Skip to content

Commit

Permalink
Fix: Refine policy logic and enhance descriptions for forking restric…
Browse files Browse the repository at this point in the history
…tions (Legit-Labs#319)
  • Loading branch information
sagic-orca authored Jul 3, 2024
1 parent 286b90b commit 8b13777
Show file tree
Hide file tree
Showing 2 changed files with 8 additions and 4 deletions.
8 changes: 6 additions & 2 deletions policies/github/repository.rego
Original file line number Diff line number Diff line change
Expand Up @@ -111,8 +111,8 @@ repository_webhook_doesnt_require_ssl[violated] := true {

# METADATA
# scope: rule
# title: Forking Should Not Be Allowed for This Repository
# description: Forking a repository can lead to loss of control and potential exposure of the source code. If you do not need forking, it is recommended to turn it off in the repository configuration. If needed, forking should be turned on by admins deliberately when opting to create a fork.
# title: Forking Should Not Be Allowed for Private/Internal Repositories
# description: Forking private or internal repositories can lead to unauthorized spread and potential exposure of sensitive source code. It is recommended to disable forking for private repositories in the repository or the organization configuration to maintain control over the source code. If forking is necessary, it should be enabled selectively by admins for specific collaboration needs on private repositories.
# custom:
# remediationSteps:
# - 1. Make sure you have admin permissions
Expand All @@ -124,6 +124,10 @@ repository_webhook_doesnt_require_ssl[violated] := true {
# threat: Forked repositories cause more code and secret sprawl in the organization as forks are independent copies of the repository and need to be tracked separately, making it more difficult to keep track of sensitive assets and contain potential incidents.
default forking_allowed_for_repository := true

forking_allowed_for_repository := false {
input.repository.is_private == false
}

forking_allowed_for_repository := false {
input.repository.is_private == true
input.repository.allow_forking == false
Expand Down
4 changes: 2 additions & 2 deletions policies/gitlab/repository.rego
Original file line number Diff line number Diff line change
Expand Up @@ -46,8 +46,8 @@ project_has_too_many_admins := false {

# METADATA
# scope: rule
# title: Forking Should Not Be Allowed
# description: Forking a repository can lead to loss of control and potential exposure of source code. If you do not need forking, it is recommended to turn it off in the project's configuration. The option to fork should be enabled only by owners deliberately when opting to create a fork.
# title: Forking Should Not Be Allowed for Private/Internal Projects
# description: Forking a project (repository) can lead to loss of control and potential exposure of source code. If you do not need forking, it is recommended to turn it off in the project or group configuration. The option to fork should be enabled only by owners deliberately when opting to create a fork.
# custom:
# remediationSteps:
# - 1. Make sure you have owner permissions
Expand Down

0 comments on commit 8b13777

Please sign in to comment.