Merge pull request #119 from naveensrinivasan/feature/protected-branches

feature - Checks for branch protections

README.md

@@ -7,7 +7,8 @@
 A short motivational video clip to inspire us: https://youtu.be/rDMMYT3vkTk "You passed! All D's ... and an A!"
 
 ## Goals
-1. Automate analysis and trust decisions on the security posture of open source projects. 
+
+1. Automate analysis and trust decisions on the security posture of open source projects.
 
 1. Use this data to proactively improve the security posture of the critical projects the world depends on.
 
@@ -42,6 +43,7 @@ The program only requires one argument to run, the name of the repo:
 $ go build
 $ ./scorecard --repo=github.com/kubernetes/kubernetes
 Starting [Active]
+Starting [Branch-Protection]
 Starting [CI-Tests]
 Starting [CII-Best-Practices]
 Starting [Code-Review]
@@ -59,6 +61,7 @@ Finished [Frozen-Deps]
 Finished [Security-Policy]
 Finished [Contributors]
 Finished [Signed-Releases]
+Finished [Branch-Protection]
 Finished [Signed-Tags]
 Finished [CI-Tests]
 Finished [SAST]
@@ -69,6 +72,7 @@ Finished [Active]
 RESULTS
 -------
 Active: Pass 10
+Branch-Protection: Fail 5
 CI-Tests: Pass 10
 CII-Best-Practices: Pass 10
 Code-Review: Pass 10
@@ -116,27 +120,29 @@ These can be obtained from the GitHub [developer settings](https://github.com/se
 
 The following checks are all run against the target project:
 
-| Name  | Description |
-|---|---|
-| Security-MD | Does the project contain a [security policy](https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository)? |
-| Contributors  | Does the project have contributors from at least two different organizations? |
-| Frozen-Deps | Does the project declare and freeze [dependencies](https://docs.github.com/en/free-pro-team@latest/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#supported-package-ecosystems)? |
-| Signed-Releases | Does the project cryptographically [sign releases](https://wiki.debian.org/Creating%20signed%20GitHub%20releases)? |
-| Signed-Tags | Does the project cryptographically sign release tags? |
-| CI-Tests | Does the project run tests in CI, e.g. [GitHub Actions](https://docs.github.com/en/free-pro-team@latest/actions), [Prow](https://github.com/kubernetes/test-infra/tree/master/prow)? |
-| Code-Review | Does the project require code review before code is merged? |
-| CII-Best-Practices | Does the project have a [CII Best Practices Badge](https://bestpractices.coreinfrastructure.org/en)? |
-| Pull-Requests | Does the project use [Pull Requests](https://docs.github.com/en/free-pro-team@latest/github/collaborating-with-issues-and-pull-requests/about-pull-requests) for all code changes? |
-| Fuzzing | Does the project use fuzzing tools, e.g. [OSS-Fuzz](https://github.com/google/oss-fuzz)? |
-| SAST | Does the project use static code analysis tools, e.g. [CodeQL](https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository#enabling-code-scanning-using-actions), [SonarCloud](https://sonarcloud.io)? |
-| Active | Did the project get any commits in the last 90 days? |
+| Name               | Description                                                                                                                                                                                                                                                                                        |
+| ------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Security-MD        | Does the project contain a [security policy](https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository)?                                                                                                                |
+| Contributors       | Does the project have contributors from at least two different organizations?                                                                                                                                                                                                                      |
+| Frozen-Deps        | Does the project declare and freeze [dependencies](https://docs.github.com/en/free-pro-team@latest/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#supported-package-ecosystems)?                                                                                        |
+| Signed-Releases    | Does the project cryptographically [sign releases](https://wiki.debian.org/Creating%20signed%20GitHub%20releases)?                                                                                                                                                                                 |
+| Signed-Tags        | Does the project cryptographically sign release tags?                                                                                                                                                                                                                                              |
+| CI-Tests           | Does the project run tests in CI, e.g. [GitHub Actions](https://docs.github.com/en/free-pro-team@latest/actions), [Prow](https://github.com/kubernetes/test-infra/tree/master/prow)?                                                                                                               |
+| Code-Review        | Does the project require code review before code is merged?                                                                                                                                                                                                                                        |
+| CII-Best-Practices | Does the project have a [CII Best Practices Badge](https://bestpractices.coreinfrastructure.org/en)?                                                                                                                                                                                               |
+| Pull-Requests      | Does the project use [Pull Requests](https://docs.github.com/en/free-pro-team@latest/github/collaborating-with-issues-and-pull-requests/about-pull-requests) for all code changes?                                                                                                                 |
+| Fuzzing            | Does the project use fuzzing tools, e.g. [OSS-Fuzz](https://github.com/google/oss-fuzz)? |
+| SAST               | Does the project use static code analysis tools, e.g. [CodeQL](https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository#enabling-code-scanning-using-actions), [SonarCloud](https://sonarcloud.io)? |
+| Active             | Did the project get any commits in the last 90 days?                                                                                                                                                                                                                                      |
+| Branch-Protection  | Does the project use [Branch Protection](https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/about-protected-branches) ?                                                                                                                                             |
 
 To see detailed information on how each check works, see the [check-specific documentation page](checks.md).
 
