# Step 1: Evidence Details

|System|Source|Frameworks|
|---|---|---|
|github|compliancecow|-|

```
Purpose: This control ensures that the branch protection / ruleset configuration of each in-scope GitHub branch has required reviewers enabled and that the number of required approving reviews is at least MinimumRequiredReviewersCount (a user input; 4 in the examples below). A branch is COMPLIANT only when it meets or exceeds this threshold; a branch with no protection rule at all is NON_COMPLIANT, not skipped.
```
```
RecommendedEvidenceName: GithubBranchSettingsReport
```

# Step 2: Task structure

In [None]:

[
# RuleName : GithubPRRequiredReviewersReport
{
"RuleInputs" : {
    "IncludeCriteria" : "repo/*/branch/dev,test,prod" ,
    "ExcludeCriteria" : "repo/*/branch/prod" ,
    "MinimumRequiredReviewersCount" : 4
}
}

    #  Task1 : GithubPRRequiredReviewersReport
    # Task Inputs 
    {
        "TaskInputs" : {
            "IncludeCriteria" : "repo/*/branch/dev,test,prod" ,
            "ExcludeCriteria" : "repo/*/branch/prod" ,
            "MinimumRequiredReviewersCount" : 4
        }
    }

    # Task Output:
    {
        "LogFile" : "",
        "GithubBranchSettingsReport" : "GithubBranchSettingsReport.json"
    }


# Rule Output:
{
    "ComplianceStatus_": "NOT_DETERMINED",
    "CompliancePCT_" : "0",
    "LogFile" : "",
    "GithubBranchSettingsReport" : "GithubBranchSettingsReport.json"
}
]
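The IncludeCriteria / ExcludeCriteria filtering that the task inputs above describe, as an added Go example (this is not ComplianceCow's own code). It assumes the pattern `repo/<glob>/branch/<name>[,<name>...]` means a shell-style glob over the repository name plus a comma-separated list of branch names, and that ExcludeCriteria is applied after IncludeCriteria (so `repo/*/branch/dev,test,prod` minus `repo/*/branch/prod` leaves dev and test). The candidate branch list is constructed, and `parseCriteria`, `inScope` and `selectBranches` are names chosen for this example.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// criteria is one parsed IncludeCriteria/ExcludeCriteria string. Reading
// "repo/<glob>/branch/<name>[,<name>...]" as a repository glob plus a
// comma-separated branch list is an assumption made for this example.
type criteria struct {
	repoGlob string
	branches []string
}

func parseCriteria(s string) (criteria, error) {
	p := strings.Split(strings.TrimSpace(s), "/")
	if len(p) != 4 || p[0] != "repo" || p[2] != "branch" || p[1] == "" || p[3] == "" {
		return criteria{}, fmt.Errorf("bad criteria %q: want repo/<glob>/branch/<name>[,<name>...]", s)
	}
	return criteria{repoGlob: p[1], branches: strings.Split(p[3], ",")}, nil
}

// matches reports whether repo/branch falls under the criteria. path.Match gives
// shell-style "*" and "?" without a regexp; note that "*" does not cross "/", so a
// branch such as release/1.0 needs a literal entry. A malformed pattern never matches.
func (c criteria) matches(repo, branch string) bool {
	if ok, _ := path.Match(c.repoGlob, repo); !ok {
		return false
	}
	for _, b := range c.branches {
		if ok, _ := path.Match(strings.TrimSpace(b), branch); ok {
			return true
		}
	}
	return false
}

// inScope applies IncludeCriteria first and ExcludeCriteria second, so a branch
// matched by both is excluded. An empty exclude string excludes nothing.
func inScope(include, exclude, repo, branch string) (bool, error) {
	inc, err := parseCriteria(include)
	if err != nil {
		return false, err
	}
	if !inc.matches(repo, branch) {
		return false, nil
	}
	if strings.TrimSpace(exclude) == "" {
		return true, nil
	}
	exc, err := parseCriteria(exclude)
	if err != nil {
		return false, err
	}
	return !exc.matches(repo, branch), nil
}

// selectBranches returns the "repo/branch" candidates that survive the filter,
// in input order; only these are passed on to the protection check.
func selectBranches(include, exclude string, candidates []string) ([]string, error) {
	var out []string
	for _, c := range candidates {
		repo, branch, ok := strings.Cut(c, "/") // branch may itself contain "/"
		if !ok {
			return nil, fmt.Errorf("bad candidate %q: want repo/branch", c)
		}
		keep, err := inScope(include, exclude, repo, branch)
		if err != nil {
			return nil, err
		}
		if keep {
			out = append(out, c)
		}
	}
	return out, nil
}

func main() {
	// Constructed candidate list, as ListByOrg + ListBranches would return it.
	candidates := []string{"PolicyCow/dev", "PolicyCow/test", "PolicyCow/prod", "PolicyCow/main", "demo-repo/dev"}
	kept, err := selectBranches("repo/*/branch/dev,test,prod", "repo/*/branch/prod", candidates)
	if err != nil {
		panic(err)
	}
	fmt.Println(kept) // [PolicyCow/dev PolicyCow/test demo-repo/dev]
}
```

A malformed criteria string is returned as an error rather than silently matching nothing, so a typo in the task input surfaces in the LogFile instead of producing an empty (NOT_DETERMINED) report.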

In [None]:

# - GoSDK functions (github.com/google/go-github)

# ts := oauth2.StaticTokenSource(&oauth2.Token{AccessToken: accessToken})
# tc := oauth2.NewClient(context.Background(), ts)
# client := github.NewClient(tc)
# // The token needs read access to the repository's Administration permission (classic PAT: "repo"
# // scope for private repositories); without it GetBranchProtection fails with 403/404 and the branch
# // would be misreported.

# // fetch repos and filter required repo using (include and exclude criteria)

# // Branch protection is only available on private repositories for paid plans (Pro/Team/Enterprise);
# // on a free plan GitHub answers 403 for private repos, which is why only public repos can be
# // evaluated there. Log such repos in LogFile instead of counting them as NON_COMPLIANT or
# // silently dropping them.
# repos, _, err := client.Repositories.ListByOrg(ctx, inputs.Owner, nil)
# // ListByOrg is paginated (30 per page by default): loop over ListOptions.Page until
# // resp.NextPage == 0, otherwise repos beyond the first page are never checked.

# // fetch branch and filter required branch within filtered repos using (include and exclude criteria)
# branches, _, err := client.Repositories.ListBranches(ctx, repoOwner, repoName, nil)

# // Fetch branch protection details and look for required reviewers
# branchProtection, resp, err := client.Repositories.GetBranchProtection(ctx, repoOwner, repoName, branchName)
# // A 404 here means the branch has no protection rule at all: that is a NON_COMPLIANT record
# // (MISSING_RULESET), not an error to skip.

# In branchProtection read RequiredPullRequestReviews.RequiredApprovingReviewCount (a nil
# RequiredPullRequestReviews means required reviewers are not enabled -> MISSING_RULESET) and compare it
# with the user input 'MinimumRequiredReviewersCount': if it is greater than or equal to
# MinimumRequiredReviewersCount the branch is COMPLIANT, else NON_COMPLIANT.
# Note: GetBranchProtection reads classic branch protection only. Required approvals enforced through a
# repository ruleset (GET /repos/{owner}/{repo}/rules/branches/{branch}) are not visible through it, so a
# branch governed only by a ruleset would be misreported as MISSING_RULESET unless the rules endpoint is
# checked as well.
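The evaluation step described above, as an added Go example (not ComplianceCow's code). To run offline it parses the raw JSON of GitHub's "get branch protection" response instead of the `*github.Protection` type; the field it reads, `required_pull_request_reviews.required_approving_review_count`, is the same one go-github exposes as `RequiredPullRequestReviews.RequiredApprovingReviewCount`. The sample responses are constructed, and `evaluateBranch` and `Record` are names chosen for this example. The example also covers the two cases the prose calls out: the 404 "no protection rule" branch (passed as a nil response) and a rule that exists but does not require reviews.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// branchProtection keeps the one field this control needs from GitHub's
// "get branch protection" response (GET /repos/{owner}/{repo}/branches/{branch}/protection);
// go-github exposes it as Protection.RequiredPullRequestReviews.RequiredApprovingReviewCount.
type branchProtection struct {
	RequiredPullRequestReviews *struct {
		RequiredApprovingReviewCount int `json:"required_approving_review_count"`
	} `json:"required_pull_request_reviews"`
}

// Record is one GithubBranchSettingsReport row (the Step 3 data and compliance fields).
type Record struct {
	RepositoryName, ResourceName                                string
	RequireReviewersEnabled                                     bool
	ActualRequiredReviewersCount, MinimumRequiredReviewersCount int
	ValidationStatusCode, ValidationStatusNotes                 string
	ComplianceStatus, ComplianceStatusReason                    string
}

// evaluateBranch maps one branch onto the Step 4 taxonomy. protectionJSON == nil stands
// for the 404 GitHub returns when the branch has no protection rule at all: that is a
// NON_COMPLIANT finding (MISSING_RULESET), not an API error to skip.
func evaluateBranch(repo, branch string, protectionJSON []byte, minReviewers int) (Record, error) {
	r := Record{RepositoryName: repo, ResourceName: branch, MinimumRequiredReviewersCount: minReviewers}
	if protectionJSON != nil {
		var bp branchProtection
		if err := json.Unmarshal(protectionJSON, &bp); err != nil {
			return r, fmt.Errorf("%s/%s: bad protection response: %w", repo, branch, err)
		}
		if bp.RequiredPullRequestReviews != nil {
			r.ActualRequiredReviewersCount = bp.RequiredPullRequestReviews.RequiredApprovingReviewCount
		}
	}
	// GitHub accepts required_approving_review_count = 0 (PR required, zero approvals);
	// for this control that is treated the same as "required reviewers not enabled".
	r.RequireReviewersEnabled = r.ActualRequiredReviewersCount > 0
	switch {
	case !r.RequireReviewersEnabled:
		r.ValidationStatusCode, r.ComplianceStatus = "MISSING_RULESET", "NON_COMPLIANT"
		r.ValidationStatusNotes = "The branch ruleset does not have required reviewers enabled."
		r.ComplianceStatusReason = "Required reviewers are not enabled in the branch ruleset."
	case r.ActualRequiredReviewersCount < minReviewers:
		r.ValidationStatusCode, r.ComplianceStatus = "INSUFFICIENT_REVIEWERS_IN_RULESET", "NON_COMPLIANT"
		r.ValidationStatusNotes = fmt.Sprintf("Required reviewers are enabled, but the number is below the compliance threshold of %d.", minReviewers)
		r.ComplianceStatusReason = fmt.Sprintf("The number of required reviewers is less than %d.", minReviewers)
	default:
		r.ValidationStatusCode, r.ComplianceStatus = "RULESET_SUFFICIENT_REVIEWERS_CONFIGURED", "COMPLIANT"
		r.ValidationStatusNotes = fmt.Sprintf("The branch ruleset has required reviewers enabled and meets the compliance requirement of having %d or more reviewers.", minReviewers)
		r.ComplianceStatusReason = fmt.Sprintf("Required reviewers are properly configured in the branch ruleset with at least %d reviewers.", minReviewers)
	}
	return r, nil
}

// Constructed sample responses standing in for GetBranchProtection results on the
// repository PolicyCow; nil means the call returned 404 (no protection rule).
var sampleProtection = map[string][]byte{
	"dev":  []byte(`{"required_pull_request_reviews":{"required_approving_review_count":3}}`),
	"test": []byte(`{"required_status_checks":{"strict":true,"contexts":[]}}`),
	"prod": []byte(`{"required_pull_request_reviews":{"required_approving_review_count":4}}`),
	"main": nil,
}

func main() {
	for _, branch := range []string{"dev", "test", "prod", "main"} {
		r, err := evaluateBranch("PolicyCow", branch, sampleProtection[branch], 4)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s/%s enabled=%t actual=%d -> %s (%s)\n", r.RepositoryName, r.ResourceName,
			r.RequireReviewersEnabled, r.ActualRequiredReviewersCount, r.ComplianceStatus, r.ValidationStatusCode)
	}
}
```

With the Step 2 input of 4, `dev` (3 approvals) becomes INSUFFICIENT_REVIEWERS_IN_RULESET, `test` (status checks only) and `main` (no rule) become MISSING_RULESET, and `prod` is COMPLIANT. A response that fails to parse is returned as an error so the caller can log it rather than count the branch either way.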

# Step 3: Define the Standard Schema
  


In [None]:
{
    # Meta
    "System": "github",
    "Source": "compliancecow",

    # Resource info
    "ResourceID": "N/A", 
    "ResourceName": "NEW1", # Branch Name
    "ResourceType": "Branch",
    "ResourceTags": "N/A",
    "ResourceURL" : "https://github.com/ComplianceCow-Demo/PolicyCow/tree/NEW1", # Branch Url

    # Data
    "RepositoryName" : "PolicyCow",
    "RequireReviewersEnabled" : True,
    "ActualRequiredReviewersCount" : 3, # required_pull_request_reviews.required_approving_review_count from the branch protection response
    "MinimumRequiredReviewersCount" : 4, # user input
    
    # Compliance details
    "ValidationStatusCode": "INSUFFICIENT_REVIEWERS_IN_RULESET",
    "ValidationStatusNotes": "Required reviewers are enabled, but the number is below the compliance threshold of 4.",
    "ComplianceStatus": "NON_COMPLIANT",
    "ComplianceStatusReason": "The number of required reviewers is less than 4.",
    "EvaluatedTime": "2024-07-25T15:10:04.74592421Z",

    # User editable data
    "UserAction":"",

    # Action editable data
    "ActionStatus":"",
    "ActionResponseURL":""
    
}

# Step 3.a: Sample Data

|System|Source|ResourceID|ResourceName|ResourceType|ResourceTags|ResourceURL|RepositoryName|RequireReviewersEnabled|ActualRequiredReviewersCount|MinimumRequiredReviewersCount|ValidationStatusCode|ValidationStatusNotes|ComplianceStatus|ComplianceStatusReason|EvaluatedTime|UserAction|ActionStatus|ActionResponseURL|
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|github|compliancecow|N/A|NEW1|Branch|N/A|https://github.com/ComplianceCow-Demo/PolicyCow/tree/NEW1|PolicyCow|True|3|4|INSUFFICIENT_REVIEWERS_IN_RULESET|Required reviewers are enabled, but the number is below the compliance threshold of 4.|NON_COMPLIANT|The number of required reviewers is less than 4.|2024-07-25T15:10:04.74592421Z||||


# Step 4: Describe the Compliance Taxonomy


|ComplianceStatus|ComplianceStatusReason|ValidationStatusCode|ValidationStatusNotes|
|---|---|---|---|
|COMPLIANT|Required reviewers are properly configured in the branch ruleset with at least 4 reviewers (4 = MinimumRequiredReviewersCount in this example).|RULESET_SUFFICIENT_REVIEWERS_CONFIGURED|The branch ruleset has required reviewers enabled and meets the compliance requirement of having 4 or more reviewers.|
|NON_COMPLIANT|Required reviewers are not enabled in the branch ruleset.|MISSING_RULESET|The branch ruleset does not have required reviewers enabled. This also covers a branch with no protection rule at all (the protection call returns 404) and a rule whose required approving review count is 0.|
|NON_COMPLIANT|The number of required reviewers is less than 4.|INSUFFICIENT_REVIEWERS_IN_RULESET|Required reviewers are enabled, but the number is below the compliance threshold of 4 (MinimumRequiredReviewersCount).|


# Step 5: Calculation for Compliance Percentage and Status


In [None]:
# Calculation of Compliance Percentage
CompliancePCT = (100 - (Count of 'NON_COMPLIANT' records * 100) / Total records)

# Compliance Status
#COMPLIANT - 100% (no NON_COMPLIANT records)
#NON_COMPLIANT - 0%<=CompliancePCT<100% (at least one NON_COMPLIANT record)
#NOT_DETERMINED - If no records are found in the account (Total records = 0, so the formula is not evaluated; CompliancePCT is reported as 0, as in the Rule Output above)
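The Step 5 roll-up as an added Go example (not ComplianceCow's code; `rollup` is a name chosen here). Besides the empty-report case, it shows one detail the formula alone hides: the status must be derived from the NON_COMPLIANT count, not from the rounded percentage, because a single failing branch among very many rounds to 100.00 while the rule is still NON_COMPLIANT.

```go
package main

import (
	"fmt"
	"math"
)

// rollup turns the per-record ComplianceStatus values of GithubBranchSettingsReport
// into the rule-level CompliancePCT (two decimals) and ComplianceStatus.
func rollup(statuses []string) (pct float64, status string) {
	total := len(statuses)
	if total == 0 {
		// No records: the formula would divide by zero, so report NOT_DETERMINED
		// with CompliancePCT 0, matching the Rule Output in Step 2.
		return 0, "NOT_DETERMINED"
	}
	nonCompliant := 0
	for _, s := range statuses {
		if s == "NON_COMPLIANT" {
			nonCompliant++
		}
	}
	pct = math.Round((100-float64(nonCompliant*100)/float64(total))*100) / 100
	// Status comes from the count: 1 NON_COMPLIANT of 100000 rounds to 100.00 but
	// the rule is still NON_COMPLIANT.
	if nonCompliant == 0 {
		return pct, "COMPLIANT"
	}
	return pct, "NON_COMPLIANT"
}

func main() {
	// Constructed record sets: empty, all compliant, one of three non-compliant.
	for _, s := range [][]string{
		nil,
		{"COMPLIANT", "COMPLIANT"},
		{"NON_COMPLIANT", "COMPLIANT", "COMPLIANT"},
	} {
		pct, status := rollup(s)
		fmt.Printf("%d records -> CompliancePCT=%.2f ComplianceStatus=%s\n", len(s), pct, status)
	}
}
```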

# Step 6: Describe (in words) the Remediation Steps for Non-Compliance

1. JiraAction


[EvidenceName]
"Issuetype" = "Task"
"Project" = "CON" # project key must be valid
"Priority" = "Medium" 
"Query" = "(<<ColumnName>> == 'NON_COMPLIANT')" # ColumnName - data type supported - string; here the ComplianceStatus column

"Summary" = "Non-Compliant Branch <<ResourceName>> in Repository <<RepositoryName>>"

"Description" = "The branch '<<ResourceName>>' in the repository '<<RepositoryName>>' has been marked as NON_COMPLIANT (<<ValidationStatusCode>>). The branch configuration requires <<ActualRequiredReviewersCount>> approving reviews, which is below the compliance threshold of <<MinimumRequiredReviewersCount>>. <<ComplianceStatusReason>> This issue needs to be addressed to ensure compliance.

Branch URL: <<ResourceURL>>
Evaluated Time: <<EvaluatedTime>>"

"Assignee" = "sonajohnson@test.com"
"Reporter" = "smith@test.com"
"Admin" = "johndaniel@test.com"



# Step 7. Control Setup Details

| Control Details            |                               |
|----------------------------|-------------------------------|
| **RuleName**               |    GithubBranchSettingsReport |
| **PreRequisiteRuleNames**  |         N/A    |
| **ExtendedSchemaRuleNames**|           N/A   |
| **ApplicationClassName**   |      githubconnector          |