Ensure GitHub organization security settings require SSO

Error: GitHub organization security settings do not include SSO
Bridgecrew Policy ID: BC_ORG_GITHUB_2
Checkov Check ID: CKV_GITHUB_2
Severity: HIGH

GitHub organization security settings do not include SSO

Description

Organization owners and admins can enforce SAML SSO so that all organization members must authenticate via an identity provider (IdP). When SAML SSO is enforced, every member must authenticate through the IdP before they can access the organization's resources. Enforcement removes from the organization any members and administrators who have not yet authenticated via the IdP, and GitHub sends an email notification to each removed user.

Fix - Buildtime

GitHub

Enforce SAML SSO for your organization

  1. Enable and test SAML SSO for your organization, then authenticate with your IdP at least once. For more information, see "Enabling and testing SAML single sign-on for your organization."
  2. Prepare to enforce SAML SSO for your organization. For more information, see "Preparing to enforce SAML single sign-on in your organization."
  3. In the top right corner of GitHub.com, click your profile photo, then click Your organizations.
  4. Next to the organization, click Settings.
  5. In the "Security" section of the sidebar, click Authentication security.
  6. Under "SAML single sign-on", select Require SAML SSO authentication for all members of the
  7. Under "Single sign-on recovery codes", review your recovery codes. Store the recovery codes in a safe location like a password manager.
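The check itself is evaluated from the GitHub GraphQL API rather than from the UI steps above. The script below is an added illustration, not Checkov's or Bridgecrew's own code: it queries the documented `samlIdentityProvider` field of the `Organization` object and reports PASSED when SAML SSO is configured (an `ssoUrl` is present), FAILED when the field is null, and UNKNOWN when the token lacks the `read:org`/`admin:org` scope needed to see it. The `ORG_SECURITY_QUERY`, the `evaluated_key` path and the three sample responses are assumptions constructed for this example. One caveat for practitioners: the field tells you SAML is set up, not whether "Require SAML SSO authentication" (step 6) is switched on, so enforcement still has to be confirmed in Authentication security.

```python
"""Evaluate GitHub organization SAML SSO configuration in the spirit of
Checkov check CKV_GITHUB_2.  Added example, not Checkov's own code.
Assumption: `samlIdentityProvider` on the GraphQL Organization object is
non-null once SAML SSO has been configured for the organization."""
import json
import os
import urllib.request

CHECK_ID = "CKV_GITHUB_2"
GITHUB_GRAPHQL_URL = "https://api.github.com/graphql"

# Organization fields the evaluation looks at.  `samlIdentityProvider` is
# only visible to organization owners or tokens with read:org / admin:org.
ORG_SECURITY_QUERY = """
query OrgSecurity($login: String!) {
  organization(login: $login) {
    login
    requiresTwoFactorAuthentication
    samlIdentityProvider {
      ssoUrl
      issuer
    }
  }
}
"""


def evaluate_sso(org_security: dict) -> dict:
    """Return a Checkov-style verdict for one organization's GraphQL response.

    PASSED  - samlIdentityProvider carries an ssoUrl (SAML SSO is configured)
    FAILED  - organization returned, but samlIdentityProvider is null
    UNKNOWN - GraphQL errors or no organization object (usually a token
              without the read:org / admin:org scope); do not treat as pass
    """
    errors = org_security.get("errors") or []
    org = (org_security.get("data") or {}).get("organization")
    if errors or not org:
        reason = "; ".join(e.get("message", "") for e in errors)
        return {"check_id": CHECK_ID, "result": "UNKNOWN",
                "reason": reason or "no organization object in response"}
    idp = org.get("samlIdentityProvider") or {}
    sso_url = idp.get("ssoUrl")
    return {
        "check_id": CHECK_ID,
        "org": org.get("login"),
        "result": "PASSED" if sso_url else "FAILED",
        # Hypothetical key path, in the style Checkov uses for evaluated keys.
        "evaluated_key": "data/organization/samlIdentityProvider/ssoUrl",
        "sso_url": sso_url,
    }


def fetch_org_security(login: str, token: str) -> dict:
    """POST ORG_SECURITY_QUERY to the live API (needs network and a token)."""
    body = json.dumps({"query": ORG_SECURITY_QUERY,
                       "variables": {"login": login}}).encode()
    req = urllib.request.Request(
        GITHUB_GRAPHQL_URL, data=body, method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json",
                 "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample responses; none was captured from a real organization.
SAMPLE_SSO_CONFIGURED = {"data": {"organization": {
    "login": "example-org", "requiresTwoFactorAuthentication": True,
    "samlIdentityProvider": {"ssoUrl": "https://idp.example.test/saml/sso",
                             "issuer": "https://idp.example.test"}}}}
SAMPLE_SSO_MISSING = {"data": {"organization": {
    "login": "example-org", "requiresTwoFactorAuthentication": True,
    "samlIdentityProvider": None}}}
SAMPLE_INSUFFICIENT_SCOPE = {"data": {"organization": None}, "errors": [
    {"type": "FORBIDDEN",
     "message": "constructed: token lacks read:org / admin:org scope"}]}


if __name__ == "__main__":
    for sample in (SAMPLE_SSO_CONFIGURED, SAMPLE_SSO_MISSING,
                   SAMPLE_INSUFFICIENT_SCOPE):
        print(json.dumps(evaluate_sso(sample)))
    # Live evaluation only when both variables are set (hypothetical names).
    login, token = os.environ.get("GITHUB_ORG"), os.environ.get("GITHUB_TOKEN")
    if login and token:
        print(json.dumps(evaluate_sso(fetch_org_security(login, token))))
```

Treat UNKNOWN as a finding in its own right: a scanner token that cannot read `samlIdentityProvider` will silently miss the control, so the audit identity needs `read:org` or an owner's token before a PASSED result means anything.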