Profile Applicability:
 Level 1

Description:
 Repositories must be configured with strict base permissions so that, by default, access is limited to authorized users and roles. This includes restricting read, write, and administrative privileges to essential personnel, ensuring that unauthorized users cannot access or modify repository contents.

Rationale:
 Implementing strict base permissions reduces the risk of unauthorized access, accidental changes, and data leaks. It enforces the principle of least privilege, improving the overall security posture and helping to meet compliance and governance requirements.

Impact:
 Pros:

  • Enhances repository security by limiting unnecessary access.

  • Prevents unauthorized modifications or data exposure.

  • Supports compliance with organizational policies and standards.

 Cons:

  • May require administrative effort to manage exceptions and access requests.

  • Potential for slowed collaboration if permissions are too restrictive without proper processes.

Default value:
 Many repositories have permissive default permissions that can expose code and data unintentionally.

Audit:
 Review repository permission settings to verify strict default access controls. Check audit logs for unauthorized access attempts or permission changes.

Remediation:
 Configure repository platforms to enforce restrictive default permissions. Establish processes for requesting and approving access. Conduct regular permission reviews and adjust as necessary.
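 The following is an added example, not part of the benchmark text, showing how the audit step above can be carried out against exported permission data rather than by hand. It assumes the dictionaries mirror the shape of GitHub REST API objects (the `default_repository_permission` field of an organization and the `permissions` flags of a repository collaborator) and that audit-log entries carry an `action` field; the action names listed and all sample data are constructed for illustration and should be replaced with the platform's documented values.

```python
# Added example (not from the CIS benchmark): offline check of repository
# permission exports against the "strict base permissions" requirement,
# plus extraction of permission-change events from an audit log.
# Assumptions: dict shapes mirror GitHub REST API objects
# (`default_repository_permission` on GET /orgs/{org}; `permissions` on
# GET /repos/{owner}/{repo}/collaborators); audit-log entries have an
# `action` field. Action names and sample data below are constructed.
from __future__ import annotations

# Strict baseline: the org-wide default grants no write or admin rights.
ALLOWED_DEFAULTS = {"none", "read"}

# Audit-log actions that change who can access or modify a repository
# (assumed names; align with the platform's documented event catalogue).
PERMISSION_CHANGE_ACTIONS = {
    "org.update_default_repository_permission",
    "repo.add_member",
    "repo.update_member",
    "repo.remove_member",
    "repo.access",          # repository visibility change
    "team.add_repository",
}

# Ordering of roles so approvals can be compared against granted rights.
ROLE_RANK = {"read": 0, "triage": 1, "write": 2, "maintain": 3, "admin": 4}


def check_default_permission(org: dict) -> list[str]:
    """Flag an organization whose default repository permission is permissive."""
    base = org.get("default_repository_permission", "read")
    if base in ALLOWED_DEFAULTS:
        return []
    return [f"org {org['login']}: default repository permission is '{base}' "
            f"(expected one of {sorted(ALLOWED_DEFAULTS)})"]


def effective_role(permissions: dict) -> str:
    """Collapse the boolean permission flags into a single role name."""
    if permissions.get("admin"):
        return "admin"
    if permissions.get("maintain"):
        return "maintain"
    if permissions.get("push"):
        return "write"
    if permissions.get("triage"):
        return "triage"
    return "read"


def check_collaborators(repo: str, collaborators: list[dict],
                        approved: dict[str, str]) -> list[str]:
    """Flag collaborators holding more access than their approval record allows.

    `approved` maps login -> highest approved role; logins absent from it are
    treated as approved for read only, which is the strict baseline.
    """
    findings = []
    for c in collaborators:
        role = effective_role(c.get("permissions", {}))
        if ROLE_RANK[role] == 0:
            continue  # read-only access is within the baseline
        allowed = approved.get(c["login"], "read")
        if ROLE_RANK[role] > ROLE_RANK[allowed]:
            findings.append(f"{repo}: {c['login']} has '{role}' "
                            f"but is approved for '{allowed}'")
    return findings


def permission_change_events(entries: list[dict]) -> list[dict]:
    """Return audit-log entries that altered repository access, for review."""
    return [e for e in entries if e.get("action") in PERMISSION_CHANGE_ACTIONS]


def run_audit(org: dict, repos: dict[str, list[dict]],
              audit_log: list[dict], approved: dict[str, str]) -> dict:
    """Combine the configuration checks with the audit-log review."""
    findings = check_default_permission(org)
    for name, collaborators in repos.items():
        findings += check_collaborators(name, collaborators, approved)
    return {"findings": findings, "events": permission_change_events(audit_log)}


# Constructed sample data (not real organizations, users or events).
SAMPLE_ORG = {"login": "example-org", "default_repository_permission": "write"}
SAMPLE_REPOS = {
    "example-org/payments": [
        {"login": "alice", "permissions": {"admin": True, "maintain": True,
                                           "push": True, "triage": True, "pull": True}},
        {"login": "bob", "permissions": {"admin": False, "maintain": False,
                                         "push": True, "triage": True, "pull": True}},
        {"login": "carol", "permissions": {"admin": False, "maintain": False,
                                           "push": False, "triage": False, "pull": True}},
    ],
}
APPROVED = {"alice": "admin"}  # bob holds write access with no approval record
SAMPLE_LOG = [
    {"action": "org.update_default_repository_permission", "actor": "dave",
     "created_at": "2024-05-01T10:00:00Z"},
    {"action": "repo.add_member", "actor": "dave", "user": "bob",
     "repo": "example-org/payments", "created_at": "2024-05-01T10:05:00Z"},
    {"action": "git.push", "actor": "alice", "repo": "example-org/payments",
     "created_at": "2024-05-01T11:00:00Z"},
]

if __name__ == "__main__":
    result = run_audit(SAMPLE_ORG, SAMPLE_REPOS, SAMPLE_LOG, APPROVED)
    for finding in result["findings"]:
        print("FINDING:", finding)
    for event in result["events"]:
        print("REVIEW:", event["created_at"], event["action"], "by", event["actor"])
```

 Running the script on the sample data reports two findings (the permissive org-wide default and bob's unapproved write access) and lists the two events that changed permissions while ignoring the ordinary push. Feeding it real exports turns the periodic permission review in the Remediation section into a repeatable check whose approved-access list is the record of the access-request process.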

References:

  1. GitHub Repository Permissions: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings

  2. GitLab Permissions and Access Control: https://docs.gitlab.com/ee/user/permissions.html

  3. CIS Controls v8, Control 4 - Secure Configuration of Enterprise Assets and Software: https://www.cisecurity.org/controls/secure-configuration-of-enterprise-assets-and-software/