feat: Add rego checks for teams

example-data/testorg-unremediated.json

@@ -1,4 +1,5 @@
 {
+  "settings": {
     "login": "test-org",
     "id": 1234567,
     "node_id": "O_abcdefg",
@@ -43,11 +44,11 @@
     "members_can_create_public_pages": true,
     "members_can_create_private_pages": true,
     "plan": {
-        "name": "free",
-        "space": 976562499,
-        "private_repos": 10000,
-        "filled_seats": 2,
-        "seats": 1
+      "name": "free",
+      "space": 976562499,
+      "private_repos": 10000,
+      "filled_seats": 2,
+      "seats": 1
     },
     "advanced_security_enabled_for_new_repositories": false,
     "dependabot_alerts_enabled_for_new_repositories": false,
@@ -58,4 +59,5 @@
     "secret_scanning_push_protection_custom_link_enabled": false,
     "secret_scanning_push_protection_custom_link": null,
     "secret_scanning_validity_checks_enabled": false
-}
+  }
+}

example-data/testorg.json

@@ -1,4 +1,5 @@
 {
+  "settings": {
     "login": "test-org",
     "id": 1234567,
     "node_id": "O_abcdefg",
@@ -43,11 +44,11 @@
     "members_can_create_public_pages": false,
     "members_can_create_private_pages": true,
     "plan": {
-        "name": "free",
-        "space": 976562499,
-        "private_repos": 10000,
-        "filled_seats": 2,
-        "seats": 1
+      "name": "free",
+      "space": 976562499,
+      "private_repos": 10000,
+      "filled_seats": 2,
+      "seats": 1
     },
     "advanced_security_enabled_for_new_repositories": true,
     "dependabot_alerts_enabled_for_new_repositories": true,
@@ -58,4 +59,5 @@
     "secret_scanning_push_protection_custom_link_enabled": true,
     "secret_scanning_push_protection_custom_link": null,
     "secret_scanning_validity_checks_enabled": true
-}
+  }
+}

policies/gh_org_mfa_enabled.rego

@@ -1,7 +1,7 @@
 package compliance_framework.mfa_enabled
 
 violation[{}] if {
-    input.two_factor_requirement_enabled == false
+    input.settings.two_factor_requirement_enabled == false
 }
 
 title := "Two Factor Authentication is required at an organization level"

policies/gh_org_mfa_enabled_test.rego

@@ -2,12 +2,16 @@ package compliance_framework.mfa_enabled
 
 test_mfa_enabled if {
     count(violation) == 0 with input as {
-        "two_factor_requirement_enabled": true
+        "settings": {
+            "two_factor_requirement_enabled": true
+        }
     }
 }
 
 test_mfa_violate_if_disabled if {
     count(violation) > 0 with input as {
-        "two_factor_requirement_enabled": false
+        "settings": {
+            "two_factor_requirement_enabled": false
+        }
     }
 }

policies/gh_org_public_repos.rego

@@ -1,15 +1,15 @@
 package compliance_framework.public_repos
 
-checks["repos"] if {
-	input.public_repos > 0
+_checks["repos"] if {
+	input.settings.public_repos > 0
 }
 
-checks["gists"] if {
-	input.public_gists > 0
+_checks["gists"] if {
+	input.settings.public_gists > 0
 }
 
 violation[{}] if {
-	some check in checks
+	some check in _checks
 }
 
 

policies/gh_org_public_repos_test.rego

@@ -2,14 +2,18 @@ package compliance_framework.public_repos
 
 test_public_repos_is_zero if {
     count(violation) == 0 with input as {
-        "pubic_repos": 0,
-        "public_gists": 0
+        "settings": {
+            "public_repos": 0,
+            "public_gists": 0
+        }
     }
 }
 
 test_public_repos_violate_when_higher if {
     count(violation) > 0 with input as {
-        "public_repos": 10,
-        "public_gists": 0
+        "settings": {
+            "public_repos": 10,
+            "public_gists": 0
+        }
     }
 }

policies/gh_teams_privacy_closed.rego

@@ -0,0 +1,9 @@
+package compliance_framework.teams_privacy_closed
+
+violation[{}] if {
+    some team in input.teams
+    team.privacy != "closed"
+}
+
+title := "All teams are private within the organization"
+description := "All teams within the organization must be set to private to ensure sensitive information is not exposed."

policies/gh_teams_privacy_closed_test.rego

@@ -0,0 +1,31 @@
+package compliance_framework.teams_privacy_closed
+
+test_teams_privacy_closed if {
+    count(violation) == 0 with input as {
+        "teams": [
+            {
+                "name": "team1",
+                "privacy": "closed"
+            },
+            {
+                "name": "team2",
+                "privacy": "closed"
+            }
+        ]
+    }
+}
+
+test_teams_privacy_open if {
+    count(violation) > 0 with input as {
+        "teams": [
+            {
+                "name": "team1",
+                "privacy": "open"
+            },
+            {
+                "name": "team2",
+                "privacy": "closed"
+            }
+        ]
+    }
+}

policies/gh_teams_security_found.rego

@@ -0,0 +1,18 @@
+package compliance_framework.teams_security_found
+
+_team_with_security if {
+    some team in input.teams
+    contains(lower(team.name), "security")
+}
+
+_team_with_security if {
+    some team in input.teams
+    contains(lower(team.description), "security")
+}
+
+violation[{}] if {
+    not _team_with_security
+}
+
+title := "Security Teams are present within Github"
+description := "A dedicated security team should be created in the organization to manage security-related tasks and incidents, as well as provide consulting when required."