2 Commits
PROWLER-51
...
review_met
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
9aa70182db | ||
|
|
9fa6f0c162 |
@@ -17,6 +17,8 @@ All notable changes to the **Prowler SDK** are documented in this file.
|
||||
- Update AWS Shield service metadata to new format [(#9427)](https://github.com/prowler-cloud/prowler/pull/9427)
|
||||
- Update AWS Secrets Manager service metadata to new format [(#9408)](https://github.com/prowler-cloud/prowler/pull/9408)
|
||||
- Improve SageMaker service tag retrieval with parallel execution [(#9609)](https://github.com/prowler-cloud/prowler/pull/9609)
|
||||
- Update GitHub Repository service metadata to new format [(#9659)](https://github.com/prowler-cloud/prowler/pull/9659)
|
||||
|
||||
|
||||
---
|
||||
|
||||
|
||||
@@ -1,29 +1,35 @@
|
||||
{
|
||||
"Provider": "github",
|
||||
"CheckID": "repository_branch_delete_on_merge_enabled",
|
||||
"CheckTitle": "Check if a repository deletes the branch after merging",
|
||||
"CheckTitle": "Repository deletes branches after pull request merge",
|
||||
"CheckType": [],
|
||||
"ServiceName": "repository",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "GitHubRepository",
|
||||
"Description": "Ensure that the repository deletes the branch after merging.",
|
||||
"Risk": "Inactive branches pose a security risk as they can accumulate outdated code, dependencies, and potential vulnerabilities over time. Malicious actors may exploit these branches, and they can clutter the repository, making it harder to manage and track the active code. Additionally, stale branches may unintentionally be accessed or used inappropriately, leading to potential security breaches.",
|
||||
"RelatedUrl": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches",
|
||||
"Severity": "low",
|
||||
"ResourceType": "",
|
||||
"Description": "**GitHub repository** setting that enables **automatic deletion of head branches** when pull requests merge into the default branch (`delete_branch_on_merge`).",
|
||||
"Risk": "Without automatic deletion, merged branches persist, weakening **integrity** and **confidentiality**: outdated code may be reused, secret remnants can linger, and reviews become ambiguous. Stale refs can still trigger CI with obsolete workflows, raising risks of supply-chain tampering and faulty deployments.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-the-automatic-deletion-of-branches",
|
||||
"https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"CLI": "gh api -X PATCH repos/<OWNER>/<REPO> -f delete_branch_on_merge=true",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
"Other": "1. In GitHub, open the repository and click Settings\n2. Under General, scroll to Pull Requests\n3. Check Automatically delete head branches\n4. Click Save",
|
||||
"Terraform": "```hcl\nresource \"github_repository\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n delete_branch_on_merge = true # Enables automatic deletion of PR head branches after merge\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Regularly review and remove inactive branches from your repositories. This helps reduce the risk of malicious code injection, sensitive data leaks, and unnecessary clutter in the repository. By keeping branches active and up to date, you ensure that your codebase remains secure and manageable.",
|
||||
"Url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-the-automatic-deletion-of-branches"
|
||||
"Text": "Enable **automatic head-branch deletion** after merges to minimize stale refs and confusion.\n- Enforce **least privilege** for branch creation\n- Apply **branch protection** and rulesets\n- Prefer short-lived feature branches with periodic pruning\n- Guard CI to avoid runs from obsolete branches",
|
||||
"Url": "https://hub.prowler.com/check/repository_branch_delete_on_merge_enabled"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"software-supply-chain"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
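Review bot: The new `CLI` remediation (`gh api -X PATCH repos/<OWNER>/<REPO> -f delete_branch_on_merge=true`) uses `-f`/`--raw-field`, which sends the value as the JSON string `"true"` rather than a boolean; `-F`/`--field` performs the type conversion, so the command should read `gh api -X PATCH repos/<OWNER>/<REPO> -F delete_branch_on_merge=true`. The GitHub REST API is likely to reject the string form for a boolean field with a 422, so the remediation as written may not actually apply the setting. The same `-f` usage appears in the `CLI` values for repository_default_branch_protection_enabled (where `'null'` and `false` are also sent as strings), repository_default_branch_requires_codeowners_review and repository_default_branch_requires_conversation_resolution, and the fix is the same `-F` in each.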
@@ -1,29 +1,37 @@
|
||||
{
|
||||
"Provider": "github",
|
||||
"CheckID": "repository_default_branch_deletion_disabled",
|
||||
"CheckTitle": "Check if a repository denies default branch deletion",
|
||||
"CheckTitle": "Repository denies default branch deletion",
|
||||
"CheckType": [],
|
||||
"ServiceName": "repository",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "GitHubRepository",
|
||||
"Description": "Ensure that the repository denies default branch deletion.",
|
||||
"Risk": "Allowing the deletion of protected branches by users with push access increases the risk of accidental or intentional branch removal, potentially resulting in significant data loss or disruption to the development process.",
|
||||
"RelatedUrl": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#allow-deletions",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "",
|
||||
"Description": "**Default branch deletion** setting in GitHub repositories; evaluates whether branch protections or rulesets have `Allow deletions` disabled for the default branch.",
|
||||
"Risk": "Permitting default branch deletion undermines **availability** by breaking CI/CD, releases, and PR targets.\n\nIt also impacts **integrity**: the canonical ref can be removed, enabling history tampering, branch hijacking, and harder audits/rollbacks.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule",
|
||||
"https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches",
|
||||
"https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets",
|
||||
"https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#allow-deletions"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"CLI": "gh api -X DELETE repos/<OWNER>/<REPO>/branches/<DEFAULT_BRANCH>/protection/allow_deletions",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
"Other": "1. In GitHub, open the repository and go to Settings > Branches\n2. Edit the branch protection rule for the default branch (or Add rule if none exists)\n3. Ensure \"Allow deletions\" is unchecked\n4. Click Save changes",
|
||||
"Terraform": "```hcl\nresource \"github_branch_protection_v3\" \"<example_resource_name>\" {\n repository_id = \"<example_resource_name>\"\n pattern = \"<default_branch>\"\n allows_deletions = false # Critical: disables deletion of the default branch\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Deny the ability to delete protected branches to ensure the preservation of critical branch data. This prevents accidental or malicious deletions and helps maintain the integrity and stability of the repository.",
|
||||
"Url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule"
|
||||
"Text": "Disable deletions on the **default branch** using **branch protection** or **rulesets** (`Allow deletions=false`). Apply controls to admins, minimize bypass lists, and enforce **least privilege**. Combine with required pull requests and status checks for **defense in depth**.",
|
||||
"Url": "https://hub.prowler.com/check/repository_default_branch_deletion_disabled"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"software-supply-chain"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
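Review bot: The new `CLI` value targets `.../protection/allow_deletions`, but as far as I can tell `allow_deletions` is not a separate branch-protection sub-resource in the GitHub REST API (only `enforce_admins`, `required_signatures`, `required_status_checks`, `required_pull_request_reviews` and `restrictions` have their own endpoints); it is a body field of `PUT /repos/{owner}/{repo}/branches/{branch}/protection`, so this command is likely to 404 and leave the finding unremediated. Please verify the endpoint against the API docs before shipping, and if the PUT form is used, state in the metadata that it replaces the whole protection rule so existing settings must be re-sent. The `CLI` for repository_default_branch_requires_conversation_resolution (`.../protection/required_conversation_resolution`) has the same problem. Separately, the `Terraform` snippet here declares `github_branch_protection_v3` with `repository_id` and `pattern`, which are arguments of the v4 `github_branch_protection` resource; v3 takes `repository` and `branch`, as the repository_default_branch_protection_applies_to_admins snippet correctly shows, and I am not sure `allows_deletions` is an argument of v3 at all. The snippets in repository_default_branch_disallows_force_push and repository_default_branch_protection_enabled mix the same names and should be corrected together (either switch the resource to `github_branch_protection` or the arguments to v3's).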
@@ -1,29 +1,35 @@
|
||||
{
|
||||
"Provider": "github",
|
||||
"CheckID": "repository_default_branch_disallows_force_push",
|
||||
"CheckTitle": "Check if repository denies force push",
|
||||
"CheckTitle": "Repository default branch denies force pushes",
|
||||
"CheckType": [],
|
||||
"ServiceName": "repository",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "GithubRepository",
|
||||
"Description": "Ensure that the repository denies force push to protected branches.",
|
||||
"Risk": "Permitting force pushes to branches can lead to accidental or intentional overwrites of the commit history, resulting in potential data loss, code inconsistencies, or the introduction of malicious changes. This compromises the stability and security of the repository.",
|
||||
"RelatedUrl": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#allow-force-pushes",
|
||||
"ResourceType": "",
|
||||
"Description": "**GitHub repository default branch** blocks **force pushes** through branch protection.\n\nEvaluates whether the default branch permits force pushes.",
|
||||
"Risk": "Allowing **force pushes on the default branch** erodes **integrity** and **auditability** by enabling history rewrites and deletion of commits. Attackers or insiders can inject unreviewed code, bypass reviews and status checks, and corrupt PRs, risking supply-chain compromise and reduced **availability**.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule",
|
||||
"https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#allow-force-pushes"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
"Other": "1. In GitHub, open the repository and go to Settings\n2. In the sidebar, click Branches\n3. Edit the protection rule for the default branch (or Add rule with the default branch name)\n4. Ensure Allow force pushes is unchecked/disabled\n5. Click Save changes",
|
||||
"Terraform": "```hcl\nresource \"github_branch_protection_v3\" \"<example_resource_name>\" {\n repository_id = \"<example_resource_id>\"\n pattern = \"<default_branch_name>\"\n\n allows_force_pushes = false # Critical: disallows force pushes on the default branch\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Disable force pushes on protected branches to preserve the commit history and ensure the integrity of the repository. This measure helps prevent unintentional data loss and protects the repository from malicious changes.",
|
||||
"Url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule"
|
||||
"Text": "Disable `Allow force pushes` on the default branch. Enforce PR-based changes with required reviews and status checks, require signed commits and linear history, and restrict bypass to minimal actors. Apply protections to admins too to uphold **least privilege** and **defense in depth**.",
|
||||
"Url": "https://hub.prowler.com/check/repository_default_branch_disallows_force_push"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"software-supply-chain"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
@@ -1,29 +1,38 @@
|
||||
{
|
||||
"Provider": "github",
|
||||
"CheckID": "repository_default_branch_protection_applies_to_admins",
|
||||
"CheckTitle": "Check if repository enforces admin branch protection",
|
||||
"CheckTitle": "Repository default branch protection applies to administrators",
|
||||
"CheckType": [],
|
||||
"ServiceName": "repository",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "GithubRepository",
|
||||
"Description": "Ensure that the repository enforces branch protection rules for administrators.",
|
||||
"Risk": "Excluding administrators from branch protection rules introduces a significant risk of unauthorized or unreviewed changes being pushed to protected branches. This can lead to vulnerabilities, including the potential insertion of malicious code, especially if an administrator account is compromised.",
|
||||
"RelatedUrl": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#do-not-allow-bypassing-the-above-settings",
|
||||
"ResourceType": "",
|
||||
"Description": "Repository default branch applies **branch protection rules** to **administrators** via `enforce_admins`, holding admin pushes to the same requirements as other contributors (reviews, status checks, and push restrictions).",
|
||||
"Risk": "Without admin enforcement, privileged users can bypass reviews and checks, enabling **unauthorized code changes**. A compromised admin token can inject backdoors, alter dependencies, or disable safeguards, undermining **integrity**, exposing secrets (**confidentiality**), and causing outages (**availability**).",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule",
|
||||
"https://spectralops.io/blog/how-to-set-up-git-branch-protection-rules/",
|
||||
"https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#do-not-allow-bypassing-the-above-settings",
|
||||
"https://pkg.go.dev/github.com/cdktf/cdktf-provider-github-go/github/v15/branchprotectionv3",
|
||||
"https://mattbrictson.com/blog/github-repo-setup"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"CLI": "gh api -X POST /repos/<OWNER>/<REPO>/branches/<DEFAULT_BRANCH>/protection/enforce_admins",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
"Other": "1. In GitHub, go to the repository > Settings > Branches\n2. Edit the branch protection rule that targets the default branch (or Add rule for <DEFAULT_BRANCH>)\n3. Enable: \"Do not allow bypassing the above settings\" (or \"Include administrators\")\n4. Click Save",
|
||||
"Terraform": "```hcl\nresource \"github_branch_protection_v3\" \"<example_resource_name>\" {\n repository = \"<example_resource_name>\"\n branch = \"<DEFAULT_BRANCH>\"\n enforce_admins = true # Critical: applies branch protection to administrators\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Enforce branch protection rules for administrators to ensure they adhere to the same security and quality standards as other users. This mitigates the risk of unreviewed or untrusted code being introduced, enhancing the overall integrity of the codebase.",
|
||||
"Url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule"
|
||||
"Text": "Enable **branch protection for administrators** and disallow bypasses. Apply **least privilege** and **separation of duties** by requiring PR reviews, required status checks, and signed commits on critical branches. Limit force pushes and deletions, and regularly review admin roles and audit logs.",
|
||||
"Url": "https://hub.prowler.com/check/repository_default_branch_protection_applies_to_admins"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"identity-access"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
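Review bot: `Categories` for this check is `identity-access` only, while the sibling repository_default_branch_protection_enabled lists both `identity-access` and `software-supply-chain` and the other branch-protection checks in this change use `software-supply-chain`; admin bypass of branch protection is as much a supply-chain control as an identity one, so consider listing both here for consistency. The `AdditionalURLs` entry pointing at the pkg.go.dev CDKTF Go binding (`.../branchprotectionv3`) is an unusual reference for the audience reading a finding; the Terraform provider's own resource documentation would serve better if a Terraform reference is wanted.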
@@ -1,29 +1,40 @@
|
||||
{
|
||||
"Provider": "github",
|
||||
"CheckID": "repository_default_branch_protection_enabled",
|
||||
"CheckTitle": "Check if branch protection is enforced on the default branch ",
|
||||
"CheckTitle": "Repository enforces branch protection on the default branch",
|
||||
"CheckType": [],
|
||||
"ServiceName": "repository",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "github:user-id:repository/repository-name",
|
||||
"Severity": "critical",
|
||||
"ResourceType": "GitHubRepository",
|
||||
"Description": "Ensure branch protection is enforced on the default branch",
|
||||
"Risk": "The absence of branch protection on the default branch increases the risk of unauthorized, unreviewed, or untested changes being merged. This can compromise the stability, security, and reliability of the codebase, which is especially critical for production deployments.",
|
||||
"RelatedUrl": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "",
|
||||
"Description": "**Repository default branch** has **branch protection rules** enabled to restrict direct changes and require reviewed, validated merges. The evaluation determines whether the default branch enforces such rules.",
|
||||
"Risk": "Without default-branch protection, changes can bypass reviews and checks, enabling:\n- Unauthorized direct pushes/force pushes\n- Malicious code injection and workflow tampering\n- Accidental deletions or unstable releases\nThis undermines code **integrity** and service **availability**.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule",
|
||||
"https://spectralops.io/blog/how-to-set-up-git-branch-protection-rules/",
|
||||
"https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches",
|
||||
"https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule#creating-a-branch-protection-rule",
|
||||
"https://web.archive.org/web/20210212232912/https://docs.github.com/en/github/administering-a-repository/managing-a-branch-protection-rule",
|
||||
"https://dev.to/pixiebrix/disable-a-direct-push-to-github-main-branch-8c2"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"CLI": "gh api -X PUT repos/<OWNER>/<REPO>/branches/<DEFAULT_BRANCH>/protection -f required_status_checks='null' -f required_pull_request_reviews='null' -f enforce_admins=false -f restrictions='null'",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
"Other": "1. In GitHub, open the repository and go to Settings\n2. Under \"Code and automation\", click Branches\n3. Click Add rule under \"Branch protection rules\"\n4. Set Branch name pattern to the default branch (e.g., main)\n5. Click Create to save the rule",
|
||||
"Terraform": "```hcl\n# Enable branch protection on the default branch\n# Minimal: create a protection rule targeting the default branch\n\ndata \"github_repository\" \"repo\" {\n full_name = \"<OWNER>/<REPO>\"\n}\n\nresource \"github_branch_protection_v3\" \"<example_resource_name>\" {\n repository_id = data.github_repository.repo.node_id\n pattern = \"<DEFAULT_BRANCH>\" # Critical: protects the default branch so the check passes\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Apply branch protection rules to the default branch to ensure it is safeguarded against unauthorized or improper modifications. This helps maintain code quality, enforces proper review and testing procedures, and reduces the risk of accidental or malicious changes.",
|
||||
"Url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule#creating-a-branch-protection-rule"
|
||||
"Text": "Enforce **branch protection** on the default branch:\n- Require pull requests with approvals (least privilege)\n- Enforce required status checks and conversation resolution\n- Require signed commits and linear history; block force pushes/deletions\n- Restrict push to trusted actors and apply rules to admins\nUse **CODEOWNERS** to strengthen review accountability.",
|
||||
"Url": "https://hub.prowler.com/check/repository_default_branch_protection_enabled"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"identity-access",
|
||||
"software-supply-chain"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
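Review bot: The new `CLI` and `Terraform` remediations create a protection rule with every enforcement setting null or false, which is enough to flip this check to PASS while the default branch still accepts unreviewed direct pushes; the Terraform comment `# Minimal` acknowledges this but the `CLI` string does not. Since operators tend to paste remediation commands as-is, I would either include at least one real control (for example a non-null `required_pull_request_reviews`) or append a step to `Remediation.Code.Other` such as `6. Configure the rule (required reviews, status checks, force-push/deletion blocks) - an empty rule satisfies this check but enforces nothing`. Note also that `PUT .../protection` replaces any existing protection on the branch, so the command should only be run in the unprotected state this check detects, which is worth saying in `Notes`.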
@@ -1,29 +1,40 @@
|
||||
{
|
||||
"Provider": "github",
|
||||
"CheckID": "repository_default_branch_requires_codeowners_review",
|
||||
"CheckTitle": "Check if code owner approval is required for changes to owned code",
|
||||
"CheckTitle": "Repository default branch requires code owner approval for changes to owned code",
|
||||
"CheckType": [],
|
||||
"ServiceName": "repository",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "github:user-id:repository/repository-name",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "GitHubRepository",
|
||||
"Description": "Ensure that code owners are required to review and approve any proposed changes that affect their respective areas of ownership in the code base.",
|
||||
"Risk": "If code owner approval is not required, unauthorized or unqualified individuals may merge changes to sensitive or critical areas of the codebase, increasing the risk of security vulnerabilities, bugs, or malicious modifications.",
|
||||
"RelatedUrl": "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners#requiring-code-owner-review",
|
||||
"ResourceType": "",
|
||||
"Description": "Repository default branch requires **Code Owners** approval for pull requests that modify paths declared in `CODEOWNERS`",
|
||||
"Risk": "Without required **Code Owners** review, non-owners can merge changes to sensitive code, undermining **integrity**.\nThis increases the chance of **malicious code injection**, hidden backdoors, or fragile changes that enable **data exfiltration** or cause outages, impacting confidentiality and availability.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-review-from-code-owners",
|
||||
"https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule",
|
||||
"https://vercel.com/academy/production-monorepos/code-governance",
|
||||
"https://www.arnica.io/blog/what-every-developer-should-know-about-github-codeowners",
|
||||
"https://stackoverflow.com/questions/77440426/require-only-one-codeowner-on-github-to-review-a-pr",
|
||||
"https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners#requiring-code-owner-review",
|
||||
"https://www.baeldung.com/ops/github-block-pull-request-merge"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"CLI": "gh api -X PATCH repos/<OWNER>/<REPO>/branches/<DEFAULT_BRANCH>/protection/required_pull_request_reviews -f require_code_owner_reviews=true",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
"Other": "1. In GitHub, open the repository and go to Settings > Branches\n2. Edit the branch protection rule for <DEFAULT_BRANCH> (or click Add rule)\n3. Set Branch name pattern to <DEFAULT_BRANCH>\n4. Check Require a pull request before merging\n5. Under Pull request reviews, check Require review from Code Owners\n6. Click Create/Save to apply",
|
||||
"Terraform": "```hcl\nresource \"github_branch_protection\" \"<example_resource_name>\" {\n repository_id = \"<example_resource_id>\"\n pattern = \"<DEFAULT_BRANCH>\"\n\n required_pull_request_reviews {\n require_code_owner_reviews = true # Critical: enforces CODEOWNERS approval on the default branch\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "To require code owner review, navigate to the repository settings, click on 'Branches', add or edit a branch protection rule, and enable 'Require review from Code Owners'.",
|
||||
"Url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-review-from-code-owners"
|
||||
"Text": "Enforce **Code Owners** review on the default branch and keep `CODEOWNERS` accurate and team-based.\nApply **least privilege**, require **status checks** and **signed commits**, extend protections to admins, and audit ownership regularly. Co-own critical paths to ensure coverage and reduce single-point approval gaps.",
|
||||
"Url": "https://hub.prowler.com/check/repository_default_branch_requires_codeowners_review"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"software-supply-chain"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
@@ -1,29 +1,40 @@
|
||||
{
|
||||
"Provider": "github",
|
||||
"CheckID": "repository_default_branch_requires_conversation_resolution",
|
||||
"CheckTitle": "Check if repository requires conversation resolution before merging",
|
||||
"CheckTitle": "Repository default branch requires conversation resolution before merging",
|
||||
"CheckType": [],
|
||||
"ServiceName": "repository",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "GitHubRepository",
|
||||
"Description": "Ensure that the repository requires conversation resolution before merging.",
|
||||
"Risk": "Leaving comments unresolved before merging code can lead to overlooked issues, including potential bugs or security vulnerabilities, that might affect the quality and security of the codebase. Unaddressed concerns could result in a lower quality of code, increasing the risk of production failures or breaches.",
|
||||
"RelatedUrl": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-conversation-resolution-before-merging",
|
||||
"ResourceType": "",
|
||||
"Description": "Repository default branch uses branch protection to require **conversation resolution** on pull requests (`Require conversation resolution before merging`).",
|
||||
"Risk": "Unresolved threads let code with known concerns reach default, weakening **integrity** and **confidentiality**. Insecure changes or secrets may ship, enabling injection, auth bypass, or data exposure. **Availability** can suffer from regressions; review accountability is reduced.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule",
|
||||
"https://medium.com/@techeazy.consulting/github-branch-protection-rules-why-and-how-to-use-them-07ecfdb003cf",
|
||||
"https://www.graphite.com/guides/how-to-set-up-branch-protection-rules-github",
|
||||
"https://best.openssf.org/SCM-BestPractices/github/repository/no_conversation_resolution.html",
|
||||
"https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches",
|
||||
"https://github.com/orgs/community/discussions/127070",
|
||||
"https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-conversation-resolution-before-merging"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"CLI": "gh api -X PUT repos/<OWNER>/<REPO>/branches/<DEFAULT_BRANCH>/protection/required_conversation_resolution -f enabled=true",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
"Other": "1. In GitHub, go to the repository > Settings\n2. Click Branches\n3. Edit the branch protection rule for the default branch (e.g., main)\n4. Check \"Require conversation resolution before merging\"\n5. Click Save changes",
|
||||
"Terraform": "```hcl\nresource \"github_branch_protection\" \"<example_resource_name>\" {\n repository_id = \"<example_resource_name>\"\n pattern = \"<default_branch_name>\"\n\n require_conversation_resolution = true # Critical: require all PR conversations to be resolved before merge\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Ensure that all comments in a code change proposal are resolved before merging. This guarantees that every reviewer’s concern is addressed, improving code quality and security by preventing issues from being ignored or overlooked.",
|
||||
"Url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule"
|
||||
"Text": "Enable `Require conversation resolution before merging` on the default branch.\n\nAlso enforce:\n- Required approvals and CI checks\n- **CODEOWNERS** on critical paths\n- **Least privilege** for merge rights\n- Apply rules to admins to prevent bypass",
|
||||
"Url": "https://hub.prowler.com/check/repository_default_branch_requires_conversation_resolution"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"software-supply-chain"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
@@ -1,29 +1,35 @@
|
||||
{
|
||||
"Provider": "github",
|
||||
"CheckID": "repository_default_branch_requires_linear_history",
|
||||
"CheckTitle": "Check if repository default branch requires linear history",
|
||||
"CheckTitle": "Repository default branch requires linear history",
|
||||
"CheckType": [],
|
||||
"ServiceName": "repository",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "GithubRepository",
|
||||
"Description": "Ensure that the repository default branch requires linear history.",
|
||||
"Risk": "Allowing non-linear history can result in a cluttered and difficult-to-trace Git history, making it harder to identify specific changes, debug issues, and understand the sequence of development. This increases the risk of errors, inconsistencies, and bugs, especially in production environments.",
|
||||
"RelatedUrl": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-linear-history",
|
||||
"Severity": "low",
|
||||
"ResourceType": "",
|
||||
"Description": "**Repository default branch** enforces `Require linear history`, blocking merge commits and allowing only `squash` or `rebase` merges",
|
||||
"Risk": "Without a **linear history**, commit provenance is harder to verify, weakening **integrity** and **accountability**.\n\nMerge commits can obscure diffs entering the default branch, hindering audits and rollbacks, enabling unnoticed **malicious or unreviewed code**, and delaying incident response.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-linear-history",
|
||||
"https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"CLI": "curl -X PUT -H \"Authorization: Bearer <TOKEN>\" -H \"Accept: application/vnd.github+json\" -H \"Content-Type: application/json\" https://api.github.com/repos/<OWNER>/<REPO>/branches/<DEFAULT_BRANCH>/protection -d '{\"required_status_checks\":null,\"enforce_admins\":false,\"required_pull_request_reviews\":null,\"restrictions\":null,\"required_linear_history\":true}'",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
"Other": "1. In GitHub, go to the repository > Settings > Branches\n2. If a rule exists for the default branch, click Edit; otherwise click Add rule and set Branch name pattern to the default branch (e.g., main)\n3. Check Require linear history\n4. Click Create (or Save changes)",
|
||||
"Terraform": "```hcl\nresource \"github_branch_protection\" \"<example_resource_name>\" {\n repository_id = \"<example_repository_id>\"\n pattern = \"<DEFAULT_BRANCH>\"\n require_linear_history = true # Critical: enforces linear history on the default branch\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Enforce a linear history by requiring rebase or squash merges for pull requests. This will create a clean, chronological commit history, making it easier to track changes, revert modifications, and troubleshoot any issues that arise.",
|
||||
"Url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule"
|
||||
"Text": "Enable `Require linear history` on the default branch and allow only `squash` or `rebase` merges.\n\nReinforce with **branch protection**: require pull requests and reviews, **status checks**, and **signed commits**. Limit bypass to trusted roles (least privilege) to preserve **traceability** and **defense in depth**.",
|
||||
"Url": "https://hub.prowler.com/check/repository_default_branch_requires_linear_history"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"software-supply-chain"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
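Review bot: The `curl -X PUT .../protection` remediation at L1197 replaces the branch's entire protection rule, so its literal `"required_status_checks":null,"enforce_admins":false,"required_pull_request_reviews":null,"restrictions":null` payload will silently drop any required reviews, status checks or admin enforcement already configured on the default branch; the `gh api -X PUT .../protection` command in the multiple-approvals section has the same effect. The command should be presented as a template whose other fields are filled from the branch's current rule (a `GET` of the same endpoint first) rather than nulled, or the UI/Terraform paths should be flagged as the non-destructive route. Separately, this is the only section in the series that shells out to raw `curl` with `-H "Authorization: Bearer <TOKEN>"`, which leaves the token in shell history and process listings; the `gh api` form used by the sibling sections authenticates from the `gh` credential store and would keep the remediation style consistent.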
|
||||
|
||||
@@ -1,29 +1,36 @@
|
||||
{
|
||||
"Provider": "github",
|
||||
"CheckID": "repository_default_branch_requires_multiple_approvals",
|
||||
"CheckTitle": "Check if repositories require at least 2 code changes approvals",
|
||||
"CheckTitle": "Repository default branch requires at least 2 approvals for code changes",
|
||||
"CheckType": [],
|
||||
"ServiceName": "repository",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "github:user-id:repository/repository-name",
|
||||
"Severity": "high",
|
||||
"ResourceType": "GitHubRepository",
|
||||
"Description": "Ensure that repositories require at least 2 code changes approvals before merging a pull request.",
|
||||
"Risk": "If repositories do not require at least 2 code changes approvals before merging a pull request, it is possible that code changes are not being reviewed by multiple people, which could lead to the introduction of bugs or security vulnerabilities.",
|
||||
"RelatedUrl": "https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/approving-a-pull-request-with-required-reviews",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "",
|
||||
"Description": "Repository default branch enforces **required reviews** with a minimum of `2` approving reviews before a pull request can be merged.\n\nAssesses whether an approval threshold of at least `2` is configured for code changes targeting the default branch.",
|
||||
"Risk": "Without multi-review approval on the default branch, a single actor can merge changes, degrading **integrity** and **accountability**. This enables:\n- supply-chain tampering or backdoors\n- introduction of exploitable bugs\n- bypass of change control via compromised accounts",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/approving-a-pull-request-with-required-reviews",
|
||||
"https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"CLI": "gh api -X PUT repos/<OWNER>/<REPO>/branches/<DEFAULT_BRANCH>/protection -F required_status_checks=null -F enforce_admins=false -F restrictions=null -F required_pull_request_reviews.required_approving_review_count=2",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
"Other": "1. In GitHub, open the repository and go to Settings > Branches\n2. Under Branch protection rules, click Add rule (or Edit for the default branch rule)\n3. Set Branch name pattern to the default branch (e.g., main)\n4. Check Require a pull request before merging\n5. Set Require approvals to 2\n6. Click Create/Save to apply",
|
||||
"Terraform": "```hcl\nresource \"github_branch_protection\" \"<example_resource_name>\" {\n repository_id = \"<example_resource_name>\"\n pattern = \"<DEFAULT_BRANCH>\"\n\n required_pull_request_reviews {\n required_approving_review_count = 2 # Enforces at least 2 approvals before merging into the default branch\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "To require at least 2 code changes approvals before merging a pull request, navigate to the repository settings, click on 'Branches', and then 'Add rule'.",
|
||||
"Url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging"
|
||||
"Text": "Enforce the **four-eyes principle** by requiring at least `2` approvals for merges to the default branch.\n\nStrengthen with **separation of duties** using code owner reviews, dismiss stale approvals, apply protections to admins, and pair with required status checks for **defense in depth**.",
|
||||
"Url": "https://hub.prowler.com/check/repository_default_branch_requires_multiple_approvals"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"ci-cd",
|
||||
"software-supply-chain"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
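Review bot: The `-F required_pull_request_reviews.required_approving_review_count=2` field at L1346 looks unlikely to produce the nested object the PUT protection endpoint expects: as far as I know `gh api` nests fields with bracket syntax (`-F 'required_pull_request_reviews[required_approving_review_count]=2'`), and a dotted key is sent as a flat, unknown top-level parameter, leaving `required_pull_request_reviews` absent and the request rejected. Worth a run against a scratch repository before this ships; the Terraform block in the same hunk already has the right shape and can serve as the reference. The severity drop from `high` to `medium` is not explained anywhere in the hunk; a short rationale in `Notes` would help reviewers of the next revision.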
|
||||
|
||||
@@ -1,29 +1,35 @@
|
||||
{
|
||||
"Provider": "github",
|
||||
"CheckID": "repository_default_branch_requires_signed_commits",
|
||||
"CheckTitle": "Check if repository requires signed commits",
|
||||
"CheckTitle": "Repository default branch requires signed commits",
|
||||
"CheckType": [],
|
||||
"ServiceName": "repository",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "github:user-id:repository/repository-name",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "GitHubRepository",
|
||||
"Description": "Ensure that every commit in a pull request is signed and verified before merging to the default branch.",
|
||||
"Risk": "If repositories do not require signed commits, there is no way to verify the authenticity and integrity of code changes. This could allow malicious actors to impersonate legitimate contributors and introduce unauthorized or harmful changes to the codebase.",
|
||||
"RelatedUrl": "https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "",
|
||||
"Description": "**Repository default branch** enforces **signed and verified commits** (`Require signed commits`), allowing only commits with valid cryptographic signatures to be pushed or merged.",
|
||||
"Risk": "Without required signing, commit authorship can be spoofed and unverified changes added, impacting integrity.\n- Backdoor injection\n- History tampering and forged identities\n- Release pipeline abuse and supply-chain compromise",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-signed-commits",
|
||||
"https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"CLI": "gh api -X POST repos/<OWNER>/<REPO>/branches/<DEFAULT_BRANCH_NAME>/protection/required_signatures",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
"Other": "1. In GitHub, go to the repository > Settings\n2. Click Branches\n3. Edit the rule for the default branch (or Add rule targeting the default branch name)\n4. Check Require signed commits\n5. Click Save changes",
|
||||
"Terraform": "```hcl\nresource \"github_branch_protection_v3\" \"<example_resource_name>\" {\n repository = \"<example_repository_name>\"\n pattern = \"<default_branch_name>\"\n\n required_signatures = true # Critical: Enforces signed commits on the default branch\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Enable the 'Require signed commits' option in branch protection rules to ensure that all commits are cryptographically signed and verified before they can be merged.",
|
||||
"Url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-signed-commits"
|
||||
"Text": "Enforce `Require signed commits` on default and release branches.\n- Standardize GPG/SSH/S/MIME for humans and bots\n- Protect and rotate signing keys; least privilege on bypass\n- Pair with required reviews and status checks for defense-in-depth",
|
||||
"Url": "https://hub.prowler.com/check/repository_default_branch_requires_signed_commits"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"software-supply-chain"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
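Review bot: The Terraform snippet at L1513 mixes two provider resources: `github_branch_protection_v3` takes `repository` and `branch` (with `require_signed_commits`, as far as I recall), while `pattern` belongs to the GraphQL-based `github_branch_protection` resource, and `required_signatures` is the REST endpoint name rather than an argument of either, so the example should fail `terraform validate`. The status-checks section has the same `_v3` plus `repository_id`/`pattern` mismatch. Either switch to `github_branch_protection` with `repository_id`/`pattern`/`require_signed_commits = true`, consistent with the linear-history and multiple-approvals snippets, or keep `_v3` and use `repository`/`branch`. The `gh api -X POST .../required_signatures` CLI at L1498 only succeeds when a protection rule already exists for the branch; the `Other` steps cover that case but the CLI line does not say so.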
|
||||
|
||||
@@ -1,29 +1,40 @@
|
||||
{
|
||||
"Provider": "github",
|
||||
"CheckID": "repository_default_branch_status_checks_required",
|
||||
"CheckTitle": "Check if repository enforces status checks to pass",
|
||||
"CheckTitle": "Repository default branch requires status checks",
|
||||
"CheckType": [],
|
||||
"ServiceName": "repository",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "GithubRepository",
|
||||
"Description": "Ensure that the repository enforces status checks to pass before merging code into the main branch.",
|
||||
"Risk": "Merging code without requiring all checks to pass increases the risk of introducing bugs, vulnerabilities, or unstable changes into the codebase. This can compromise the quality, security, and functionality of the application.",
|
||||
"RelatedUrl": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging",
|
||||
"ResourceType": "",
|
||||
"Description": "**GitHub repository default branch** uses **required status checks**, indicating whether merges are gated by successful check results on pull requests",
|
||||
"Risk": "Without required checks, unvetted commits can be merged, degrading code **integrity** and **availability**. Skipped or failing validations may introduce vulnerable dependencies, break builds, or allow malicious code, enabling supply-chain compromise and rapid propagation to production.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule",
|
||||
"https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging",
|
||||
"https://dev.to/bobbyg603/github-status-checks-and-branch-protection-made-easy-2cnf",
|
||||
"https://medium.com/picus-security-engineering/how-to-handle-cancelable-github-actions-which-require-status-checks-to-pass-before-merging-63545083da4e",
|
||||
"https://stackoverflow.com/questions/76948223/github-require-specific-checks-to-pass-before-merging",
|
||||
"https://docs.gearset.com/en/articles/2437757-managing-status-check-rules-in-github",
|
||||
"https://graphite.com/guides/mandatory-pull-request-checks-and-requirements-in-github"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"CLI": "gh api -X PATCH repos/<OWNER>/<REPO>/branches/<DEFAULT_BRANCH>/protection/required_status_checks -f strict=false -F contexts[]=<CHECK_NAME>",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
"Other": "1. In GitHub, go to the repository > Settings > Branches\n2. Next to Branch protection rules, click Add rule (or Edit for the default branch rule)\n3. Set Branch name pattern to your default branch (e.g., main)\n4. Check Require status checks to pass before merging\n5. In the list, select at least one check (e.g., your CI workflow)\n6. Click Create (or Save changes)",
|
||||
"Terraform": "```hcl\nresource \"github_branch_protection_v3\" \"<example_resource_name>\" {\n repository_id = \"<example_repository_id>\"\n pattern = \"<DEFAULT_BRANCH>\"\n\n required_status_checks {\n strict = false\n contexts = [\"<CHECK_NAME>\"] # Critical: requires this status check to pass before merging\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Require all predefined status checks to pass successfully before allowing code changes to be merged. This ensures that all quality, stability, and security conditions are met, reducing the likelihood of errors or vulnerabilities being introduced into the project.",
|
||||
"Url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule"
|
||||
"Text": "Enforce branch protection to require **status checks** on the default branch.\n- Gate merges on build, tests, and security scans\n- Use `require up-to-date` behavior to reduce integration risk\n- Apply to admins and limit bypasses\n- Combine with **least privilege** and required reviews for defense in depth",
|
||||
"Url": "https://hub.prowler.com/check/repository_default_branch_status_checks_required"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"ci-cd"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
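Review bot: The CLI at L1656 passes `-f strict=false`, which sends the string `"false"` rather than a JSON boolean (`-f` is the raw-string form of `gh api`; `-F` is the typed form used for the other fields in this series), so the PATCH may be rejected or misread; `-F strict=false` is the intended spelling. More importantly, both the CLI and the Terraform block at L1671 explicitly set `strict = false`, while the Recommendation text in the same hunk tells the reader to use the `require up-to-date` behavior — the remediation code should set `strict=true` or the recommendation should stop promising it. As with the other branch-protection endpoints, the PATCH assumes a protection rule already exists for the branch, which is worth stating next to the command.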
|
||||
|
||||
@@ -1,29 +1,35 @@
|
||||
{
|
||||
"Provider": "github",
|
||||
"CheckID": "repository_dependency_scanning_enabled",
|
||||
"CheckTitle": "Check if package vulnerability scanning is enabled for dependencies in the repository",
|
||||
"CheckTitle": "Repository has package vulnerability scanning (Dependabot alerts) enabled",
|
||||
"CheckType": [],
|
||||
"ServiceName": "repository",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "github:user-id:repository/repository-name",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "GitHubRepository",
|
||||
"Description": "Implement scanning tools to detect, prevent, and monitor known open-source vulnerabilities in packages used within the organization's projects. This check verifies that dependency/package vulnerability scanning (e.g., Dependabot alerts) is enabled for the repository.",
|
||||
"Risk": "If package vulnerability scanning is not enabled, known vulnerabilities in dependencies may go undetected, increasing the risk of exploitation and security breaches.",
|
||||
"RelatedUrl": "https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts",
|
||||
"ResourceType": "",
|
||||
"Description": "**GitHub repositories** are assessed for **dependency vulnerability scanning** enabled via `Dependabot alerts`, which monitors the dependency graph for known vulnerable packages and versions.",
|
||||
"Risk": "Without automated scanning, known vulnerable dependencies may persist unnoticed, enabling supply-chain compromise. Exploits in third-party libraries can drive RCE, data theft, or build tampering, undermining confidentiality, integrity, and availability across code and CI/CD.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"CLI": "gh api --method PUT repos/<OWNER>/<REPO>/vulnerability-alerts",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
"Other": "1. In GitHub, open the target repository\n2. Click Settings > Code security and analysis\n3. Under Dependabot alerts, click Enable\n4. Verify the toggle shows Enabled",
|
||||
"Terraform": "```hcl\nresource \"github_repository\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n vulnerability_alerts = true # Enables Dependabot alerts to pass the check\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Enable Dependabot alerts or another package vulnerability scanner in the repository settings to automatically detect and alert on vulnerable dependencies.",
|
||||
"Url": "https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts"
|
||||
"Text": "Enable **dependency vulnerability scanning** with `Dependabot alerts` or an equivalent SCA tool across repositories. Apply **defense in depth**: keep manifests and lockfiles current, triage alerts quickly, use automated security updates with required reviews, and surface results in PR checks and notifications.",
|
||||
"Url": "https://hub.prowler.com/check/repository_dependency_scanning_enabled"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"vulnerabilities",
|
||||
"software-supply-chain"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
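Review bot: The Terraform remediation at L1814 declares a new `github_repository` resource to flip `vulnerability_alerts = true` on a repository that by definition already exists, so a plain `terraform apply` would try to create it (or fail on the name collision) rather than modify it; the `archived = true` snippet in the inactive-repository section has the same shape. The snippet should state that the repository must already be managed by, or imported into, the Terraform state, e.g. a leading comment `# Critical: import the existing repository into state before applying`. The `gh api --method PUT .../vulnerability-alerts` CLI and the UI steps are fine as single-repository remediation.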
|
||||
|
||||
@@ -1,29 +1,38 @@
|
||||
{
|
||||
"Provider": "github",
|
||||
"CheckID": "repository_has_codeowners_file",
|
||||
"CheckTitle": "Check if repositories have a CODEOWNERS file",
|
||||
"CheckTitle": "Repository has a CODEOWNERS file",
|
||||
"CheckType": [],
|
||||
"ServiceName": "repository",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "github:user-id:repository/repository-name",
|
||||
"Severity": "high",
|
||||
"ResourceType": "GitHubRepository",
|
||||
"Description": "Ensure that repositories have a CODEOWNERS file.",
|
||||
"Risk": "Not having a CODEOWNERS file in a repository may lead to unclear code ownership and review responsibilities, increasing the risk of unreviewed or unauthorized changes.",
|
||||
"RelatedUrl": "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "",
|
||||
"Description": "GitHub repositories declare **code ownership** via a `CODEOWNERS` file mapping file patterns to users or teams. This evaluation checks whether such a file exists in standard locations (`/`, `.github/`, or `docs/`) to enable automatic reviewer assignment.",
|
||||
"Risk": "Missing `CODEOWNERS` undermines **integrity** and **separation of duties**:\n- PRs can merge without accountable, domain reviews\n- Critical paths risk unauthorized or low-quality changes\nThis raises **software supply chain** exposure, enabling code tampering, hidden backdoors, and unsafe config modifications.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners",
|
||||
"https://graphite.com/guides/in-depth-guide-github-codeowners",
|
||||
"https://github.blog/news-insights/product-news/introducing-code-owners/",
|
||||
"https://dev.to/aviator_co/a-modern-guide-to-codeowners-242h",
|
||||
"https://blog.nashtechglobal.com/default-reviewers-through-codeowners-file/"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"CLI": "gh api -X PUT repos/<example_org_or_user>/<example_repo>/contents/.github/CODEOWNERS -f message='add CODEOWNERS' -f content=\"$(printf '* @<example_owner>\\n' | base64 | tr -d '\\n')\"",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
"Other": "1. In GitHub, open the target repository\n2. Click Add file > Create new file\n3. Set the filename to .github/CODEOWNERS\n4. Add a single line: `* @<example_owner>`\n5. Click Commit new file (commit to the default branch)",
|
||||
"Terraform": "```hcl\nresource \"github_repository_file\" \"<example_resource_name>\" {\n repository = \"<example_repo>\"\n file = \".github/CODEOWNERS\" # Critical: creates the CODEOWNERS file so the check passes\n content = \"* @<example_owner>\" # Critical: minimal valid content so the file is recognized\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Add a CODEOWNERS file to the root, .github/, or docs/ directory of the repository. The file should specify code owners for files and directories as appropriate for your organization.",
|
||||
"Url": "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners"
|
||||
"Text": "Define and maintain a `CODEOWNERS` file mapping sensitive paths to responsible teams or users, preferring teams for resilience. Combine with branch protections requiring code-owner reviews to enforce **separation of duties** and **least privilege**. Keep entries current and cover critical directories to avoid pattern gaps.",
|
||||
"Url": "https://hub.prowler.com/check/repository_has_codeowners_file"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"software-supply-chain"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
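Review bot: The remediation content `* @<example_owner>` at L1960, L1972 and L1975 assigns every path to one account, which satisfies the check's existence test but hands a single user a blanket review role — the Recommendation text in the same hunk argues for teams and path-scoped entries, so the example could at least use a team placeholder and a comment that the catch-all is a starting point. The contents-API `PUT` at L1960 is also rejected without a `sha` field when `.github/CODEOWNERS` already exists; a one-line note would save the reader a round trip. Placeholders here use `<example_org_or_user>/<example_repo>` while the other GitHub checks use `<OWNER>/<REPO>`; worth aligning.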
|
||||
|
||||
@@ -1,29 +1,35 @@
|
||||
{
|
||||
"Provider": "github",
|
||||
"CheckID": "repository_inactive_not_archived",
|
||||
"CheckTitle": "Check for inactive repositories that are not archived",
|
||||
"CheckTitle": "Repository is archived or active within the configured inactivity threshold",
|
||||
"CheckType": [],
|
||||
"ServiceName": "repository",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "GitHubRepository",
|
||||
"Description": "Ensure that repositories with no activity are reviewed and considered for archival. Inactive repositories may have outdated dependencies or security configurations that could pose security risks.",
|
||||
"Risk": "Inactive repositories that are not archived may contain outdated dependencies, unpatched vulnerabilities, or misconfigured security settings. These repositories increase the attack surface and could be targeted by malicious actors.",
|
||||
"RelatedUrl": "https://docs.github.com/en/repositories/archiving-a-github-repository/archiving-repositories",
|
||||
"ResourceType": "",
|
||||
"Description": "**GitHub repositories** that remain **unarchived** and show no activity beyond a configured inactivity window (e.g., `180` days) are identified. The evaluation considers the most recent repository activity to surface long-idle codebases that are still unarchived.",
|
||||
"Risk": "Unarchived, long-inactive repos expand attack surface. Stale code and dependencies can hide unpatched flaws; writable state enables **integrity** compromise via malicious commits or workflow abuse; exposed secrets threaten **confidentiality**. Attackers can leverage them for lateral movement and supply-chain tampering.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.github.com/en/repositories/archiving-a-github-repository/archiving-repositories",
|
||||
"https://github.blog/news-insights/product-news/archiving-repositories/"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"CLI": "gh repo archive <OWNER>/<REPO> --yes",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
"Other": "1. Open the repository on GitHub\n2. Click Settings\n3. Scroll to Danger Zone\n4. Click Archive this repository\n5. Type the repository name and confirm by clicking I understand the consequences, archive this repository",
|
||||
"Terraform": "```hcl\nresource \"github_repository\" \"repo\" {\n name = \"<example_resource_name>\"\n archived = true # Critical: archives the repository so inactive repos pass the check\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Review inactive repositories and either: 1) Archive them if they are no longer needed, 2) Update their dependencies and security configurations if they are still required, or 3) Delete them if they contain no valuable information.",
|
||||
"Url": "https://docs.github.com/en/repositories/archiving-a-github-repository/archiving-repositories"
|
||||
"Text": "Adopt **lifecycle management**:\n- Archive or delete repos no longer needed\n- If retained, update dependencies, rotate secrets, disable unused workflows, and restrict writes under **least privilege**\n- Define an inactivity policy (e.g., `180` days) with periodic reviews to prevent dormant, writable codebases",
|
||||
"Url": "https://hub.prowler.com/check/repository_inactive_not_archived"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"software-supply-chain"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
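Review bot: `gh repo archive <OWNER>/<REPO> --yes` at L2103 archives without confirmation, while the Recommendation text in the same hunk lists archival as only one of three valid outcomes (archive, refresh and keep, or delete); the CLI line should say it applies only once the repository has been confirmed unneeded, since archiving makes the repository read-only. The Terraform label `"repo"` at L2118 is the only one in this series that is not a `<example_resource_name>` placeholder.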
|
||||
|
||||
@@ -1,29 +1,35 @@
|
||||
{
|
||||
"Provider": "github",
|
||||
"CheckID": "repository_public_has_securitymd_file",
|
||||
"CheckTitle": "Check if public repositories have a SECURITY.md file",
|
||||
"CheckTitle": "Public repository has a SECURITY.md file",
|
||||
"CheckType": [],
|
||||
"ServiceName": "repository",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "github:user-id:repository/repository-name",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "low",
|
||||
"ResourceType": "GitHubRepository",
|
||||
"Description": "Ensure that public repositories have a SECURITY.md file",
|
||||
"Risk": "Not having a SECURITY.md file in a public repository may lead to security vulnerabilities being overlooked by users and contributors.",
|
||||
"RelatedUrl": "https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository",
|
||||
"ResourceType": "",
|
||||
"Description": "**Public repositories** include a `SECURITY.md` policy file that tells researchers how to report vulnerabilities. The evaluation focuses on the presence of this file in public repositories.",
|
||||
"Risk": "Without **SECURITY.md**, reporters may use public issues or ad-hoc channels, causing premature disclosure or missed reports. This widens the exploit window and impacts **confidentiality** (leaked details), **integrity** (unauthorized changes), and **availability** (DoS from unpatched flaws).",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository",
|
||||
"https://github.blog/changelog/2019-05-23-security-policy/"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"CLI": "gh api -X PUT repos/<OWNER>/<REPO>/contents/.github/SECURITY.md -f message='Add SECURITY.md' -f content='UmVwb3J0IHZ1bG5lcmFiaWxpdGllcyB0byBzZWN1cml0eUBleGFtcGxlLmNvbQo='",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
"Other": "1. In GitHub, open the target repository\n2. Click Security > Policy (under Reporting)\n3. Click Start setup\n4. Add minimal instructions (e.g., how to report vulnerabilities)\n5. Click Commit changes to create SECURITY.md",
|
||||
"Terraform": "```hcl\nresource \"github_repository_file\" \"security_md\" {\n repository = \"<example_resource_name>\"\n file = \".github/SECURITY.md\" # Critical: ensures SECURITY.md exists in a recognized location\n content = \"Report vulnerabilities to security@example.com\" # Critical: creates the file so the check passes\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Add a SECURITY.md file to the root of the repository. The file should contain information on how to report a security vulnerability, the security policy of the repository, and any other relevant information.",
|
||||
"Url": "https://github.blog/changelog/2019-05-23-security-policy/"
|
||||
"Text": "Publish a clear `SECURITY.md` for each public repo or an org default. Include private reporting channels, optional encryption keys, scope/supported versions, disclosure timelines, and safe-harbor terms. Link to any bounty program and review regularly. Align with **accountability** and **defense in depth** principles.",
|
||||
"Url": "https://hub.prowler.com/check/repository_public_has_securitymd_file"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"software-supply-chain"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
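Review bot: The `content=` value at L2249 is the base64 of `Report vulnerabilities to security@example.com`, and the Terraform block at L2264 commits the same string in clear, so anyone running the remediation verbatim publishes a placeholder mailbox as their vulnerability-reporting contact — which makes the check pass while defeating its purpose. The opaque base64 makes that easy to miss; build it from a visible placeholder as the CODEOWNERS section does, e.g. `-f content="$(printf 'Report vulnerabilities to <SECURITY_CONTACT>\n' | base64 | tr -d '\n')"`, and use `<SECURITY_CONTACT>` in the Terraform `content` as well. The `Other` steps already tell the reader to add real reporting instructions, so only the code samples need the change.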
|
||||
|
||||
@@ -1,29 +1,34 @@
|
||||
{
|
||||
"Provider": "github",
|
||||
"CheckID": "repository_secret_scanning_enabled",
|
||||
"CheckTitle": "Check if secret scanning is enabled to detect sensitive data in the repository",
|
||||
"CheckTitle": "Repository has secret scanning enabled to detect sensitive data",
|
||||
"CheckType": [],
|
||||
"ServiceName": "repository",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "github:user-id:repository/repository-name",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "GitHubRepository",
|
||||
"Description": "Ensure that scanners are in place to detect and prevent sensitive data, such as confidential ID numbers, passwords, and other sensitive information, from being committed in the source code. This check verifies that secret scanning is enabled to identify and prevent sensitive data from being included in the repository.",
|
||||
"Risk": "If secret scanning is not enabled, sensitive data may be inadvertently committed to the repository, increasing the risk of data breaches and exploitation by attackers.",
|
||||
"RelatedUrl": "https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning",
|
||||
"ResourceType": "",
|
||||
"Description": "GitHub repository configuration for **secret scanning**-which detects secrets (API keys, tokens, passwords) in commits and Git history-is evaluated to determine if detection is active.",
|
||||
"Risk": "Without **secret scanning**, exposed credentials can persist unnoticed, enabling:\n- Unauthorized access to cloud and third-party services\n- **Supply-chain compromise** via tampered pipelines\n- Data exfiltration and repo takeover\n\nThis degrades **confidentiality** and **integrity**, and increases blast radius of a single leaked key.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"CLI": "gh api -X PATCH repos/<OWNER>/<REPO> -H \"Accept: application/vnd.github+json\" -H \"Content-Type: application/json\" -d '{\"security_and_analysis\":{\"secret_scanning\":{\"status\":\"enabled\"}}}'",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
"Other": "1. In GitHub, open the target repository and go to Settings\n2. In the left sidebar, click Code security and analysis\n3. Under Secret scanning, click Enable (or set to Enabled)\n4. Confirm if prompted",
|
||||
"Terraform": "```hcl\nresource \"github_repository\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n\n security_and_analysis {\n secret_scanning { # Critical: enable secret scanning\n status = \"enabled\" # Turns on secret scanning for the repository\n }\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Enable secret scanning in the repository settings to automatically detect and prevent sensitive data from being committed to the codebase.",
|
||||
"Url": "https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning"
|
||||
"Text": "Enable **secret scanning** (and **push protection** where available) across repositories.\n- Store secrets in a dedicated **secrets manager**, never in code\n- Define custom patterns and enable generic detection for org-specific secrets\n- Rotate and revoke exposed credentials quickly\n- Enforce **least privilege** and add **defense-in-depth** monitoring",
|
||||
"Url": "https://hub.prowler.com/check/repository_secret_scanning_enabled"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"secrets"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
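Review bot: The new Recommendation text tells users to enable push protection alongside secret scanning, but the CLI and Terraform remediation on the new side only set `secret_scanning`, so a user who follows the remediation verbatim still lacks the preventive control the text promises. The PATCH body could become `{"security_and_analysis":{"secret_scanning":{"status":"enabled"},"secret_scanning_push_protection":{"status":"enabled"}}}` and the Terraform `security_and_analysis` block could add a matching `secret_scanning_push_protection { status = "enabled" }`. A caveat in Notes would also help: on private and internal repositories this setting presumably requires GitHub Advanced Security to be enabled first, otherwise the API call is rejected — confirm against current GitHub docs before wording it as fact. Separately, `ResourceType` goes from `GitHubRepository` to an empty string on the new side; if downstream finding output still consumes that field, the blanking looks accidental rather than part of the format migration.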
|
||||