps apply to legacy branch protections, rules set-based protection should be updated from the rules set page +1. Make sure you have admin permissions +2. Go to the repo's settings page +3. Enter 'Branches' tab +4. Under 'Branch protection rules' +5. Click 'Edit' on the default branch rule +6. Check 'Require status checks to pass before merging' +7. Check 'Require branches to be up to date before merging' +8. Click 'Save changes' diff --git a/docs/github/repository/requires_status_checks.md b/docs/github/repository/requires_status_checks.md index f52efb99..52476d57 100644 --- a/docs/github/repository/requires_status_checks.md 
+++ b/docs/github/repository/requires_status_checks.md @@ -12,7 +12,7 @@ policy name: requires_status_checks severity: MEDIUM ### Description -Branch protection is enabled. However, the checks which validate the quality and security of the code are not required to pass before submitting new changes. The default check ensures code is up-to-date in order to prevent faulty merges and unexpected behaviors, as well as other custom checks that test security and quality. It is advised to turn this control on to ensure any existing or future check will be required to pass. +Branch protection is enabled. However, the checks that validate the quality and security of the code are not required to pass before submitting new changes. The default check ensures the code is up-to-date to prevent faulty merges and unexpected behaviors, as well as other custom checks that test security and quality. It is advised to turn this control on to ensure any existing or future check will be required to pass. ### Threat Example(s) Not defining a set of required status checks can make it easy for contributors to introduce buggy or insecure code as manual review, whether mandated or optional, is the only line of defense. 
@@ -20,15 +20,15 @@ Not defining a set of required status checks can make it easy for contributors t ### Remediation -1. Note: The remediation steps applys to legacy branch protections, rules set based protection should be updated from the rules set page -2. Make sure you have admin permissions -3. Go to the repo's settings page -4. Enter "Branches" tab -5. Under "Branch protection rules" -6. Click "Edit" on the default branch rule -7. Check "Require status checks to pass before merging" -8. Add the required checks that must pass before merging (tests, lint, etc...) -9. Click "Save changes" +Note: The remediation steps apply to legacy branch protections, rules set-based protection should be updated from the rules set page +1. Make sure you have admin permissions +2. Go to the repo's settings page +3. Enter 'Branches' tab +4. Under 'Branch protection rules' +5. Click 'Edit' on the default branch rule +6. Check 'Require status checks to pass before merging' +7. Add the required checks that must pass before merging (tests, lint, etc...) +8. Click 'Save changes' diff --git a/docs/github/repository/review_dismissal_allowed.md b/docs/github/repository/review_dismissal_allowed.md index 6cc4f822..a2781937 100644 --- a/docs/github/repository/review_dismissal_allowed.md +++ b/docs/github/repository/review_dismissal_allowed.md 
@@ -20,13 +20,14 @@ Allowing the dismissal of reviews can promote poor and vulnerable code, as impor ### Remediation +Note: The remediation steps apply to legacy branch protections, rules set-based protection should be updated from the rules set page 1. Make sure you have admin permissions 2. Go to the repo's settings page -3. Enter "Branches" tab -4. Under "Branch protection rules" -5. Click "Edit" on the default branch rule -6. Check "Restrict who can dismiss pull request reviews" -7. Click "Save changes" +3. Enter 'Branches' tab +4. Under 'Branch protection rules' +5. Click 'Edit' on the default branch rule +6. Check 'Restrict who can dismiss pull request reviews' +7. Click 'Save changes' diff --git a/docs/github/repository/scorecard_score_too_low.md b/docs/github/repository/scorecard_score_too_low.md index ce7bbc61..6e40feb4 100644 --- a/docs/github/repository/scorecard_score_too_low.md +++ b/docs/github/repository/scorecard_score_too_low.md @@ -12,7 +12,7 @@ policy name: scorecard_score_too_low severity: MEDIUM ### Description -Scorecard is an open-source tool from the OSSF that helps to asses the security posture of repositories. A low scorecard score means your repository may be at risk. +Scorecard is an open-source tool from the OSSF that helps to assess the security posture of repositories. A low scorecard score means your repository may be at risk. ### Threat Example(s) A low Scorecard score can indicate that the repository is more vulnerable to attack than others, making it a prime attack target. @@ -20,7 +20,6 @@ A low Scorecard score can indicate that the repository is more vulnerable to att ### Remediation -1. Get scorecard output by either: 2. - Run legitify with --scorecard verbose 3. - Run scorecard manually 4. Fix the failed checks diff --git a/docs/github/repository/token_default_permissions_is_read_write.md b/docs/github/repository/token_default_permissions_is_read_write.md index c0301128..dfb4a69b 100644 
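Review bot: Removing `1. Get scorecard output by either:` from scorecard_score_too_low.md leaves the remediation list starting at `2. - Run legitify with --scorecard verbose`, so the two `- Run …` items no longer have the sentence that presents them as alternatives and the list has no step 1. If the lead-in was judged redundant, the surviving items should be renumbered from 1 and the two options merged into it, e.g. `1. Get scorecard output, either by running legitify with --scorecard verbose or by running scorecard manually` followed by `2. Fix the failed checks`. The hunk shows only the list itself, so I cannot tell whether text above it was meant to replace the removed line.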
--- a/docs/github/repository/token_default_permissions_is_read_write.md +++ b/docs/github/repository/token_default_permissions_is_read_write.md @@ -22,7 +22,7 @@ In case of token compromise (due to a vulnerability or malicious third-party Git ### Remediation 1. Make sure you have admin permissions 2. Go to the org's settings page -3. Enter "Actions - General" tab +3. Enter 'Actions - General' tab 4. Under 'Workflow permissions' 5. Select 'Read repository contents permission' 6. Click 'Save' diff --git a/docs/github/repository/users_allowed_to_bypass_ruleset.md b/docs/github/repository/users_allowed_to_bypass_ruleset.md index dffa7e1a..39c144a4 100644 --- a/docs/github/repository/users_allowed_to_bypass_ruleset.md +++ b/docs/github/repository/users_allowed_to_bypass_ruleset.md @@ -21,10 +21,10 @@ Attackers that gain access to a user that can bypass the ruleset rules can compr ### Remediation 1. Go to the repository settings page -2. Under "Code and automation", select "Rules -> Rulesets" +2. Under 'Code and automation', select 'Rules -> Rulesets' 3. Find the relevant ruleset -4. Empty the "Bypass list" -5. Press "Save Changes" +4. Empty the 'Bypass list' +5. Press 'Save Changes' diff --git a/docs/github/repository/vulnerability_alerts_not_enabled.md b/docs/github/repository/vulnerability_alerts_not_enabled.md index 7531bd9c..1246a546 100644 --- a/docs/github/repository/vulnerability_alerts_not_enabled.md +++ b/docs/github/repository/vulnerability_alerts_not_enabled.md @@ -22,8 +22,8 @@ An open source vulnerability may be affecting your code without your knowledge, ### Remediation 1. Make sure you have admin permissions 2. Go to the repo's settings page -3. Enter "Code security and analysis" tab -4. Set "Dependabot alerts" as Enabled +3. Enter 'Code security and analysis' tab +4. Set 'Dependabot alerts' as Enabled 
diff --git a/docs/github/runner_group/runner_group_can_be_used_by_public_repositories.md b/docs/github/runner_group/runner_group_can_be_used_by_public_repositories.md index 1378ff7d..f60b8202 100644 --- a/docs/github/runner_group/runner_group_can_be_used_by_public_repositories.md +++ b/docs/github/runner_group/runner_group_can_be_used_by_public_repositories.md @@ -23,7 +23,6 @@ that create a workflow that exploits these vulnerabilities and move laterally in ### Threat Example(s) Hosted runners are usually part of the organization's private network and can be easily misconfigured. -If the hosted runner is insecurely configured, any GitHub user could: 1. Create a workflow that runs on the public hosted runner 2. Exploit the misconfigurations to execute code inside the private network diff --git a/docs/github/runner_group/runner_group_not_limited_to_selected_repositories.md b/docs/github/runner_group/runner_group_not_limited_to_selected_repositories.md index 001c210d..0301f5c9 100644 --- a/docs/github/runner_group/runner_group_not_limited_to_selected_repositories.md +++ b/docs/github/runner_group/runner_group_not_limited_to_selected_repositories.md @@ -19,7 +19,6 @@ malicious insider could create a repository with a workflow that exploits the ru ### Threat Example(s) Hosted runners are usually part of the organization's private network and can be easily misconfigured. -If the hosted runner is insecurely configured, any user in the organization could: 1. Create a workflow that runs on the hosted runner 2. Exploit the runner misconfigurations/known CVE's to execute code inside the private network diff --git a/docs/gitlab/enterprise/all_users_are_allowed_to_create_public_projects.md b/docs/gitlab/enterprise/all_users_are_allowed_to_create_public_projects.md index 4742188c..0721b9fa 100644 --- a/docs/gitlab/enterprise/all_users_are_allowed_to_create_public_projects.md +++ b/docs/gitlab/enterprise/all_users_are_allowed_to_create_public_projects.md 
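Review bot: Deleting `If the hosted runner is insecurely configured, any GitHub user could:` leaves the numbered list in the Threat Example without the sentence that names the actor and the precondition, so `1. Create a workflow that runs on the public hosted runner` now reads as an instruction rather than as a threat scenario; the second hunk on this line (runner_group_not_limited_to_selected_repositories.md) drops the matching `any user in the organization could:` line with the same effect. If the lead-in was felt to duplicate the preceding sentence, fold it in instead, e.g. `Hosted runners are usually part of the organization's private network and can be easily misconfigured; if so, any GitHub user could:`. Otherwise the removed line should stay.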
@@ -17,10 +17,10 @@ Your server allows non-admin members to create public repositories. Creating a p
 ### Remediation
-1. Press Settings -> General
-2. Expand "Visibility and access controls" section
-3. Under "Restricted visibility levels" toggle "Public"
-4. Press "Save Changes"
+2. Press Settings -> General
+3. Expand 'Visibility and access controls' section
+4. Under 'Restricted visibility levels' toggle 'Public'
+5. Press 'Save Changes'
diff --git a/docs/gitlab/enterprise/default_branch_protection_not_globally_enforced.md b/docs/gitlab/enterprise/default_branch_protection_not_globally_enforced.md
index 3cc88624..55358e2f 100644
--- a/docs/gitlab/enterprise/default_branch_protection_not_globally_enforced.md
+++ b/docs/gitlab/enterprise/default_branch_protection_not_globally_enforced.md
@@ -17,10 +17,10 @@ Branch protection is not enabled for the entire server or account by default. An
 ### Remediation
-1. Press Settings -> Repository
-2. Expand "Default Branch" section
-3. Toggle "Fully protected"
-4. Press "Save Changes"
+2. Press Settings -> Repository
+3. Expand 'Default Branch' section
+4. Toggle 'Fully protected'
+5. Press 'Save Changes'
diff --git a/docs/gitlab/enterprise/default_group_visibility_is_public.md b/docs/gitlab/enterprise/default_group_visibility_is_public.md
index f6a7e1e5..cabcdf4a 100644
--- a/docs/gitlab/enterprise/default_group_visibility_is_public.md
+++ b/docs/gitlab/enterprise/default_group_visibility_is_public.md
@@ -17,10 +17,10 @@ Your server is configured by default that every new group is created public. Thi
 ### Remediation
-1. Press Settings -> General
-2. Expand "Visibility and access controls" section
-3. Under "Default group visibility" toggle "Private"
-4. Press "Save Changes"
+2. Press Settings -> General
+3. Expand 'Visibility and access controls' section
+4. Under 'Default group visibility' toggle 'Private'
+5. Press 'Save Changes'
diff --git a/docs/gitlab/enterprise/default_project_visibility_is_public.md b/docs/gitlab/enterprise/default_project_visibility_is_public.md
index e5bc90b7..27357043 100644
--- a/docs/gitlab/enterprise/default_project_visibility_is_public.md
+++ b/docs/gitlab/enterprise/default_project_visibility_is_public.md
@@ -18,10 +18,10 @@ Your server is configured by default that every new project is created public. T
 ### Remediation
-1. Press Settings -> General
-2. Expand "Visibility and access controls" section
-3. Under "Default project visibility" toggle "Private"
-4. Press "Save Changes"
+2. Press Settings -> General
+3. Expand 'Visibility and access controls' section
+4. Under 'Default project visibility' toggle 'Private'
+5. Press 'Save Changes'
diff --git a/docs/gitlab/enterprise/password_authentication_enabled_for_git_is_enabled.md b/docs/gitlab/enterprise/password_authentication_enabled_for_git_is_enabled.md
index 276c29ec..689ef47e 100644
--- a/docs/gitlab/enterprise/password_authentication_enabled_for_git_is_enabled.md
+++ b/docs/gitlab/enterprise/password_authentication_enabled_for_git_is_enabled.md
@@ -17,10 +17,10 @@ Password authentication for Git protocol operations (pull / push) is discouraged
 ### Remediation
-1. Press Settings -> General
-2. Expand "Sign-in restrictions" section
-3. Un toggle "Allow password authentication for Git over HTTP(S)"
-4. Press "Save Changes"
+2. Press Settings -> General
+3. Expand 'Sign-in restrictions' section
+4. Un toggle 'Allow password authentication for Git over HTTP(S)'
+5. Press 'Save Changes'
diff --git a/docs/gitlab/enterprise/require_two_factor_authentication_not_globally_enforced.md b/docs/gitlab/enterprise/require_two_factor_authentication_not_globally_enforced.md
index 09a842ae..f5ae2dc7 100644
--- a/docs/gitlab/enterprise/require_two_factor_authentication_not_globally_enforced.md
+++ b/docs/gitlab/enterprise/require_two_factor_authentication_not_globally_enforced.md
@@ -17,10 +17,10 @@ It is recommended to turn on MFA at the server or account level, and proactively
 ### Remediation
-1. Press Settings -> General
-2. Expand "Sign-in restrictions" section
-3. Toggle "Two-factor authentication"
-4. Press "Save Changes"
+2. Press Settings -> General
+3. Expand 'Sign-in restrictions' section
+4. Toggle 'Two-factor authentication'
+5. Press 'Save Changes'
diff --git a/docs/gitlab/enterprise/send_user_confirmation_email_not_enabled.md b/docs/gitlab/enterprise/send_user_confirmation_email_not_enabled.md
index 94ccfa16..c3e22bea 100644
--- a/docs/gitlab/enterprise/send_user_confirmation_email_not_enabled.md
+++ b/docs/gitlab/enterprise/send_user_confirmation_email_not_enabled.md
@@ -17,10 +17,10 @@ This security option enforces any new user to confirm their email address, and e
 ### Remediation
-1. Press Settings -> General
-2. Expand "Sign-up restrictions" section
-3. Toggle "Send confirmation email on sign-up"
-4. Press "Save Changes"
+2. Press Settings -> General
+3. Expand 'Sign-up restrictions' section
+4. Toggle 'Send confirmation email on sign-up'
+5. Press 'Save Changes'
diff --git a/docs/gitlab/enterprise/throttle_authenticated_api_not_enabled.md b/docs/gitlab/enterprise/throttle_authenticated_api_not_enabled.md
index 3e5f909f..9bd4f84b 100644
--- a/docs/gitlab/enterprise/throttle_authenticated_api_not_enabled.md
+++ b/docs/gitlab/enterprise/throttle_authenticated_api_not_enabled.md
@@ -17,10 +17,10 @@ Enabling authenticated request rate-limit on APIs reduces volume of requests, an
 ### Remediation
-1. Press Settings -> Network
-2. Expand "User and IP rate limit" section
-3. Toggle "Enable authenticated API request rate limit
-4. Press "Save Changes"
+2. Press Settings -> Network
+3. Expand 'User and IP rate limit' section
+4. Toggle 'Enable authenticated API request rate limit'
+5. Press 'Save Changes'
diff --git a/docs/gitlab/enterprise/throttle_unauthenticated_request_not_enabled.md b/docs/gitlab/enterprise/throttle_unauthenticated_request_not_enabled.md
index c15908f8..dc68e1a5 100644
--- a/docs/gitlab/enterprise/throttle_unauthenticated_request_not_enabled.md
+++ b/docs/gitlab/enterprise/throttle_unauthenticated_request_not_enabled.md
@@ -17,10 +17,10 @@ The server allows restricting the limit of unauthenticated requests. It is recom
 ### Remediation
-1. Press Settings -> Network
-2. Expand "User and IP rate limit" section
-3. Toggle "Enable unauthenticated API request rate limit" and "Enable unauthenticated web request rate limit"
-4. Press "Save Changes"
+2. Press Settings -> Network
+3. Expand 'User and IP rate limit' section
+4. Toggle 'Enable unauthenticated API request rate limit' and 'Enable unauthenticated web request rate limit'
+5. Press 'Save Changes'
diff --git a/docs/gitlab/enterprise/unauthenticated_signup_enabled.md b/docs/gitlab/enterprise/unauthenticated_signup_enabled.md
index 54f18ad8..c5ab9dc8 100644
--- a/docs/gitlab/enterprise/unauthenticated_signup_enabled.md
+++ b/docs/gitlab/enterprise/unauthenticated_signup_enabled.md
@@ -16,10 +16,10 @@ The server allows any person with network access to sign up, create a user and a
 ### Remediation
-1. Press Settings -> General
-2. Expand "Sign-up restrictions" section
-3. Un toggle "Sign-up enabled"
-4. Press "Save Changes"
+2. Press Settings -> General
+3. Expand 'Sign-up restrictions' section
+4. Un toggle 'Sign-up enabled'
+5. Press 'Save Changes'
diff --git a/docs/gitlab/enterprise/webhooks_are_allowed_to_be_sent_to_local_network.md b/docs/gitlab/enterprise/webhooks_are_allowed_to_be_sent_to_local_network.md
index 494b5855..4f78e897 100644
--- a/docs/gitlab/enterprise/webhooks_are_allowed_to_be_sent_to_local_network.md
+++ b/docs/gitlab/enterprise/webhooks_are_allowed_to_be_sent_to_local_network.md
@@ -17,10 +17,10 @@ Webhooks sent by GitLab servers are authenticated, and can cause potential damag
 ### Remediation
-1. Press Settings -> Network
-2. Expand "Outbound requests" section
-3. Un toggle "Allow requests to the local network from web hooks and services"
-4. Press "Save Changes"
+2. Press Settings -> Network
+3. Expand 'Outbound requests' section
+4. Un toggle 'Allow requests to the local network from web hooks and services'
+5. Press 'Save Changes'
diff --git a/docs/gitlab/group/collaborators_can_fork_repositories_to_external_namespaces.md b/docs/gitlab/group/collaborators_can_fork_repositories_to_external_namespaces.md
index 9baef090..808a412b 100644
--- a/docs/gitlab/group/collaborators_can_fork_repositories_to_external_namespaces.md
+++ b/docs/gitlab/group/collaborators_can_fork_repositories_to_external_namespaces.md
@@ -12,7 +12,7 @@ policy name: collaborators_can_fork_repositories_to_external_namespaces
 severity: MEDIUM
 ### Description
-The ability to fork project to external namespaces is turned on. Forking a repository can lead to loss of control and potential exposure of source code. If you do not need forking, it is recommended to turn it off in the project's configuration. The option to fork should be enabled only by owners deliberately when opting to create a fork.
+The ability to fork a project to external namespaces is turned on. Forking a repository can lead to loss of control and potential exposure of source code. If you do not need forking, it is recommended to turn it off in the project's configuration. The option to fork should be enabled only by owners deliberately when opting to create a fork.
 ### Threat Example(s)
 Forking to external namespaces could result in loss of control over proprietary information and potentially expose the organization to security risks, such as data leaks.
@@ -22,8 +22,8 @@ Forking to external namespaces could result in loss of control over proprietary
 ### Remediation
 1. Go to the top-level groups Settings > General page
 2. Expand the Permissions and group features section
-3. Check Prevent project forking outside current group
-4. Select Save changes
+3. Check 'Prevent project forking outside current group'
+4. Select 'Save changes'
diff --git a/docs/gitlab/group/group_allows_excessive_mfa_grace_period.md b/docs/gitlab/group/group_allows_excessive_mfa_grace_period.md
index f8afa350..547d9ec8 100644
--- a/docs/gitlab/group/group_allows_excessive_mfa_grace_period.md
+++ b/docs/gitlab/group/group_allows_excessive_mfa_grace_period.md
@@ -15,16 +15,16 @@ severity: MEDIUM
 New members added to your group are allowed longer than a week to enable MFA. The time frame should be lowered to one week or less.
 ### Threat Example(s)
-Any new group membmer effectivly acts as an attack surface until two-factor authentication is enabled. The risk is compounded as new members may be more vulnerable to phising and identity theft attacks.
+Any new group member effectively acts as an attack surface until two-factor authentication is enabled. The risk is compounded as new members may be more vulnerable to phishing and identity theft attacks.
 ### Remediation
 1. Go to the group page
 2. Press Settings -> General
-3. Expand "Permissions and group features"
-4. In the box titled: "Delay 2FA enforcement (hours)", enter a number under 168 (preferably 0)
-5. Press "Save Changes"
+3. Expand 'Permissions and group features'
+4. In the box titled: 'Delay 2FA enforcement (hours)', enter a number under 168 (preferably 0)
+5. Press 'Save Changes'
diff --git a/docs/gitlab/group/group_does_not_enforce_branch_protection_by_default.md b/docs/gitlab/group/group_does_not_enforce_branch_protection_by_default.md
index df882bba..2b828881 100644
--- a/docs/gitlab/group/group_does_not_enforce_branch_protection_by_default.md
+++ b/docs/gitlab/group/group_does_not_enforce_branch_protection_by_default.md
@@ -16,16 +16,16 @@ The default branch should be protected in each group so that any new repository
 ### Threat Example(s)
 A developer creates a repository without any branch protection rules
-Attacker that get access to the repository can modify its main branch without any restrictions
+An attacker that gains access to the repository can modify its main branch without any restrictions
 ### Remediation
 1. Go to the group page
 2. Press Settings -> Repository
-3. Expand "Default Branch" section
+3. Expand 'Default Branch' section
 4. Toggle the required protection rule
-5. Press "Save Changes"
+5. Press 'Save Changes'
diff --git a/docs/gitlab/group/organization_webhook_doesnt_require_ssl.md b/docs/gitlab/group/organization_webhook_doesnt_require_ssl.md
index 045fc27a..1efcd0c1 100644
--- a/docs/gitlab/group/organization_webhook_doesnt_require_ssl.md
+++ b/docs/gitlab/group/organization_webhook_doesnt_require_ssl.md
@@ -12,19 +12,19 @@ policy name: organization_webhook_doesnt_require_ssl
 severity: LOW
 ### Description
-Webhooks that are not configured with SSL enabled could expose your sofware to man in the middle attacks (MITM).
+Webhooks that are not configured with SSL enabled could expose your software to man-in-the-middle attacks (MITM).
 ### Threat Example(s)
-If SSL verification is disabled, any party with access to the target DNS domain can masquerade as your designated payload URL, allowing it freely read and affect the response of any webhook request.
+Webhooks with SSL verification disabled can be exploited by any party with access to the target DNS domain, allowing them to masquerade as your designated payload URL and freely read and affect the response of any webhook request.
 In the case of GitLab Self-Managed, it may be sufficient only to control the DNS configuration of the network where the instance is deployed.
 ### Remediation
 1. Go to the group Settings -> Webhooks page
-2. Find the misconfigured webhook and press "Edit"
-3. Toggle "Enable SSL verification"
-4. Press "Save Changes"
+2. Find the misconfigured webhook and press 'Edit'
+3. Toggle 'Enable SSL verification'
+4. Press 'Save Changes'
diff --git a/docs/gitlab/group/two_factor_authentication_not_required_for_group.md b/docs/gitlab/group/two_factor_authentication_not_required_for_group.md
index 25b1e002..82617d18 100644
--- a/docs/gitlab/group/two_factor_authentication_not_required_for_group.md
+++ b/docs/gitlab/group/two_factor_authentication_not_required_for_group.md
@@ -15,16 +15,16 @@ severity: HIGH
 The two-factor authentication requirement is not enabled at the group level. Regardless of whether users are managed externally by SSO, it is highly recommended to enable this option, to reduce the risk of a deliberate or accidental user creation without MFA.
 ### Threat Example(s)
-If an attacker gets the valid credentials for one of the organization’s users they can authenticate to your GitHub organization.
+If an attacker gets valid credentials for one of the organization’s users, they can authenticate to your GitHub organization.
 ### Remediation
 1. Go to the group page
 2. Press Settings -> General
-3. Expand "Permissions and group features"
-4. Toggle "Require all users in this group to set up two-factor authentication"
-5. Press "Save Changes"
+3. Expand 'Permissions and group features'
+4. Toggle 'Require all users in this group to set up two-factor authentication'
+5. Press 'Save Changes'
diff --git a/docs/gitlab/index.md b/docs/gitlab/index.md
index a9ab1758..26a1cbf2 100644
--- a/docs/gitlab/index.md
+++ b/docs/gitlab/index.md
@@ -3,4 +3,3 @@ layout: default
 title: GitLab Policies
 has_children: true
 ---
-
diff --git a/docs/gitlab/member/stale_admin_found.md b/docs/gitlab/member/stale_admin_found.md
index 0d8e66fd..2df118f0 100644
--- a/docs/gitlab/member/stale_admin_found.md
+++ b/docs/gitlab/member/stale_admin_found.md
@@ -1,18 +1,18 @@
 ---
 layout: default
-title: Admininistrators Should Have Activity in the Last 6 Months
+title: Administrators Should Have Activity in the Last 6 Months
 parent: Member Policies
 grand_parent: GitLab Policies
 ---
-## Admininistrators Should Have Activity in the Last 6 Months
+## Administrators Should Have Activity in the Last 6 Months
 policy name: stale_admin_found
 severity: MEDIUM
 ### Description
-A collaborator with global admin permissions didn't do any action in the last 6 months. Admin users are extremely powerful and common compliance standards demand keeping the number of admins at minimum. Consider revoking this collaborator admin credentials (downgrade to regular user), or remove the user completely.
+A collaborator with global admin permissions didn't perform any action in the last 6 months. Admin users are extremely powerful, and common compliance standards demand keeping the number of admins to a minimum. Consider revoking this collaborator's admin credentials (downgrade to regular user) or removing the user completely.
 ### Threat Example(s)
 Stale admins are most likely not managed and monitored, increasing the possibility of being compromised.
@@ -20,9 +20,9 @@ Stale admins are most likely not managed and monitored, increasing the possibili
 ### Remediation
-1. Go to admin menu
-2. Select "Overview -> Users" on the left navigation bar
-3. Find the stale admin and either delete of block it
+1. Go to the admin menu
+2. Select 'Overview -> Users' on the left navigation bar
+3. Find the stale admin and either delete or block it
diff --git a/docs/gitlab/member/two_factor_authentication_is_disabled_for_a_collaborator.md b/docs/gitlab/member/two_factor_authentication_is_disabled_for_a_collaborator.md
index 12a353e7..21144c67 100644
--- a/docs/gitlab/member/two_factor_authentication_is_disabled_for_a_collaborator.md
+++ b/docs/gitlab/member/two_factor_authentication_is_disabled_for_a_collaborator.md
@@ -15,15 +15,15 @@ severity: HIGH
 A collaborator's two factor authentication is disabled. Turn it on in the collaborator setting, or globally in the account, to prevent any access without MFA.
 ### Threat Example(s)
-Collaborators without two-factor authentication are prime targets for phising and social engineering attacks, as compromise only requires acquiring the collaborator's password.
+Collaborators without two-factor authentication are prime targets for phishing and social engineering attacks, as compromise only requires acquiring the collaborator's password.
 ### Remediation
 1. Login with the user credentials
 2. Go to the user settings page
-3. Select "Account" on the left navigation bar
-4. Press "Enable two-factor authentication"
+3. Select 'Account' on the left navigation bar
+4. Press 'Enable two-factor authentication'
diff --git a/docs/gitlab/member/two_factor_authentication_is_disabled_for_an_external_collaborator.md b/docs/gitlab/member/two_factor_authentication_is_disabled_for_an_external_collaborator.md
index db5e76e0..cd9e44c9 100644
--- a/docs/gitlab/member/two_factor_authentication_is_disabled_for_an_external_collaborator.md
+++ b/docs/gitlab/member/two_factor_authentication_is_disabled_for_an_external_collaborator.md
@@ -15,7 +15,7 @@ severity: HIGH
 An external collaborator's two factor authentication is disabled. Turn it on in the collaborator setting, or globally in the account, to prevent any access without MFA.
 ### Threat Example(s)
-Collaborators without two-factor authentication are prime targets for phising and social engineering attacks, as compromise only requires acquiring the collaborator's password.
+Collaborators without two-factor authentication are prime targets for phishing and social engineering attacks, as compromise only requires acquiring the collaborator's password.
 This is doubly important for external collaborators, as these are identities that aren't likely managed by you or your organization and may be easier to compromise.
@@ -23,8 +23,8 @@ This is doubly important for external collaborators, as these are identities tha
 ### Remediation
 1. Login with the user credentials
 2. Go to the user settings page
-3. Select "Account" on the left navigation bar
-4. Press "Enable two-factor authentication"
+3. Select 'Account' on the left navigation bar
+4. Press 'Enable two-factor authentication'
diff --git a/docs/gitlab/project/code_review_by_two_members_not_required.md b/docs/gitlab/project/code_review_by_two_members_not_required.md
index 614c1959..050a9012 100644
--- a/docs/gitlab/project/code_review_by_two_members_not_required.md
+++ b/docs/gitlab/project/code_review_by_two_members_not_required.md
@@ -22,12 +22,11 @@ Users can merge code without being reviewed which can lead to insecure code reac
 ### Remediation
 1. Make sure you have admin permissions
 2. Go to the repo's settings page
-3. Enter "Merge Requests" tab
-4. Under "Merge request approvals"
-5. Click "Add approval rule" on the default branch rule
-6. Select "Approvals required" and enter at least 2 approvers"
-7. Select "Add approvers" and select the desired members
-8. Click "Add approval rule"
+3. Enter 'Merge Requests' tab
+4. Under 'Merge request approvals', Click 'Add approval rule' on the default branch rule
+5. Select 'Approvals required' and enter at least 2 approvers
+6. Select 'Add approvers' and select the desired members
+7. Click 'Add approval rule'
diff --git a/docs/gitlab/project/code_review_not_required.md b/docs/gitlab/project/code_review_not_required.md
index b0091ba8..5f476318 100644
--- a/docs/gitlab/project/code_review_not_required.md
+++ b/docs/gitlab/project/code_review_not_required.md
@@ -22,12 +22,11 @@ Users can merge code without being reviewed which can lead to insecure code reac
 ### Remediation
 1. Make sure you have admin permissions
 2. Go to the repo's settings page
-3. Enter "Merge Requests" tab
-4. Under "Merge request approvals"
-5. Click "Add approval rule" on the default branch rule
-6. Select "Approvals required" and enter at least 1 approvers"
-7. Select "Add approvers" and select the desired members
-8. Click "Add approval rule"
+3. Enter 'Merge Requests' tab
+4. Under 'Merge request approvals', Click 'Add approval rule' on the default branch rule
+5. Select 'Approvals required' and enter at least 1 approvers
+6. Select 'Add approvers' and select the desired members
+7. Click 'Add approval rule'
diff --git a/docs/gitlab/project/forking_allowed_for_repository.md b/docs/gitlab/project/forking_allowed_for_repository.md
index 4e184ff8..09938c54 100644
--- a/docs/gitlab/project/forking_allowed_for_repository.md
+++ b/docs/gitlab/project/forking_allowed_for_repository.md
@@ -15,18 +15,15 @@ severity: LOW
 Forking a repository can lead to loss of control and potential exposure of source code. If you do not need forking, it is recommended to turn it off in the project's configuration. The option to fork should be enabled only by owners deliberately when opting to create a fork.
 ### Threat Example(s)
-Forked repositories may leak important code assets or sensitive secrets embedded in the code to anyone outside your organization, as the code becomes publicy-accessible
+Forked repositories may leak important code assets or sensitive secrets embedded in the code to anyone outside your organization, as the code becomes publicly accessible.
 ### Remediation
 1. Make sure you have owner permissions
 2. Go to the project's settings page
-3. Enter "General" tab
-4. Under "Visibility
-5. project features
-6. permissions"
-7. Toggle off "Forks"
+3. Enter 'General' tab
+4. Under 'Visibility, project features, permissions', Toggle off 'Forks'
diff --git a/docs/gitlab/project/missing_default_branch_protection.md b/docs/gitlab/project/missing_default_branch_protection.md
index 600f8b54..1d4a325c 100644
--- a/docs/gitlab/project/missing_default_branch_protection.md
+++ b/docs/gitlab/project/missing_default_branch_protection.md
@@ -21,9 +21,10 @@ Any contributor with write access may push potentially dangerous code to this re
 ### Remediation
 1. Make sure you have owner permissions
-2. Go to the projects's settings -> Repository page
-3. Enter "Protected branches" tab
-4. select the default branch. Set the allowed to merge to "maintainers" and the allowed to push to "No one"
+2. Go to the project's settings -> Repository page
+3. Enter 'Protected branches' tab
+4. Select the default branch
+5. Set the allowed to merge to 'maintainers' and the allowed to push to 'No one'
diff --git a/docs/gitlab/project/missing_default_branch_protection_force_push.md b/docs/gitlab/project/missing_default_branch_protection_force_push.md
index 011e5183..04739284 100644
--- a/docs/gitlab/project/missing_default_branch_protection_force_push.md
+++ b/docs/gitlab/project/missing_default_branch_protection_force_push.md
@@ -21,9 +21,10 @@ Rewriting project history can make it difficult to trace back when bugs or secur
 ### Remediation
 1. Make sure you have owner permissions
-2. Go to the projects's settings -> Repository page
-3. Enter "Protected branches" tab
-4. select the default branch. Set the allowed to merge to "maintainers" and the allowed to push to "No one"
+2. Go to the project's settings -> Repository page
+3. Enter 'Protected branches' tab
+4. Select the default branch
+5. Set the allowed to merge to 'maintainers' and the allowed to push to 'No one'
diff --git a/docs/gitlab/project/no_conversation_resolution.md b/docs/gitlab/project/no_conversation_resolution.md
index a5dd6bed..18a187cf 100644
--- a/docs/gitlab/project/no_conversation_resolution.md
+++ b/docs/gitlab/project/no_conversation_resolution.md
@@ -12,7 +12,7 @@ policy name: no_conversation_resolution
 severity: LOW
 ### Description
-Require all merge request conversations to be resolved before merging. Check this to avoid bypassing/missing a Pull Reuqest comment.
+Require all merge request conversations to be resolved before merging. Check this to avoid bypassing/missing a Pull Request comment.
 ### Threat Example(s)
 Allowing the merging of code without resolving all conversations can promote poor and vulnerable code, as important comments may be forgotten or deliberately ignored when the code is merged.
@@ -22,9 +22,9 @@ Allowing the merging of code without resolving all conversations can promote poo
 ### Remediation
 1. Make sure you can manage project merge requests permissions
 2. Go to the project's settings page
-3. Select "Merge Requests"
-4. Press on the "All threads must be resolved"
-5. Click "Save changes"
+3. Select 'Merge Requests'
+4. Press on the 'All threads must be resolved'
+5. Click 'Save changes'
diff --git a/docs/gitlab/project/no_signed_commits.md b/docs/gitlab/project/no_signed_commits.md
index 574090a6..284d61e9 100644
--- a/docs/gitlab/project/no_signed_commits.md
+++ b/docs/gitlab/project/no_signed_commits.md
@@ -21,8 +21,9 @@ A commit containing malicious code may be crafted by a malicious actor that has
 ### Remediation
 1. Make sure you have owner permissions
-2. Go to the projects's settings -> Repository page
-3. Enter "Push Rules" tab. Set the "Reject unsigned commits" checkbox
+2. Go to the project's settings -> Repository page
+3. Enter 'Push Rules' tab
+4. Set the 'Reject unsigned commits' checkbox
diff --git a/docs/gitlab/project/project_has_too_many_admins.md b/docs/gitlab/project/project_has_too_many_admins.md
index 3762e3f1..19fd4216 100644
--- a/docs/gitlab/project/project_has_too_many_admins.md
+++ b/docs/gitlab/project/project_has_too_many_admins.md
@@ -12,7 +12,7 @@ policy name: project_has_too_many_admins
 severity: LOW
 ### Description
-Projects owners are highly privileged and could create great damage if they are compromised. It is recommeneded to limit the number of Project OWners to the minimum required (recommended maximum 3 admins).
+Projects owners are highly privileged and could create great damage if they are compromised. It is recommended to limit the number of Project Owners to the minimum required (recommended maximum 3 admins).
 ### Threat Example(s)
 A compromised user with owner permissions can initiate a supply chain attack in a plethora of ways.
diff --git a/docs/gitlab/project/project_webhook_doesnt_require_ssl.md b/docs/gitlab/project/project_webhook_doesnt_require_ssl.md
index 2b5b33a6..75974455 100644
--- a/docs/gitlab/project/project_webhook_doesnt_require_ssl.md
+++ b/docs/gitlab/project/project_webhook_doesnt_require_ssl.md
@@ -12,10 +12,10 @@ policy name: project_webhook_doesnt_require_ssl
 severity: LOW
 ### Description
-Webhooks that are not configured with SSL verification enabled could expose your sofware to man in the middle attacks (MITM).
+Webhooks that are not configured with SSL verification enabled could expose your software to man-in-the-middle attacks (MITM).
 ### Threat Example(s)
-If SSL verification is disabled, any party with access to the target DNS domain can masquerade as your designated payload URL, allowing it freely read and affect the response of any webhook request.
+If SSL verification is disabled, any party with access to the target DNS domain can masquerade as your designated payload URL, allowing it to freely read and affect the response of any webhook request.
 In the case of GitLab Self-Managed, it may be sufficient only to control the DNS configuration of the network where the instance is deployed, as an attacker can redirect traffic to the target domain in your internal network directly to them, and this is often much easier than compromising an internet-facing domain.
@@ -23,9 +23,9 @@ In the case of GitLab Self-Managed, it may be sufficient only to control the DNS
 ### Remediation
 1. Make sure you can manage webhooks for the project
 2. Go to the project's settings page
-3. Select "Webhooks"
-4. Press on the "Enable SSL verfication"
-5. Click "Save changes"
+3. Select 'Webhooks'
+4. Press on the 'Enable SSL verification'
+5. Click 'Save changes'
diff --git a/docs/gitlab/project/repository_allows_committer_approvals_policy.md b/docs/gitlab/project/repository_allows_committer_approvals_policy.md
index 07832717..46d3e33e 100644
--- a/docs/gitlab/project/repository_allows_committer_approvals_policy.md
+++ b/docs/gitlab/project/repository_allows_committer_approvals_policy.md
@@ -22,10 +22,9 @@ Users can merge code without being reviewed which can lead to insecure code reac
 ### Remediation
 1. Make sure you have admin permissions
 2. Go to the repo's settings page
-3. Enter "Merge Requests" tab
-4. Under "Approval settings"
-5. Check "Prevent approvals by users who add commits"
-6. Click "Save Changes"
+3. Enter 'Merge Requests' tab
+4. Under 'Approval settings', Check 'Prevent approvals by users who add commits'
+5. Click 'Save Changes'
diff --git a/docs/gitlab/project/repository_allows_overriding_approvers.md b/docs/gitlab/project/repository_allows_overriding_approvers.md
index 2c9550f8..cba1489b 100644
--- a/docs/gitlab/project/repository_allows_overriding_approvers.md
+++ b/docs/gitlab/project/repository_allows_overriding_approvers.md
@@ -22,10 +22,9 @@ Users can merge code without being reviewed which can lead to insecure code reac
 ### Remediation
 1. Make sure you have admin permissions
 2. Go to the repo's settings page
-3. Enter "Merge Requests" tab
-4. Under "Approval settings"
-5. Check "Prevent editing approval rules in merge requests"
-6. Click "Save Changes"
+3. Enter 'Merge Requests' tab
+4. Under 'Approval settings', Check 'Prevent editing approval rules in merge requests'
+5. Click 'Save Changes'
diff --git a/docs/gitlab/project/repository_allows_review_requester_to_approve_their_own_request.md b/docs/gitlab/project/repository_allows_review_requester_to_approve_their_own_request.md
index 73d6965f..32eb7a15 100644
--- a/docs/gitlab/project/repository_allows_review_requester_to_approve_their_own_request.md
+++ b/docs/gitlab/project/repository_allows_review_requester_to_approve_their_own_request.md
@@ -22,10 +22,9 @@ Users can merge code without being reviewed which can lead to insecure code reac ### Remediation 1. Make sure you have admin permissions 2. Go to the repo's settings page -3. Enter "Merge Requests" tab -4. Under "Approval settings" -5. Check "Prevent approval by author" -6. Click "Save Changes" +3. Enter 'Merge Requests' tab +4. Under 'Approval settings', Check 'Prevent approval by author' +5. Click 'Save Changes' diff --git a/docs/gitlab/project/repository_dismiss_stale_reviews.md b/docs/gitlab/project/repository_dismiss_stale_reviews.md index 12a701f6..34ee2e00 100644 --- a/docs/gitlab/project/repository_dismiss_stale_reviews.md +++ b/docs/gitlab/project/repository_dismiss_stale_reviews.md @@ -22,10 +22,9 @@ Buggy or insecure code may be committed after approval and will reach the main b ### Remediation 1. Make sure you have admin permissions 2. Go to the repo's settings page -3. Enter "Merge Requests" tab -4. Under "Approval settings" -5. Check "Remove all approvals" -6. Click "Save Changes" +3. Enter 'Merge Requests' tab +4. Under 'Approval settings', Check 'Remove all approvals' +5. Click 'Save Changes' diff --git a/docs/gitlab/project/repository_require_code_owner_reviews_policy.md b/docs/gitlab/project/repository_require_code_owner_reviews_policy.md index d89707f9..d31e75c6 100644 --- a/docs/gitlab/project/repository_require_code_owner_reviews_policy.md +++ b/docs/gitlab/project/repository_require_code_owner_reviews_policy.md @@ -21,9 +21,10 @@ A pull request may be approved by any contributor with write access. Specifying ### Remediation 1. Make sure you have owner permissions -2. Go to the projects's settings -> Repository page -3. Enter "Protected branches" tab -4. select the default branch. Check the "Code owner approval" +2. Go to the project's settings -> Repository page +3. Enter 'Protected branches' tab +4. Select the default branch +5. Check the 'Code owner approval' 
diff --git a/docs/gitlab/project/requires_status_checks.md b/docs/gitlab/project/requires_status_checks.md index 7e32fc65..179dfef3 100644 --- a/docs/gitlab/project/requires_status_checks.md +++ b/docs/gitlab/project/requires_status_checks.md @@ -22,9 +22,9 @@ Not defining a set of required status checks can make it easy for contributors t ### Remediation 1. Make sure you can manage project merge requests permissions 2. Go to the project's settings page -3. Select "Merge Requests" -4. Press on the "Pipelines must succeed" -5. Click "Save changes" +3. Select 'Merge Requests' +4. Press on the 'Pipelines must succeed' +5. Click 'Save changes'
