Fix: Refine policy logic and enhance descriptions for forking restric…

…tions (#319)
Legit-Labs · Jul 3, 2024 · 8b13777 · 8b13777
1 parent 286b90b
commit 8b13777
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 4 deletions.
diff --git a/policies/github/repository.rego b/policies/github/repository.rego
@@ -111,8 +111,8 @@ repository_webhook_doesnt_require_ssl[violated] := true {
 
 # METADATA
 # scope: rule
-# title: Forking Should Not Be Allowed for This Repository
-# description: Forking a repository can lead to loss of control and potential exposure of the source code. If you do not need forking, it is recommended to turn it off in the repository configuration. If needed, forking should be turned on by admins deliberately when opting to create a fork.
+# title: Forking Should Not Be Allowed for Private/Internal Repositories
+# description: Forking private or internal repositories can lead to unauthorized spread and potential exposure of sensitive source code. It is recommended to disable forking for private repositories in the repository or the organization configuration to maintain control over the source code. If forking is necessary, it should be enabled selectively by admins for specific collaboration needs on private repositories.
 # custom:
 #   remediationSteps:
 #     - 1. Make sure you have admin permissions
@@ -124,6 +124,10 @@ repository_webhook_doesnt_require_ssl[violated] := true {
 #   threat: Forked repositories cause more code and secret sprawl in the organization as forks are independent copies of the repository and need to be tracked separately, making it more difficult to keep track of sensitive assets and contain potential incidents.
 default forking_allowed_for_repository := true
 
+forking_allowed_for_repository := false {
+	input.repository.is_private == false
+}
+
 forking_allowed_for_repository := false {
 	input.repository.is_private == true
 	input.repository.allow_forking == false

diff --git a/policies/gitlab/repository.rego b/policies/gitlab/repository.rego
@@ -46,8 +46,8 @@ project_has_too_many_admins := false {
 
 # METADATA
 # scope: rule
-# title: Forking Should Not Be Allowed
-# description: Forking a repository can lead to loss of control and potential exposure of source code. If you do not need forking, it is recommended to turn it off in the project's configuration. The option to fork should be enabled only by owners deliberately when opting to create a fork.
+# title: Forking Should Not Be Allowed for Private/Internal Projects
+# description: Forking a project (repository) can lead to loss of control and potential exposure of source code. If you do not need forking, it is recommended to turn it off in the project or group configuration. The option to fork should be enabled only by owners deliberately when opting to create a fork.
 # custom:
 #   remediationSteps:
 #     - 1. Make sure you have owner permissions