/
github_branch_policy_override.yml
40 lines (40 loc) · 1.3 KB
/
github_branch_policy_override.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
AnalysisType: rule
Filename: github_branch_policy_override.py
RuleID: "GitHub.Branch.PolicyOverride"
DisplayName: "GitHub Branch Protection Policy Override"
Enabled: true
LogTypes:
- GitHub.Audit
Tags:
- GitHub
- Initial Access:Supply Chain Compromise
Reports:
MITRE ATT&CK:
- TA0001:T1195
Severity: High
Description: Bypassing branch protection controls could indicate malicious use of admin credentials in an attempt to hide activity.
Runbook: Verify that the GitHub admin performed this activity and validate its use.
Reference: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule
Tests:
- Name: GitHub - Branch Protection Policy Override
ExpectedResult: true
Log:
{
"actor": "cat",
"action": "protected_branch.policy_override",
"created_at": 1621305118553,
"p_log_type": "GitHub.Audit",
"org": "my-org",
"repo": "my-org/my-repo",
}
- Name: GitHub - Protected Branch Name Updated
ExpectedResult: false
Log:
{
"actor": "cat",
"action": "protected_branch.update_name",
"created_at": 1621305118553,
"org": "my-org",
"p_log_type": "GitHub.Audit",
"repo": "my-org/my-repo",
}