Control: 1.3.7 Ensure two administrators are set for each repository
Description
Ensure every repository has two users with administrative permissions.
Rationale
Repository administrators have the highest permissions to said repository. These include the ability to add/remove collaborators, change branch protection policy, and convert to a publicly accessible repository. Due to the liberal access granted to a repository administrator, it is highly recommended that only two contributors occupy this role.
Note: Removing administrative users from a repository would result in them losing high-level access to that repository.
Audit
For every repository in use, verify there are two administrators.
Remediation
For every repository in use, set two administrators.
Usage
Run the control in your terminal:
powerpipe control run github_compliance.control.cis_supply_chain_v100_1_3_7
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run github_compliance.control.cis_supply_chain_v100_1_3_7 --share
SQL
This control uses a named query:
with repo_admins as (
  select
    name_with_owner,
    url,
    count(user_login) as admins
  from github_my_repository r
  join github_repository_collaborator c
  on r.name_with_owner = c.repository_full_name
  and c.permission = 'ADMIN'
  group by name_with_owner, url
)
select
  url as resource,
  case
    when admins >= 2 then 'ok'
    else 'alarm'
  end as status,
  name_with_owner || case when admins >= 2 then ' has ' || admins::text || ' administrators.' else ' has only ' || admins::text || ' administrators.' end as reason,
  name_with_owner
from repo_admins;
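A stricter variant of this audit, added here as an example and not the control's own named query: it uses a left join so a repository with no matching ADMIN collaborator row still returns a result, alarms on any count other than two, and lists the administrator logins for review. It assumes the same Steampipe GitHub plugin tables and columns as the query above, and PostgreSQL's string_agg.

```sql
-- Added example, not part of the github_compliance mod.
-- Assumption: same tables and columns as the control's named query.
with repo_admins as (
  select
    r.name_with_owner,
    r.url,
    -- count() ignores the NULLs produced by the left join,
    -- so a repository without ADMIN rows reports 0 instead of vanishing.
    count(c.user_login) as admins,
    string_agg(c.user_login, ', ' order by c.user_login) as admin_logins
  from github_my_repository r
  left join github_repository_collaborator c
    on r.name_with_owner = c.repository_full_name
    and c.permission = 'ADMIN'
  group by r.name_with_owner, r.url
)
select
  url as resource,
  case
    when admins = 2 then 'ok'
    else 'alarm'
  end as status,
  name_with_owner
    || case
         when admins = 2 then ' has exactly 2 administrators: '
         when admins > 2 then ' has ' || admins::text || ' administrators (more than two): '
         else ' has only ' || admins::text || ' administrators: '
       end
    || coalesce(admin_logins, 'none')
    || '.' as reason,
  name_with_owner
from repo_admins
order by admins desc, name_with_owner;
```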