
Comments (9)

azeemshaikh38 commented on June 12, 2024

A side note - might be a good fit for AllStar i.e an AllStar policy can check all org members have 2fa enabled and bring this to the org's attention (in a private manner). @jeffmendoza fyi.

from scorecard.

naveensrinivasan commented on June 12, 2024

I think the more practical would be "Do top 5/10 contributors have 2FA enabled"?


laurentsimon commented on June 12, 2024

> I think the more practical would be "Do top 5/10 contributors have 2FA enabled"?

probably depends on how many contributors the project has?
We could also check that reviewers have 2FA. A compromised contributor may try to push bad code but would be detected by reviewers. Having a score instead of a binary pass/fail check would also help in general. It would encourage developers to make incremental improvements towards a long-term goal.

In terms of scoring, it could be:

  1. Find all contributors that have 2FA, and compute the percentage of the code they have contributed to. That would be the score.
  2. Alternatively, find the reviewers that have 2FA and compute the percentage of code they reviewed.

Not sure this is possible with a reasonable number of API calls, though. We cannot go back in history too much either, so this may be done over the last n months, for example.


laurentsimon commented on June 12, 2024

API for org https://docs.github.com/en/rest/reference/orgs#members. May require special permission to use.


ristomcgehee commented on June 12, 2024

> API for org https://docs.github.com/en/rest/reference/orgs#members. May require special permission to use.

This API allows querying for users in your organization that do not have 2FA enabled. It wouldn't fit our needs of being able to tell if an arbitrary user has 2FA enabled. I would be surprised if GitHub ever published an API allowing querying whether arbitrary users have 2FA enabled. I think a lot of people wouldn't be comfortable with it being public knowledge that they don't use 2FA. We might not ever be able to do this issue.


laurentsimon commented on June 12, 2024

if we could query the list of maintainers for a repo/org, we could then cross-check which maintainers don't have 2FA enabled. I've not looked closely at the API, though.

We don't really need all users, we mostly need maintainers of the project, or devs who can review PRs, etc.


ristomcgehee commented on June 12, 2024

> if we could query the list of maintainers for a repo/org, we could then cross-check which maintainers don't have 2FA enabled.

It looks like this API is only available if you are the owner of that organization, so I don't think it would be useful in Scorecard. It might work for AllStar; that's a good idea, Azeem.


laurentsimon commented on June 12, 2024

ok, yes allstar works well too. I'm adding these issues in scorecard repo first and allstar is the fallback solution in my mind, since allstar is for orgs but scorecard can be more broadly used. Here's another one that I would like to have in scorecard, but may only be viable for allstar #1655 :/


david-a-wheeler commented on June 12, 2024

> It looks like this API is only available if you are the owner of that organization, so I don't think it would be useful in Scorecard.

We already have another (experimental) measure in Scorecard that requires this. So I think it is appropriate to add it, and only measure it when it's possible. Also, Scorecard isn't limited to GitHub; we're adding GitLab, and more may follow (I hope). Just include some sort of marker indicating in a machine-processable way that "we could not get this data" in those cases.

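The thread sketches three pieces that fit together: laurentsimon's scoring idea (percentage of recently contributed lines whose author has 2FA, over a window of the last n months), the constraint that the org-members query with `filter=2fa_disabled` only works for an org owner, and david-a-wheeler's request for a machine-readable "we could not get this data" marker. The following Go example, added here as an illustration and not code from the Scorecard project, puts those together. It assumes a hypothetical `MembershipFetcher` injection point instead of real GitHub API calls, an `ErrNoPermission` error standing in for the 403 a non-owner token gets, and constructed commit data. One practitioner caveat it encodes: the 2FA filter only tells you about org members, so an outside contributor's lines are counted in the total but can never be counted as covered.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Commit is a constructed stand-in for one entry of a repository's
// commit history (author login, commit date, lines added).
type Commit struct {
	Author     string
	Date       time.Time
	LinesAdded int
}

// OrgMembership is what the two org-members queries would give us:
// all members (GET /orgs/{org}/members) and the subset without 2FA
// (GET /orgs/{org}/members?filter=2fa_disabled).
type OrgMembership struct {
	Members  map[string]bool
	TwoFAOff map[string]bool
}

// ErrNoPermission is a hypothetical stand-in for the 403 the owner-only
// query returns to a token that does not own the org.
var ErrNoPermission = errors.New("not an org owner: cannot list members by 2FA status")

// MembershipFetcher is a hypothetical injection point; nothing here
// touches the network.
type MembershipFetcher func(org string) (OrgMembership, error)

// Result carries the score plus a machine-readable marker for the
// "we could not get this data" case.
type Result struct {
	DataAvailable bool
	Score         int // 0..10, meaningful only when DataAvailable
	CoveredLines  int
	TotalLines    int
}

// ContributorTwoFAScore scores lines added since `since`: the share of
// them written by an org member with 2FA enabled, scaled to 0..10.
// Authors outside the org cannot be verified, so their lines count
// toward the total but never as covered.
func ContributorTwoFAScore(org string, commits []Commit, since time.Time, fetch MembershipFetcher) (Result, error) {
	m, err := fetch(org)
	if errors.Is(err, ErrNoPermission) {
		return Result{DataAvailable: false}, nil // expected for non-owner tokens
	}
	if err != nil {
		return Result{}, err
	}
	var covered, total int
	for _, c := range commits {
		if c.Date.Before(since) {
			continue // outside the last-n-months window
		}
		total += c.LinesAdded
		if m.Members[c.Author] && !m.TwoFAOff[c.Author] {
			covered += c.LinesAdded
		}
	}
	if total == 0 {
		return Result{DataAvailable: false}, nil // no commits in window: nothing to measure
	}
	return Result{DataAvailable: true, Score: covered * 10 / total, CoveredLines: covered, TotalLines: total}, nil
}

func day(y int, mo time.Month, d int) time.Time { return time.Date(y, mo, d, 0, 0, 0, 0, time.UTC) }

// SampleCommits is constructed input, not real project data.
var SampleCommits = []Commit{
	{Author: "alice", Date: day(2024, 5, 1), LinesAdded: 300},   // member, 2FA on
	{Author: "bob", Date: day(2024, 4, 15), LinesAdded: 100},    // member, 2FA off
	{Author: "carol", Date: day(2024, 3, 1), LinesAdded: 100},   // outside contributor, unverifiable
	{Author: "bob", Date: day(2022, 1, 1), LinesAdded: 1000},    // older than the window, ignored
}

var SampleSince = day(2024, 1, 1)

// ownerFetch simulates what an org-owner token would see.
func ownerFetch(org string) (OrgMembership, error) {
	return OrgMembership{
		Members:  map[string]bool{"alice": true, "bob": true},
		TwoFAOff: map[string]bool{"bob": true},
	}, nil
}

// nonOwnerFetch simulates a token that is not an owner of the org.
func nonOwnerFetch(org string) (OrgMembership, error) { return OrgMembership{}, ErrNoPermission }

func main() {
	r, _ := ContributorTwoFAScore("example-org", SampleCommits, SampleSince, ownerFetch)
	fmt.Printf("owner token: available=%v score=%d (%d/%d lines)\n", r.DataAvailable, r.Score, r.CoveredLines, r.TotalLines)
	r, _ = ContributorTwoFAScore("example-org", SampleCommits, SampleSince, nonOwnerFetch)
	fmt.Printf("non-owner token: available=%v\n", r.DataAvailable)
}
```

With the owner view, 300 of the 500 in-window lines come from a 2FA-enabled member (alice), giving a score of 6; bob's 2022 commit is outside the window and carol's lines are in the total but unverifiable. With a non-owner token the check reports `DataAvailable=false` rather than a misleading 0 or 10.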
