Profile Applicability:
Level 1
Description:
Only a minimal number of authorized users should have permission to upload new artifacts to the package registry. Limiting upload rights reduces the risk of unauthorized or malicious artifact publication, protecting the integrity and security of the software supply chain.
Rationale:
By enforcing the principle of least privilege on upload permissions, organizations reduce the attack surface and prevent accidental or deliberate introduction of compromised or unvetted artifacts. This control supports accountability, auditability, and compliance with security policies.
Impact:
Pros:
Reduces risk of unauthorized or malicious uploads.
Enhances supply chain security.
Simplifies monitoring and auditing of artifact publishing.
Supports regulatory and policy compliance.
Cons:
May create bottlenecks if upload responsibilities are too narrowly assigned.
Requires effective user management and approval workflows.
Default value:
Some package registries may allow broad upload permissions by default.
Audit:
Review the registry's user and permission settings for artifact uploads (publish or deploy rights). Verify that only essential users hold upload privileges, and conduct periodic access reviews to confirm the list has not grown.
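The following added example (not part of the benchmark text) shows one way to perform this audit for an npm-style registry: it parses the user-to-permission mapping that `npm access list collaborators <package> --json` returns for each package and reports any user holding upload rights who is not on an approved publisher list, plus per-package publisher counts. The package names, user names and approved list are constructed for illustration.

```python
"""Audit helper: flag registry collaborators with upload rights who are not approved publishers."""
import json

# Constructed sample output, one JSON document per package, in the shape
# `npm access list collaborators <package> --json` prints (user -> permission).
SAMPLE_CLI_OUTPUT = {
    "@example/auth-lib": '{"release-bot": "read-write", "alice": "read-write", "bob": "read-only"}',
    "@example/web-ui": '{"release-bot": "read-write", "carol": "read-write", "dave": "read-write"}',
}

# Hypothetical policy: the minimal set of identities allowed to publish.
APPROVED_PUBLISHERS = {"release-bot", "alice"}

# Permission values that grant upload (publish) capability.
UPLOAD_PERMISSIONS = {"read-write"}


def load_collaborators(raw_by_package):
    """Parse the per-package JSON output into {package: {user: permission}}."""
    return {pkg: json.loads(text) for pkg, text in raw_by_package.items()}


def find_excess_publishers(collaborators, approved, upload_perms=UPLOAD_PERMISSIONS):
    """Return {package: [users]} for users with upload rights outside the approved set."""
    findings = {}
    for package, perms in collaborators.items():
        excess = sorted(u for u, p in perms.items() if p in upload_perms and u not in approved)
        if excess:
            findings[package] = excess
    return findings


def publisher_counts(collaborators, upload_perms=UPLOAD_PERMISSIONS):
    """Return {package: number of users with upload rights} to spot over-broad packages."""
    return {pkg: sum(1 for p in perms.values() if p in upload_perms)
            for pkg, perms in collaborators.items()}


if __name__ == "__main__":
    collabs = load_collaborators(SAMPLE_CLI_OUTPUT)
    for pkg, users in find_excess_publishers(collabs, APPROVED_PUBLISHERS).items():
        print(f"{pkg}: unapproved upload rights held by {', '.join(users)}")
    for pkg, count in publisher_counts(collabs).items():
        print(f"{pkg}: {count} user(s) with upload rights")
```

Feed the script real output by replacing the constructed dictionary with the captured JSON for each package in the organization's scope.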
Remediation:
Define and enforce policies to restrict artifact upload permissions. Remove unnecessary upload rights and implement approval or review processes for granting upload access. Educate users on secure publishing practices.
References:
npm Access Control and Teams: https://docs.npmjs.com/using-npm/organizations-and-teams
Sonatype Nexus Repository Roles and Privileges: https://help.sonatype.com/repomanager3/security/roles-and-privileges
CIS Controls v8, Control 4 - Secure Configuration of Enterprise Assets and Software: https://www.cisecurity.org/controls/secure-configuration-of-enterprise-assets-and-software/