diff --git a/core/mondoo-github-security.mql.yaml b/core/mondoo-github-security.mql.yaml
index 9e561d95..3610aebc 100644
--- a/core/mondoo-github-security.mql.yaml
+++ b/core/mondoo-github-security.mql.yaml
@@ -1,7 +1,7 @@
 policies:
 - uid: mondoo-github-organization-security
 name: GitHub Organization Security by Mondoo
- version: 1.3.0
+ version: 1.4.0
 authors:
 - name: Mondoo, Inc
 email: hello@mondoo.com
@@ -12,49 +12,67 @@ policies: desc: | ## Overview - The GitHub Organization Security policy bundle provides guidance for establishing minimum recommended security and operational best practices for GitHub organizations. + GitHub Organization Security by Mondoo provides guidance for establishing minimum recommended security and operational best practices for GitHub organizations. - ## Remote scan + ## About remote scanning - Remote scans use native transports in `cnspec` to provide on demand scan results without the need to install any agents, or integration. - - For a complete list of native transports run: + Remote scans with cnspec provide on demand security assessments of infrastructure and services without the need to install any agents, or integrations. cnspec comes with a growing list of providers to connect and scan local and remote targets. + + A complete list of providers can be found by running the following command: ```bash cnspec scan --help ``` - ### Prerequisites + ### cnspec GitHub provider + + This policy uses the `github` provider to authenticate with GitHub's API in order to remotely scan GitHub organizations. Additional information on the `github` provider can be found by running the following command: + + ```bash + cnspec scan github --help + ``` + + ## Configuring the GitHub provider - Remote scans of GitHub organizations and repositories requires a [GitHub personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) with permissions for the organization or repository. + The `github` provider for cnspec requires a GitHub personal access token to authenticate with GitHub's API. Access to an organization is determined by the level of access the token cnspec is configured with when it runs. 
- ### Scan a GitHub Organization + ### Create a personal access token + + To create a read-only personal access token, see [Creating a personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) on GitHub's documentation site. + + ### Configure a GITHUB_TOKEN environment variable + + You supply your personal access token to cnspec using the `GITHUB_TOKEN` environment variable. + + #### Linux / MacOS - Open a terminal and configure an environment variable with your GitHub personal access token: - ```bash export GITHUB_TOKEN= ``` + + #### Windows + + ```powershell + $Env:GITHUB_TOKEN = "" + ``` + + ## Scan a GitHub organization - Run a scan of the GitHub organization: + To scan the configuration of your GitHub organization, run the following command: ```bash cnspec scan github org ``` - ### Scan a GitHub repository: + ## Scan a GitHub organization and all repositories + + cnspec can also scan a GitHub organization and all of its repositories using the `--discover all` flag. To scan your GitHub organization and discover and scan all of the repositories within your organization, run the following command: - Open a terminal and configure an environment variable with your GitHub personal access token: - ```bash - export GITHUB_TOKEN= + cnspec scan github org --discover all ``` - - Run a scan of the GitHub repository: - ```bash - cnspec scan github repo - ``` + > Note: Scanning large GitHub organizations may exceed GitHub API rate limits. For more information see [About rate limits](https://docs.github.com/en/rest/rate-limit?apiVersion=2022-11-28#about-rate-limits) in the GitHub documentation. ## Join the community! 
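Review bot: The new "Configure a GITHUB_TOKEN environment variable" section shows `export GITHUB_TOKEN=` with the token typed inline on the command line, which records the personal access token in the shell history file on Linux/macOS; a prompting form such as `read -rs GITHUB_TOKEN && export GITHUB_TOKEN` avoids that, and the PowerShell example `$Env:GITHUB_TOKEN = ""` has the same exposure. The section also tells the reader to create a read-only token but does not say which permission the organization checks need; since `twoFactorRequirementEnabled`, the verified-domain flag and the base repository permission are organization settings, presumably an organization-read permission is required, and naming it once would keep users from minting a token with broader repo or admin rights than the scan needs. The rate-limit note under `--discover all` is a good addition.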
@@ -64,71 +82,106 @@ policies: scoring_system: 2 specs: - asset_filter: - query: platform.name == "github-org" + query: asset.platform == "github-org" scoring_queries: mondoo-github-organization-security-two-factor-auth: null mondoo-github-organization-security-verified-domain: null mondoo-github-organization-security-default-permission-level: null - uid: mondoo-github-repository-security name: GitHub Repository Security by Mondoo - version: 1.0.0 + version: 1.4.0 authors: - name: Mondoo, Inc email: hello@mondoo.com docs: desc: | - The GitHub Repository Security by Mondoo policy bundle provides guidance for establishing minimum recommended security and operational best practices for GitHub repositories. + # Overview - __Configuration__ + GitHub Repository Security by Mondoo provides security assessments of public and private GitHub repositories to ensure a minimum recommended security and operational best practices. This policy is also designed to assess public repositories and open source projects your team depends on to evaluate the risk a project poses to your business. Open source projects that do not adhere to GitHub's recommended security best practices pose a higher risk of malicious code making its way into your environments. - To scan a GitHub repository from your workstation: + ## About remote scanning - 1. Enable the GitHub Repository Best-Practices policy in the Policy Hub. - 2. Create a [personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token). - 3. Open a terminal and configure an environment variable with your personal access token: - - ```bash - export GITHUB_TOKEN= - ``` - - 4. Run a scan: + Remote scans with cnspec provide on demand security assessments of infrastructure and services without the need to install any agents or integrations. cnspec comes with a growing list of providers to connect and scan local and remote targets. 
- ```bash - cnspec scan github repo - ``` + A complete list of providers can be found by running the following command: + + ```bash + cnspec scan --help + ``` + + ### cnspec GitHub Provider + + This policy uses the `github` provider to authenticate with GitHub's API in order to remotely scan GitHub repositories. Additional information on the `github` provider can be found by running the following command: + + ```bash + cnspec scan github --help + ``` + + ## Configuring the GitHub provider + + The `github` provider for cnspec requires a GitHub personal access token to authenticate with GitHub's API. The personal access token is required regardless of whether you are scanning a public or a private repository. Access to private repositories is determined by the level of access the token cnspec is configured with when it runs. + + ### Create a personal access token + + To create a read-only personal access token, see [Creating a personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) on GitHub's documentation site. + + ### Configure a GITHUB_TOKEN environment variable + + You supply your personal access token to cnspec using the `GITHUB_TOKEN` environment variable. + + #### Linux / MacOS + + ```bash + export GITHUB_TOKEN= + ``` + + #### Windows + + ```powershell + $Env:GITHUB_TOKEN = "" + ``` + + ## Scanning GitHub repositories + + To scan the configuration of a GitHub repository: + + ```bash + cnspec scan github repo + ``` + + ## Join the community! + + Our goal is to build policies that are simple to deploy, accurate, and actionable. + + If you have any suggestions on how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions. 
props: requiredPullRequestReviews: scoring_system: 2 specs: - asset_filter: query: | - platform.name == "github-repo" + asset.platform == "github-repo" scoring_queries: - mondoo-github-repository-security-prevent-force-pushes: null + mondoo-github-repository-security-ensure-default-branch-protection: null + mondoo-github-repository-security-ensure-release-branch-protection: null + mondoo-github-repository-security-prevent-force-pushes-default-branch: null + mondoo-github-repository-security-prevent-force-pushes-release-branch: null + mondoo-github-repository-security-require-conversation-resolution: null mondoo-github-repository-security-require-status-checks-before-merging: null mondoo-github-repository-security-required-signed-commits: null mondoo-github-repository-security-binary-artifacts: null mondoo-github-repository-security-enforce-branch-protection: null - mondoo-github-repository-security-security-policy: null - mondoo-github-repository-security-license: null - mondoo-github-repository-security-code-of-conduct: null - mondoo-github-repository-security-support-resources: null - mondoo-github-repository-security-include-authors: null - mondoo-github-repository-security-pull-request-template: null - mondoo-github-repository-security-readme-getting-started: null props: - uid: requiredPullRequestReviews - title: Define the required number of reviewers on pull request + title: Define the required number of reviewers on pull requests query: 1 - -queries: +queries: - uid: mondoo-github-organization-security-two-factor-auth title: Enable Two-factor authentication for all users in the organization severity: 90 docs: desc: | - Two-factor authentication (2FA) is an extra layer of security used when logging into websites or apps. With 2FA, you have to log in with your username and password and provide another form of authentication that only you know or have access to. 
- + Two-factor authentication (2FA) is an extra layer of security used when logging into websites or apps. With 2FA, you have to log in with your username and password and provide another form of authentication that only you know or have access to. It is highly recommended that GitHub Organizations are configured to require all users to configure 2FA. audit: | __cnspec shell__ @@ -144,15 +197,13 @@ queries: refs: - title: "GitHub Docs" url: https://github.com/organizations/mondoolabs/settings/security - query: | - github.organization.twoFactorRequirementEnabled + query: github.organization.twoFactorRequirementEnabled - uid: mondoo-github-organization-security-verified-domain title: Organization should have a verified domain attached severity: 80 docs: desc: | - You can verify your ownership of domains with GitHub to confirm your organization's identity. You can also approve domains that GitHub can send email notifications to for members of your organization. After verifying ownership of your organization's domains, a "Verified" badge will display on the organization's profile. - + You can verify your ownership of domains with GitHub to confirm your organization's identity. You can also approve domains that GitHub can send email notifications to members of your organization. After verifying ownership of your organization's domains, a "Verified" badge will display on the organization's profile. audit: | __cnspec shell__ 
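Review bot: The repository policy's `scoring_queries` list in this hunk drops `mondoo-github-repository-security-security-policy`, `-license`, `-code-of-conduct`, `-support-resources`, `-include-authors`, `-pull-request-template` and `-readme-getting-started`, yet the security-policy, license, support-resources, code-of-conduct and readme-getting-started queries are still defined (and edited) in later hunks of this same commit, so they are no longer referenced by any policy in the file. If the intent is to move them into a separate best-practices policy, that policy does not appear in this diff; otherwise they are dead definitions and their `uid`s should be restored to the list. The repository policy's `version` also jumps from 1.0.0 straight to 1.4.0, which is fine if the two policies are meant to share a version but otherwise misstates that policy's history.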
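Review bot: The `refs` entry for `mondoo-github-organization-security-two-factor-auth` is left pointing at `https://github.com/organizations/mondoolabs/settings/security`, the settings page of one specific organization, under the title "GitHub Docs"; that link is useless to anyone outside that org and is not documentation. The verified-domain query in the next hunk replaces the same kind of `settings/domains` link with a docs.github.com article, so this one should be updated the same way, for example to the `configuring-two-factor-authentication` page that the old verified-domain remediation text linked. The `audit` block of this query continues past the end of the hunk.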
@@ -164,21 +215,19 @@ queries: github.organization.isVerified ``` remediation: | - GitHub has several options for configuring 2FA for your organization. To enable 2FA, see [Configuring two-factor authentication](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication) in GitHub's documentation. + To achieve verified status for your GitHub organization, see [Verifying or approving a domain for your organization](https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization) in the GitHub documentation site. refs: - - title: "GitHub Docs" - url: https://github.com/organizations/mondoolabs/settings/domains - query: | - github.organization.isVerified + - title: "Verifying or approving a domain for your organization" + url: https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization + query: github.organization.isVerified - uid: mondoo-github-organization-security-default-permission-level - title: Verify GitHub Organization Base Permissions + title: Ensure GitHub Organization has base permissions configured severity: 50 docs: desc: | You can set base permissions that apply to all members of an organization when accessing any of the organization's repositories. Base permissions do not apply to outside collaborators. By default, members of an organization will have Read permissions to the organization's repositories. - audit: | __cnspec shell__ 
@@ -192,16 +241,51 @@ queries: remediation: | To set base permissions for GitHub, see [Setting base permissions for an organization](https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/setting-base-permissions-for-an-organization) in GitHub's documentation. refs: - - title: "GitHub Docs" + - title: "Setting base permissions for an organization" url: https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-permission-levels-for-an-organization + query: github.organization.defaultRepositoryPermission == "read" + - uid: mondoo-github-repository-security-ensure-default-branch-protection + title: Ensure GitHub repository default branch is protected + severity: 90 + docs: + desc: | + This check ensures that the default branch for the repository has branch protection enabled. Branch protection enforces certain workflows or requirements are met before a collaborator can push changes to a branch in a repository. It is highly recommended that the default branch has branch protection enabled, with branch protection rules applied. + remediation: | + To enable branch protection, see [About protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches) on the GitHub documentation site. 
+ refs: + - title: About Branch protection + url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches + - title: Changing the default branch + url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-branches-in-your-repository/changing-the-default-branch query: | - github.organization.defaultRepositoryPermission == "none" || github.organization.defaultRepositoryPermission == "read" - - uid: mondoo-github-repository-security-prevent-force-pushes - title: Ensure repository does not allow force pushes to the default and release branches + github.repository.branches + .where( isDefault == true ) + .all( protected == true ) + - uid: mondoo-github-repository-security-ensure-release-branch-protection + title: Ensure GitHub repository release branches are protected + severity: 90 + docs: + desc: | + This check ensures that any release branches (i.e. 'release-x.y.z') have branch protection rules enabled. Branch protection enforces certain workflows or requirements are met before a collaborator can push changes to a branch in a repository. It is recommended that any release branches have branch protection enabled, with branch protection rules applied. + remediation: | + To enable branch protection, see [About protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches) on the GitHub documentation site. 
+ query: | + github.repository.branches + .where( name == /^release/ ) + .all( protected == true ) + - uid: mondoo-github-repository-security-prevent-force-pushes-default-branch + title: Ensure repository does not allow force pushes to the default branch severity: 80 docs: desc: | - Branch protection enforces certain workflows or requirements are met before a collaborator can push changes to a branch in a repository. It is recommended that both the default branch and any release branches have branch protection enabled, with branch protection rules applied. + This check ensures that the default branch does not allow force pushes. Branch protection enforces certain workflows or requirements are met before a collaborator can push changes to a branch in a repository. It is highly recommended to not allow force pushes to the default branch. By default, GitHub blocks force pushes on all protected branches. When you enable force pushes to a protected branch, you can choose one of two groups who can force push: + + - Allow everyone with at least write permissions to the repository to force push to the branch, including those with admin permissions. + - Allow only specific people or teams to force push to the branch. + + If someone force pushes to a branch, the force push may overwrite commits that other collaborators based their work on. People may have merge conflicts or corrupted pull requests. + + Enabling force pushes will not override any other branch protection rules. For example, if a branch requires a linear commit history, you cannot force push merge commits to that branch. audit: | __cnspec shell__ 
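Review bot: The new one-line query `github.organization.defaultRepositoryPermission == "read"` replaces a condition that also accepted `"none"`, so an organization whose base permission is "none" — the most restrictive setting, stricter than "read" — now fails a check titled "Ensure GitHub Organization has base permissions configured". Unless failing "none" is deliberate, restore the alternative: `query: github.organization.defaultRepositoryPermission == "none" || github.organization.defaultRepositoryPermission == "read"`. Separately, the new `mondoo-github-repository-security-ensure-release-branch-protection` query has no `audit` or `refs` section while its default-branch sibling has both, and both `.all( protected == true )` checks pass vacuously when the `where` filter matches no branch (a repository without any `release` branches), which is presumably intended but deserves a sentence in `desc`.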
@@ -213,26 +297,71 @@ queries: github.repository.branches.where( isDefault == true) { protected protectionRules { allowForcePushes['enabled'] } } ``` remediation: | - - Enable branch protection settings in your source hosting provider to avoid force pushes or deletion of your important branches. - - See [Managing a branch protection rule](https://docs.github.com/en/github/administering-a-repository/managing-a-branch-protection-rule) on the GitHub documentation site. + To enable branch protection, see [About protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches) on the GitHub documentation site. Once branch protection is enabled, see [Allow force pushes](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#allow-force-pushes) on the GitHub documentation site, and make sure the repository is not configured to allow force pushes. refs: - title: "GitHub Docs - About protected branches" url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches query: | - github.repository.branches.where( isDefault == true ) { - name - protected == true - protectionRules != null - protectionRules { - allowForcePushes['enabled'] == false - } - } + github.repository.branches + .where( isDefault == true ) + .all( protectionRules { allowForcePushes['enabled'] == false } ) + - uid: mondoo-github-repository-security-prevent-force-pushes-release-branch + title: Ensure repository does not allow force pushes to any release branches + severity: 80 + docs: + desc: | + This check ensures that the release branch does not allow forces pushes. 
Branch protection enforces certain workflows or requirements are met before a collaborator can push changes to a branch in a repository. It is recommended to not allow force pushes to any release branches. + + By default, GitHub blocks force pushes on all protected branches. When you enable force pushes to a protected branch, you can choose one of two groups who can force push: + + - Allow everyone with at least write permissions to the repository to force push to the branch, including those with admin permissions. + - Allow only specific people or teams to force push to the branch. + + If someone force pushes to a branch, the force push may overwrite commits that other collaborators based their work on. People may have merge conflicts or corrupted pull requests. + + Enabling force pushes will not override any other branch protection rules. For example, if a branch requires a linear commit history, you cannot force push merge commits to that branch. + audit: | + __cnspec shell__ + + 1. Open a Terminal. + 2. Connect cnspec shell to GitHub `cnspec shell github repo --token $GITHUB_TOKEN` + 3. Run the following query + + ```mql + github.repository.branches.where( isDefault == true) { protected protectionRules { allowForcePushes['enabled'] } } + ``` + remediation: | + To enable branch protection, see [About protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches) on the GitHub documentation site. Once branch protection is enabled, see [Allow force pushes](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#allow-force-pushes) on the GitHub documentation site, and make sure the repository is not configured to allow force pushes. 
+ refs: + - title: "GitHub Docs - About protected branches" + url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches + query: | + github.repository.branches + .where( name == /^release/ ) + .all( protectionRules { allowForcePushes['enabled'] == false } ) + - uid: mondoo-github-repository-security-require-conversation-resolution + title: Ensure branch protection requires conversation resolution before merging + severity: 80 + docs: + desc: | + This checks that a branch protection rule is configured to require all comments on the pull request to be resolved before it can be merged to a protected branch. Branch protection enforces certain workflows or requirements are met before a collaborator can push changes to a branch in a repository. It is recommended that both the default branch and any release branches have branch protection enabled, with branch protection rules applied. + remediation: | + To enable branch protection, see [About protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches) on the GitHub documentation site. Once branch protection is enabled, see [Require conversation resolution before merging](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-conversation-resolution-before-merging) on the GitHub documentation site. 
+ refs: + - title: "GitHub Docs - About protected branches" + url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches + - title: "GitHub Documentation - Require conversation resolution before merging" + url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-conversation-resolution-before-merging + query: | + github.repository.branches + .where( isDefault == true ) + .all( protectionRules { requiredConversationResolution['enabled'] == true } ) - uid: mondoo-github-repository-security-require-status-checks-before-merging - title: Ensure status checks are passing before merging PRs on the default and release branches + title: Ensure status checks are passing before merging PRs on the default branch severity: 80 docs: desc: | - Branch protection enforces certain workflows or requirements are met before a collaborator can push changes to a branch in a repository. It is recommended that both the default branch and any release branches have branch protection enabled, with branch protection rules applied. + This check ensures that all required CI tests are passing before collaborators can make changes to a protected branch. Branch protection enforces certain workflows or requirements are met before a collaborator can push changes to a branch in a repository. It is recommended that both the default branch and any release branches have branch protection enabled, with branch protection rules applied. audit: | __cnspec shell__ 
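Review bot: The `audit` snippet for `mondoo-github-repository-security-prevent-force-pushes-release-branch` still filters `where( isDefault == true)`, copied from the default-branch check, so it does not show the branches the query actually evaluates; it should read `github.repository.branches.where( name == /^release/ ) { protected protectionRules { allowForcePushes['enabled'] } }`. The same query's `desc` has "forces pushes" for "force pushes", and the `desc` of `mondoo-github-repository-security-require-conversation-resolution` recommends the rule for "both the default branch and any release branches" while its query only inspects `isDefault == true`. The rewritten default-branch force-push query also drops the old explicit `protected == true` and `protectionRules != null` conditions; if MQL evaluates `protectionRules { ... }` on an unprotected branch to null rather than false, an unprotected default branch may no longer fail this check, so this is worth confirming against a repository with no branch protection.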
@@ -244,26 +373,22 @@ queries: github.repository.branches.where( isDefault == true) { protected protectionRules { requiredStatusChecks.length } } ``` remediation: | - - Enable branch protection settings in your source hosting provider to avoid force pushes or deletion of your important branches. - - See [Managing a branch protection rule](https://docs.github.com/en/github/administering-a-repository/managing-a-branch-protection-rule) on the GitHub documentation site. + To enable branch protection, see [About protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches) on the GitHub documentation site. Once branch protection is enabled, see [Require status checks before merging](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging) on the GitHub documentation site. 
refs: - title: "GitHub Docs - About protected branches" url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches + - title: Require status checks before merging + url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging query: | - github.repository.branches.where( isDefault == true ) { - name - protected == true - protectionRules != null - protectionRules { - requiredStatusChecks.length > 0 - } - } + github.repository.branches + .where( isDefault == true ) + .all( protectionRules { requiredStatusChecks.length > 0 } ) - uid: mondoo-github-repository-security-required-signed-commits - title: Ensure repository requires signed commits + title: Ensure repository branch protection requires signed commits severity: 80 docs: desc: | - Branch protection enforces certain workflows or requirements are met before a collaborator can push changes to a branch in a repository. It is recommended that both the default branch and any release branches have branch protection enabled, with branch protection rules applied. + This check ensures a branch protection rule exists to require signed commits on the default branch. Signing commits and tags locally gives other people confidence about the origin of a changes made to a project. If a commit or tag has a GPG, SSH, or S/MIME signature that is cryptographically verifiable, GitHub marks the commit or tag "Verified" or "Partially verified." audit: | __cnspec shell__ 
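Review bot: The `desc` of `mondoo-github-repository-security-require-status-checks-before-merging` still recommends protection for "both the default branch and any release branches" although the title was narrowed to the default branch and the query filters `isDefault == true`; either align the sentence with the query or add a release-branch variant as the commit does for force pushes. In the signed-commits `desc`, "the origin of a changes made to a project" should read "the origin of changes made to a project". The `audit` block of the signed-commits query continues past the end of the hunk.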
@@ -275,27 +400,22 @@ queries: github.repository.branches.where( isDefault == true) { protected protectionRules { requiredSignatures } } ``` remediation: | - - Enable branch protection settings in your source hosting provider to avoid force pushes or deletion of your important branches. - - See [Managing a branch protection rule](https://docs.github.com/en/github/administering-a-repository/managing-a-branch-protection-rule) on the GitHub documentation site. + To enable branch protection, see [About protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches) on the GitHub documentation site. Once branch protection is enabled, see [Require signed commits](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-signed-commits) on the GitHub documentation site. refs: - title: "GitHub Docs - About protected branches" url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches + - title: "GitHub Docs - About commit signature verification" + url: https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification query: | - github.repository.branches.where( isDefault == true ) { - name - protectionRules {*} - protected == true - protectionRules != null - protectionRules { - requiredSignatures == true - } - } + github.repository.branches + .where( isDefault == true ) + .all( protectionRules { requiredSignatures == true } ) - uid: mondoo-github-repository-security-enforce-branch-protection - title: Ensure repository does not allow bypass branch protections rules + title: Ensure repository does not allow bypassing of branch protections rules severity: 70 docs: desc: | - Branch protection enforces 
certain workflows or requirements are met before a collaborator can push changes to a branch in a repository. It is recommended that both the default branch and any release branches have branch protection enabled, with branch protection rules applied. + This check ensures branch protection rules cannot be bypassed. By default, the restrictions of a branch protection rule do not apply to people with admin permissions to the repository or custom roles with the "bypass branch protections" permission in a repository. audit: | __cnspec shell__ 
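Review bot: The new title `Ensure repository does not allow bypassing of branch protections rules` reads awkwardly and pluralises the wrong noun; `title: Ensure repository does not allow bypassing branch protection rules` is the cleaner form. The rewritten `desc` for this query is otherwise a clear improvement over the generic sentence it replaces. The query's `audit` block continues past the end of the hunk.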
@@ -307,20 +427,13 @@ queries: github.repository.branches.where( isDefault == true) { protected protectionRules { enforceAdmins['enabled'] } } ``` remediation: | - - Enable branch protection settings in your source hosting provider to avoid force pushes or deletion of your important branches. - - See [Managing a branch protection rule](https://docs.github.com/en/github/administering-a-repository/managing-a-branch-protection-rule) on the GitHub documentation site. + To enable branch protection, see [About protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches) on the GitHub documentation site. Once branch protection is enabled, see [Do not allow bypassing the above settings](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#do-not-allow-bypassing-the-above-settings) on the GitHub documentation site. refs: - title: "GitHub Docs - About protected branches" url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches query: | - github.repository.branches.where( isDefault == true ) { - name - protected == true - protectionRules != null - protectionRules { - enforceAdmins['enabled'] == true - } - } + github.repository.branches.where( isDefault == true ) + .all( protectionRules.enforceAdmins['enabled'] == true ) - uid: mondoo-github-repository-security-security-policy title: Ensure repository defines a security policy severity: 30 
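Review bot: The rewritten enforce-admins query uses the property form `protectionRules.enforceAdmins['enabled'] == true` and keeps `.where(...)` on the first line, while every sibling query in this commit is written as `.where( isDefault == true )` on its own line followed by `.all( protectionRules { field == value } )`; for consistency and easier diffing, write it as `github.repository.branches`, `  .where( isDefault == true )`, `  .all( protectionRules { enforceAdmins['enabled'] == true } )`. If the two forms behave differently when `protectionRules` is null, that difference should be deliberate and noted, not a by-product of style.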
@@ -346,9 +459,9 @@ queries: url: https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository query: | if ( github.organization.repositories.one(name == ".github") ) { - github.organization.repositories.where( name == ".github") { + github.organization.repositories.where( name == ".github").all( files.one( name.downcase == "security.md") - } + ) || github.repository.files.one( name.downcase == "security.md") } else { github.repository.files.one( name.downcase == "security.md") } @@ -371,12 +484,11 @@ queries: github.repository.files.where( name == /LICENSE/ ) ``` remediation: | - See [Adding a security policy to your repository](https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository#adding-a-security-policy-to-your-repository) on the GitHub documentation site. + See [Adding a license to a repository](https://docs.github.com/en/communities/setting-up-your-project-for-healthy-contributions/adding-a-license-to-a-repository) on the GitHub documentation site. refs: - title: "GitHub Docs - Adding a security policy to your repository" url: https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository - query: | - github.repository.files.one( name == /LICENSE/ ) + query: github.repository.files.one( name == /LICENSE/ ) - uid: mondoo-github-repository-security-binary-artifacts title: Ensure repository does not generate binary artifacts severity: 90 
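Review bot: The rewritten security-policy query depends on the enclosing `if ( github.organization.repositories.one(name == ".github") )` guard: when no `.github` repository exists, `.where( name == ".github").all( ... )` would presumably be vacuously true and the `||` would short-circuit before the repository's own files are examined, so the guard is load-bearing even though both branches end in the same `github.repository.files.one( name.downcase == "security.md")`. A comment above the `if`, such as `// keep this guard: .all() over an empty .where() result would pass without checking the repo`, would stop a later cleanup from collapsing the branches. The same pattern and the same comment apply to the `support.md` and `code_of_conduct.md` queries in the `@@ -414,9 +530,9 @@` and `@@ -444,9 +560,9 @@` hunks.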
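Review bot: The `refs` entry of `mondoo-github-repository-security-license` still reads `title: "GitHub Docs - Adding a security policy to your repository"` with the security-policy URL although the `remediation` in this hunk was corrected to the license article; update it to `title: "GitHub Docs - Adding a license to a repository"` with `url: https://docs.github.com/en/communities/setting-up-your-project-for-healthy-contributions/adding-a-license-to-a-repository`. The query `github.repository.files.one( name == /LICENSE/ )` is also case-sensitive and unanchored, so a `license.md` is missed while a file such as `UNLICENSE` would satisfy the check; the neighbouring queries use `name.downcase`, and an anchored, case-insensitive form like `name == /^license/i` looks closer to the intent, if MQL regex literals accept the flag.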
@@ -399,7 +511,11 @@ queries: - title: "OSSF Scorecard - Binary Artifacts" url: https://github.com/ossf/scorecard/blob/main/docs/checks.md#binary-artifacts query: | - github.repository { files.all( isBinary == false ) files { files.all( isBinary == false )}} + github.repository.files + .all( isBinary == false ) + github.repository.files + .where( type == "dir" ) + .all( files.where( type != "dir").all( isBinary == false) ) - uid: mondoo-github-repository-security-support-resources title: Ensure repository has a support policy severity: 30 @@ -414,9 +530,9 @@ queries: query: | // if a .github repo exists, then check if the SUPPORT.md is there if ( github.organization.repositories.one(name == ".github") ) { - github.organization.repositories.where( name == ".github") { + github.organization.repositories.where( name == ".github").all( files.one( name.downcase == "support.md") - } + ) || github.repository.files.one( name.downcase == "support.md") } else { github.repository.files.one( name.downcase == "support.md") } @@ -444,9 +560,9 @@ queries: query: | // if a .github repo exists, then check if the CODE_OF_CONDUCT.md is there if ( github.organization.repositories.one(name == ".github") ) { - github.organization.repositories.where( name == ".github") { + github.organization.repositories.where( name == ".github").all( files.one( name.downcase == "code_of_conduct.md") - } + ) || github.repository.files.one( name.downcase == "code_of_conduct.md") } else { github.repository.files.one( name.downcase == "code_of_conduct.md") } 
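Review bot: The rewritten binary-artifacts query only inspects top-level files and the files of top-level directories (`.where( type == "dir" ).all( files.where( type != "dir").all( isBinary == false) )`), so a binary nested two or more directories deep is not evaluated and the check passes; the old form had the same one-level limit, but the new `desc` does not state it. Either document the limit in `desc` (for example, "only the repository root and its immediate subdirectories are inspected") or, if the provider exposes a recursive file listing, use it so the check covers the whole tree. It is also unclear from the hunk whether `isBinary` is false for entries of `type == "dir"` in the first `.all( isBinary == false )`; if it is not, the root-level statement should filter `type != "dir"` like the nested one.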
@@ -475,15 +591,12 @@ queries: - uid: mondoo-github-repository-security-readme-getting-started title: Ensure the README.md includes getting started guide severity: 30 + docs: + desc: | + This check ensures the repository README file contains a getting started guide. + remediation: | + Update the repository README file with a section titled "Getting Started" for your users. query: | github.repository.files.where(name.downcase == "readme.md") { content == /Getting started/i } - - uid: mondoo-github-repository-security-pull-request-template - title: Ensure a pull request template for your repository exists - severity: 30 - refs: - - title: Creating a pull request template for your repository - url: https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/creating-a-pull-request-template-for-your-repository - query: | - github.repository.files.map(name).one( _ == "pull_request_template.md" || _ == "LICENSE.rst" || _ == "LICENSE.txt" )