New check: Do contributors and maintainers have 2fa enabled? #7
Comments
inferno-chromium
changed the title
|
I think the more practical would be "Do top 5/10contributors have 2FA enabled"? |
probably depends on how many contributors the project has? In terms of scoring, it could be:
Not sure this is possible with a reasonable number of API calls, though. We cannot go back in history too much either, so this may be done over the last n months, for example. |
|
API for org https://docs.github.com/en/rest/reference/orgs#members. May require special permission to use. |
This API allows querying for users in your organization that do not have 2FA enabled. It wouldn't fit our needs of being able to tell if an arbitrary user has 2FA enabled. I would be surprised if Github ever published an API allowing querying whether arbitrary users have 2FA enabled. I think a lot of people wouldn't be comfortable with it being public knowledge that they don't use 2FA. We might not ever be able to do this issue. |
|
if we could query the list of maintainers for a repo/org, we could then cross-check which maintainers don't have 2FA enabled. I've not looked closely at the API, though. We don't really need all users, we mostly need maintainers of the project, or devs that can reviews PRs, etc |
|
A side note - might be a good fit for AllStar i.e an AllStar policy can check all org members have 2fa enabled and bring this to the org's attention (in a private manner). @jeffmendoza fyi. |
It looks like this API is only available if you are the owner of that organization, so I don't think it would be useful in Scorecard. It might work for AllStar; that's a good idea, Azeem. |
|
ok, yes allstar works well too. I'm adding these issues in scorecard repo first and allstar is the fallback solution in my mind, since allstar is for orgs but scorecard can be more broadly used. Here's another one that I would like to have in scorecard, but may only be viable for allstar #1655 :/ |
We already have another (experimental) measure in Scorecard that requires this. So I think it is appropriate to add it, and only measure it when it's possible. Also, Scorecard isn't limited to GitHub; we're adding GitLab, and more may follow (I hope). Just include some sort of marker indicating in a machine-processable way that "we could not get this data" in those cases. |
|
GitHub is requiring MFA for all contributors by the end of 2023 and project documentation states limitations in creating this check with a strong recommendation for using MFA generally so this issue can probably be closed. If there is no feedback in the next 7 days to the contrary, then this issue will be closed. |
|
afmarcum : I don't think it's required for GitLab though. |
|
@raghavkaul found this bug on GitLab: https://forum.gitlab.com/t/retrieving-mfa-status-via-api/89759/4 It looks like this is not available in normal means via GitLab [except for GitLab instance admins]. |
Update docs on 2FA Closes #7 Signed-off-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com>
Update docs on 2FA Closes #7 Signed-off-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com>
…github.com/onsi/ginkgo/v2-2.19.0
Do all contributors have 2 factor authentication enabled on their accounts?
The text was updated successfully, but these errors were encountered: