Profile Applicability:
Level 1
Description:
The ability to create new repositories within an organization or project must be restricted to a defined set of authorized members or teams. This control helps prevent unauthorized or uncontrolled creation of repositories, which could lead to shadow IT, unmanaged codebases, or security risks.
Rationale:
Limiting repository creation reduces the risk of unmanaged code proliferation, enforces governance over code storage and collaboration, and minimizes potential exposure of sensitive or unvetted projects. It supports organizational compliance and resource management policies.
Impact:
Pros:
Improves governance and control over code repositories.
Reduces risk of unauthorized or unmanaged repositories.
Facilitates compliance with organizational policies.
Cons:
May delay repository creation requests if approval processes are slow.
Requires management and regular review of authorized users.
Default value:
By default, many platforms allow broad repository creation permissions for all organization members.
Audit:
Review organization or project settings to verify that repository creation permissions are limited to specific members or teams. Monitor audit logs for repository creation activities.
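As an added example (not part of the benchmark text), the two audit steps above can be scripted for GitHub: the first function flags organization settings that still let every member create repositories, and the second scans audit-log events for `repo.create` actions by actors outside an authorized set. The setting names follow the GitHub REST API's organization object; the audit-log field names (`action`, `actor`, `repo`, `created_at` in epoch milliseconds), the organization name, the actors and the authorized set are all constructed sample data.

```python
import json
from datetime import datetime, timezone

# Constructed sample of an organization object (shape of GET /orgs/{org}).
# Field names are the GitHub REST API's; values are made up for this example.
ORG_SETTINGS = {
    "login": "example-org",
    "members_can_create_repositories": True,
    "members_can_create_public_repositories": True,
    "members_can_create_private_repositories": True,
}

# Constructed audit-log export. Field names are an assumption about the
# exported JSON shape; created_at is epoch milliseconds.
AUDIT_EVENTS = [
    {"action": "repo.create", "actor": "platform-bot",
     "repo": "example-org/payments-api", "created_at": 1700000000000},
    {"action": "repo.create", "actor": "jdoe",
     "repo": "example-org/jdoe-scratch", "created_at": 1700003600000},
    {"action": "repo.access", "actor": "jdoe",
     "repo": "example-org/payments-api", "created_at": 1700007200000},
]

# Hypothetical allowlist of identities permitted to create repositories.
AUTHORIZED_CREATORS = {"platform-bot", "release-team-lead"}

CREATION_SETTINGS = (
    "members_can_create_repositories",
    "members_can_create_public_repositories",
    "members_can_create_private_repositories",
)


def setting_findings(org):
    """Return the settings that leave repository creation open to all members."""
    return [name for name in CREATION_SETTINGS if org.get(name)]


def unauthorized_creations(events, authorized):
    """Return repo.create events whose actor is not in the authorized set."""
    findings = []
    for ev in events:
        if ev.get("action") != "repo.create" or ev.get("actor") in authorized:
            continue
        when = datetime.fromtimestamp(ev["created_at"] / 1000, tz=timezone.utc)
        findings.append({"actor": ev["actor"], "repo": ev["repo"],
                         "at": when.isoformat()})
    return findings


if __name__ == "__main__":
    print(json.dumps({"open_settings": setting_findings(ORG_SETTINGS),
                      "unauthorized": unauthorized_creations(AUDIT_EVENTS, AUTHORIZED_CREATORS)},
                     indent=2))
```

Any non-empty result from either function is an audit finding: open settings mean the control is not enforced, and unauthorized creations mean it was bypassed or the allowlist is stale.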
Remediation:
Configure platform permissions (e.g., GitHub, GitLab) to restrict repository creation to designated users or teams. Establish approval workflows for repository requests. Educate members on repository governance policies.
References:
GitHub Organization Settings – Repository Creation Permissions: https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/managing-repository-creation-permissions-in-your-organization
GitLab Group Settings – Repository Creation: https://docs.gitlab.com/ee/user/group/settings.html#repository-creation
CIS Controls v8, Control 6 – Maintenance, Monitoring, and Analysis of Audit Logs: https://www.cisecurity.org/controls/maintenance-monitoring-and-analysis-of-audit-logs/