envoyproxy / java-control-plane

Java implementation of an Envoy gRPC control plane
Apache License 2.0

Security Policy violation Outside Collaborators #173

Closed allstar-app[bot] closed 2 years ago

allstar-app[bot] commented 3 years ago

Security Policy Outside Collaborators is out of compliance, status: Found 1 outside collaborators with admin access.

Issue created by Allstar. https://github.com/ossf/allstar

allstar-app[bot] commented 3 years ago

Updating issue after ping interval, status: Found 1 outside collaborators with admin access.

allstar-app[bot] commented 3 years ago

Updating issue after ping interval, status: Found 1 outside collaborators with admin access.

allstar-app[bot] commented 3 years ago

Updating issue after ping interval, status: Found 1 outside collaborators with admin access.

allstar-app[bot] commented 3 years ago

Updating issue after ping interval, status: Found 1 outside collaborators with admin access.

allstar-app[bot] commented 3 years ago

Updating issue after ping interval, status: Found 1 outside collaborators with admin access.

allstar-app[bot] commented 3 years ago

Updating issue after ping interval, status: Found 1 outside collaborators with admin access.

allstar-app[bot] commented 3 years ago

Updating issue after ping interval, status: Found 1 outside collaborators with admin access.

allstar-app[bot] commented 3 years ago

Updating issue after ping interval, status: Found 1 outside collaborators with admin access.

slonka commented 3 years ago

What can we do about it? Why isn't this issue actionable? @snowp can you help? (pinging you because the PR was merged by you)

allstar-app[bot] commented 3 years ago

Updating issue after ping interval, status: Found 1 outside collaborators with admin access.

snowp commented 3 years ago

@jeffmendoza Can you advise here? The description isn't super clear.

It might also be good to increase the ping interval; this is a bit spammy as is.

jeffmendoza commented 3 years ago

The idea here is that outside collaborators (non-org members) shouldn't be administrators on repos. Either they should be part of the org, or only have push access. Administrators can change security related settings like branch protection.

snowp commented 3 years ago

@alyssawilk @mattklein123 Can either of you check up on this? I don't think I have the visibility into the repo settings.

Maybe there is some bot with admin access?

mattklein123 commented 3 years ago

I think I fixed it. If there are any follow-on permissions issues please let me know.

allstar-app[bot] commented 3 years ago

In compliance, closing.

allstar-app[bot] commented 2 years ago

Reopening issue. Status: Did not find any owners of this repository.

This policy requires all repositories to have an organization member or team assigned as an administrator. Either there are no administrators, or all administrators are outside collaborators. A responsible party is required by organization policy to respond to security events and organization requests.

To add an administrator: from the main page of the repository, go to Settings -> Manage Access. (For more information, see https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories)

Alternately, if this repository does not have any maintainers, archive or delete it.
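The two Allstar checks in this thread (jeffmendoza's explanation of the Outside Collaborators policy above, and the Repository Administrators policy text in this comment) can be reproduced offline against collaborator records. This is an added example, not Allstar's or the project's own code; it assumes records in the shape of GitHub's repository-collaborators API response, with org membership and admin teams supplied separately, and all sample data is constructed.

```python
"""Offline check of the two Allstar policies discussed in this thread.
Example code, not Allstar's implementation. Records follow the shape of
GitHub's repository-collaborators API ({"login": ..., "permissions": {"admin": bool}});
org membership and admin teams are assumed to come from the org-members and
repo-teams APIs. All sample data is constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class PolicyResult:
    compliant: bool
    status: str

def admins(collaborators):
    """Logins of every collaborator whose direct permission includes admin."""
    return {c["login"] for c in collaborators if c["permissions"].get("admin")}

def outside_collaborators_policy(collaborators, org_members):
    """Outside Collaborators: no non-org member may hold admin, since admins can
    change branch protection and other security settings."""
    offenders = sorted(admins(collaborators) - set(org_members))
    if offenders:
        return PolicyResult(False, "Found %d outside collaborators with admin access: %s"
                            % (len(offenders), ", ".join(offenders)))
    return PolicyResult(True, "No outside collaborators with admin access")

def repository_admins_policy(collaborators, org_members, admin_teams=()):
    """Repository Administrators: at least one org member or org team must hold
    admin, so a responsible party exists for security events."""
    owners = sorted(admins(collaborators) & set(org_members)) + list(admin_teams)
    if owners:
        return PolicyResult(True, "Found owners: " + ", ".join(owners))
    return PolicyResult(False, "Did not find any owners of this repository")

def evaluate(collaborators, org_members, admin_teams=()):
    """Run both checks; a repo is compliant only when both pass."""
    return [outside_collaborators_policy(collaborators, org_members),
            repository_admins_policy(collaborators, org_members, admin_teams)]

# Constructed sample: 'alice' is an org member with push only; 'ext-admin' is an
# outside collaborator holding admin (the state reported at the top of the issue).
SAMPLE_COLLABORATORS = [
    {"login": "alice", "permissions": {"admin": False, "push": True, "pull": True}},
    {"login": "ext-admin", "permissions": {"admin": True, "push": True, "pull": True}},
]
SAMPLE_ORG_MEMBERS = {"alice", "bob"}
```

Note that stripping admin from the outside collaborator alone satisfies the first check but fails the second; an org member or team must also hold admin before both pass.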

allstar-app[bot] commented 2 years ago

Updating issue after ping interval. Status: Did not find any owners of this repository.

This policy requires all repositories to have an organization member or team assigned as an administrator. Either there are no administrators, or all administrators are outside collaborators. A responsible party is required by organization policy to respond to security events and organization requests.

To add an administrator: from the main page of the repository, go to Settings -> Manage Access. (For more information, see https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories)

Alternately, if this repository does not have any maintainers, archive or delete it.

jeffmendoza commented 2 years ago

@mattklein123 This is a new policy, can you check that it is working correctly? Are there any users or groups assigned to this repo with "admin" permissions? Thanks!

allstar-app[bot] commented 2 years ago

Updating issue after ping interval. Status: Did not find any owners of this repository.

This policy requires all repositories to have an organization member or team assigned as an administrator. Either there are no administrators, or all administrators are outside collaborators. A responsible party is required by organization policy to respond to security events and organization requests.

To add an administrator: from the main page of the repository, go to Settings -> Manage Access. (For more information, see https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories)

Alternately, if this repository does not have any maintainers, archive or delete it.

allstar-app[bot] commented 2 years ago

Updating issue after ping interval. Status: Did not find any owners of this repository.

This policy requires all repositories to have an organization member or team assigned as an administrator. Either there are no administrators, or all administrators are outside collaborators. A responsible party is required by organization policy to respond to security events and organization requests.

To add an administrator: from the main page of the repository, go to Settings -> Manage Access. (For more information, see https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories)

Alternately, if this repository does not have any maintainers, archive or delete it.

mattklein123 commented 2 years ago

I made a change which will hopefully fix this.

allstar-app[bot] commented 2 years ago

Reopening issue. Status: Did not find any owners of this repository.

This policy requires all repositories to have an organization member or team assigned as an administrator. Either there are no administrators, or all administrators are outside collaborators. A responsible party is required by organization policy to respond to security events and organization requests.

To add an administrator: from the main page of the repository, go to Settings -> Manage Access. (For more information, see https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories)

Alternately, if this repository does not have any maintainers, archive or delete it.

allstar-app[bot] commented 2 years ago

Policy is now in compliance. Closing issue.