mondoo-github-security.mql.yaml
# Copyright (c) Mondoo, Inc.
# SPDX-License-Identifier: BUSL-1.1

policies:
  - uid: mondoo-github-organization-security
    name: Mondoo GitHub Organization Security
    version: 1.5.0
    license: BUSL-1.1
    tags:
      mondoo.com/category: security
      mondoo.com/platform: github
    authors:
      - name: Mondoo, Inc
        email: [email protected]
    docs:
      desc: |
        The Mondoo GitHub Organization Security policy provides guidance for establishing minimum recommended security and operational best practices for GitHub organizations.

        ### cnspec GitHub provider

        This policy uses the `github` provider to authenticate with GitHub's API in order to remotely scan GitHub organizations. Additional information on the `github` provider can be found by running this command:

        ```bash
        cnspec scan github --help
        ```

        ## Configuring the GitHub provider

        The `github` provider for cnspec requires a GitHub personal access token to authenticate with GitHub's API. Access to an organization is determined by the level of access the token cnspec is configured with when it runs.

        ### Create a personal access token

        To create a read-only personal access token, see [Creating a personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) on GitHub's documentation site.

        ### Configure a GITHUB_TOKEN environment variable

        You supply your personal access token to cnspec using the `GITHUB_TOKEN` environment variable.

        #### Linux / macOS

        ```bash
        export GITHUB_TOKEN=<your personal access token>
        ```

        #### Windows

        ```powershell
        $Env:GITHUB_TOKEN = "<personal-access-token>"
        ```

        ## Scan a GitHub organization

        To scan the configuration of your GitHub organization, run this command:

        ```bash
        cnspec scan github org <ORG_NAME>
        ```

        ## Scan a GitHub organization and all repositories

        cnspec can also scan a GitHub organization and all of its repositories using the `--discover all` flag. To scan your GitHub organization and discover and scan all of the repositories within your organization, run this command:

        ```bash
        cnspec scan github org <ORG_NAME> --discover all
        ```

        > Note: Scanning large GitHub organizations may exceed GitHub API rate limits. For more information see [About rate limits](https://docs.github.com/en/rest/rate-limit?apiVersion=2022-11-28#about-rate-limits) in the GitHub documentation.

        ## Join the community!

        Our goal is to build policies that are simple to deploy, accurate, and actionable.

        If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
    groups:
      - title: GitHub Org
        filters: asset.platform == "github-org"
        checks:
          - uid: mondoo-github-organization-security-default-permission-level
          - uid: mondoo-github-organization-security-two-factor-auth
          - uid: mondoo-github-organization-security-verified-domain
          - uid: mondoo-github-organization-security-security-policy
        scoring_system: highest impact
  - uid: mondoo-github-repository-security
    name: GitHub Repository Security
    version: 1.5.0
    license: BUSL-1.1
    authors:
      - name: Mondoo, Inc
        email: [email protected]
    docs:
      desc: |
        # Overview

        GitHub Repository Security by Mondoo provides security assessments of public and private GitHub repositories to ensure minimum recommended security and operational best practices. This policy is also designed to assess public repositories and open source projects your team depends on to evaluate the risk a project poses to your business. Open source projects that do not adhere to GitHub's recommended security best practices pose a higher risk of malicious code making its way into your environments.

        ### cnspec GitHub Provider

        This policy uses the `github` provider to authenticate with GitHub's API in order to remotely scan GitHub repositories. Additional information on the `github` provider can be found by running this command:

        ```bash
        cnspec scan github --help
        ```

        ## Configuring the GitHub provider

        The `github` provider for cnspec requires a GitHub personal access token to authenticate with GitHub's API. The personal access token is required regardless of whether you are scanning a public or a private repository. Access to private repositories is determined by the level of access the token cnspec is configured with when it runs.

        ### Create a personal access token

        To create a read-only personal access token, see [Creating a personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) on GitHub's documentation site.

        ### Configure a GITHUB_TOKEN environment variable

        You supply your personal access token to cnspec using the `GITHUB_TOKEN` environment variable.

        #### Linux / macOS

        ```bash
        export GITHUB_TOKEN=<your personal access token>
        ```

        #### Windows

        ```powershell
        $Env:GITHUB_TOKEN = "<personal-access-token>"
        ```

        ## Scanning GitHub repositories

        To scan the configuration of a GitHub repository:

        ```bash
        cnspec scan github repo <ORG_NAME/REPO_NAME>
        ```

        ## Join the community!

        Our goal is to build policies that are simple to deploy, accurate, and actionable.

        If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
    groups:
      - filters: |
          asset.platform == "github-repo"
        checks:
          - uid: mondoo-github-repository-security-binary-artifacts
          - uid: mondoo-github-repository-security-enforce-branch-protection
          - uid: mondoo-github-repository-security-ensure-default-branch-protection
          - uid: mondoo-github-repository-security-ensure-dependabot-workflow
          - uid: mondoo-github-repository-security-ensure-release-branch-protection
          - uid: mondoo-github-repository-security-prevent-force-pushes-default-branch
          - uid: mondoo-github-repository-security-prevent-force-pushes-release-branch
          - uid: mondoo-github-repository-security-require-conversation-resolution
          - uid: mondoo-github-repository-security-require-status-checks-before-merging
          - uid: mondoo-github-repository-security-required-signed-commits
          - uid: mondoo-github-repository-security-security-policy
        scoring_system: highest impact

props:
  - uid: mondooGithubSecurityRequiredPullRequestReviews
    title: Define the required number of reviewers on pull requests
    mql: "1"

queries:
  - uid: mondoo-github-organization-security-two-factor-auth
    title: Enable Two-factor authentication for all users in the organization
    impact: 90
    mql: github.organization.twoFactorRequirementEnabled
    docs:
      desc: |
        Two-factor authentication (2FA) is an extra layer of security used when logging into websites or apps. With 2FA, you have to log in with your username and password and provide another form of authentication that only you know or have access to. It is highly recommended that GitHub Organizations are configured to require all users to configure 2FA.
      audit: |
        __cnspec shell__

        1. Open a terminal
        2. Connect cnspec shell to GitHub `cnspec shell github org <org_name> --token $GITHUB_TOKEN`
        3. Run this query:

           ```mql
           github.organization.twoFactorRequirementEnabled
           ```
      remediation: |
        GitHub has several options for configuring 2FA for your organization. To enable 2FA, see [Configuring two-factor authentication](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication) in GitHub's documentation.
    refs:
      - url: https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa
        title: Securing your account with two-factor authentication (2FA)
  - uid: mondoo-github-organization-security-verified-domain
    title: Organization should have a verified domain attached
    impact: 80
    mql: github.organization.isVerified
    docs:
      desc: |
        You can verify your ownership of domains with GitHub to confirm your organization's identity. You can also approve domains to which GitHub can send email notifications for members of your organization. After verifying ownership of your organization's domains, a "Verified" badge is displayed on the organization's profile.
      audit: |
        __cnspec shell__

        1. Open a terminal
        2. Connect cnspec shell to GitHub `cnspec shell github org <org_name> --token $GITHUB_TOKEN`
        3. Run this query:

           ```mql
           github.organization.isVerified
           ```
      remediation: |
        To achieve verified status for your GitHub organization, see [Verifying or approving a domain for your organization](https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization) on the GitHub documentation site.
    refs:
      - url: https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization
        title: Verifying or approving a domain for your organization
  - uid: mondoo-github-organization-security-default-permission-level
    title: Ensure GitHub Organization has base permissions configured
    impact: 50
    mql: github.organization.defaultRepositoryPermission == "read"
    docs:
      desc: |
        You can set base permissions that apply to all members of an organization when accessing any of the organization's repositories. Base permissions do not apply to outside collaborators.

        By default, members of an organization have Read permissions to the organization's repositories.
      audit: |
        __cnspec shell__

        1. Open a terminal
        2. Connect cnspec shell to GitHub `cnspec shell github org <org_name> --token $GITHUB_TOKEN`
        3. Run this query:

           ```mql
           github.organization.defaultRepositoryPermission
           ```
      remediation: |
        To set base permissions for GitHub, see [Setting base permissions for an organization](https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/setting-base-permissions-for-an-organization) in GitHub's documentation.
    refs:
      - url: https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization
        title: Setting base permissions for an organization
  - uid: mondoo-github-organization-security-security-policy
    title: Ensure repository defines a security policy
    impact: 30
    mql: |
      if ( github.organization.repositories.one(name == ".github") ) {
        github.organization.repositories.where( name == ".github").all(
          securityFile.exists
        ) || github.repository.securityFile.exists
      } else {
        github.repository.securityFile.exists
      }
    docs:
      desc: |
        This check determines whether the repository defines a security policy.

        It is recommended that projects provide instructions for reporting a security vulnerability by adding a security policy to the repository.
      audit: |
        __cnspec shell__

        1. Open a terminal
        2. Connect cnspec shell to GitHub `cnspec shell github repo <org/repo_name> --token $GITHUB_TOKEN`
        3. Run this query:

           ```mql
           github.repository.files.where( name == /SECURITY.md/ )
           ```
      remediation: |
        See [Adding a security policy to your repository](https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository#adding-a-security-policy-to-your-repository) on the GitHub documentation site.
    refs:
      - url: https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository
        title: GitHub Docs - Adding a security policy to your repository
  - uid: mondoo-github-repository-security-ensure-default-branch-protection
    title: Ensure GitHub repository default branch is protected
    impact: 90
    mql: |
      github.repository.branches
        .where( isDefault == true )
        .all( isProtected == true )
    docs:
      desc: |
        This check ensures that the default branch for the repository has branch protection enabled. Branch protection enforces that certain workflows or requirements are met before a collaborator can push changes to a branch in a repository. It is highly recommended that the default branch has branch protection enabled, with branch protection rules applied.
      remediation: |
        To enable branch protection, see [About protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches) on the GitHub documentation site.
    refs:
      - url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches
        title: About Branch protection
      - url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-branches-in-your-repository/changing-the-default-branch
        title: Changing the default branch
  - uid: mondoo-github-repository-security-ensure-release-branch-protection
    title: Ensure GitHub repository release branches are protected
    impact: 90
    props:
      - uid: mondooGithubReleaseBranches
        title: Pattern for release branch
        mql: |
          return /^release/
    mql: |
      github.repository.branches
        .where( name == props.mondooGithubReleaseBranches )
        .all( isProtected == true )
    docs:
      desc: |
        This check ensures that any release branches (e.g. 'release-x.y.z') have branch protection rules enabled. Branch protection enforces that certain workflows or requirements are met before a collaborator can push changes to a branch in a repository. It is recommended that any release branches have branch protection enabled, with branch protection rules applied.
      remediation: |
        To enable branch protection, see [About protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches) on the GitHub documentation site.
  - uid: mondoo-github-repository-security-prevent-force-pushes-default-branch
    title: Ensure repository does not allow force pushes to the default branch
    impact: 80
    mql: |
      github.repository.branches
        .where( isDefault == true )
        .all( isProtected == true )
      github.repository.branches
        .where( isDefault == true )
        .all( protectionRules { allowForcePushes['enabled'] == false } )
    docs:
      desc: |
        This check ensures that the default branch does not allow force pushes. Branch protection enforces that certain workflows or requirements are met before a collaborator can push changes to a branch in a repository. It is highly recommended to disable force pushes to the default repository branch. By default, GitHub blocks force pushes on all protected branches. When you enable force pushes to a protected branch, you can choose one of two groups who can force push:

        - Allow everyone with at least write permissions to the repository to force push to the branch, including those with admin permissions.
        - Allow only specific people or teams to force push to the branch.

        If someone force pushes to a branch, the force push may overwrite commits that other collaborators based their work on. People may have merge conflicts or corrupted pull requests.

        Enabling force pushes will not override any other branch protection rules. For example, if a branch requires a linear commit history, you cannot force push merge commits to that branch.
      audit: |
        __cnspec shell__

        1. Open a terminal
        2. Connect cnspec shell to GitHub `cnspec shell github repo <org/repo_name> --token $GITHUB_TOKEN`
        3. Run this query:

           ```mql
           github.repository.branches.where( isDefault == true ) { isProtected protectionRules { allowForcePushes['enabled'] } }
           ```
      remediation: |
        To enable branch protection, see [About protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches) on the GitHub documentation site. Once branch protection is enabled, see [Allow force pushes](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#allow-force-pushes) on the GitHub documentation site, and make sure the repository is not configured to allow force pushes.
    refs:
      - url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches
        title: GitHub Docs - About protected branches
  - uid: mondoo-github-repository-security-prevent-force-pushes-release-branch
    title: Ensure repository does not allow force pushes to any release branches
    impact: 80
    props:
      - uid: mondooGithubReleaseBranches
        title: Pattern for release branch
        mql: |
          return /^release/
    mql: |
      github.repository.branches
        .where( name == props.mondooGithubReleaseBranches )
        .all( isProtected == true )
      github.repository.branches
        .where( name == props.mondooGithubReleaseBranches )
        .all( protectionRules { allowForcePushes['enabled'] == false } )
    docs:
      desc: |
        This check ensures that release branches do not allow force pushes. Branch protection enforces that certain workflows or requirements are met before a collaborator can push changes to a branch in a repository. It is recommended to disable force pushes to any release branches.

        By default, GitHub blocks force pushes on all protected branches. When you enable force pushes to a protected branch, you can choose one of two groups who can force push:

        - Allow everyone with at least write permissions to the repository to force push to the branch, including those with admin permissions.
        - Allow only specific people or teams to force push to the branch.

        If someone force pushes to a branch, the force push may overwrite commits that other collaborators have made. Force pushing may cause merge conflicts or corrupted pull requests for other users.

        Enabling force pushes will not override any other branch protection rules. For example, if a branch requires a linear commit history, you cannot force push merge commits to that branch.
      audit: |
        __cnspec shell__

        1. Open a terminal
        2. Connect cnspec shell to GitHub `cnspec shell github repo <org/repo_name> --token $GITHUB_TOKEN`
        3. Run this query (the pattern matches the default value of the `mondooGithubReleaseBranches` property):

           ```mql
           github.repository.branches.where( name == /^release/ ) { isProtected protectionRules { allowForcePushes['enabled'] } }
           ```
      remediation: |
        To enable branch protection, see [About protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches) on the GitHub documentation site. Once branch protection is enabled, see [Allow force pushes](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#allow-force-pushes) on the GitHub documentation site, and make sure the repository is not configured to allow force pushes.
    refs:
      - url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches
        title: GitHub Docs - About protected branches
  - uid: mondoo-github-repository-security-require-conversation-resolution
    title: Ensure branch protection requires conversation resolution before merging
    impact: 80
    mql: |
      github.repository.branches
        .where( isDefault == true )
        .all( isProtected == true )
      github.repository.branches
        .where( isDefault == true )
        .all( protectionRules { requiredConversationResolution['enabled'] == true } )
    docs:
      desc: |
        This check ensures that a branch protection rule is configured to require all comments on a pull request to be resolved before it can be merged to a protected branch. Branch protection enforces that certain workflows or requirements are met before a collaborator can push changes to a branch in a repository. It is recommended that both the default branch and any release branches have branch protection enabled, with branch protection rules applied.
      remediation: |
        To enable branch protection, see [About protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches) on the GitHub documentation site. Once branch protection is enabled, see [Require conversation resolution before merging](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-conversation-resolution-before-merging) on the GitHub documentation site.
    refs:
      - url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches
        title: GitHub Docs - About protected branches
      - url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-conversation-resolution-before-merging
        title: GitHub Documentation - Require conversation resolution before merging
  - uid: mondoo-github-repository-security-require-status-checks-before-merging
    title: Ensure status checks are passing before merging PRs on the default branch
    impact: 80
    mql: |
      github.repository.branches
        .where( isDefault == true )
        .all( isProtected == true )
      github.repository.branches
        .where( isDefault == true )
        .all( protectionRules { requiredStatusChecks.length > 0 } )
    docs:
      desc: |
        This check ensures that all required CI tests pass before collaborators can merge changes to a protected branch. Branch protection enforces that certain workflows or requirements are met before a collaborator can push changes to a branch in a repository. It is recommended that both the default branch and any release branches have branch protection enabled, with branch protection rules applied.
      audit: |
        __cnspec shell__

        1. Open a terminal
        2. Connect cnspec shell to GitHub `cnspec shell github repo <org/repo_name> --token $GITHUB_TOKEN`
        3. Run this query:

           ```mql
           github.repository.branches.where( isDefault == true ) { isProtected protectionRules { requiredStatusChecks.length } }
           ```
      remediation: |
        To enable branch protection, see [About protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches) on the GitHub documentation site. Once branch protection is enabled, see [Require status checks before merging](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging) on the GitHub documentation site.
    refs:
      - url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches
        title: GitHub Docs - About protected branches
      - url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging
        title: Require status checks before merging
  - uid: mondoo-github-repository-security-required-signed-commits
    title: Ensure repository branch protection requires signed commits
    impact: 80
    mql: |
      github.repository.branches
        .where( isDefault == true )
        .all( isProtected == true )
      github.repository.branches
        .where( isDefault == true )
        .all( protectionRules { requiredSignatures == true } )
    docs:
      desc: |
        This check ensures a branch protection rule exists to require signed commits on the default branch. Signing commits and tags locally gives other people confidence about the origin of changes made to a project. If a commit or tag has a GPG, SSH, or S/MIME signature that is cryptographically verifiable, GitHub marks the commit or tag "Verified" or "Partially verified."
      audit: |
        __cnspec shell__

        1. Open a terminal
        2. Connect cnspec shell to GitHub `cnspec shell github repo <org/repo_name> --token $GITHUB_TOKEN`
        3. Run this query:

           ```mql
           github.repository.branches.where( isDefault == true ) { isProtected protectionRules { requiredSignatures } }
           ```
      remediation: |
        To enable branch protection, see [About protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches) on the GitHub documentation site. Once branch protection is enabled, see [Require signed commits](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-signed-commits) on the GitHub documentation site.
    refs:
      - url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches
        title: GitHub Docs - About protected branches
      - url: https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification
        title: GitHub Docs - About commit signature verification
  - uid: mondoo-github-repository-security-enforce-branch-protection
    title: Ensure repository does not allow bypassing of branch protection rules
    impact: 70
    mql: |
      github.repository.branches
        .where( isDefault == true )
        .all( isProtected == true )
      github.repository.branches
        .where( isDefault == true )
        .all( protectionRules.enforceAdmins['enabled'] == true )
    docs:
      desc: |
        This check ensures branch protection rules cannot be bypassed. By default, the restrictions of a branch protection rule do not apply to people with admin permissions to the repository or to custom roles with the "bypass branch protections" permission in a repository.
      audit: |
        __cnspec shell__

        1. Open a terminal
        2. Connect cnspec shell to GitHub `cnspec shell github repo <org/repo_name> --token $GITHUB_TOKEN`
        3. Run this query:

           ```mql
           github.repository.branches.where( isDefault == true ) { isProtected protectionRules { enforceAdmins['enabled'] } }
           ```
      remediation: |
        To enable branch protection, see [About protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches) on the GitHub documentation site. Once branch protection is enabled, see [Do not allow bypassing the above settings](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#do-not-allow-bypassing-the-above-settings) on the GitHub documentation site.
    refs:
      - url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches
        title: GitHub Docs - About protected branches
  - uid: mondoo-github-repository-security-security-policy
    title: Ensure repository defines a security policy
    impact: 30
    mql: |
      github.repository.securityFile.exists
    docs:
      desc: |
        This check determines whether the repository defines a security policy.

        It is recommended that projects provide instructions for reporting a security vulnerability by adding a security policy to the repository.
      audit: |
        __cnspec shell__

        1. Open a terminal
        2. Connect cnspec shell to GitHub `cnspec shell github repo <org/repo_name> --token $GITHUB_TOKEN`
        3. Run this query:

           ```mql
           github.repository.files.one( name.downcase == "security.md" )
           ```
      remediation: |
        See [Adding a security policy to your repository](https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository#adding-a-security-policy-to-your-repository) on the GitHub documentation site.
    refs:
      - url: https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository
        title: GitHub Docs - Adding a security policy to your repository
  - uid: mondoo-github-repository-security-binary-artifacts
    title: Ensure repository does not generate binary artifacts
    impact: 90
    mql: |
      github.repository.files
        .all( isBinary == false )
      github.repository.files
        .where( type == "dir" )
        .all( files.where( type != "dir" ).all( isBinary == false ) )
    docs:
      desc: |
        This check determines whether the project has committed executable (binary) artifacts to the source repository. Binary artifacts pose security challenges because they cannot be reviewed, and users will often directly run executables if they are included in the source repository, which leads to many dangerous behaviors.
      audit: |
        __cnspec shell__

        1. Open a terminal
        2. Connect cnspec shell to GitHub `cnspec shell github repo <org/repo_name> --token $GITHUB_TOKEN`
        3. Run this query:

           ```mql
           github.repository { files { isBinary } files { files { isBinary } } }
           ```
      remediation: |
        Remove the generated executable artifacts from the repository, and then build from source.
    refs:
      - url: https://github.com/ossf/scorecard/blob/main/docs/checks.md#binary-artifacts
        title: OSSF Scorecard - Binary Artifacts
  - uid: mondoo-github-repository-security-ensure-dependabot-workflow
    title: Ensure a GitHub Actions workflow exists for Dependabot
    impact: 70
    mql: |-
      github.repository.files
        .one( name == ".github" && type == "dir" )
      github.repository.files
        .where( path == ".github" )
        .all( files.one( name == "dependabot.yaml" || name == "dependabot.yml" ) )
    docs:
      desc: |
        This check ensures that Dependabot is configured for the repository by looking for a `.github/dependabot.yml` or `.github/dependabot.yaml` configuration file.

        Dependabot creates pull requests to keep your dependencies up to date, and you can use GitHub Actions to perform automated tasks when these pull requests are created. For example, fetch additional artifacts, add labels, run tests, or otherwise modify the pull request.
      remediation: |
        GitHub Actions provides many different workflows for running Dependabot checks on a project. For more information see [Automating Dependabot with GitHub Actions](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions) on the GitHub documentation site.
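The branch-protection checks in the repository policy above (protected default and release branches, no force pushes, conversation resolution, required status checks, signed commits, no admin bypass) re-expressed as plain Python so the pass/fail logic can be read and tested offline; this is an added example, not cnspec or Mondoo code, and the MQL `protectionRules` fields are mapped by assumption onto the names GitHub's REST branch-protection response uses. The branch snapshot `SAMPLE_BRANCHES`, the `^release` pattern taken from the `mondooGithubReleaseBranches` property, and the helper names are constructed for this example; like the policy's `.all()`, a check over an empty branch list passes.

```python
import re

# Release-branch pattern from the policy's mondooGithubReleaseBranches prop.
RELEASE_BRANCH = re.compile(r"^release")

# Constructed sample (not real data): one protected default branch whose rule
# still lets admins bypass it, one unprotected release branch, one feature
# branch the policy does not look at. Protection fields follow the names of
# GitHub's REST branch-protection response (assumption for this example).
SAMPLE_BRANCHES = [
    {
        "name": "main",
        "is_default": True,
        "protection": {
            "enforce_admins": {"enabled": False},
            "allow_force_pushes": {"enabled": False},
            "required_conversation_resolution": {"enabled": True},
            "required_status_checks": {"contexts": ["ci/test"]},
            "required_signatures": {"enabled": True},
        },
    },
    {"name": "release-1.2.0", "is_default": False, "protection": None},
    {"name": "feature/login", "is_default": False, "protection": None},
]


def is_protected(branch):
    """Counterpart of the MQL isProtected field."""
    return branch.get("protection") is not None


def rule(branch, *path, default=None):
    """Walk a nested protection rule; a missing rule yields `default`,
    which the comparisons below treat as a failed check."""
    node = branch.get("protection") or {}
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def evaluate(branches, release_pattern=RELEASE_BRANCH):
    """Return {check suffix: passed} mirroring the policy's two-part MQL:
    the selected branches must be protected AND the named rule must hold."""
    default = [b for b in branches if b.get("is_default")]
    release = [b for b in branches if release_pattern.search(b["name"])]

    def protected_with(targets, *path, expect):
        return all(is_protected(b) for b in targets) and all(
            rule(b, *path) == expect for b in targets
        )

    def status_checks_required(targets):
        return all(is_protected(b) for b in targets) and all(
            len(rule(b, "required_status_checks", "contexts", default=[])) > 0
            for b in targets
        )

    return {
        "ensure-default-branch-protection": all(is_protected(b) for b in default),
        "ensure-release-branch-protection": all(is_protected(b) for b in release),
        "prevent-force-pushes-default-branch": protected_with(
            default, "allow_force_pushes", "enabled", expect=False),
        "prevent-force-pushes-release-branch": protected_with(
            release, "allow_force_pushes", "enabled", expect=False),
        "require-conversation-resolution": protected_with(
            default, "required_conversation_resolution", "enabled", expect=True),
        "require-status-checks-before-merging": status_checks_required(default),
        "required-signed-commits": protected_with(
            default, "required_signatures", "enabled", expect=True),
        "enforce-branch-protection": protected_with(
            default, "enforce_admins", "enabled", expect=True),
    }


def failing_checks(branches):
    """Sorted list of the checks that would be reported as failed."""
    return sorted(uid for uid, ok in evaluate(branches).items() if not ok)


if __name__ == "__main__":
    for uid, ok in evaluate(SAMPLE_BRANCHES).items():
        print(f"{'PASS' if ok else 'FAIL'}  mondoo-github-repository-security-{uid}")
```

With the sample, the admin-bypass and the two release-branch checks fail, which is exactly what the corresponding MQL queries would flag for this repository state.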