From 7ae14ea1acc162f796cdbff2a4cddbdc4749e631 Mon Sep 17 00:00:00 2001
From: Daniel Barranquero <74871504+danibarranqueroo@users.noreply.github.com>
Date: Fri, 6 Mar 2026 11:02:45 +0100
Subject: [PATCH] chore(github): enhance metadata for 'organization' service (#10273)
---
 prowler/CHANGELOG.md | 1 +
 ...repository_permission_strict.metadata.json | 2 +-
 ...ization_members_mfa_required.metadata.json | 2 +-
 ..._repository_creation_limited.metadata.json | 19 +++++++++++--------
 .../organization_verified_badge.metadata.json | 12 ++++++------
 5 files changed, 20 insertions(+), 16 deletions(-)
diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md
index 4f2a437c42..884587f06d 100644
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -20,6 +20,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Update MongoDB Atlas Organizations service metadata to new format [(#9658)](https://github.com/prowler-cloud/prowler/pull/9658)
 - Update MongoDB Atlas clusters service metadata to new format [(#9657)](https://github.com/prowler-cloud/prowler/pull/9657)
 - Update GitHub Repository service metadata to new format [(#9659)](https://github.com/prowler-cloud/prowler/pull/9659)
+- Update GitHub Organization service metadata to new format [(#10273)](https://github.com/prowler-cloud/prowler/pull/10273)
 ---
diff --git a/prowler/providers/github/services/organization/organization_default_repository_permission_strict/organization_default_repository_permission_strict.metadata.json b/prowler/providers/github/services/organization/organization_default_repository_permission_strict/organization_default_repository_permission_strict.metadata.json
index 49c958bde3..fd41aa03ec 100644
--- a/prowler/providers/github/services/organization/organization_default_repository_permission_strict/organization_default_repository_permission_strict.metadata.json
+++ b/prowler/providers/github/services/organization/organization_default_repository_permission_strict/organization_default_repository_permission_strict.metadata.json
@@ -7,7 +7,7 @@
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "GitHubOrganization",
+ "ResourceType": "NotDefined",
 "ResourceGroup": "governance",
 "Description": "**GitHub organization** base repository permission for members uses a **strict setting** such as `read` or `none` rather than permissive options like `write` or `admin`. *Applies to members, not outside collaborators.*",
 "Risk": "**Excessive default permissions** (`write`/`admin`) erode code **integrity** and **availability**.\n\nAny member-or a compromised account-can alter many repos, inject malicious commits, change tags/releases, or delete branches, enabling supply-chain compromise and large-scale disruptions.",
diff --git a/prowler/providers/github/services/organization/organization_members_mfa_required/organization_members_mfa_required.metadata.json b/prowler/providers/github/services/organization/organization_members_mfa_required/organization_members_mfa_required.metadata.json
index ad4af4eb84..7388171ba0 100644
--- a/prowler/providers/github/services/organization/organization_members_mfa_required/organization_members_mfa_required.metadata.json
+++ b/prowler/providers/github/services/organization/organization_members_mfa_required/organization_members_mfa_required.metadata.json
@@ -7,7 +7,7 @@
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "critical",
- "ResourceType": "GitHubOrganization",
+ "ResourceType": "NotDefined",
 "ResourceGroup": "governance",
 "Description": "GitHub organization settings require all members to use **two-factor authentication** (2FA).\n\nThe evaluation determines whether access to organization resources is conditioned on members having 2FA enabled.",
 "Risk": "Without enforced **2FA**, stolen or reused passwords enable account takeover, leading to:\n- Loss of code integrity via unauthorized commits\n- Confidential data exposure from repos and secrets\n- Availability impact from settings changes, token revocation, or deletions",
diff --git a/prowler/providers/github/services/organization/organization_repository_creation_limited/organization_repository_creation_limited.metadata.json b/prowler/providers/github/services/organization/organization_repository_creation_limited/organization_repository_creation_limited.metadata.json
index 3a0f07bdbd..be2f7ab50f 100644
--- a/prowler/providers/github/services/organization/organization_repository_creation_limited/organization_repository_creation_limited.metadata.json
+++ b/prowler/providers/github/services/organization/organization_repository_creation_limited/organization_repository_creation_limited.metadata.json
@@ -1,27 +1,30 @@
 {
 "Provider": "github",
 "CheckID": "organization_repository_creation_limited",
- "CheckTitle": "Ensure repository creation is limited to trusted organization members.",
+ "CheckTitle": "Organization repository creation is limited to trusted members",
 "CheckType": [],
 "ServiceName": "organization",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "GitHubOrganization",
+ "ResourceType": "NotDefined",
 "ResourceGroup": "governance",
- "Description": "Ensure that repository creation is restricted so that only trusted owners or specific teams can create new repositories within the organization.",
- "Risk": "Allowing all members to create repositories increases the likelihood of shadow repositories, data leakage, or malicious projects being introduced without oversight.",
- "RelatedUrl": "https://docs.github.com/en/organizations/managing-organization-settings/restricting-repository-creation-in-your-organization",
+ "Description": "**GitHub organization** repository creation is restricted so that only trusted owners or specific teams can create new repositories within the organization.",
+ "Risk": "**Excessive default permissions** (`write`/`admin`) erode code **integrity** and **availability**.Any member-or a compromised account-can alter many repos, inject malicious commits, change tags/releases, or delete branches, enabling supply-chain compromise and large-scale disruptions.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://docs.github.com/en/organizations/managing-organization-settings/restricting-repository-creation-in-your-organization"
+ ],
 "Remediation": {
 "Code": {
 "CLI": "",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Sign in to GitHub as an organization owner\n2. Go to your organization > Settings\n3. In the left sidebar, click \"Access\" > \"Member privileges\"\n4. Under \"Repository creation\", select \"Restrict repository creation\"\n5. 
Click \"Save\"",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "Disable repository creation for members or limit it to specific trusted teams by adjusting Member privileges in the organization's settings.",
- "Url": "https://docs.github.com/en/organizations/managing-organization-settings/restricting-repository-creation-in-your-organization"
+ "Text": "Disable repository creation for members or limit it to specific trusted teams by adjusting **Member privileges** in the organization's settings.",
+ "Url": "https://hub.prowler.com/check/organization_repository_creation_limited"
 }
 },
 "Categories": [],
diff --git a/prowler/providers/github/services/organization/organization_verified_badge/organization_verified_badge.metadata.json b/prowler/providers/github/services/organization/organization_verified_badge/organization_verified_badge.metadata.json
index 83bcb7a9dd..719e63af1e 100644
--- a/prowler/providers/github/services/organization/organization_verified_badge/organization_verified_badge.metadata.json
+++ b/prowler/providers/github/services/organization/organization_verified_badge/organization_verified_badge.metadata.json
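Review bot: The new `Risk` value in this hunk (`+ "Risk": "**Excessive default permissions** (`write`/`admin`) erode code **integrity** ...`, which begins on the previous physical line) describes a different control: it is the same wording as the Risk of organization_default_repository_permission_strict earlier in this patch and says nothing about repository creation, whereas the removed Risk did. It also lost the `\n\n` paragraph break that the copied text has (`**availability**.Any member`). Suggested replacement that keeps the removed content: `"Risk": "**Unrestricted repository creation** lets any member create repositories without owner oversight, increasing the likelihood of **shadow repositories** that escape review and branch protection, data leakage through mis-scoped visibility, and malicious projects introduced under the organization's name.",`. Separately, the remediation label `select \"Restrict repository creation\"` in step 4 should be confirmed against the linked GitHub doc, since the hunk gives no evidence of the exact control name and the Member privileges page may expose per-visibility options rather than a single switch.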
@@ -1,16 +1,16 @@
 {
 "Provider": "github",
 "CheckID": "organization_verified_badge",
- "CheckTitle": "Ensure GitHub organization has a verified badge",
+ "CheckTitle": "Organization has a verified badge",
 "CheckType": [],
 "ServiceName": "organization",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "medium",
- "ResourceType": "GitHubOrganization",
+ "ResourceType": "NotDefined",
 "ResourceGroup": "governance",
- "Description": "Checks whether a GitHub organization has a verified badge.",
- "Risk": "Unverified organizations may be easier to impersonate, increasing the risk of phishing or trust abuse.",
+ "Description": "**GitHub organization** has a **verified badge**.",
+ "Risk": "**Unverified organizations** may be easier to impersonate, increasing the risk of phishing or trust abuse.",
 "RelatedUrl": "",
 "AdditionalURLs": [
 "https://docs.github.com/en/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization"
@@ -19,11 +19,11 @@
 "Code": {
 "CLI": "",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Sign in to GitHub as an organization owner\n2. Go to your organization > Settings\n3. In the left sidebar, click \"Verification\"\n4. Click \"Verify\"",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "Verify the organization identity by completing GitHub organization verification.",
+ "Text": "Verify the organization identity by completing **GitHub organization verification**.",
 "Url": "https://hub.prowler.com/check/organization_verified_badge"
 }
 },
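Review bot: The remediation steps added in the second hunk (`3. In the left sidebar, click \"Verification\"\n4. Click \"Verify\"`) never say what is being verified, so an operator cannot act on them; the AdditionalURLs entry in the first hunk points at verifying or approving a *domain* for the organization, which suggests the badge depends on proving control of the organization's domain rather than a single click. I would extend the steps to cover that, e.g. `3. In the left sidebar, open the organization's verified and approved domains settings\n4. Add the organization's domain and publish the verification record GitHub provides\n5. Once the record resolves, click \"Verify\"`, with the exact menu labels and record type confirmed against the linked GitHub doc, since the hunk itself does not show them.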