 If you'd like to add a check, make sure it is something that meets the following criteria:
-* automate-able 
-* objective
-* actionable
+
+- automate-able
+- objective
+- actionable
 
 and then create a new GitHub Issue.
 
@@ -163,15 +169,17 @@ There are three formats currently: `default`, `json`, and `csv`. Others may be a
 These may be specified with the `--format` flag.
 
 ## Requirements
-* The scorecard must only be composed of automate-able, objective data. For example, a project having 10 contributors doesn’t necessarily mean it’s more secure than a project with say 50 contributors. But, having two maintainers might be preferable to only having one -  the larger bus factor and ability to provide code reviews is objectively better.
-* The scorecard criteria can be as specific as possible and not limited general recommendations. For example, for Go, we can recommend/require specific linters and analyzers to be run on the codebase.
-* The scorecard can be populated for any open source project without any work or interaction from maintainers. 
-* Maintainers must be provided with a mechanism to correct any automated scorecard findings they feel were made in error, provide "hints" for anything we can't detect automatically, and even dispute the applicability of a given scorecard finding for that repository.
-* Any criteria in the scorecard must be actionable. It should be possible, with help, for any project to "check all the boxes".
-* Any solution to compile a scorecard should be usable by the greater open source community to monitor upstream security.
+
+- The scorecard must only be composed of automate-able, objective data. For example, a project having 10 contributors doesn’t necessarily mean it’s more secure than a project with say 50 contributors. But, having two maintainers might be preferable to only having one - the larger bus factor and ability to provide code reviews is objectively better.
+- The scorecard criteria can be as specific as possible and not limited general recommendations. For example, for Go, we can recommend/require specific linters and analyzers to be run on the codebase.
+- The scorecard can be populated for any open source project without any work or interaction from maintainers.
+- Maintainers must be provided with a mechanism to correct any automated scorecard findings they feel were made in error, provide "hints" for anything we can't detect automatically, and even dispute the applicability of a given scorecard finding for that repository.
+- Any criteria in the scorecard must be actionable. It should be possible, with help, for any project to "check all the boxes".
+- Any solution to compile a scorecard should be usable by the greater open source community to monitor upstream security.
 
 ## Docker
-* The Dockerfile in the root directory utilizes [experimental features](https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/syntax.md) which is available in Docker v18.09 or later.
+
+- The Dockerfile in the root directory utilizes [experimental features](https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/syntax.md) which is available in Docker v18.09 or later.
 
 ## Contributing
 

checks.md

@@ -64,3 +64,7 @@ It currently works by looking for well-known results ([CodeQL](https://securityl
 
 This check tries to determine if the project is still "actively maintained".
 It currently works by looking for releases or commits within the last 90 days.
+
+## Branch-Protection
+
+This check tries to determine if the project has branch protection enabled.

checks/branch_protected.go

@@ -0,0 +1,91 @@
+// Copyright 2020 Security Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package checks
+
+import (
+	"github.com/google/go-github/v32/github"
+	"github.com/ossf/scorecard/checker"
+)
+
+func init() {
+	registerCheck("Branch-Protection", BranchProtection)
+}
+
+func BranchProtection(c checker.Checker) checker.CheckResult {
+	repo, _, err := c.Client.Repositories.Get(c.Ctx, c.Owner, c.Repo)
+	if err != nil {
+		return checker.RetryResult(err)
+	}
+
+	protection, _, err := c.Client.Repositories.
+		GetBranchProtection(c.Ctx, c.Owner, c.Repo, *repo.DefaultBranch)
+
+	if err != nil {
+		c.Logf("!! branch protection not enabled")
+		return checker.CheckResult{
+			Pass:       false,
+			Confidence: 10,
+		}
+	}
+	return IsBranchProtected(protection, c)
+
+}
+
+func IsBranchProtected(protection *github.Protection, c checker.Checker) checker.CheckResult {
+	totalChecks := 6
+	totalSuccess := 0
+
+	if protection.AllowForcePushes.Enabled {
+		c.Logf("!! branch protection AllowForcePushes enabled")
+	} else {
+		totalSuccess++
+	}
+
+	if protection.AllowDeletions.Enabled {
+		c.Logf("!! branch protection AllowDeletions enabled")
+	} else {
+		totalSuccess++
+	}
+
+	if !protection.EnforceAdmins.Enabled {
+		c.Logf("!! branch protection EnforceAdmins not enabled")
+	} else {
+		totalSuccess++
+	}
+
+	if !protection.RequireLinearHistory.Enabled {
+		c.Logf("!! branch protection require linear history not enabled")
+	} else {
+		totalSuccess++
+	}
+
+	if !protection.RequiredStatusChecks.Strict {
+		c.Logf("!! branch protection require status checks to pass before merging not enabled")
+	} else {
+		if len(protection.RequiredStatusChecks.Contexts) == 0 {
+			c.Logf("!! branch protection require status checks to pass before merging has no specific status to check for")
+		} else {
+			totalSuccess++
+		}
+	}
+
+	if protection.RequiredPullRequestReviews.RequiredApprovingReviewCount < 1 {
+		c.Logf("!! branch protection require pullrequest before merging not enabled")
+	} else {
+		totalSuccess++
+	}
+
+	return checker.ProportionalResult(totalSuccess, totalChecks, 1.0)
+}