Initial implementation of Github APIs for the plugin

.gitignore

@@ -2,4 +2,6 @@
 dist/
 .DS_Store
 # TODO: Change this to match the specific plugin name
+/plugin
 /plugin-*
+.envrc

README.md

@@ -1,12 +1,15 @@
-# Compliance Framework Plugin Template
+# Compliance Framework Plugin For Github
 
-This is a template for building a compliance framework plugin.
+This is the individual plugin for polling github settings for organizations and repositories to test for configuration flags that are going to fail compliance checks. 
 
-Inspect main.go for a detailed description of how to build the plugin.
+For the moment, it is solely limited to authenticated Github organizations with a Github PAT, but in the future it should query security plans & repositories for specific settings 
 
 ## Prerequisites
 
 * GoReleaser https://goreleaser.com/install/
+* Github Fine Grain Personal Access Token with the following scopes:
+    * `read:org` for the organization to be queried. Note - you *might* need to be an administrator of the GH Org to work correctly
+
 
 ## Building
 
@@ -24,6 +27,19 @@ You can use this plugin by passing it to the compliiance agent
 agent --plugin=[PATH_TO_YOUR_BINARY]
 ```
 
+## Plugin Configuration
+
+The plugin configuration must be created and managed by the agent, but expects the following configuration keys to be set, otherwise it will fail
+```yaml
+...
+plugins:
+    github:
+        config:
+            token: github_pat_1234....  # The configured Github PAT for the organization scopes
+            organization: test-org  # The name of the organization
+...
+```
+
 ## Releasing
 
 This plugin is released using goreleaser to build binaries, and Docker to build OCI artifacts (WIP), which will ensure a binary is built for most OS and Architecture combinations.
@@ -38,3 +54,10 @@ You can find the OCI implementations in the GitHub Packages page.
 concom agent --plugin=https://github.com/compliance-framework/plugin-template/releases/tag/0.0.1
 ```
 
+## Todo
+
+- [X] Pull Organization settings as an authenticated user 
+- [ ] Pull repository information for the listed Organization
+- [ ] Populate Security Plans and map them to the repositories to ensure that settings are enabled
+- [ ] Sensible defaults for the configuration
+- [ ] Better error handling for sending issues back to the agent

examples/data/organization.json

@@ -0,0 +1,58 @@
+{
+  "login": "compliance-framework",
+  "id": 141143892,
+  "node_id": "O_kgDOCGmvVA",
+  "avatar_url": "https://avatars.githubusercontent.com/u/141143892?v=4",
+  "html_url": "https://github.com/compliance-framework",
+  "name": "Compliance Framework",
+  "description": "",
+  "public_repos": 53,
+  "public_gists": 0,
+  "followers": 35,
+  "following": 0,
+  "created_at": "2023-08-01T11:59:15Z",
+  "updated_at": "2024-11-22T13:28:00Z",
+  "total_private_repos": 4,
+  "owned_private_repos": 4,
+  "private_gists": 0,
+  "disk_usage": 175119,
+  "collaborators": 2,
+  "billing_email": "ccf@example.com",
+  "type": "Organization",
+  "plan": {
+    "name": "free",
+    "space": 976562499,
+    "private_repos": 10000,
+    "filled_seats": 19,
+    "seats": 2
+  },
+  "two_factor_requirement_enabled": false,
+  "is_verified": false,
+  "has_organization_projects": true,
+  "has_repository_projects": true,
+  "default_repository_permission": "write",
+  "members_can_create_repositories": true,
+  "members_can_create_public_repositories": true,
+  "members_can_create_private_repositories": true,
+  "members_can_create_internal_repositories": false,
+  "members_can_fork_private_repositories": false,
+  "members_allowed_repository_creation_type": "all",
+  "members_can_create_pages": true,
+  "members_can_create_public_pages": true,
+  "members_can_create_private_pages": true,
+  "web_commit_signoff_required": false,
+  "advanced_security_enabled_for_new_repositories": false,
+  "dependabot_alerts_enabled_for_new_repositories": false,
+  "dependabot_security_updates_enabled_for_new_repositories": false,
+  "dependency_graph_enabled_for_new_repositories": false,
+  "secret_scanning_enabled_for_new_repositories": false,
+  "secret_scanning_push_protection_enabled_for_new_repositories": false,
+  "secret_scanning_validity_checks_enabled": false,
+  "url": "https://api.github.com/orgs/compliance-framework",
+  "events_url": "https://api.github.com/orgs/compliance-framework/events",
+  "hooks_url": "https://api.github.com/orgs/compliance-framework/hooks",
+  "issues_url": "https://api.github.com/orgs/compliance-framework/issues",
+  "members_url": "https://api.github.com/orgs/compliance-framework/members{/member}",
+  "public_members_url": "https://api.github.com/orgs/compliance-framework/public_members{/member}",
+  "repos_url": "https://api.github.com/orgs/compliance-framework/repos"
+}

