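package branch_protections

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckRequireSignedCommits is rule AVD-GIT-0004: it reports every GitHub
// branch protection whose require_signed_commits attribute resolves to false,
// so that a protected branch that still accepts unsigned commits is surfaced
// as a High-severity finding.
var CheckRequireSignedCommits = rules.Register(
	scan.Rule{
		AVDID:       "AVD-GIT-0004",
		Provider:    providers.GitHubProvider,
		Service:     "branch_protections",
		ShortCode:   "require_signed_commits",
		Summary:     "GitHub branch protection does not require signed commits.",
		Impact:      "Commits may not be verified and signed as coming from a trusted developer",
		Resolution:  "Require signed commits",
		Explanation: `GitHub branch protection should be set to require signed commits.

You can do this by setting the <code>require_signed_commits</code> attribute to 'true'.`,
		Links: []string{
			"https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_protection#require_signed_commits",
			"https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification",
			"https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-signed-commits",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformRequireSignedCommitsGoodExamples,
			BadExamples:         terraformRequireSignedCommitsBadExamples,
			Links:               terraformRequireSignedCommitsLinks,
			RemediationMarkdown: terraformRequireSignedCommitsRemediationMarkdown,
		},
		Severity: severity.High,
	},
	// Every adapted branch protection yields exactly one result: a finding
	// when the attribute is false, otherwise a pass. Nothing is skipped, so
	// the result count always equals len(s.GitHub.BranchProtections).
	func(s *state.State) (results scan.Results) {
		for _, branchProtection := range s.GitHub.BranchProtections {
			// NOTE(review): only a value that resolves to false is reported.
			// An unresolvable value (e.g. an attribute fed by a variable the
			// scanner could not evaluate) presumably does not satisfy IsFalse()
			// and is then recorded as passed — confirm against the BoolValue
			// implementation if silent passes on unknown input are a concern.
			if branchProtection.RequireSignedCommits.IsFalse() {
				// The finding message is a full sentence, matching the Summary.
				results.Add(
					"Branch protection does not require signed commits.",
					branchProtection.RequireSignedCommits,
				)
			} else {
				results.AddPassed(branchProtection)
			}
		}
		return
	},
)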