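--- a/example-data/testorg-unremediated.json
+++ b/example-data/testorg-unremediated.json
@@ -1,63 +1,61 @@
 {
-"organization": {
-"login": "test-org",
-"id": 1234567,
-"node_id": "O_abcdefg",
-"url": "https://api.github.com/orgs/test-org",
-"repos_url": "https://api.github.com/orgs/test-org/repos",
-"events_url": "https://api.github.com/orgs/test-org/events",
-"hooks_url": "https://api.github.com/orgs/test-org/hooks",
-"issues_url": "https://api.github.com/orgs/test-org/issues",
-"members_url": "https://api.github.com/orgs/test-org/members{/member}",
-"public_members_url": "https://api.github.com/orgs/test-org/public_members{/member}",
-"avatar_url": "https://avatars.githubusercontent.com/u/1234567?v=4",
-"description": null,
-"is_verified": false,
-"has_organization_projects": true,
-"has_repository_projects": true,
-"public_repos": 0,
-"public_gists": 0,
-"followers": 0,
-"following": 0,
-"html_url": "https://github.com/test-org",
-"created_at": "2025-04-09T15:36:21Z",
-"updated_at": "2025-04-09T15:38:25Z",
-"archived_at": null,
-"type": "Organization",
-"total_private_repos": 0,
-"owned_private_repos": 0,
-"private_gists": 0,
-"disk_usage": 0,
-"collaborators": 0,
-"billing_email": "test@example.com",
-"default_repository_permission": "read",
-"members_can_create_repositories": true,
-"two_factor_requirement_enabled": false,
-"members_allowed_repository_creation_type": "all",
-"members_can_create_public_repositories": true,
-"members_can_create_private_repositories": true,
-"members_can_create_internal_repositories": false,
-"members_can_create_pages": true,
-"members_can_fork_private_repositories": false,
-"web_commit_signoff_required": false,
-"deploy_keys_enabled_for_repositories": false,
-"members_can_create_public_pages": true,
-"members_can_create_private_pages": true,
-"plan": {
-"name": "free",
-"space": 976562499,
-"private_repos": 10000,
-"filled_seats": 2,
-"seats": 1
-},
-"advanced_security_enabled_for_new_repositories": false,
-"dependabot_alerts_enabled_for_new_repositories": false,
-"dependabot_security_updates_enabled_for_new_repositories": false,
-"dependency_graph_enabled_for_new_repositories": false,
-"secret_scanning_enabled_for_new_repositories": false,
-"secret_scanning_push_protection_enabled_for_new_repositories": false,
-"secret_scanning_push_protection_custom_link_enabled": false,
-"secret_scanning_push_protection_custom_link": null,
-"secret_scanning_validity_checks_enabled": false
-}
+"login": "test-org",
+"id": 1234567,
+"node_id": "O_abcdefg",
+"url": "https://api.github.com/orgs/test-org",
+"repos_url": "https://api.github.com/orgs/test-org/repos",
+"events_url": "https://api.github.com/orgs/test-org/events",
+"hooks_url": "https://api.github.com/orgs/test-org/hooks",
+"issues_url": "https://api.github.com/orgs/test-org/issues",
+"members_url": "https://api.github.com/orgs/test-org/members{/member}",
+"public_members_url": "https://api.github.com/orgs/test-org/public_members{/member}",
+"avatar_url": "https://avatars.githubusercontent.com/u/1234567?v=4",
+"description": null,
+"is_verified": false,
+"has_organization_projects": true,
+"has_repository_projects": true,
+"public_repos": 0,
+"public_gists": 0,
+"followers": 0,
+"following": 0,
+"html_url": "https://github.com/test-org",
+"created_at": "2025-04-09T15:36:21Z",
+"updated_at": "2025-04-09T15:38:25Z",
+"archived_at": null,
+"type": "Organization",
+"total_private_repos": 0,
+"owned_private_repos": 0,
+"private_gists": 0,
+"disk_usage": 0,
+"collaborators": 0,
+"billing_email": "test@example.com",
+"default_repository_permission": "read",
+"members_can_create_repositories": true,
+"two_factor_requirement_enabled": false,
+"members_allowed_repository_creation_type": "all",
+"members_can_create_public_repositories": true,
+"members_can_create_private_repositories": true,
+"members_can_create_internal_repositories": false,
+"members_can_create_pages": true,
+"members_can_fork_private_repositories": false,
+"web_commit_signoff_required": false,
+"deploy_keys_enabled_for_repositories": false,
+"members_can_create_public_pages": true,
+"members_can_create_private_pages": true,
+"plan": {
+"name": "free",
+"space": 976562499,
+"private_repos": 10000,
+"filled_seats": 2,
+"seats": 1
+},
+"advanced_security_enabled_for_new_repositories": false,
+"dependabot_alerts_enabled_for_new_repositories": false,
+"dependabot_security_updates_enabled_for_new_repositories": false,
+"dependency_graph_enabled_for_new_repositories": false,
+"secret_scanning_enabled_for_new_repositories": false,
+"secret_scanning_push_protection_enabled_for_new_repositories": false,
+"secret_scanning_push_protection_custom_link_enabled": false,
+"secret_scanning_push_protection_custom_link": null,
+"secret_scanning_validity_checks_enabled": false
 }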
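--- a/example-data/testorg.json
+++ b/example-data/testorg.json
@@ -1,63 +1,61 @@
 {
-"organization": {
-"login": "test-org",
-"id": 1234567,
-"node_id": "O_abcdefg",
-"url": "https://api.github.com/orgs/test-org",
-"repos_url": "https://api.github.com/orgs/test-org/repos",
-"events_url": "https://api.github.com/orgs/test-org/events",
-"hooks_url": "https://api.github.com/orgs/test-org/hooks",
-"issues_url": "https://api.github.com/orgs/test-org/issues",
-"members_url": "https://api.github.com/orgs/test-org/members{/member}",
-"public_members_url": "https://api.github.com/orgs/test-org/public_members{/member}",
-"avatar_url": "https://avatars.githubusercontent.com/u/1234567?v=4",
-"description": null,
-"is_verified": false,
-"has_organization_projects": true,
-"has_repository_projects": true,
-"public_repos": 0,
-"public_gists": 0,
-"followers": 0,
-"following": 0,
-"html_url": "https://github.com/test-org",
-"created_at": "2025-04-09T15:36:21Z",
-"updated_at": "2025-04-09T15:38:25Z",
-"archived_at": null,
-"type": "Organization",
-"total_private_repos": 0,
-"owned_private_repos": 0,
-"private_gists": 0,
-"disk_usage": 0,
-"collaborators": 0,
-"billing_email": "test@example.com",
-"default_repository_permission": "read",
-"members_can_create_repositories": true,
-"two_factor_requirement_enabled": true,
-"members_allowed_repository_creation_type": "all",
-"members_can_create_public_repositories": false,
-"members_can_create_private_repositories": true,
-"members_can_create_internal_repositories": true,
-"members_can_create_pages": false,
-"members_can_fork_private_repositories": false,
-"web_commit_signoff_required": true,
-"deploy_keys_enabled_for_repositories": true,
-"members_can_create_public_pages": false,
-"members_can_create_private_pages": true,
-"plan": {
-"name": "free",
-"space": 976562499,
-"private_repos": 10000,
-"filled_seats": 2,
-"seats": 1
-},
-"advanced_security_enabled_for_new_repositories": true,
-"dependabot_alerts_enabled_for_new_repositories": true,
-"dependabot_security_updates_enabled_for_new_repositories": true,
-"dependency_graph_enabled_for_new_repositories": true,
-"secret_scanning_enabled_for_new_repositories": true,
-"secret_scanning_push_protection_enabled_for_new_repositories": true,
-"secret_scanning_push_protection_custom_link_enabled": true,
-"secret_scanning_push_protection_custom_link": null,
-"secret_scanning_validity_checks_enabled": true
-}
+"login": "test-org",
+"id": 1234567,
+"node_id": "O_abcdefg",
+"url": "https://api.github.com/orgs/test-org",
+"repos_url": "https://api.github.com/orgs/test-org/repos",
+"events_url": "https://api.github.com/orgs/test-org/events",
+"hooks_url": "https://api.github.com/orgs/test-org/hooks",
+"issues_url": "https://api.github.com/orgs/test-org/issues",
+"members_url": "https://api.github.com/orgs/test-org/members{/member}",
+"public_members_url": "https://api.github.com/orgs/test-org/public_members{/member}",
+"avatar_url": "https://avatars.githubusercontent.com/u/1234567?v=4",
+"description": null,
+"is_verified": false,
+"has_organization_projects": true,
+"has_repository_projects": true,
+"public_repos": 0,
+"public_gists": 0,
+"followers": 0,
+"following": 0,
+"html_url": "https://github.com/test-org",
+"created_at": "2025-04-09T15:36:21Z",
+"updated_at": "2025-04-09T15:38:25Z",
+"archived_at": null,
+"type": "Organization",
+"total_private_repos": 0,
+"owned_private_repos": 0,
+"private_gists": 0,
+"disk_usage": 0,
+"collaborators": 0,
+"billing_email": "test@example.com",
+"default_repository_permission": "read",
+"members_can_create_repositories": true,
+"two_factor_requirement_enabled": true,
+"members_allowed_repository_creation_type": "all",
+"members_can_create_public_repositories": false,
+"members_can_create_private_repositories": true,
+"members_can_create_internal_repositories": true,
+"members_can_create_pages": false,
+"members_can_fork_private_repositories": false,
+"web_commit_signoff_required": true,
+"deploy_keys_enabled_for_repositories": true,
+"members_can_create_public_pages": false,
+"members_can_create_private_pages": true,
+"plan": {
+"name": "free",
+"space": 976562499,
+"private_repos": 10000,
+"filled_seats": 2,
+"seats": 1
+},
+"advanced_security_enabled_for_new_repositories": true,
+"dependabot_alerts_enabled_for_new_repositories": true,
+"dependabot_security_updates_enabled_for_new_repositories": true,
+"dependency_graph_enabled_for_new_repositories": true,
+"secret_scanning_enabled_for_new_repositories": true,
+"secret_scanning_push_protection_enabled_for_new_repositories": true,
+"secret_scanning_push_protection_custom_link_enabled": true,
+"secret_scanning_push_protection_custom_link": null,
+"secret_scanning_validity_checks_enabled": true
 }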
18 changes: 9 additions & 9 deletions policies/gh_org_mfa_enabled.rego
@@ -1,15 +1,7 @@
package compliance_framework.mfa_enabled
# METADATA
# title: Github Settings - Organizations - Two Factor Authentication Required
# description: Ensure that 2FA is enabled for all users within the organization, making it harder for TAs to gain access to the organization's repos and settings
# custom:
# controls:
# - <control-id>
# schedule: "* * * * *"


violation[{}] if {
input.organization.two_factor_requirement_enabled == false
input.two_factor_requirement_enabled == false
}

title := "Two Factor Authentication is required at an organization level"
Expand Down Expand Up @@ -44,4 +36,12 @@ controls := [
"class": "SP800-53-enhancement",
"control-id": "ia-2.2", # Multi-factor Authentication for Non-privileged Accounts
},
{
"class": "OWASP_DSOMM_3",
"control-id": "IM-3.10",
},
{
"class": "OWASP_DSOMM_3",
"control-id": "IM-3.11",
},
]
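Review bot: `input.two_factor_requirement_enabled == false` in the first hunk fails open: when the key is absent from the input document the comparison is undefined rather than false, so the rule body never evaluates and no violation is reported, and an organization document that simply lacks the field (for instance one fetched with a token that is not shown the owner-only settings, if I read the GitHub API right) would pass as compliant. `not input.two_factor_requirement_enabled` holds for both an explicit false and a missing key, which is the fail-closed reading a compliance check usually wants. The same pattern appears in policies/gh_org_public_repos.rego, where `input.public_repos > 0` and `input.public_gists > 0` likewise produce no violation when the counts are missing; whichever way that is decided, it should be explicit rather than a side effect of undefined. A third case in policies/gh_org_mfa_enabled_test.rego with `{}` as input would pin the intended behaviour.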
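--- a/policies/gh_org_mfa_enabled_test.rego
+++ b/policies/gh_org_mfa_enabled_test.rego
@@ -2,16 +2,12 @@ package compliance_framework.mfa_enabled
 
 test_mfa_enabled if {
 count(violation) == 0 with input as {
-"organization": {
-"two_factor_requirement_enabled": true
-}
+"two_factor_requirement_enabled": true
 }
 }
 
 test_mfa_violate_if_disabled if {
 count(violation) > 0 with input as {
-"organization": {
-"two_factor_requirement_enabled": false
-}
+"two_factor_requirement_enabled": false
 }
 }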
16 changes: 3 additions & 13 deletions policies/gh_org_public_repos.rego
@@ -1,21 +1,11 @@

package compliance_framework.public_repos
# METADATA
# title: Github Settings - Organizations - Public Repos and Gists
# description: "The organization should not have any public repos or gists if it is a sensitive organization"
# custom:
# controls:
# - <control-id>
# schedule: "* * * * *"



checks["repos"] if {
input.organization.public_repos > 0
input.public_repos > 0
}

checks["gists"] if {
input.organization.public_gists > 0
input.public_gists > 0
}

violation[{}] if {
Expand All @@ -29,4 +19,4 @@ description := "The Organization should not have any public repositories or gist
# No direct controls in the frameworks at the moment
# But will be useful when we are mapping ISO 27001, data privacy or custom
# IPR frameworks generated either as a standard or a custom catalog
controls := []
controls := []
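--- a/policies/gh_org_public_repos_test.rego
+++ b/policies/gh_org_public_repos_test.rego
@@ -2,18 +2,14 @@ package compliance_framework.public_repos
 
 test_public_repos_is_zero if {
 count(violation) == 0 with input as {
-"organization": {
-"pubic_repos": 0,
-"public_gists": 0
-}
+"pubic_repos": 0,
+"public_gists": 0
 }
 }
 
 test_public_repos_violate_when_higher if {
 count(violation) > 0 with input as {
-"organization": {
-"public_repos": 10,
-"public_gists": 0
-}
+"public_repos": 10,
+"public_gists": 0
 }
 }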
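Review bot: The key in the zero case is misspelled on the new side, `"pubic_repos": 0,`, so `input.public_repos` is undefined in test_public_repos_is_zero, `checks["repos"]` is never exercised, and the test passes vacuously — it would keep passing if the repos check in gh_org_public_repos.rego were broken. It should read `"public_repos": 0,`. The typo is carried over from the removed nested version rather than introduced here, but this rewrite of the fixture is the natural place to correct it.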