Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Refine policy logic and enhance descriptions for forking restrictions #319

Merged
merged 2 commits into from
Jul 3, 2024
Merged

fix: Refine policy logic and enhance descriptions for forking restrictions #319

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
b00f4a2
Fix: Refine policy logic and enhance descriptions for forking restric…
sagic-orca Jul 2, 2024
c704f67
Merge branch 'main' into fix/better-fork-allowed-detection
sagic-orca Jul 2, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 6 additions & 2 deletions policies/github/repository.rego
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -111,8 +111,8 @@ repository_webhook_doesnt_require_ssl[violated] := true {

# METADATA
# scope: rule
# title: Forking Should Not Be Allowed for This Repository
# description: Forking a repository can lead to loss of control and potential exposure of the source code. If you do not need forking, it is recommended to turn it off in the repository configuration. If needed, forking should be turned on by admins deliberately when opting to create a fork.
# title: Forking Should Not Be Allowed for Private/Internal Repositories
# description: Forking private or internal repositories can lead to unauthorized spread and potential exposure of sensitive source code. It is recommended to disable forking for private repositories in the repository or the organization configuration to maintain control over the source code. If forking is necessary, it should be enabled selectively by admins for specific collaboration needs on private repositories.
# custom:
# remediationSteps:
# - 1. Make sure you have admin permissions
Expand All @@ -124,6 +124,10 @@ repository_webhook_doesnt_require_ssl[violated] := true {
# threat: Forked repositories cause more code and secret sprawl in the organization as forks are independent copies of the repository and need to be tracked separately, making it more difficult to keep track of sensitive assets and contain potential incidents.
default forking_allowed_for_repository := true

forking_allowed_for_repository := false {
input.repository.is_private == false
}

forking_allowed_for_repository := false {
input.repository.is_private == true
input.repository.allow_forking == false
Expand Down
4 changes: 2 additions & 2 deletions policies/gitlab/repository.rego
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,8 +46,8 @@ project_has_too_many_admins := false {

# METADATA
# scope: rule
# title: Forking Should Not Be Allowed
# description: Forking a repository can lead to loss of control and potential exposure of source code. If you do not need forking, it is recommended to turn it off in the project's configuration. The option to fork should be enabled only by owners deliberately when opting to create a fork.
# title: Forking Should Not Be Allowed for Private/Internal Projects
# description: Forking a project (repository) can lead to loss of control and potential exposure of source code. If you do not need forking, it is recommended to turn it off in the project or group configuration. The option to fork should be enabled only by owners deliberately when opting to create a fork.
# custom:
# remediationSteps:
# - 1. Make sure you have owner permissions
Expand Down
Loading