
feat(github): Add 2FA enforcement check#2521

Merged
tofikwest merged 7 commits into main from feat/github-2fa-check
Apr 13, 2026

Conversation

@tofikwest
Contributor

What

Adds a new 2FA Enforcement check to the GitHub integration that verifies all organization members have two-factor authentication enabled.

How it works

  1. Fetches all organizations the connected GitHub user belongs to
  2. For each org, calls GET /orgs/{org}/members?filter=2fa_disabled
  3. Emits a PASS per org if all members have 2FA
  4. Emits a FAIL per member without 2FA + an org-level summary with remediation steps
  5. Handles 403 gracefully (guides user to reconnect with proper scope)

Changes

  • New check: packages/integration-platform/src/manifests/github/checks/two-factor-auth.ts
  • Updated index.ts: added check to manifest, upgraded OAuth scope read:org -> admin:org

Scope change

The admin:org scope is required by GitHub to use the filter=2fa_disabled parameter. This is a superset of read:org, so existing functionality (branch protection, dependabot, sanitized inputs) continues to work. Existing connections will need to be reconnected to grant the new scope - the check handles the missing scope gracefully with a clear remediation message.

Task mapping

Maps to TASK_TEMPLATES.twoFactorAuth (frk_tt_68406cd9dde2d8cd4c463fe0)

- Add new two_factor_auth check that verifies all org members have 2FA enabled
- Uses GET /orgs/{org}/members?filter=2fa_disabled endpoint
- Iterates all orgs the connected user belongs to
- Emits individual findings per member without 2FA + org summary
- Gracefully handles 403 (insufficient permissions) with clear remediation
- Maps to TASK_TEMPLATES.twoFactorAuth evidence task
- Upgrade OAuth scope from read:org to admin:org (required for 2fa_disabled filter)

Note: Existing GitHub connections will need to be reconnected to grant
the admin:org scope. The check handles the 403 gracefully if the scope
is missing and guides users to reconnect.
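The check flow described above (list the user's orgs, query each one with filter=2fa_disabled, emit a PASS per compliant org, a FAIL per member without 2FA plus an org-level summary, and turn a 403 into a reconnect-with-admin:org remediation), as an added example that is not the PR's or the project's own code. The GitHub client is modelled as an injected synchronous get(path) function so the example runs offline against constructed fixture responses; the Finding shape, the REMEDIATION text and the function names are assumptions, and pagination, SSO and rate-limit handling are left out.

```typescript
// Added example, not the project's own check. Models the 2FA enforcement
// check from the PR description against constructed offline responses.

type Status = "PASS" | "FAIL";

interface Finding {
  status: Status;
  org: string;
  subject: string; // "org:<login>" for org-level findings, "user:<login>" per member
  message: string;
}

interface ApiResponse {
  status: number; // HTTP status
  body: unknown;  // parsed JSON body
}

// Hypothetical client shape: a real one would be async and page through results.
type GitHubGet = (path: string) => ApiResponse;

// Assumed remediation text for the org-level summary finding.
const REMEDIATION =
  "Enable two-factor authentication for the listed members, or require 2FA " +
  "for the organization in its authentication security settings.";

// Evaluate one org's response to GET /orgs/{org}/members?filter=2fa_disabled.
export function checkOrgTwoFactor(org: string, res: ApiResponse): Finding[] {
  // 403: the token lacks admin:org or the user is not an org owner. GitHub only
  // honours filter=2fa_disabled for owners, so guide the user to reconnect.
  if (res.status === 403) {
    return [{
      status: "FAIL",
      org,
      subject: `org:${org}`,
      message:
        `Insufficient permissions to list members without 2FA in ${org}. ` +
        "Reconnect the integration with the admin:org scope as an organization owner.",
    }];
  }
  if (res.status !== 200 || !Array.isArray(res.body)) {
    return [{
      status: "FAIL",
      org,
      subject: `org:${org}`,
      message: `Unexpected response (HTTP ${res.status}) while listing members of ${org}.`,
    }];
  }
  const members = res.body as Array<{ login: string }>;
  if (members.length === 0) {
    return [{
      status: "PASS",
      org,
      subject: `org:${org}`,
      message: `All members of ${org} have two-factor authentication enabled.`,
    }];
  }
  // One FAIL per non-compliant member, then an org-level summary with remediation.
  const perMember: Finding[] = members.map((m) => ({
    status: "FAIL",
    org,
    subject: `user:${m.login}`,
    message: `${m.login} in ${org} does not have two-factor authentication enabled.`,
  }));
  const summary: Finding = {
    status: "FAIL",
    org,
    subject: `org:${org}`,
    message: `${members.length} member(s) of ${org} lack 2FA. ${REMEDIATION}`,
  };
  return [...perMember, summary];
}

// Drive the check across every org the connected user belongs to.
export function twoFactorAuthCheck(get: GitHubGet): Finding[] {
  const orgsRes = get("/user/orgs");
  if (orgsRes.status !== 200 || !Array.isArray(orgsRes.body)) {
    throw new Error(`Could not list organizations (HTTP ${orgsRes.status})`);
  }
  const orgs = orgsRes.body as Array<{ login: string }>;
  return orgs.flatMap((o) =>
    checkOrgTwoFactor(o.login, get(`/orgs/${o.login}/members?filter=2fa_disabled`)),
  );
}

// Constructed fixture standing in for the GitHub API: one compliant org, one
// with two members lacking 2FA, and one where the token is not allowed to ask.
export const sampleApi: Record<string, ApiResponse> = {
  "/user/orgs": { status: 200, body: [{ login: "acme" }, { login: "widgets" }, { login: "legacy" }] },
  "/orgs/acme/members?filter=2fa_disabled": { status: 200, body: [] },
  "/orgs/widgets/members?filter=2fa_disabled": { status: 200, body: [{ login: "alice" }, { login: "bob" }] },
  "/orgs/legacy/members?filter=2fa_disabled": { status: 403, body: { message: "Forbidden" } },
};

export function runSample(): Finding[] {
  return twoFactorAuthCheck((path) => sampleApi[path] ?? { status: 404, body: null });
}

for (const f of runSample()) {
  console.log(`${f.status} ${f.subject}: ${f.message}`);
}
```

Running the sample yields five findings: a PASS for acme, two per-member FAILs and one summary FAIL for widgets, and a single remediation FAIL for legacy, which is the shape a compliance dashboard can group by org without losing the per-user detail.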
@cursor

cursor bot commented Apr 13, 2026

PR Summary

Medium Risk
Adds a new GitHub org-level check that makes additional API calls and emits potentially many findings, with nuanced handling of permission/SSO/rate-limit failures. Risk is mainly around GitHub API behavior/permissions causing unexpected fail states or noisy output, not core auth or data writes.

Overview
Adds a new GitHub 2FA enforcement compliance check (twoFactorAuthCheck) that lists the connected user’s orgs, queries each org’s members with filter=2fa_disabled, and emits PASS when none are found.

When non-compliant members exist, it emits FAIL findings per user plus an org-level summary finding, and includes targeted failure messaging for SSO authorization, rate limiting, and insufficient owner permissions. The check is exported and added to the GitHub manifest’s checks list so it runs alongside existing checks.

Reviewed by Cursor Bugbot for commit 30d09c4. Bugbot is set up for automated code reviews on this repo. Configure here.

@vercel

vercel bot commented Apr 13, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
app Ready Ready Preview, Comment Apr 13, 2026 4:26pm
comp-framework-editor Ready Ready Preview, Comment Apr 13, 2026 4:26pm
1 Skipped Deployment
Project Deployment Actions Updated (UTC)
portal Skipped Skipped Apr 13, 2026 4:26pm

Request Review

The 2FA check handles 403 gracefully and guides org owners to
reconnect if needed. No reason to request broader permissions
for all users when only org owners can use the 2FA filter anyway.
Comment thread packages/integration-platform/src/manifests/github/index.ts

@cursor cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).


❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 901e45d. Configure here.

Comment thread packages/integration-platform/src/manifests/github/checks/two-factor-auth.ts Outdated
@tofikwest tofikwest merged commit 78b415c into main Apr 13, 2026
11 checks passed
@tofikwest tofikwest deleted the feat/github-2fa-check branch April 13, 2026 16:33
@claudfuen
Contributor

🎉 This PR is included in version 3.22.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
