package repositories

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckPrivate is the AVD-GIT-0001 rule for GitHub repositories: a
// repository whose Public attribute resolves to true is reported as a
// Critical finding. Unmanaged repositories are skipped without any result;
// every other repository is recorded as a pass.
var CheckPrivate = rules.Register(
	scan.Rule{
		AVDID:      "AVD-GIT-0001",
		Provider:   providers.GitHubProvider,
		Service:    "repositories",
		ShortCode:  "private",
		Summary:    "Github repository shouldn't be public.",
		Impact:     "Anyone can read the contents of the GitHub repository and leak IP",
		Resolution: "Make sensitive or commercially important repositories private",
		Explanation: `Github repository should be set to be private.

You can do this by either setting <code>private</code> attribute to 'true' or <code>visibility</code> attribute to 'internal' or 'private'.`,
		Links: []string{
			"https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/about-repository-visibility",
			"https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/about-repository-visibility#about-internal-repositories",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformPrivateGoodExamples,
			BadExamples:         terraformPrivateBadExamples,
			Links:               terraformPrivateLinks,
			RemediationMarkdown: terraformPrivateRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	func(s *state.State) scan.Results {
		var results scan.Results
		for _, repo := range s.GitHub.Repositories {
			// Unmanaged repositories produce neither a pass nor a failure.
			if repo.Metadata.IsUnmanaged() {
				continue
			}
			// NOTE(review): only a Public value that resolves to true is a
			// finding; a value that cannot be resolved falls through to a
			// pass. Confirm that is the intended default for this rule.
			if !repo.Public.IsTrue() {
				results.AddPassed(repo)
				continue
			}
			results.Add(
				"Repository is public,",
				repo.Public,
			)
		}
		return results
	},
)