

feat: chagned titles and added new policies (#232)
* changed titles and added new policies

* added GitHub Advanced Security policies

* cr fixes
nadav-legit committed Jul 31, 2023
1 parent 07b37e7 commit 731e7b9
Showing 6 changed files with 127 additions and 23 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -144,7 +144,7 @@ To run legitify against GitLab Cloud set the scm flag to gitlab `--scm gitlab`,
export SERVER_URL="https://gitlab.example.com/"
LEGITIFY_TOKEN=<your_token> legitify analyze --namespace organization --scm gitlab
```
> **_NOTE 1:_** To ignore invalid server certificate, please pass the `ignore-invalide-certificate` flag
> **_NOTE 1:_** To ignore invalid server certificate, please pass the `ignore-invalid-certificate` flag
> **_NOTE 2:_** For non-premium GitLab accounts some policies (such as branch protection policies) will be skipped
2 changes: 1 addition & 1 deletion cmd/common_args.go
Expand Up @@ -47,7 +47,7 @@ const (
ArgPermissionsOutputFile = "permissions-file"
ArgToken = "token"
ArgServerUrl = "server-url"
ArgIgnoreInvalidCertificate = "ignore-invalide-certificate"
ArgIgnoreInvalidCertificate = "ignore-invalid-certificate"
ScmType = "scm"
)

28 changes: 25 additions & 3 deletions internal/clients/github/client.go
Expand Up @@ -522,6 +522,8 @@ var enterpriseQuery struct {
MembersCanInviteCollaboratorsSetting string
TwoFactorRequiredSetting string
MembersCanCreatePublicRepositoriesSetting bool
DefaultRepositoryPermissionSetting string
MembersCanDeleteRepositoriesSetting string
SamlIdentityProvider struct {
ExternalIdentities struct {
TotalCount int
Expand Down Expand Up @@ -560,13 +562,15 @@ func (c *Client) collectSpecificEnterprises() ([]githubcollected.Enterprise, err
err := c.GraphQLClient().Query(c.context, &enterpriseQuery, variables)
if err != nil {
log.Printf("failed to get enterprise %v: %v", enterprise, err)
continue
}
if enterpriseQuery.Enterprise.DatabaseId == 0 {
log.Printf("Failed to get enterprise %v . User is not a member of this enterprise", enterprise)
continue
}
samlEnabled := enterpriseQuery.Enterprise.OwnerInfo.SamlIdentityProvider.ExternalIdentities.TotalCount > 0
codeAndSecurityPolicySettings, err := c.GetSecurityAndAnalysisForEnterprise(enterprise)
if err != nil {
log.Printf("failed to get code security settings for enterprise %v: %v", enterprise, err)
}
newEnter := githubcollected.NewEnterprise(
enterpriseQuery.Enterprise.OwnerInfo.MembersCanChangeRepositoryVisibilitySetting,
enterpriseQuery.Enterprise.Name,
Expand All @@ -577,7 +581,10 @@ func (c *Client) collectSpecificEnterprises() ([]githubcollected.Enterprise, err
enterpriseQuery.Enterprise.OwnerInfo.MembersCanInviteCollaboratorsSetting,
enterpriseQuery.Enterprise.OwnerInfo.MembersCanCreatePublicRepositoriesSetting,
enterpriseQuery.Enterprise.OwnerInfo.TwoFactorRequiredSetting,
samlEnabled)
enterpriseQuery.Enterprise.OwnerInfo.DefaultRepositoryPermissionSetting,
enterpriseQuery.Enterprise.OwnerInfo.MembersCanDeleteRepositoriesSetting,
samlEnabled,
codeAndSecurityPolicySettings)
res = append(res, newEnter)

}
Expand All @@ -599,3 +606,18 @@ func (c *Client) GetRulesForBranch(organization, repository, branch string) ([]*
}
return p, nil
}

func (c *Client) GetSecurityAndAnalysisForEnterprise(enterprise string) (*types.AnalysisAndSecurityPolicies, error) {
url := fmt.Sprintf("/api/v3/enterprises/%v/code_security_and_analysis", enterprise)
req, err := c.client.NewRequest("GET", url, nil)
if err != nil {
return nil, err
}

var p types.AnalysisAndSecurityPolicies
_, err = c.client.Do(c.context, req, &p)
if err != nil {
return nil, err
}
return &p, nil
}
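Review bot: A failed `GetSecurityAndAnalysisForEnterprise` call is only logged, so `codeAndSecurityPolicySettings` reaches `NewEnterprise` as nil and the enterprise is emitted with `code_analysis_and_security_policies: null`; the rego rules that dereference that object then become undefined and fall back to their `default ... = true`, so a token without the needed scope or a server without that endpoint shows up as three violations rather than three skipped policies. Either drop the enterprise on that error or record the failure so the policy layer can skip those rules. Separately, the enterprise slug is interpolated straight into the path in `fmt.Sprintf("/api/v3/enterprises/%v/code_security_and_analysis", enterprise)`; use `url.PathEscape(enterprise)` so a slug containing reserved characters cannot alter the request path. The hard-coded `/api/v3/` prefix looks GitHub-Enterprise-Server specific and, with a leading slash, would replace rather than extend the client's base path on github.com — confirm it matches how the existing `GetRulesForBranch` builds its URL, whose start lies outside this hunk.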
8 changes: 8 additions & 0 deletions internal/clients/github/types/types.go
Expand Up @@ -11,3 +11,11 @@ type RepositoryRule struct {
Type string `json:"type"`
Parameters *json.RawMessage `json:"parameters,omitempty"`
}

type AnalysisAndSecurityPolicies struct {
AdvancedSecurityEnabledForNewRepositories bool `json:"advanced_security_enabled_for_new_repositories"`
DependabotAlertsEnabledForNewRepositories bool `json:"dependabot_alerts_enabled_for_new_repositories"`
SecretScanningEnabledForNewRepositories bool `json:"secret_scanning_enabled_for_new_repositories"`
SecretScanningPushProtectionEnabledForNewRepos bool `json:"secret_scanning_push_protection_enabled_for_new_repositories"`
SecretScanningPushProtectionCustomLink string `json:"secret_scanning_push_protection_custom_link"`
}
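Review bot: `AnalysisAndSecurityPolicies` is exported without a doc comment; suggest `// AnalysisAndSecurityPolicies is the decoded body of the enterprise code_security_and_analysis endpoint.` above the type. The field `SecretScanningPushProtectionEnabledForNewRepos` abbreviates "Repositories" while its four siblings spell it out and its own JSON tag uses the full word; `SecretScanningPushProtectionEnabledForNewRepositories` keeps the Go names consistent with the tags and with the rego keys that read them.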
11 changes: 9 additions & 2 deletions internal/collected/github/enterprise.go
@@ -1,6 +1,7 @@
package githubcollected

import (
"github.com/Legit-Labs/legitify/internal/clients/github/types"
"github.com/Legit-Labs/legitify/internal/common/namespace"
"github.com/Legit-Labs/legitify/internal/common/permissions"
)
Expand All @@ -15,11 +16,14 @@ type Enterprise struct {
Url string `json:"url"`
Id int64 `json:"id"`
UserRole string
MembersCanCreatePublicRepositoriesSetting bool `json:"members_can_create_public_repositories"`
MembersCanCreatePublicRepositoriesSetting bool `json:"members_can_create_public_repositories"`
DefaultRepositoryPermissionSetting string `json:"default_repository_permission_settings"`
MembersCanDeleteRepositoriesSetting string `json:"member_can_delete_repository"`
CodeAndSecurityPolicySettings *types.AnalysisAndSecurityPolicies `json:"code_analysis_and_security_policies"`
}

func NewEnterprise(membersCanChangeRepositoryVisibilitySetting string, name string, Url string, Id int64, isAdmin bool, repositoriesForkingPolicy string,
externalCollaboratorsInvitePolicy string, membersCanCreatePublicRepositoriesSetting bool, twoFactorRequiredSetting string, samlEnabled bool) Enterprise {
externalCollaboratorsInvitePolicy string, membersCanCreatePublicRepositoriesSetting bool, twoFactorRequiredSetting string, defaultRepositoryPermissionSetting string, membersCanDeleteRepositoriesSetting string, samlEnabled bool, codeAndSecurityPolicySettings *types.AnalysisAndSecurityPolicies) Enterprise {
UserRole := permissions.EnterpriseNonAdminRole
if isAdmin {
UserRole = permissions.EnterpriseAdminRole
Expand All @@ -35,6 +39,9 @@ func NewEnterprise(membersCanChangeRepositoryVisibilitySetting string, name stri
Id: Id,
UserRole: UserRole,
MembersCanCreatePublicRepositoriesSetting: membersCanCreatePublicRepositoriesSetting,
DefaultRepositoryPermissionSetting: defaultRepositoryPermissionSetting,
MembersCanDeleteRepositoriesSetting: membersCanDeleteRepositoriesSetting,
CodeAndSecurityPolicySettings: codeAndSecurityPolicySettings,
}
}

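Review bot: The new JSON tag `default_repository_permission_settings` on `DefaultRepositoryPermissionSetting` does not match the key the new rego rule reads, `input.default_repository_no_permission_enforced`, so that policy never sees the value; its body stays undefined and the `default ... = true` makes every enterprise fail the base-permission check regardless of its real setting. Align one side — simplest is to point the rule at the tag as emitted here, e.g. `input.default_repository_permission_settings == "NONE"`. The tag on `MembersCanDeleteRepositoriesSetting`, `member_can_delete_repository`, is singular where the field and the GitHub setting are plural; pick the consistent form while the key is still new, since it becomes part of the tool's output contract. `NewEnterprise` now takes twelve positional parameters, several of them adjacent strings, which makes the call in client.go easy to mis-order silently; an options struct or keyed construction would be safer.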
99 changes: 83 additions & 16 deletions policies/github/enterprise.rego
Expand Up @@ -2,11 +2,10 @@ package enterprise

# METADATA
# scope: rule
# custom:
# severity: MEDIUM
# title: Enterprise Should Not Allow Members To Change Repository Visibility
# title: Enterprise Should Prevent Repository Admins From Changing Repository Visibility
# description: The enterprise's Repository visibility change policy should be set to DISABLED. This will prevents users from creating private repositories and change them to be public. Malicous actors could leak code if enabled.
# custom:
# severity: MEDIUM
# remediationSteps: [Make sure you are an enterprise owner, Go to the policies page, Under the "Repository visibility change" section, choose the "Disabled" option]
# requiredScopes: [admin:enterprise]
# threat:
Expand All @@ -20,11 +19,10 @@ enterprise_not_using_visibility_change_disable_policy = false {

# METADATA
# scope: rule
# custom:
# severity: LOW
# title: Enterprise Should Not Allow Members To Fork Internal And Private Repositories
# title: Enterprise Should Prevent Members From Forking Internal And Private Repositories
# description: The enterprise's repository forking policy should be set to DISABLED. Forking a repository can lead to loss of control and potential exposure of source code. If you do not need forking, it is recommended to turn it off in the project's configuration. The option to fork should be enabled only by owners deliberately when opting to create a fork.
# custom:
# severity: LOW
# remediationSteps: [Make sure you are an enterprise owner, Go to the policies page, Under the "Repository Forking" section, Choose the "Disabled" option]
# requiredScopes: [admin:enterprise]
# threat:
Expand All @@ -38,11 +36,10 @@ enterprise_allows_forking_repos = false {

# METADATA
# scope: rule
# custom:
# severity: MEDIUM
# title: Enterprise Should Not Allow Members To Create public Repositories
# title: Enterprise Should Prevent Members From Creating public Repositories
# description: The enterprise's repository creation policy should be set to private/internal repositories only. This will prevents non-admin users from creating public repositories and potentially exposing source code.
# custom:
# severity: MEDIUM
# remediationSteps: [Make sure you are an enterprise owner, Go to the policies page, Under the "Repository creation" section, Choose the "Members can create repositories" option and uncheck 'Public']
# requiredScopes: [admin:enterprise]
# threat:
Expand All @@ -56,11 +53,10 @@ enterprise_allows_creating_public_repos = false {

# METADATA
# scope: rule
# custom:
# severity: MEDIUM
# title: Enterprise Should Not Allow Members To Invite Outside Collaborators
# title: Enterprise Should Prevent Members From Inviting Outside Collaborators
# description: The enterprise's external collaborators invite policy should be set to enterprise/organization owners only. Allowing members to invite external collaborators might result in unauthorized access to the internal projects.
# custom:
# severity: MEDIUM
# remediationSteps: [Make sure you are an enterprise owner, Go to the policies page, Under the "Repository outside collaborators" section - choose the "Enterprise Owners Only" or the "Organization Owners Only" option]
# requiredScopes: [admin:enterprise]
# threat:
Expand All @@ -73,11 +69,10 @@ enterprise_allows_inviting_externals_collaborators = false {

# METADATA
# scope: rule
# custom:
# severity: HIGH
# title: Two-Factor Authentication Should Be Enforced For The Enterprise
# description: The two-factor authentication requirement should be enforced at the enterprise level. Regardless of whether users are managed externally by SSO, it is highly recommended to enable this option to reduce the risk of a deliberate or accidental user creation without MFA.
# custom:
# severity: HIGH
# remediationSteps: [Make sure you are an enterprise owner, Go to the Settings page, Go to the Authentication security tab, Check the "Require two-factor authentication for all organizations in the enterprise" checkbox]
# requiredScopes: [admin:enterprise]
# threat:
Expand All @@ -91,11 +86,10 @@ enterprise_enforce_two_factor_authentication = false {

# METADATA
# scope: rule
# custom:
# severity: MEDIUM
# title: Enterprise Should Use Single-Sign-On
# description: It is recommended to enable access to an enterprise via SAML single sign-on (SSO) by authenticating through an identity provider (IdP). This allows for central account control and for timely access revocations.
# custom:
# severity: MEDIUM
# remediationSteps: [Make sure you are an enterprise owner, Go to the Settings page, Go to the Authentication security tab, Toggle on "Enable SAML authentication", Fill in the remaining SSO configuration as instructed on the screen, Click "Save"]
# requiredScopes: [admin:enterprise]
# threat: Not using an SSO solution makes it more difficult to track a potentially compromised user's actions across different systems, prevents common password policy throughout the enterprise, and makes it challenging to audit different aspects of the user's behavior.
Expand All @@ -104,3 +98,76 @@ default enterprise_not_using_single_sign_on = true
enterprise_not_using_single_sign_on = false {
input.saml_enabled
}

# METADATA
# scope: rule
# title: Enterprise Should Define Base Permissions As “No Permission” For All Members
# description: Collaborators in your organizations should receive access to specific organizations and repositories as necessary, and not have read and write access to all repositories across the enterprise.
# custom:
# severity: MEDIUM
# remediationSteps: [Make sure you are an enterprise owner, Go to the Settings page, Under the ‘Policies’ tab, choose ‘Repositories’, Under ‘Base Permission’ choose ‘No Permission’]
# requiredScopes: [admin:enterprise]
# threat: An adversary will have access to all repositories in the enterprise, instead of just a part of them.
default repository_no_permission_enforced_by_default = true

repository_no_permission_enforced_by_default = false {
input.default_repository_no_permission_enforced == "NONE"
}

# METADATA
# scope: rule
# title: Enterprise Should Prevent Repository Admins From Deleting Or Transferring Repositories
# description: The enterprise’s Repository deletion and transfer policy should be set to DISABLED. This will prevent repository admins from deleting a repo or transferring it to a different owner or organization. Malicious actors could leak code if enabled.
# custom:
# severity: MEDIUM
# remediationSteps: [Make sure you are an enterprise owner, Go to the Enterprise Settings page, Under the ‘Policies’ tab choose ‘Repositories’, Go to the ‘Admin repository permissions' section, under ‘Repository deletion and transfer' and select 'Disabled']
# requiredScopes: [admin:enterprise]
# threat: A member of the organization could inadvertently or maliciously transfer a repository to an external namespace and expose confidential data.
default memberes_allowed_repository_move_or_deletion = true

memberes_allowed_repository_move_or_deletion = false {
input.member_can_delete_repository == "DISABLED"
}

# METADATA
# scope: rule
# custom:
# severity: MEDIUM
# title: Enterprise Should Automatically Enable Advanced Security Across All Organizations/Repositories
# description: Advanced Security includes code scanning, secret scanning and dependency review. These features protect your repositories from containing vulnerable data. Prevents the risk of unauthorized access or exploitation of vulnerabilities.
# custom:
# remediationSteps: [Make sure you are an enterprise owner, Go to the Enterprise Settings page, Under the ‘Settings’ tab choose ‘Code security and analysis’, Check 'Automatically enable for new repositories']
# requiredScopes: [admin:enterprise]
default enable_ghas_for_new_orgs = true

enable_ghas_for_new_orgs = false {
input.code_analysis_and_security_policies.advanced_security_enabled_for_new_repositories == true
}

# METADATA
# scope: rule
# title: Enterprise Should Automatically Enable Secret Scanning Across All Organizations/Repositories
# description: Enable GitHub Advanced Security secret scanning to alert on sensitive data that exists in your enterprise. Secrets shouldn’t be hard-coded in to your repositories as they will be retrievable by anyone with access to the repository.
# custom:
# severity: MEDIUM
# remediationSteps: [Make sure you are an enterprise owner, Go to the Enterprise Settings page, Under the ‘Settings’ tab choose ‘Code security and analysis’, Check 'Automatically enable for new repositories with Advanced Security enabled']
# requiredScopes: [admin:enterprise]
default enable_secret_scanning_for_new_orgs = true

enable_secret_scanning_for_new_orgs = false {
input.code_analysis_and_security_policies.secret_scanning_enabled_for_new_repositories == true
}

# METADATA
# scope: rule
# title: Enterprise Should Automatically Enable Secret Scanning Across All Organizations/Repositories
# description: The enterprise should prevent sensitive data from being pushed to all repositories, to prevent it from being exposed to anyone with access to the repository.
# custom:
# severity: MEDIUM
# remediationSteps: [Make sure you are an enterprise owner, Go to the Enterprise Settings page, Under the ‘Settings’ tab choose ‘Code security and analysis’, Check 'Automatically enable for repositories added to secret scanning']
# requiredScopes: [admin:enterprise]
default enable_push_protection_secret_scanning = true

enable_push_protection_secret_scanning = false {
input.code_analysis_and_security_policies.secret_scanning_push_protection_enabled_for_new_repositories == true
}
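Review bot: The metadata of `enable_ghas_for_new_orgs` has `custom:` twice, once before `title:` holding `severity: MEDIUM` and again after `description:` holding the remediation steps; a duplicate mapping key is invalid YAML, and at best the second block wins and the rule is left without a severity, unlike every other rule in this file. Merge them into the single `custom:` block after `description:`, as the rest of this commit does for the older rules. The push-protection rule reuses the secret-scanning title verbatim, `# title: Enterprise Should Automatically Enable Secret Scanning Across All Organizations/Repositories`; give it its own, e.g. `# title: Enterprise Should Automatically Enable Secret Scanning Push Protection Across All Organizations/Repositories`. All three GHAS rules dereference `input.code_analysis_and_security_policies`, which the collector emits as `null` when the enterprise endpoint cannot be read, so one failed fetch presents as three violations; these rules need a presence guard or a skip path rather than relying on the default `true`. The rule name `memberes_allowed_repository_move_or_deletion` carries a typo that becomes a policy identifier and is painful to rename once users filter on it.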
