To remediate the “Members MFA required” misconfiguration in GitHub using the GitHub console, follow these steps:
Log in to your GitHub account and navigate to the organization or repository that you want to remediate.
Click on the “Settings” tab.
In the left-hand menu, click on “Security & analysis”.
Scroll down to the “Enforce two-factor authentication” section.
Check the box next to “Require two-factor authentication for all members”.
Click on “Save” to apply the changes.
This will enforce two-factor authentication for all members of the organization or repository, ensuring that their accounts are protected by an additional layer of security.
To remediate the “Members MFA required” misconfiguration in GitHub using GitHub CLI, please follow these steps:
Install GitHub CLI on your local machine by following the instructions provided in the GitHub CLI documentation.
Open a terminal or command prompt and authenticate with GitHub using the following command:
gh auth login
Once you are authenticated, run the following command to enable MFA enforcement for all members of your organization:
gh api -X PUT /orgs/<organization-name>/members -f members_can_enable_or_disable_multifactor_auth_required=true
Note: Replace <organization-name> with the name of your GitHub organization.
Verify that MFA enforcement is enabled for all members of your organization by running the following command:
gh api /orgs/<organization-name>/members
This command will return a list of all members in your organization and their MFA status. Make sure that all members have MFA enabled.
By following these steps, you have successfully remediated the “Members MFA required” misconfiguration for GitHub using GitHub CLI.
For each member, check if they have MFA enabled. If not, enable it:
for member in members:
    if not member.has_two_factor_authentication():
        member.create_two_factor_authentication()
Save the Python script and run it to enforce MFA for all members of the organization.
Note: This script assumes that you have administrative access to the organization and that you want to enforce MFA for all members. If you want to enforce MFA for only a subset of members, you will need to modify the script accordingly.
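An added example, not part of the original page or of GitHub's own tooling: a read-only Python audit that verifies the outcome of the procedures above. It assumes the `gh` CLI is already authenticated as an organization owner and uses the REST API's `two_factor_requirement_enabled` field from `GET /orgs/{org}` together with the `filter=2fa_disabled` option of the member listing; the function names and sample data are constructed for illustration.

```python
import json
import subprocess
import sys


def gh(*args):
    """Run `gh api` using the existing authenticated session; return stdout."""
    return subprocess.run(["gh", "api", *args], check=True,
                          capture_output=True, text=True).stdout


def evaluate(org_settings, logins_without_2fa):
    """Turn the two API results into a pass/fail list of findings."""
    required = org_settings.get("two_factor_requirement_enabled")
    findings = []
    if required is None:
        # Assumption: the field is missing or null when the token cannot see
        # owner-only settings, so report it as unknown instead of passing.
        findings.append("2FA requirement state not visible to this token")
    elif required is False:
        findings.append("organization does not require 2FA")
    for login in sorted(set(logins_without_2fa)):
        findings.append(f"member without 2FA: {login}")
    return {"compliant": not findings, "findings": findings}


def audit(org):
    """Live check: needs the gh CLI and organization-owner permissions."""
    settings = json.loads(gh(f"/orgs/{org}"))
    # --jq prints one login per line, which stays parseable across pages.
    listing = gh("--paginate", f"/orgs/{org}/members?filter=2fa_disabled",
                 "--jq", ".[].login")
    return evaluate(settings, listing.split())


# Constructed sample responses (not real accounts) so the logic runs offline.
SAMPLE_SETTINGS = {"login": "example-org",
                   "two_factor_requirement_enabled": False}
SAMPLE_LOGINS = ["bob-example", "alice-example", "bob-example"]

if __name__ == "__main__":
    # With an organization name as argument, query GitHub; otherwise use samples.
    if len(sys.argv) > 1:
        result = audit(sys.argv[1])
    else:
        result = evaluate(SAMPLE_SETTINGS, SAMPLE_LOGINS)
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["compliant"] else 1)
```

The non-zero exit status on any finding lets the script gate a scheduled compliance job.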