fix(github): skip archived repos in CODEOWNERS check (#11735)
Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>
@@ -32,6 +32,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
|
||||
|
||||
### 🐞 Fixed
|
||||
|
||||
- GitHub `repository_has_codeowners_file` check no longer flags archived repositories, since they are read-only and cannot be updated without first being unarchived, making the finding not actionable [(#11735)](https://github.com/prowler-cloud/prowler/pull/11735)
|
||||
- Report secret-scanning checks as `MANUAL` instead of `PASS` when the scanner fails (non-zero exit, timeout, unparseable output or missing binary), so a scanner failure is no longer indistinguishable from "no secrets found" [(#11694)](https://github.com/prowler-cloud/prowler/pull/11694)
|
||||
- Avoid a false `FAIL` in `cloudwatch_log_group_no_secrets_in_logs` when a multiline event's secrets are all removed by `secrets_ignore_patterns` during the rescan [(#11694)](https://github.com/prowler-cloud/prowler/pull/11694)
|
||||
- Key the `cloudwatch_log_group_no_secrets_in_logs` secret scan by log group ARN instead of name, so same-named log groups and streams in different regions no longer collide and reuse each other's findings [(#11694)](https://github.com/prowler-cloud/prowler/pull/11694)
|
||||
|
||||
+3
@@ -22,6 +22,9 @@ class repository_has_codeowners_file(Check):
|
||||
"""
|
||||
findings = []
|
||||
for repo in repository_client.repositories.values():
|
||||
if repo.archived:
|
||||
continue
|
||||
|
||||
if repo.codeowners_exists is not None:
|
||||
report = CheckReportGithub(metadata=self.metadata(), resource=repo)
|
||||
if repo.codeowners_exists:
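Review bot: The new `if repo.archived: continue` guard drops archived repositories from the report entirely, but nothing in the visible code records why, and the docstring that closes just above the loop does not mention the exclusion, so a reader of the output sees the repository missing rather than deliberately excluded. I would add a why-comment on the guard, `# Archived repos are read-only; a CODEOWNERS finding on them is not actionable until they are unarchived`, and one sentence in the docstring stating that archived repositories produce no finding. Whether `repo.archived` can be `None` for repositories whose metadata could not be fetched is not visible here; if it can, the guard treats them as not archived, which is the safer direction for an audit check. The enclosing method (presumably `execute`, as the tests call it) starts before the hunk and continues after it.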
|
||||
|
||||
+52
@@ -145,3 +145,55 @@ class Test_repository_has_codeowners_file:
|
||||
result[0].status_extended
|
||||
== f"Repository {repo_name} does have a CODEOWNERS file."
|
||||
)
|
||||
|
||||
def test_archived_repository_no_codeowners_is_skipped(self):
|
||||
repository_client = mock.MagicMock
|
||||
repo_name = "archived-repo"
|
||||
repository_client.repositories = {
|
||||
3: Repo(
|
||||
id=3,
|
||||
name=repo_name,
|
||||
owner="account-name",
|
||||
full_name="account-name/archived-repo",
|
||||
default_branch=Branch(
|
||||
name="main",
|
||||
protected=False,
|
||||
default_branch=True,
|
||||
require_pull_request=False,
|
||||
approval_count=0,
|
||||
required_linear_history=False,
|
||||
allow_force_pushes=True,
|
||||
branch_deletion=True,
|
||||
status_checks=False,
|
||||
enforce_admins=False,
|
||||
require_code_owner_reviews=False,
|
||||
require_signed_commits=False,
|
||||
conversation_resolution=False,
|
||||
),
|
||||
private=False,
|
||||
securitymd=True,
|
||||
codeowners_exists=False,
|
||||
secret_scanning_enabled=False,
|
||||
archived=True,
|
||||
pushed_at=datetime.now(timezone.utc),
|
||||
delete_branch_on_merge=False,
|
||||
),
|
||||
}
|
||||
|
||||
with (
|
||||
mock.patch(
|
||||
"prowler.providers.common.provider.Provider.get_global_provider",
|
||||
return_value=set_mocked_github_provider(),
|
||||
),
|
||||
mock.patch(
|
||||
"prowler.providers.github.services.repository.repository_has_codeowners_file.repository_has_codeowners_file.repository_client",
|
||||
new=repository_client,
|
||||
),
|
||||
):
|
||||
from prowler.providers.github.services.repository.repository_has_codeowners_file.repository_has_codeowners_file import (
|
||||
repository_has_codeowners_file,
|
||||
)
|
||||
|
||||
check = repository_has_codeowners_file()
|
||||
result = check.execute()
|
||||
assert len(result) == 0
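Review bot: `repository_client = mock.MagicMock` assigns the MagicMock class itself rather than an instance, so the following `repository_client.repositories = {...}` sets a class attribute on `mock.MagicMock` that stays visible to every other test in the same process; `repository_client = mock.MagicMock()` isolates the fixture. This may mirror the pattern used by the sibling tests in this file, which lie outside the hunk, so it is worth correcting consistently rather than only in the new test. The single `assert len(result) == 0` confirms that nothing is reported, but it cannot tell a skip caused by `archived=True` from a skip caused by any other condition; a companion case with the same repository but `archived=False` asserting one finding would pin the cause, unless one of the earlier tests in this class already does so.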
|
||||
|
||||