Profile Applicability:
 Level 1

Description:
 The ability to delete issues within a repository or project must be limited to designated users or teams. This control prevents unauthorized or accidental removal of issue records, preserving the integrity of the project’s history, audit trails, and collaboration transparency.

Rationale:
 Restricting issue deletion minimizes the risk of loss of important discussion, bug reports, or feature requests. It ensures accountability and maintains a reliable record of project activities, supporting audit and compliance requirements.

Impact:
 Pros:

  • Protects important project documentation and history.

  • Prevents unauthorized or accidental deletions.

  • Supports transparency and accountability in project management.

 Cons:

  • May require additional management of user permissions.

  • Could delay removal of obsolete or irrelevant issues if too restrictive.

Default value:
 By default, many platforms allow broad permissions for issue deletion, sometimes including all project maintainers or admins.

Audit:
 Review repository or project permission settings to verify that issue deletion rights are limited to the designated users or teams. Monitor audit logs for issue deletion events, compare the acting account against that approved list, and investigate any deletion performed by anyone else.
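The audit step above can be automated against an exported audit log. The following is an added example, not part of the benchmark text and not vendor code; the JSON-lines event schema, the `issue.delete` action name, the account names and every sample event are constructed for illustration, since GitHub and GitLab each emit their own audit-log formats and field names. It keeps an allow list of accounts permitted to delete issues, skips malformed lines, reports every deletion by anyone else, and tallies findings per actor so that a burst of deletions from one account stands out.

```python
"""Flag issue-deletion audit events whose actor is not on the approved list.

Added example for the Audit step; schema, action names and events are constructed.
"""
import json

# Constructed allow list: the only accounts permitted to delete issues.
APPROVED_DELETERS = {"triage-lead", "release-manager"}

# Constructed action name standing in for whatever the real platform emits.
DELETION_ACTIONS = {"issue.delete"}

# Constructed JSON-lines audit export (hypothetical schema, not a real platform's).
SAMPLE_AUDIT_LOG = """\
{"ts": "2024-05-01T09:12:03Z", "action": "issue.create", "actor": "dev-alice", "repo": "acme/api", "issue": 412}
{"ts": "2024-05-01T09:40:55Z", "action": "issue.delete", "actor": "triage-lead", "repo": "acme/api", "issue": 398}
{"ts": "2024-05-01T10:02:17Z", "action": "issue.delete", "actor": "dev-bob", "repo": "acme/api", "issue": 401}
{"ts": "2024-05-01T10:02:19Z", "action": "issue.delete", "actor": "dev-bob", "repo": "acme/api", "issue": 402}
{"ts": "2024-05-01T11:15:00Z", "action": "issue.delete", "actor": "dev-alice", "repo": "acme/web", "issue": 77}
this line is not json and is skipped by the parser
"""


def parse_events(text):
    """Yield one dict per JSON line, silently skipping blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def find_unauthorized_deletions(text, approved=APPROVED_DELETERS):
    """Return deletion events whose actor is outside the approved set, oldest first."""
    findings = []
    for ev in parse_events(text):
        if ev.get("action") not in DELETION_ACTIONS:
            continue
        if ev.get("actor") in approved:
            continue  # permitted deleter; nothing to report
        findings.append(ev)
    # ISO-8601 UTC timestamps sort correctly as strings.
    findings.sort(key=lambda e: e["ts"])
    return findings


def summarize_by_actor(findings):
    """Count unauthorized deletions per actor; repeated hits from one account stand out."""
    counts = {}
    for ev in findings:
        counts[ev["actor"]] = counts.get(ev["actor"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_unauthorized_deletions(SAMPLE_AUDIT_LOG)
    for ev in hits:
        print(f'{ev["ts"]} {ev["actor"]} deleted {ev["repo"]}#{ev["issue"]}')
    print(summarize_by_actor(hits))
```

Run it against a real export by replacing `SAMPLE_AUDIT_LOG` with the file contents and adjusting `DELETION_ACTIONS` and the field names to the platform's actual schema; the allow list should be generated from the permission settings reviewed in the first part of the audit rather than maintained by hand, so the two checks cannot drift apart.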

Remediation:
 Configure permissions to restrict issue deletion to a specific group of trusted users. Implement approval workflows if needed. Educate team members about issue management policies.

References:

  1. GitHub Issue Permissions: https://docs.github.com/en/issues/tracking-your-work-with-issues/assigning-issues-and-pull-requests-to-other-github-users

  2. GitLab Issue Management: https://docs.gitlab.com/ee/user/project/issues/

  3. CIS Controls v8, Control 6 – Maintenance, Monitoring, and Analysis of Audit Logs: https://www.cisecurity.org/controls/maintenance-monitoring-and-analysis-of-audit-logs/