Ensure the maximum number of deploy keys per repo is not exceeded
Deploy keys with write access can perform the same actions as an organization member with admin access.
In practice, Deploy keys are an SSH key that grants access to a single repository.
The public part of the key is attached directly to your repository instead of a personal account. The private part of the key remains on your server.
Risk Level: medium
Platform: Github
Spectral Rule ID: GH-HRD005
REMEDIATION
Deploy keys are usually not protected by a passphrase, making the key easily accessible if the server is compromised.
Deploy keys should be limited and be manged with a security responsibility. Use fewer and aggressively limit private key distribution.
SaaS:
- On your profile page, click Repositories, then click the name of your repository.
- From your repository, click Settings.
- In the sidebar, click Deploy Keys.
- Be sure any active deploy key is required.
Read more:
Updated about 1 year ago