diff --git a/policies/gh_org_public_repos.rego b/policies/gh_org_public_repos.rego index fae6355..e7f91f5 100644 --- a/policies/gh_org_public_repos.rego +++ b/policies/gh_org_public_repos.rego @@ -1,3 +1,5 @@ + +package compliance_framework.public_repos # METADATA # title: Github Settings - Organizations - Public Repos and Gists # description: "The organization should not have any public repos or gists if it is a sensitive organization" @@ -7,7 +9,6 @@ # schedule: "* * * * *" -package compliance_framework.public_repos checks["repos"] if { input.organization.public_repos > 0 diff --git a/policies/gh_org_secret_dependabot_alerts.rego b/policies/gh_org_secret_dependabot_alerts.rego new file mode 100644 index 0000000..52a02e3 --- /dev/null +++ b/policies/gh_org_secret_dependabot_alerts.rego 
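Review bot: Moving `package compliance_framework.public_repos` above the `# METADATA` block (first hunk) changes what that annotation block attaches to: OPA applies a metadata block to the statement that follows it, so a block that used to annotate the package now sits in front of `checks["repos"]` and is read with rule scope, if it is still attached across the blank lines the second hunk leaves. If the framework collects `custom.controls` and `custom.schedule` from package-scope annotations, this policy may silently drop out of scheduling; the new gh_org_secret_dependabot_alerts.rego uses the same ordering. Either keep the block directly above the `package` line, or make the intended attachment explicit (e.g. `# scope: rule` directly above the rule) and confirm the consumer reads rule-scope annotations. The `checks["repos"]` body continues outside the hunk.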
@@ -0,0 +1,35 @@
+package compliance_framework.dependabot_alerts
+# METADATA
+# title: Github Settings - Organizations - Dependabot alerts enabled for new repos
+# description: "All new repositories should be set up for Dependabot alerts as the default. Note: Endpoint is closing down at some point and moving to code security configurations: See https://docs.github.com/rest/code-security/configurations"
+# custom:
+# controls:
+# -
+# schedule: "* * * * *"
+
+
+violation[{}] if {
+ input.organization.dependabot_alerts_enabled_for_new_repositories == false
+}
+
+title := "Dependabot alerts enabled for new repositories"
+description := "All new repositories should be set up to alert for any dependabot alerts that are coming from the repositories"
+remarks := "Endpoint is closing down at some point and moving to code security configurations: See https://docs.github.com/rest/code-security/configurations"
+
+controls := [
+ {
+ "class": "SP800-53",
+ "control-id": "ra-5.4", # Discoverable Information
+ "statement-ids": []
+ },
+ {
+ "class": "SP800-218",
+ "control_id": "RV-1.1",
+ "statement-ids": []
+ },
+ {
+ "class": "OWASP_DSOMM_3",
+ "control_id": "IG-3.3",
+ "statement-ids": []
+ },
+]
\ No newline at end of file
diff --git a/policies/gh_org_secret_dependabot_alerts_test.rego b/policies/gh_org_secret_dependabot_alerts_test.rego
new file mode 100644
index 0000000..4253e90
--- /dev/null
+++ b/policies/gh_org_secret_dependabot_alerts_test.rego
@@ -0,0 +1,17 @@
+package compliance_framework.dependabot_alerts
+
+test_scanning_enabled_new_repos if {
+ count(violation) == 0 with input as {
+ "organization": {
+ "dependabot_alerts_enabled_for_new_repositories": true
+ }
+ }
+}
+
+test_secret_scanning_enabled_new_repos_violate_if_disabled if {
+ count(violation) > 0 with input as {
+ "organization": {
+ "dependabot_alerts_enabled_for_new_repositories": false
+ }
+ }
+}
\ No newline at end of file
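Review bot: `violation[{}]` fires only when `dependabot_alerts_enabled_for_new_repositories == false`; if the field is absent from the organization payload (the caller lacks permission to see it, or the field goes away with the endpoint retirement the description itself warns about), the comparison is undefined and the policy passes silently. Fail closed with `not input.organization.dependabot_alerts_enabled_for_new_repositories`, which covers both `false` and the missing-field case. The `controls` list also mixes `"control-id"` (SP800-53 entry) with `"control_id"` (the other two), so a consumer keying on one spelling drops the others; pick one. The file is named gh_org_secret_dependabot_alerts.rego although nothing here concerns secret scanning, which looks like a copy from a secret-scanning policy; consider renaming before it lands.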
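Review bot: Both tests are named after secret scanning (`test_scanning_enabled_new_repos`, `test_secret_scanning_enabled_new_repos_violate_if_disabled`) while they exercise the Dependabot field, and neither covers an organization object without `dependabot_alerts_enabled_for_new_repositories`, which is exactly where an `== false` policy passes silently. Rename them to say dependabot and add a missing-field case so the fail-closed behaviour is pinned; the added test fails against the current `== false` rule and passes once the policy uses `not ...`.
```rego
# … unchanged: package line and the two existing tests …

test_dependabot_alerts_violate_if_field_missing if {
	count(violation) > 0 with input as {
		"organization": {}
	}
}
```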