Add remediation capability for GH branch protections #1174
Conversation
2d2d949 to d8cd55c
d8cd55c to 9637be8
Two things to follow up on but I don't think they block the review (should block accepting the PR though).
The code LGTM, how tricky would it get to add some basic tests?
@@ -4,7 +4,7 @@ type: rule-type | |||
name: branch_protection | |||
context: | |||
provider: github | |||
description: Verifies that a branch has proper protections. | |||
description: Verifies that a branch has a branch protection rule |
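Review bot: the new description narrows the rule to "has a branch protection rule", but `name: branch_protection` in the same hunk still reads as the broader check; rename the rule type (the review comment below suggests `branch_protection_enabled`) so the name matches the narrowed description, and keep the trailing period the old description had.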
I would suggest renaming this to something like branch_protection_enabled to mark that it's a simple boolean rule.
sure, thanks
working on the tests now, using the mock API.
9637be8 to 34a5466
btw I have trouble with the allow_fork_syncing remediation so for now I didn't include it in the profile.yaml. I'll file a separate ticket and will debug that issue further, but all that is included in this PR should work.
Thanks for the review, I will first review @rdimitrov's PR on refactoring the engine for alerts to see which rebase is easier.
lgtm
34a5466 to c9f92cc
We will be implementing a github-specific branch protection remediator to make our life easier when working with the complex branch protection API. The first step is to implement the protobuf type. At the moment, the type only has one field which is the patch.
We'll need this to implement the GH branch protection remediator.
Remediating github branch protections using plain REST calls proved to be very difficult because of several discrepancies between the data returned on GET and the expected data sent on POST. Instead, we're going to use the GH API with a bespoke GH branch protection remediator.
To provide better granularity, testability and enable different remediations for different tunables, let's split the branch protection rule-type into several. Co-Authored-By: Juan Antonio Osorio <ozz@stacklok.com>
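The GET/POST shape mismatch the commit message above refers to, shown as an added Python example that is not part of this PR or the project's code. The field shapes are assumed from GitHub's public REST documentation for branch protection; `get_to_put`, `remediate` and the sample payload are constructed here for illustration.

```python
"""Normalise a GitHub branch-protection GET payload into a PUT body, then patch it.
GET wraps booleans as {"enabled": bool} and returns users/teams/apps as objects;
PUT wants bare booleans and lists of logins/slugs. Field shapes are assumed from
the public REST docs, not taken from the project."""
import copy

# Keys GET wraps as {"enabled": bool}; PUT expects a bare bool for each.
WRAPPED_BOOLS = ("enforce_admins", "required_linear_history",
                 "allow_force_pushes", "allow_deletions", "allow_fork_syncing")

def _names(objs, key):  # [{"login": "x"}, ...] -> ["x", ...]
    return [o[key] for o in objs or []]

def get_to_put(protection: dict) -> dict:
    """Rewrite the GET shape into the shape PUT accepts (None means 'disabled')."""
    body = {}
    for key in WRAPPED_BOOLS:
        if key in protection:  # only echo settings the GET actually reported
            val = protection[key]
            body[key] = bool(val.get("enabled")) if isinstance(val, dict) else bool(val)
    rsc = protection.get("required_status_checks")
    body["required_status_checks"] = None if rsc is None else {
        "strict": bool(rsc.get("strict")), "contexts": list(rsc.get("contexts") or [])}
    rpr = protection.get("required_pull_request_reviews")
    body["required_pull_request_reviews"] = None if rpr is None else {
        "dismiss_stale_reviews": bool(rpr.get("dismiss_stale_reviews")),
        "require_code_owner_reviews": bool(rpr.get("require_code_owner_reviews")),
        "required_approving_review_count": int(rpr.get("required_approving_review_count") or 0)}
    res = protection.get("restrictions")
    body["restrictions"] = None if res is None else {
        "users": _names(res.get("users"), "login"),
        "teams": _names(res.get("teams"), "slug"), "apps": _names(res.get("apps"), "slug")}
    return body

def remediate(protection: dict, patch: dict) -> dict:
    """Overlay a PUT-shaped desired-state patch on the normalised current state."""
    body = get_to_put(protection)
    body.update(copy.deepcopy(patch))
    return body

# Constructed sample GET response (abbreviated), not captured from a real repository.
SAMPLE_GET = {
    "enforce_admins": {"url": "https://api.github.com/example", "enabled": False},
    "required_linear_history": {"enabled": True},
    "allow_force_pushes": {"enabled": True},
    "required_status_checks": {"strict": True, "contexts": ["ci/test"]},
    "required_pull_request_reviews": {"dismiss_stale_reviews": True,
                                      "required_approving_review_count": 1},
    "restrictions": {"users": [{"login": "octocat", "id": 1}], "teams": [], "apps": []},
}
```

The four top-level keys `required_status_checks`, `enforce_admins`, `required_pull_request_reviews` and `restrictions` are always emitted (as `None` when disabled) because the PUT endpoint expects them to be present.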
c9f92cc to f254eba
rebased atop Radoslav's recent alerting work
Adds branch protection remediations and splits the previous huge branch protection rule into smaller ones.
Fixes: #1154