From 4484e16283fa3cb162d91e752893d4c4f145209c Mon Sep 17 00:00:00 2001
From: Philippe Moore
Date: Thu, 19 Dec 2024 11:40:04 -0500
Subject: [PATCH] Adding rule type for OSPS-QA-01 (#248)

---
 rule-types/github/repo_visibility.test.yaml | 47 +++
 .../repo_visibility.testdata/notfound.json | 5 +
 .../repo_visibility.testdata/private.json | 353 ++++++++++++++++++
 .../repo_visibility.testdata/public.json | 353 ++++++++++++++++++
 rule-types/github/repo_visibility.yaml | 77 ++++
 5 files changed, 835 insertions(+)
 create mode 100644 rule-types/github/repo_visibility.test.yaml
 create mode 100644 rule-types/github/repo_visibility.testdata/notfound.json
 create mode 100644 rule-types/github/repo_visibility.testdata/private.json
 create mode 100644 rule-types/github/repo_visibility.testdata/public.json
 create mode 100644 rule-types/github/repo_visibility.yaml

diff --git a/rule-types/github/repo_visibility.test.yaml b/rule-types/github/repo_visibility.test.yaml
new file mode 100644
index 0000000..cf32a8a
--- /dev/null
+++ b/rule-types/github/repo_visibility.test.yaml
@@ -0,0 +1,47 @@
+tests:
+ - name: "Should be public"
+ def:
+ visibility: "public"
+ params: {}
+ expect: "pass"
+ entity: &test-repo
+ type: repository
+ entity:
+ owner: "coolhead"
+ name: "haze-wave"
+ http:
+ body_file: public.json
+ - name: "Should be private"
+ def:
+ visibility: "private"
+ params: {}
+ expect: "pass"
+ entity: *test-repo
+ http:
+ body_file: private.json
+ - name: "Should be public"
+ def:
+ visibility: "public"
+ params: {}
+ expect: "fail"
+ entity: *test-repo
+ http:
+ body_file: private.json
+ - name: "Not found should fail"
+ def:
+ visibility: "public"
+ params: {}
+ expect: "fail"
+ entity: *test-repo
+ http:
+ status: 404
+ body_file: notfound.json
+ - name: "Internal server error should fail"
+ def: {}
+ params: {}
+ expect: "fail"
+ entity: *test-repo
+ http:
+ status: 500
+ body: |
+ { "message": "Internal server error" }
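Review bot: The third case reuses the name `"Should be public"` from the first case although it feeds private.json and expects `fail`, so a failing run would not say which of the two broke; rename it along the lines of `- name: "Public expected but repository is private should fail"`. The last case drops the `visibility` key (`def: {}`), so if the rule schema in repo_visibility.yaml (outside this chunk) marks `visibility` as required, the expected `fail` may come from definition validation rather than from the 500 response; giving it `visibility: "public"` like the other cases isolates the server-error path. The symmetric negative case, `visibility: "private"` against public.json expecting `fail`, is also missing, so nothing pins that a public repository is rejected when private is required.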
diff --git a/rule-types/github/repo_visibility.testdata/notfound.json b/rule-types/github/repo_visibility.testdata/notfound.json
new file mode 100644
index 0000000..d62b205
--- /dev/null
+++ b/rule-types/github/repo_visibility.testdata/notfound.json
@@ -0,0 +1,5 @@
+{
+ "message": "Not Found",
+ "documentation_url": "https://docs.github.com/rest/repos/repos#get-a-repository",
+ "status": "404"
+}
diff --git a/rule-types/github/repo_visibility.testdata/private.json b/rule-types/github/repo_visibility.testdata/private.json
new file mode 100644
index 0000000..e91eebd
--- /dev/null
+++ b/rule-types/github/repo_visibility.testdata/private.json
@@ -0,0 +1,353 @@ +{ + "id": 666.5, + "node_id": "R_kgDOJGa8UQ", + "name": "haze-wave", + "full_name": "coolhead/haze-wave", + "private": true, + "owner": { + "login": "coolhead", + "id": 777, + "node_id": "MDQ6VXNlcjE0NTU2NA==", + "gravatar_id": "", + "url": "https://api.github.com/users/coolhead", + "html_url": "https://github.com/coolhead", + "followers_url": "https://api.github.com/users/coolhead/followers", + "following_url": "https://api.github.com/users/coolhead/following{/other_user}", + "gists_url": "https://api.github.com/users/coolhead/gists{/gist_id}", + "starred_url": "https://api.github.com/users/coolhead/starred{/owner}{/repo}", + "subscriptions_url": "https://api.github.com/users/coolhead/subscriptions", + "organizations_url": "https://api.github.com/users/coolhead/orgs", + "repos_url": "https://api.github.com/users/coolhead/repos", + "events_url": "https://api.github.com/users/coolhead/events{/privacy}", + "received_events_url": "https://api.github.com/users/coolhead/received_events", + "type": "User", + "site_admin": false + }, + "html_url": "https://github.com/coolhead/haze-wave", + "description": "A daemon that will help you with your user audit needs for linux", + "fork": true, + "url": "https://api.github.com/repos/coolhead/haze-wave", + "forks_url": "https://api.github.com/repos/coolhead/haze-wave/forks", + "keys_url": "https://api.github.com/repos/coolhead/haze-wave/keys{/key_id}", + "collaborators_url": "https://api.github.com/repos/coolhead/haze-wave/collaborators{/collaborator}", + "teams_url": "https://api.github.com/repos/coolhead/haze-wave/teams", + "hooks_url": "https://api.github.com/repos/coolhead/haze-wave/hooks", + "issue_events_url": "https://api.github.com/repos/coolhead/haze-wave/issues/events{/number}", + "events_url": "https://api.github.com/repos/coolhead/haze-wave/events", + "assignees_url": "https://api.github.com/repos/coolhead/haze-wave/assignees{/user}", + "branches_url": 
"https://api.github.com/repos/coolhead/haze-wave/branches{/branch}", + "tags_url": "https://api.github.com/repos/coolhead/haze-wave/tags", + "blobs_url": "https://api.github.com/repos/coolhead/haze-wave/git/blobs{/sha}", + "git_tags_url": "https://api.github.com/repos/coolhead/haze-wave/git/tags{/sha}", + "git_refs_url": "https://api.github.com/repos/coolhead/haze-wave/git/refs{/sha}", + "trees_url": "https://api.github.com/repos/coolhead/haze-wave/git/trees{/sha}", + "statuses_url": "https://api.github.com/repos/coolhead/haze-wave/statuses/{sha}", + "languages_url": "https://api.github.com/repos/coolhead/haze-wave/languages", + "stargazers_url": "https://api.github.com/repos/coolhead/haze-wave/stargazers", + "contributors_url": "https://api.github.com/repos/coolhead/haze-wave/contributors", + "subscribers_url": "https://api.github.com/repos/coolhead/haze-wave/subscribers", + "subscription_url": "https://api.github.com/repos/coolhead/haze-wave/subscription", + "commits_url": "https://api.github.com/repos/coolhead/haze-wave/commits{/sha}", + "git_commits_url": "https://api.github.com/repos/coolhead/haze-wave/git/commits{/sha}", + "comments_url": "https://api.github.com/repos/coolhead/haze-wave/comments{/number}", + "issue_comment_url": "https://api.github.com/repos/coolhead/haze-wave/issues/comments{/number}", + "contents_url": "https://api.github.com/repos/coolhead/haze-wave/contents/{+path}", + "compare_url": "https://api.github.com/repos/coolhead/haze-wave/compare/{base}...{head}", + "merges_url": "https://api.github.com/repos/coolhead/haze-wave/merges", + "archive_url": "https://api.github.com/repos/coolhead/haze-wave/{archive_format}{/ref}", + "downloads_url": "https://api.github.com/repos/coolhead/haze-wave/downloads", + "issues_url": "https://api.github.com/repos/coolhead/haze-wave/issues{/number}", + "pulls_url": "https://api.github.com/repos/coolhead/haze-wave/pulls{/number}", + "milestones_url": 
"https://api.github.com/repos/coolhead/haze-wave/milestones{/number}", + "notifications_url": "https://api.github.com/repos/coolhead/haze-wave/notifications{?since,all,participating}", + "labels_url": "https://api.github.com/repos/coolhead/haze-wave/labels{/name}", + "releases_url": "https://api.github.com/repos/coolhead/haze-wave/releases{/id}", + "deployments_url": "https://api.github.com/repos/coolhead/haze-wave/deployments", + "created_at": "2023-03-07T10:29:53Z", + "updated_at": "2024-06-17T08:00:06Z", + "pushed_at": "2024-08-05T15:40:18Z", + "git_url": "git://github.com/coolhead/haze-wave.git", + "ssh_url": "git@github.com:coolhead/haze-wave.git", + "clone_url": "https://github.com/coolhead/haze-wave.git", + "svn_url": "https://github.com/coolhead/haze-wave", + "homepage": null, + "size": 504, + "stargazers_count": 0, + "watchers_count": 0, + "language": "Go", + "has_issues": false, + "has_projects": true, + "has_downloads": true, + "has_wiki": false, + "has_pages": false, + "has_discussions": false, + "forks_count": 0, + "mirror_url": null, + "archived": false, + "disabled": false, + "open_issues_count": 6, + "license": { + "key": "apache-2.0", + "name": "Apache License 2.0", + "spdx_id": "Apache-2.0", + "url": "https://api.github.com/licenses/apache-2.0", + "node_id": "MDc6TGljZW5zZTI=" + }, + "allow_forking": true, + "is_template": false, + "web_commit_signoff_required": false, + "topics": [], + "visibility": "private", + "forks": 0, + "open_issues": 6, + "watchers": 0, + "default_branch": "main", + "permissions": { + "admin": true, + "maintain": true, + "push": true, + "triage": true, + "pull": true + }, + "temp_clone_token": "", + "allow_squash_merge": true, + "allow_merge_commit": true, + "allow_rebase_merge": true, + "allow_auto_merge": false, + "delete_branch_on_merge": false, + "allow_update_branch": false, + "use_squash_pr_title_as_default": false, + "squash_merge_commit_message": "COMMIT_MESSAGES", + "squash_merge_commit_title": 
"COMMIT_OR_PR_TITLE", + "merge_commit_message": "PR_TITLE", + "merge_commit_title": "MERGE_MESSAGE", + "parent": { + "id": 666.7, + "node_id": "R_kgDOJE5eUA", + "name": "haze-wave", + "full_name": "JAORMX/haze-wave", + "private": false, + "owner": { + "login": "JAORMX", + "id": 666.2, + "node_id": "MDEyOk9yZ2FuaXphdGlvbjg4MTM1NjAw", + "gravatar_id": "", + "url": "https://api.github.com/users/JAORMX", + "html_url": "https://github.com/JAORMX", + "followers_url": "https://api.github.com/users/JAORMX/followers", + "following_url": "https://api.github.com/users/JAORMX/following{/other_user}", + "gists_url": "https://api.github.com/users/JAORMX/gists{/gist_id}", + "starred_url": "https://api.github.com/users/JAORMX/starred{/owner}{/repo}", + "subscriptions_url": "https://api.github.com/users/JAORMX/subscriptions", + "organizations_url": "https://api.github.com/users/JAORMX/orgs", + "repos_url": "https://api.github.com/users/JAORMX/repos", + "events_url": "https://api.github.com/users/JAORMX/events{/privacy}", + "received_events_url": "https://api.github.com/users/JAORMX/received_events", + "type": "Organization", + "site_admin": false + }, + "html_url": "https://github.com/JAORMX/haze-wave", + "description": "haze-wave is a daemon that monitors OpenSSH server logins and produces structured audit events describing what authenticated users did while logged in.", + "fork": false, + "url": "https://api.github.com/repos/JAORMX/haze-wave", + "forks_url": "https://api.github.com/repos/JAORMX/haze-wave/forks", + "keys_url": "https://api.github.com/repos/JAORMX/haze-wave/keys{/key_id}", + "collaborators_url": "https://api.github.com/repos/JAORMX/haze-wave/collaborators{/collaborator}", + "teams_url": "https://api.github.com/repos/JAORMX/haze-wave/teams", + "hooks_url": "https://api.github.com/repos/JAORMX/haze-wave/hooks", + "issue_events_url": "https://api.github.com/repos/JAORMX/haze-wave/issues/events{/number}", + "events_url": 
"https://api.github.com/repos/JAORMX/haze-wave/events", + "assignees_url": "https://api.github.com/repos/JAORMX/haze-wave/assignees{/user}", + "branches_url": "https://api.github.com/repos/JAORMX/haze-wave/branches{/branch}", + "tags_url": "https://api.github.com/repos/JAORMX/haze-wave/tags", + "blobs_url": "https://api.github.com/repos/JAORMX/haze-wave/git/blobs{/sha}", + "git_tags_url": "https://api.github.com/repos/JAORMX/haze-wave/git/tags{/sha}", + "git_refs_url": "https://api.github.com/repos/JAORMX/haze-wave/git/refs{/sha}", + "trees_url": "https://api.github.com/repos/JAORMX/haze-wave/git/trees{/sha}", + "statuses_url": "https://api.github.com/repos/JAORMX/haze-wave/statuses/{sha}", + "languages_url": "https://api.github.com/repos/JAORMX/haze-wave/languages", + "stargazers_url": "https://api.github.com/repos/JAORMX/haze-wave/stargazers", + "contributors_url": "https://api.github.com/repos/JAORMX/haze-wave/contributors", + "subscribers_url": "https://api.github.com/repos/JAORMX/haze-wave/subscribers", + "subscription_url": "https://api.github.com/repos/JAORMX/haze-wave/subscription", + "commits_url": "https://api.github.com/repos/JAORMX/haze-wave/commits{/sha}", + "git_commits_url": "https://api.github.com/repos/JAORMX/haze-wave/git/commits{/sha}", + "comments_url": "https://api.github.com/repos/JAORMX/haze-wave/comments{/number}", + "issue_comment_url": "https://api.github.com/repos/JAORMX/haze-wave/issues/comments{/number}", + "contents_url": "https://api.github.com/repos/JAORMX/haze-wave/contents/{+path}", + "compare_url": "https://api.github.com/repos/JAORMX/haze-wave/compare/{base}...{head}", + "merges_url": "https://api.github.com/repos/JAORMX/haze-wave/merges", + "archive_url": "https://api.github.com/repos/JAORMX/haze-wave/{archive_format}{/ref}", + "downloads_url": "https://api.github.com/repos/JAORMX/haze-wave/downloads", + "issues_url": "https://api.github.com/repos/JAORMX/haze-wave/issues{/number}", + "pulls_url": 
"https://api.github.com/repos/JAORMX/haze-wave/pulls{/number}", + "milestones_url": "https://api.github.com/repos/JAORMX/haze-wave/milestones{/number}", + "notifications_url": "https://api.github.com/repos/JAORMX/haze-wave/notifications{?since,all,participating}", + "labels_url": "https://api.github.com/repos/JAORMX/haze-wave/labels{/name}", + "releases_url": "https://api.github.com/repos/JAORMX/haze-wave/releases{/id}", + "deployments_url": "https://api.github.com/repos/JAORMX/haze-wave/deployments", + "created_at": "2023-03-03T12:08:37Z", + "updated_at": "2023-12-08T22:51:08Z", + "pushed_at": "2024-10-15T11:46:11Z", + "git_url": "git://github.com/JAORMX/haze-wave.git", + "ssh_url": "git@github.com:JAORMX/haze-wave.git", + "clone_url": "https://github.com/JAORMX/haze-wave.git", + "svn_url": "https://github.com/JAORMX/haze-wave", + "homepage": "", + "size": 609, + "stargazers_count": 2, + "watchers_count": 2, + "language": "Go", + "has_issues": true, + "has_projects": true, + "has_downloads": true, + "has_wiki": false, + "has_pages": false, + "has_discussions": false, + "forks_count": 5, + "mirror_url": null, + "archived": false, + "disabled": false, + "open_issues_count": 12, + "license": { + "key": "apache-2.0", + "name": "Apache License 2.0", + "spdx_id": "Apache-2.0", + "url": "https://api.github.com/licenses/apache-2.0", + "node_id": "MDc6TGljZW5zZTI=" + }, + "allow_forking": true, + "is_template": false, + "web_commit_signoff_required": false, + "topics": [], + "visibility": "public", + "forks": 5, + "open_issues": 12, + "watchers": 2, + "default_branch": "main" + }, + "source": { + "id": 666.7, + "node_id": "R_kgDOJE5eUA", + "name": "haze-wave", + "full_name": "JAORMX/haze-wave", + "private": false, + "owner": { + "login": "JAORMX", + "id": 777, + "node_id": "MDEyOk9yZ2FuaXphdGlvbjg4MTM1NjAw", + "gravatar_id": "", + "url": "https://api.github.com/users/JAORMX", + "html_url": "https://github.com/JAORMX", + "followers_url": 
"https://api.github.com/users/JAORMX/followers", + "following_url": "https://api.github.com/users/JAORMX/following{/other_user}", + "gists_url": "https://api.github.com/users/JAORMX/gists{/gist_id}", + "starred_url": "https://api.github.com/users/JAORMX/starred{/owner}{/repo}", + "subscriptions_url": "https://api.github.com/users/JAORMX/subscriptions", + "organizations_url": "https://api.github.com/users/JAORMX/orgs", + "repos_url": "https://api.github.com/users/JAORMX/repos", + "events_url": "https://api.github.com/users/JAORMX/events{/privacy}", + "received_events_url": "https://api.github.com/users/JAORMX/received_events", + "type": "Organization", + "site_admin": false + }, + "html_url": "https://github.com/JAORMX/haze-wave", + "description": "haze-wave is a daemon that monitors OpenSSH server logins and produces structured audit events describing what authenticated users did while logged in.", + "fork": false, + "url": "https://api.github.com/repos/JAORMX/haze-wave", + "forks_url": "https://api.github.com/repos/JAORMX/haze-wave/forks", + "keys_url": "https://api.github.com/repos/JAORMX/haze-wave/keys{/key_id}", + "collaborators_url": "https://api.github.com/repos/JAORMX/haze-wave/collaborators{/collaborator}", + "teams_url": "https://api.github.com/repos/JAORMX/haze-wave/teams", + "hooks_url": "https://api.github.com/repos/JAORMX/haze-wave/hooks", + "issue_events_url": "https://api.github.com/repos/JAORMX/haze-wave/issues/events{/number}", + "events_url": "https://api.github.com/repos/JAORMX/haze-wave/events", + "assignees_url": "https://api.github.com/repos/JAORMX/haze-wave/assignees{/user}", + "branches_url": "https://api.github.com/repos/JAORMX/haze-wave/branches{/branch}", + "tags_url": "https://api.github.com/repos/JAORMX/haze-wave/tags", + "blobs_url": "https://api.github.com/repos/JAORMX/haze-wave/git/blobs{/sha}", + "git_tags_url": "https://api.github.com/repos/JAORMX/haze-wave/git/tags{/sha}", + "git_refs_url": 
"https://api.github.com/repos/JAORMX/haze-wave/git/refs{/sha}", + "trees_url": "https://api.github.com/repos/JAORMX/haze-wave/git/trees{/sha}", + "statuses_url": "https://api.github.com/repos/JAORMX/haze-wave/statuses/{sha}", + "languages_url": "https://api.github.com/repos/JAORMX/haze-wave/languages", + "stargazers_url": "https://api.github.com/repos/JAORMX/haze-wave/stargazers", + "contributors_url": "https://api.github.com/repos/JAORMX/haze-wave/contributors", + "subscribers_url": "https://api.github.com/repos/JAORMX/haze-wave/subscribers", + "subscription_url": "https://api.github.com/repos/JAORMX/haze-wave/subscription", + "commits_url": "https://api.github.com/repos/JAORMX/haze-wave/commits{/sha}", + "git_commits_url": "https://api.github.com/repos/JAORMX/haze-wave/git/commits{/sha}", + "comments_url": "https://api.github.com/repos/JAORMX/haze-wave/comments{/number}", + "issue_comment_url": "https://api.github.com/repos/JAORMX/haze-wave/issues/comments{/number}", + "contents_url": "https://api.github.com/repos/JAORMX/haze-wave/contents/{+path}", + "compare_url": "https://api.github.com/repos/JAORMX/haze-wave/compare/{base}...{head}", + "merges_url": "https://api.github.com/repos/JAORMX/haze-wave/merges", + "archive_url": "https://api.github.com/repos/JAORMX/haze-wave/{archive_format}{/ref}", + "downloads_url": "https://api.github.com/repos/JAORMX/haze-wave/downloads", + "issues_url": "https://api.github.com/repos/JAORMX/haze-wave/issues{/number}", + "pulls_url": "https://api.github.com/repos/JAORMX/haze-wave/pulls{/number}", + "milestones_url": "https://api.github.com/repos/JAORMX/haze-wave/milestones{/number}", + "notifications_url": "https://api.github.com/repos/JAORMX/haze-wave/notifications{?since,all,participating}", + "labels_url": "https://api.github.com/repos/JAORMX/haze-wave/labels{/name}", + "releases_url": "https://api.github.com/repos/JAORMX/haze-wave/releases{/id}", + "deployments_url": "https://api.github.com/repos/JAORMX/haze-wave/deployments", 
+ "created_at": "2023-03-03T12:08:37Z", + "updated_at": "2023-12-08T22:51:08Z", + "pushed_at": "2024-10-15T11:46:11Z", + "git_url": "git://github.com/JAORMX/haze-wave.git", + "ssh_url": "git@github.com:JAORMX/haze-wave.git", + "clone_url": "https://github.com/JAORMX/haze-wave.git", + "svn_url": "https://github.com/JAORMX/haze-wave", + "homepage": "", + "size": 609, + "stargazers_count": 2, + "watchers_count": 2, + "language": "Go", + "has_issues": true, + "has_projects": true, + "has_downloads": true, + "has_wiki": false, + "has_pages": false, + "has_discussions": false, + "forks_count": 5, + "mirror_url": null, + "archived": false, + "disabled": false, + "open_issues_count": 12, + "license": { + "key": "apache-2.0", + "name": "Apache License 2.0", + "spdx_id": "Apache-2.0", + "url": "https://api.github.com/licenses/apache-2.0", + "node_id": "MDc6TGljZW5zZTI=" + }, + "allow_forking": true, + "is_template": false, + "web_commit_signoff_required": false, + "topics": [], + "visibility": "public", + "forks": 5, + "open_issues": 12, + "watchers": 2, + "default_branch": "main" + }, + "security_and_analysis": { + "secret_scanning": { + "status": "enabled" + }, + "secret_scanning_push_protection": { + "status": "enabled" + }, + "dependabot_security_updates": { + "status": "disabled" + }, + "secret_scanning_non_provider_patterns": { + "status": "disabled" + }, + "secret_scanning_validity_checks": { + "status": "disabled" + } + }, + "network_count": 5, + "subscribers_count": 1 +} diff --git a/rule-types/github/repo_visibility.testdata/public.json b/rule-types/github/repo_visibility.testdata/public.json new file mode 100644 index 0000000..d813334 --- /dev/null +++ b/rule-types/github/repo_visibility.testdata/public.json 
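Review bot: Several numeric ids in this fixture are non-integers (`"id": 666.5` at the top of the object, `666.7` and `666.2` inside the parent and source objects), which the GitHub REST API never returns for ids; if the evaluator is ever changed to decode the response into a typed struct with integer ids, the fixture would fail to parse for a reason unrelated to visibility. Presumably the values were sanitized by hand, and plain integers (e.g. `666`, `667`) would keep the fixture faithful to real responses. The same applies to public.json, whose hunk continues past this chunk.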
@@ -0,0 +1,353 @@ +{ + "id": 666.5, + "node_id": "R_kgDOJGa8UQ", + "name": "haze-wave", + "full_name": "coolhead/haze-wave", + "private": false, + "owner": { + "login": "coolhead", + "id": 145564, + "node_id": "MDQ6VXNlcjE0NTU2NA==", + "gravatar_id": "", + "url": "https://api.github.com/users/coolhead", + "html_url": "https://github.com/coolhead", + "followers_url": "https://api.github.com/users/coolhead/followers", + "following_url": "https://api.github.com/users/coolhead/following{/other_user}", + "gists_url": "https://api.github.com/users/coolhead/gists{/gist_id}", + "starred_url": "https://api.github.com/users/coolhead/starred{/owner}{/repo}", + "subscriptions_url": "https://api.github.com/users/coolhead/subscriptions", + "organizations_url": "https://api.github.com/users/coolhead/orgs", + "repos_url": "https://api.github.com/users/coolhead/repos", + "events_url": "https://api.github.com/users/coolhead/events{/privacy}", + "received_events_url": "https://api.github.com/users/coolhead/received_events", + "type": "User", + "site_admin": false + }, + "html_url": "https://github.com/coolhead/haze-wave", + "description": "A daemon that will help you with your user audit needs for linux", + "fork": true, + "url": "https://api.github.com/repos/coolhead/haze-wave", + "forks_url": "https://api.github.com/repos/coolhead/haze-wave/forks", + "keys_url": "https://api.github.com/repos/coolhead/haze-wave/keys{/key_id}", + "collaborators_url": "https://api.github.com/repos/coolhead/haze-wave/collaborators{/collaborator}", + "teams_url": "https://api.github.com/repos/coolhead/haze-wave/teams", + "hooks_url": "https://api.github.com/repos/coolhead/haze-wave/hooks", + "issue_events_url": "https://api.github.com/repos/coolhead/haze-wave/issues/events{/number}", + "events_url": "https://api.github.com/repos/coolhead/haze-wave/events", + "assignees_url": "https://api.github.com/repos/coolhead/haze-wave/assignees{/user}", + "branches_url": 
"https://api.github.com/repos/coolhead/haze-wave/branches{/branch}", + "tags_url": "https://api.github.com/repos/coolhead/haze-wave/tags", + "blobs_url": "https://api.github.com/repos/coolhead/haze-wave/git/blobs{/sha}", + "git_tags_url": "https://api.github.com/repos/coolhead/haze-wave/git/tags{/sha}", + "git_refs_url": "https://api.github.com/repos/coolhead/haze-wave/git/refs{/sha}", + "trees_url": "https://api.github.com/repos/coolhead/haze-wave/git/trees{/sha}", + "statuses_url": "https://api.github.com/repos/coolhead/haze-wave/statuses/{sha}", + "languages_url": "https://api.github.com/repos/coolhead/haze-wave/languages", + "stargazers_url": "https://api.github.com/repos/coolhead/haze-wave/stargazers", + "contributors_url": "https://api.github.com/repos/coolhead/haze-wave/contributors", + "subscribers_url": "https://api.github.com/repos/coolhead/haze-wave/subscribers", + "subscription_url": "https://api.github.com/repos/coolhead/haze-wave/subscription", + "commits_url": "https://api.github.com/repos/coolhead/haze-wave/commits{/sha}", + "git_commits_url": "https://api.github.com/repos/coolhead/haze-wave/git/commits{/sha}", + "comments_url": "https://api.github.com/repos/coolhead/haze-wave/comments{/number}", + "issue_comment_url": "https://api.github.com/repos/coolhead/haze-wave/issues/comments{/number}", + "contents_url": "https://api.github.com/repos/coolhead/haze-wave/contents/{+path}", + "compare_url": "https://api.github.com/repos/coolhead/haze-wave/compare/{base}...{head}", + "merges_url": "https://api.github.com/repos/coolhead/haze-wave/merges", + "archive_url": "https://api.github.com/repos/coolhead/haze-wave/{archive_format}{/ref}", + "downloads_url": "https://api.github.com/repos/coolhead/haze-wave/downloads", + "issues_url": "https://api.github.com/repos/coolhead/haze-wave/issues{/number}", + "pulls_url": "https://api.github.com/repos/coolhead/haze-wave/pulls{/number}", + "milestones_url": 
"https://api.github.com/repos/coolhead/haze-wave/milestones{/number}", + "notifications_url": "https://api.github.com/repos/coolhead/haze-wave/notifications{?since,all,participating}", + "labels_url": "https://api.github.com/repos/coolhead/haze-wave/labels{/name}", + "releases_url": "https://api.github.com/repos/coolhead/haze-wave/releases{/id}", + "deployments_url": "https://api.github.com/repos/coolhead/haze-wave/deployments", + "created_at": "2023-03-07T10:29:53Z", + "updated_at": "2024-06-17T08:00:06Z", + "pushed_at": "2024-08-05T15:40:18Z", + "git_url": "git://github.com/coolhead/haze-wave.git", + "ssh_url": "git@github.com:coolhead/haze-wave.git", + "clone_url": "https://github.com/coolhead/haze-wave.git", + "svn_url": "https://github.com/coolhead/haze-wave", + "homepage": null, + "size": 504, + "stargazers_count": 0, + "watchers_count": 0, + "language": "Go", + "has_issues": false, + "has_projects": true, + "has_downloads": true, + "has_wiki": false, + "has_pages": false, + "has_discussions": false, + "forks_count": 0, + "mirror_url": null, + "archived": false, + "disabled": false, + "open_issues_count": 6, + "license": { + "key": "apache-2.0", + "name": "Apache License 2.0", + "spdx_id": "Apache-2.0", + "url": "https://api.github.com/licenses/apache-2.0", + "node_id": "MDc6TGljZW5zZTI=" + }, + "allow_forking": true, + "is_template": false, + "web_commit_signoff_required": false, + "topics": [], + "visibility": "public", + "forks": 0, + "open_issues": 6, + "watchers": 0, + "default_branch": "main", + "permissions": { + "admin": true, + "maintain": true, + "push": true, + "triage": true, + "pull": true + }, + "temp_clone_token": "", + "allow_squash_merge": true, + "allow_merge_commit": true, + "allow_rebase_merge": true, + "allow_auto_merge": false, + "delete_branch_on_merge": false, + "allow_update_branch": false, + "use_squash_pr_title_as_default": false, + "squash_merge_commit_message": "COMMIT_MESSAGES", + "squash_merge_commit_title": 
"COMMIT_OR_PR_TITLE", + "merge_commit_message": "PR_TITLE", + "merge_commit_title": "MERGE_MESSAGE", + "parent": { + "id": 777, + "node_id": "R_kgDOJE5eUA", + "name": "haze-wave", + "full_name": "JAORMX/haze-wave", + "private": false, + "owner": { + "login": "JAORMX", + "id": 777, + "node_id": "MDEyOk9yZ2FuaXphdGlvbjg4MTM1NjAw", + "gravatar_id": "", + "url": "https://api.github.com/users/JAORMX", + "html_url": "https://github.com/JAORMX", + "followers_url": "https://api.github.com/users/JAORMX/followers", + "following_url": "https://api.github.com/users/JAORMX/following{/other_user}", + "gists_url": "https://api.github.com/users/JAORMX/gists{/gist_id}", + "starred_url": "https://api.github.com/users/JAORMX/starred{/owner}{/repo}", + "subscriptions_url": "https://api.github.com/users/JAORMX/subscriptions", + "organizations_url": "https://api.github.com/users/JAORMX/orgs", + "repos_url": "https://api.github.com/users/JAORMX/repos", + "events_url": "https://api.github.com/users/JAORMX/events{/privacy}", + "received_events_url": "https://api.github.com/users/JAORMX/received_events", + "type": "Organization", + "site_admin": false + }, + "html_url": "https://github.com/JAORMX/haze-wave", + "description": "haze-wave is a daemon that monitors OpenSSH server logins and produces structured audit events describing what authenticated users did while logged in.", + "fork": false, + "url": "https://api.github.com/repos/JAORMX/haze-wave", + "forks_url": "https://api.github.com/repos/JAORMX/haze-wave/forks", + "keys_url": "https://api.github.com/repos/JAORMX/haze-wave/keys{/key_id}", + "collaborators_url": "https://api.github.com/repos/JAORMX/haze-wave/collaborators{/collaborator}", + "teams_url": "https://api.github.com/repos/JAORMX/haze-wave/teams", + "hooks_url": "https://api.github.com/repos/JAORMX/haze-wave/hooks", + "issue_events_url": "https://api.github.com/repos/JAORMX/haze-wave/issues/events{/number}", + "events_url": 
"https://api.github.com/repos/JAORMX/haze-wave/events", + "assignees_url": "https://api.github.com/repos/JAORMX/haze-wave/assignees{/user}", + "branches_url": "https://api.github.com/repos/JAORMX/haze-wave/branches{/branch}", + "tags_url": "https://api.github.com/repos/JAORMX/haze-wave/tags", + "blobs_url": "https://api.github.com/repos/JAORMX/haze-wave/git/blobs{/sha}", + "git_tags_url": "https://api.github.com/repos/JAORMX/haze-wave/git/tags{/sha}", + "git_refs_url": "https://api.github.com/repos/JAORMX/haze-wave/git/refs{/sha}", + "trees_url": "https://api.github.com/repos/JAORMX/haze-wave/git/trees{/sha}", + "statuses_url": "https://api.github.com/repos/JAORMX/haze-wave/statuses/{sha}", + "languages_url": "https://api.github.com/repos/JAORMX/haze-wave/languages", + "stargazers_url": "https://api.github.com/repos/JAORMX/haze-wave/stargazers", + "contributors_url": "https://api.github.com/repos/JAORMX/haze-wave/contributors", + "subscribers_url": "https://api.github.com/repos/JAORMX/haze-wave/subscribers", + "subscription_url": "https://api.github.com/repos/JAORMX/haze-wave/subscription", + "commits_url": "https://api.github.com/repos/JAORMX/haze-wave/commits{/sha}", + "git_commits_url": "https://api.github.com/repos/JAORMX/haze-wave/git/commits{/sha}", + "comments_url": "https://api.github.com/repos/JAORMX/haze-wave/comments{/number}", + "issue_comment_url": "https://api.github.com/repos/JAORMX/haze-wave/issues/comments{/number}", + "contents_url": "https://api.github.com/repos/JAORMX/haze-wave/contents/{+path}", + "compare_url": "https://api.github.com/repos/JAORMX/haze-wave/compare/{base}...{head}", + "merges_url": "https://api.github.com/repos/JAORMX/haze-wave/merges", + "archive_url": "https://api.github.com/repos/JAORMX/haze-wave/{archive_format}{/ref}", + "downloads_url": "https://api.github.com/repos/JAORMX/haze-wave/downloads", + "issues_url": "https://api.github.com/repos/JAORMX/haze-wave/issues{/number}", + "pulls_url": 
"https://api.github.com/repos/JAORMX/haze-wave/pulls{/number}", + "milestones_url": "https://api.github.com/repos/JAORMX/haze-wave/milestones{/number}", + "notifications_url": "https://api.github.com/repos/JAORMX/haze-wave/notifications{?since,all,participating}", + "labels_url": "https://api.github.com/repos/JAORMX/haze-wave/labels{/name}", + "releases_url": "https://api.github.com/repos/JAORMX/haze-wave/releases{/id}", + "deployments_url": "https://api.github.com/repos/JAORMX/haze-wave/deployments", + "created_at": "2023-03-03T12:08:37Z", + "updated_at": "2023-12-08T22:51:08Z", + "pushed_at": "2024-10-15T11:46:11Z", + "git_url": "git://github.com/JAORMX/haze-wave.git", + "ssh_url": "git@github.com:JAORMX/haze-wave.git", + "clone_url": "https://github.com/JAORMX/haze-wave.git", + "svn_url": "https://github.com/JAORMX/haze-wave", + "homepage": "", + "size": 609, + "stargazers_count": 2, + "watchers_count": 2, + "language": "Go", + "has_issues": true, + "has_projects": true, + "has_downloads": true, + "has_wiki": false, + "has_pages": false, + "has_discussions": false, + "forks_count": 5, + "mirror_url": null, + "archived": false, + "disabled": false, + "open_issues_count": 12, + "license": { + "key": "apache-2.0", + "name": "Apache License 2.0", + "spdx_id": "Apache-2.0", + "url": "https://api.github.com/licenses/apache-2.0", + "node_id": "MDc6TGljZW5zZTI=" + }, + "allow_forking": true, + "is_template": false, + "web_commit_signoff_required": false, + "topics": [], + "visibility": "public", + "forks": 5, + "open_issues": 12, + "watchers": 2, + "default_branch": "main" + }, + "source": { + "id": 666.7, + "node_id": "R_kgDOJE5eUA", + "name": "haze-wave", + "full_name": "JAORMX/haze-wave", + "private": false, + "owner": { + "login": "JAORMX", + "id": 666.25, + "node_id": "MDEyOk9yZ2FuaXphdGlvbjg4MTM1NjAw", + "gravatar_id": "", + "url": "https://api.github.com/users/JAORMX", + "html_url": "https://github.com/JAORMX", + "followers_url": 
"https://api.github.com/users/JAORMX/followers", + "following_url": "https://api.github.com/users/JAORMX/following{/other_user}", + "gists_url": "https://api.github.com/users/JAORMX/gists{/gist_id}", + "starred_url": "https://api.github.com/users/JAORMX/starred{/owner}{/repo}", + "subscriptions_url": "https://api.github.com/users/JAORMX/subscriptions", + "organizations_url": "https://api.github.com/users/JAORMX/orgs", + "repos_url": "https://api.github.com/users/JAORMX/repos", + "events_url": "https://api.github.com/users/JAORMX/events{/privacy}", + "received_events_url": "https://api.github.com/users/JAORMX/received_events", + "type": "Organization", + "site_admin": false + }, + "html_url": "https://github.com/JAORMX/haze-wave", + "description": "haze-wave is a daemon that monitors OpenSSH server logins and produces structured audit events describing what authenticated users did while logged in.", + "fork": false, + "url": "https://api.github.com/repos/JAORMX/haze-wave", + "forks_url": "https://api.github.com/repos/JAORMX/haze-wave/forks", + "keys_url": "https://api.github.com/repos/JAORMX/haze-wave/keys{/key_id}", + "collaborators_url": "https://api.github.com/repos/JAORMX/haze-wave/collaborators{/collaborator}", + "teams_url": "https://api.github.com/repos/JAORMX/haze-wave/teams", + "hooks_url": "https://api.github.com/repos/JAORMX/haze-wave/hooks", + "issue_events_url": "https://api.github.com/repos/JAORMX/haze-wave/issues/events{/number}", + "events_url": "https://api.github.com/repos/JAORMX/haze-wave/events", + "assignees_url": "https://api.github.com/repos/JAORMX/haze-wave/assignees{/user}", + "branches_url": "https://api.github.com/repos/JAORMX/haze-wave/branches{/branch}", + "tags_url": "https://api.github.com/repos/JAORMX/haze-wave/tags", + "blobs_url": "https://api.github.com/repos/JAORMX/haze-wave/git/blobs{/sha}", + "git_tags_url": "https://api.github.com/repos/JAORMX/haze-wave/git/tags{/sha}", + "git_refs_url": 
"https://api.github.com/repos/JAORMX/haze-wave/git/refs{/sha}", + "trees_url": "https://api.github.com/repos/JAORMX/haze-wave/git/trees{/sha}", + "statuses_url": "https://api.github.com/repos/JAORMX/haze-wave/statuses/{sha}", + "languages_url": "https://api.github.com/repos/JAORMX/haze-wave/languages", + "stargazers_url": "https://api.github.com/repos/JAORMX/haze-wave/stargazers", + "contributors_url": "https://api.github.com/repos/JAORMX/haze-wave/contributors", + "subscribers_url": "https://api.github.com/repos/JAORMX/haze-wave/subscribers", + "subscription_url": "https://api.github.com/repos/JAORMX/haze-wave/subscription", + "commits_url": "https://api.github.com/repos/JAORMX/haze-wave/commits{/sha}", + "git_commits_url": "https://api.github.com/repos/JAORMX/haze-wave/git/commits{/sha}", + "comments_url": "https://api.github.com/repos/JAORMX/haze-wave/comments{/number}", + "issue_comment_url": "https://api.github.com/repos/JAORMX/haze-wave/issues/comments{/number}", + "contents_url": "https://api.github.com/repos/JAORMX/haze-wave/contents/{+path}", + "compare_url": "https://api.github.com/repos/JAORMX/haze-wave/compare/{base}...{head}", + "merges_url": "https://api.github.com/repos/JAORMX/haze-wave/merges", + "archive_url": "https://api.github.com/repos/JAORMX/haze-wave/{archive_format}{/ref}", + "downloads_url": "https://api.github.com/repos/JAORMX/haze-wave/downloads", + "issues_url": "https://api.github.com/repos/JAORMX/haze-wave/issues{/number}", + "pulls_url": "https://api.github.com/repos/JAORMX/haze-wave/pulls{/number}", + "milestones_url": "https://api.github.com/repos/JAORMX/haze-wave/milestones{/number}", + "notifications_url": "https://api.github.com/repos/JAORMX/haze-wave/notifications{?since,all,participating}", + "labels_url": "https://api.github.com/repos/JAORMX/haze-wave/labels{/name}", + "releases_url": "https://api.github.com/repos/JAORMX/haze-wave/releases{/id}", + "deployments_url": "https://api.github.com/repos/JAORMX/haze-wave/deployments", 
+ "created_at": "2023-03-03T12:08:37Z", + "updated_at": "2023-12-08T22:51:08Z", + "pushed_at": "2024-10-15T11:46:11Z", + "git_url": "git://github.com/JAORMX/haze-wave.git", + "ssh_url": "git@github.com:JAORMX/haze-wave.git", + "clone_url": "https://github.com/JAORMX/haze-wave.git", + "svn_url": "https://github.com/JAORMX/haze-wave", + "homepage": "", + "size": 609, + "stargazers_count": 2, + "watchers_count": 2, + "language": "Go", + "has_issues": true, + "has_projects": true, + "has_downloads": true, + "has_wiki": false, + "has_pages": false, + "has_discussions": false, + "forks_count": 5, + "mirror_url": null, + "archived": false, + "disabled": false, + "open_issues_count": 12, + "license": { + "key": "apache-2.0", + "name": "Apache License 2.0", + "spdx_id": "Apache-2.0", + "url": "https://api.github.com/licenses/apache-2.0", + "node_id": "MDc6TGljZW5zZTI=" + }, + "allow_forking": true, + "is_template": false, + "web_commit_signoff_required": false, + "topics": [], + "visibility": "public", + "forks": 5, + "open_issues": 12, + "watchers": 2, + "default_branch": "main" + }, + "security_and_analysis": { + "secret_scanning": { + "status": "disabled" + }, + "secret_scanning_push_protection": { + "status": "disabled" + }, + "dependabot_security_updates": { + "status": "disabled" + }, + "secret_scanning_non_provider_patterns": { + "status": "disabled" + }, + "secret_scanning_validity_checks": { + "status": "disabled" + } + }, + "network_count": 5, + "subscribers_count": 1 +} diff --git a/rule-types/github/repo_visibility.yaml b/rule-types/github/repo_visibility.yaml new file mode 100644 index 0000000..855e5d7 --- /dev/null +++ b/rule-types/github/repo_visibility.yaml 
@@ -0,0 +1,77 @@ +--- +version: v1 +release_phase: alpha +type: rule-type +name: repo_visibility +display_name: Ensure Repository Has Correct Visibility Setting +short_failure_message: Repository visibility does not match required setting +severity: + value: low +context: + provider: github +description: | + Checks if a GitHub repository's visibility (public/private) matches the + required setting. Repository visibility controls are crucial for protecting + sensitive code and intellectual property. Public repositories are accessible + to anyone on the internet, while private repositories restrict access to + specifically invited collaborators. + For more information, see GitHub's documentation on repository visibility: + https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility +guidance: | + Your repository's visibility setting does not match the required + configuration. To fix this: + 1. Navigate to your repository's Settings page + 2. Scroll down to the "Danger Zone" section + 3. Click "Change visibility" + 4. Select the appropriate visibility setting + 5. Confirm the change by typing the repository name + + Note: Changing repository visibility can have significant implications for + your codebase's accessibility. Ensure you understand the impact before + making changes. For more details, refer to: + https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility + +def: + # Defines the section of the pipeline the rule will appear in. + # This will affect the template used to render multiple parts + # of the rule. + in_entity: repository + # Defines the schema for writing a rule with this rule being checked + rule_schema: + properties: + visibility: + type: string + default: "public" + description: | + Specifies the required visibility setting for the repository. 
Valid values are "public" or "private" + # Defines the configuration for ingesting data relevant for the rule + ingest: + type: rest + rest: + # This is the path to the data source. Given that this will evaluate + # for each repository in the organization, we use a template that + # will be evaluated for each repository. The structure to use is the + # protobuf structure for the entity that is being evaluated. + endpoint: "/repos/{{.Entity.Owner}}/{{.Entity.Name}}" + # This is the method to use to retrieve the data. It should already default to JSON + parse: json + # Defines the configuration for evaluating data ingested against the given profile + eval: + type: rego + rego: + type: deny-by-default + def: | + package minder + + default allow := false + default message := "Repository visibility does not match the required setting" + + allow { + input.ingested.visibility == input.profile.visibility + } + + # Defines the configuration for alerting on the rule + alert: + type: security_advisory + security_advisory: {} +
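Review bot: The `visibility` property in `rule_schema` is typed only as `string`, so a misspelled or unsupported profile value (e.g. `pubilc`, or `internal`, which GitHub's API can return for enterprise-owned repositories) is accepted at profile-validation time and then fails every repository under `deny-by-default` instead of being rejected up front. Constraining it with `enum: ["public", "private", "internal"]` (or just the two values the description promises) makes the schema enforce what the description currently only states. The rego does an exact string comparison of `input.ingested.visibility` against `input.profile.visibility`, so a comment such as `# exact match against the API's "visibility" field ("public", "private", or "internal" for enterprise owners)` would make that explicit. Separately, the comment above `parse: json` ("This is the method to use to retrieve the data...") describes `endpoint`, not `parse`; it should read `# Parse the response body as JSON`.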