examples/policies/gh_org_mfa_enabled.rego

@@ -0,0 +1,9 @@
+package compliance_framework.mfa_enabled
+
+violation[{
+    "title": "Two Factor Authentication is required at an organization level",
+    "description": "Two factor authentication should be enabled and enforced for all users within the Github Organization to make it harder for malicious actors to gain access to the organizations settings and repositories & settings",
+    "remarks": "More information from Github can be found here: https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization"
+}] if {
+    input.organization.two_factor_requirement_enabled == false
+}

go.mod

@@ -1,44 +1,74 @@
-module github.com/compliance-framework/plugin-template
+module github.com/compliance-framework/plugin-github-settings
 
 go 1.23.6
 
 toolchain go1.24.1
 
 require (
-	github.com/compliance-framework/agent v0.1.2
-	github.com/compliance-framework/configuration-service v0.1.1
+	github.com/compliance-framework/agent v0.1.7
+	github.com/compliance-framework/configuration-service v0.1.2-0.20250327060646-625c895cd99c
+	github.com/google/go-github/v71 v71.0.0
 	github.com/google/uuid v1.6.0
 	github.com/hashicorp/go-hclog v1.6.3
 	github.com/hashicorp/go-plugin v1.6.3
 	google.golang.org/protobuf v1.36.6
 )
 
 require (
-	github.com/OneOfOne/xxhash v1.2.8 // indirect
 	github.com/agnivade/levenshtein v1.2.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/compliance-framework/gooci v0.0.0-20250113172942-411c6f0468f0 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
+	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
+	github.com/docker/cli v27.1.1+incompatible // indirect
+	github.com/docker/distribution v2.8.2+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.7.0 // indirect
 	github.com/fatih/color v1.18.0 // indirect
+	github.com/fsnotify/fsnotify v1.8.0 // indirect
 	github.com/go-ini/ini v1.67.0 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/google/go-containerregistry v0.20.2 // indirect
+	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
+	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/hashicorp/yamux v0.1.2 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/klauspost/compress v1.17.11 // indirect
+	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/oklog/run v1.1.0 // indirect
 	github.com/open-policy-agent/opa v1.2.0 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.1.0 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.2 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
 	github.com/prometheus/client_golang v1.21.1 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.63.0 // indirect
 	github.com/prometheus/procfs v0.16.0 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
+	github.com/robfig/cron/v3 v3.0.0 // indirect
+	github.com/sagikazarmark/locafero v0.4.0 // indirect
+	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/sourcegraph/conc v0.3.0 // indirect
+	github.com/spf13/afero v1.11.0 // indirect
+	github.com/spf13/cast v1.6.0 // indirect
+	github.com/spf13/cobra v1.9.1 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/spf13/viper v1.19.0 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/tchap/go-patricia/v2 v2.3.2 // indirect
+	github.com/vbatts/tar-split v0.11.3 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/yashtewari/glob-intersection v0.2.0 // indirect
@@ -47,11 +77,16 @@ require (
 	go.opentelemetry.io/otel/metric v1.35.0 // indirect
 	go.opentelemetry.io/otel/sdk v1.35.0 // indirect
 	go.opentelemetry.io/otel/trace v1.35.0 // indirect
+	go.uber.org/multierr v1.10.0 // indirect
+	golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
 	golang.org/x/net v0.37.0 // indirect
+	golang.org/x/sync v0.12.0 // indirect
 	golang.org/x/sys v0.31.0 // indirect
 	golang.org/x/text v0.23.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250324211829-b45e905df463 // indirect
 	google.golang.org/grpc v1.71.0 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )