Skip to content

Commit

Permalink
Merge branch 'main' into dependabot/go_modules/github.com/hashicorp/g…
Browse files Browse the repository at this point in the history
…o-retryablehttp-0.7.7
  • Loading branch information
noamd-legit authored Jul 9, 2024
2 parents d6bba93 + 5604bae commit 79b0dea
Show file tree
Hide file tree
Showing 5 changed files with 60 additions and 15 deletions.
25 changes: 24 additions & 1 deletion .github/workflows/e2e_testing.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -6,10 +6,14 @@ on:
release:
types: [ published ]
pull_request:
pull_request_target:
types: [ labeled ]
permissions:
contents: read
pull-requests: write
jobs:
install_and_run_e2e_tests:
if: ${{ github.event.pull_request.head.repo.fork == false || (github.event.pull_request.head.repo.fork == true && contains(github.event.pull_request.labels.*.name,'Approve E2E Test')) }}
runs-on: ubuntu-latest
strategy:
matrix:
Expand Down Expand Up @@ -46,7 +50,14 @@ jobs:
extra: --repo Legitify-E2E/bad_branch_protection

steps:
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # ratchet:actions/checkout@v3
- name: Checkout non-fork
if: ${{ github.event.pull_request.head.repo.fork == false }}
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # ratchet:actions/checkout@v3
- name: Checkout fork
if: ${{ github.event.pull_request.head.repo.fork == true }}
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # ratchet:actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.sha }}
- uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # ratchet:actions/setup-go@v3
with:
go-version: 1.19
Expand Down Expand Up @@ -83,3 +94,15 @@ jobs:
SLACK_COLOR: ${{ job.status }}
SLACK_MESSAGE: E2E Tests failed - ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
SLACK_TITLE: "Legitify periodic E2E test failed"

remove_e2e_label:
if: ${{ always() && (github.event.pull_request.head.repo.fork == true && contains(github.event.pull_request.labels.*.name,'Approve E2E Test')) }}
needs: install_and_run_e2e_tests
runs-on: ubuntu-latest
steps:
- name: Remove E2E Label
run: |
gh api --method DELETE -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" repos/${{ github.repository }}/issues/${{ github.event.number }}/labels/${{ 'Approve%20E2E%20Test' }}
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

2 changes: 2 additions & 0 deletions .legitignore
Original file line number Diff line number Diff line change
Expand Up @@ -3,3 +3,5 @@ instance_8B699E54671FEE1FAC02B830C651450F
instance_8326D270DF418129D65CC0F25077233E
instance_5BB71F8938BAD8D688018A6F9505C44D
instance_0A8CFE3A09E996BDA5D889138D351B7E
instance_5C5D072C7F47D0E7F38048F9550E3EAA
instance_E553D24593AB8E5DE68FC9469FEF895D
19 changes: 13 additions & 6 deletions policies/github/repository.rego
Original file line number Diff line number Diff line change
Expand Up @@ -31,8 +31,8 @@ repository_not_maintained := false {
}
# METADATA
# scope: rule
# title: Repository Should Have Fewer Than Three Admins
# description: Repository admins are highly privileged and could create great damage if they are compromised. It is recommended to limit the number of Repository Admins to the minimum required (recommended maximum 3 admins).
# title: Repository Should Have A Low Admin Count
# description: Repository admins are highly privileged and could create great damage if they are compromised. It is recommended to limit the number of repository admins to the minimum required, and no more than 5% of the userbase (Up to 3 admins are always allowed).
# custom:
# severity: LOW
# remediationSteps:
Expand All @@ -49,7 +49,10 @@ default repository_has_too_many_admins := true

repository_has_too_many_admins := false {
admins := [admin | admin := input.collaborators[_]; admin.permissions.admin]
count(admins) <= 3
adminNum := count(admins)
userNum := count(input.collaborators)
maxAdmins := max([3, ceil(userNum * 0.05)])
adminNum <= maxAdmins
}

# METADATA
Expand Down Expand Up @@ -111,8 +114,8 @@ repository_webhook_doesnt_require_ssl[violated] := true {

# METADATA
# scope: rule
# title: Forking Should Not Be Allowed for This Repository
# description: Forking a repository can lead to loss of control and potential exposure of the source code. If you do not need forking, it is recommended to turn it off in the repository configuration. If needed, forking should be turned on by admins deliberately when opting to create a fork.
# title: Forking Should Not Be Allowed for Private/Internal Repositories
# description: Forking private or internal repositories can lead to unauthorized spread and potential exposure of sensitive source code. It is recommended to disable forking for private repositories in the repository or the organization configuration to maintain control over the source code. If forking is necessary, it should be enabled selectively by admins for specific collaboration needs on private repositories.
# custom:
# remediationSteps:
# - 1. Make sure you have admin permissions
Expand All @@ -124,6 +127,10 @@ repository_webhook_doesnt_require_ssl[violated] := true {
# threat: Forked repositories cause more code and secret sprawl in the organization as forks are independent copies of the repository and need to be tracked separately, making it more difficult to keep track of sensitive assets and contain potential incidents.
default forking_allowed_for_repository := true

forking_allowed_for_repository := false {
input.repository.is_private == false
}

forking_allowed_for_repository := false {
input.repository.is_private == true
input.repository.allow_forking == false
Expand Down Expand Up @@ -735,4 +742,4 @@ default secret_scanning_not_enabled := true

secret_scanning_not_enabled := false{
input.security_and_analysis.secret_scanning.status == "enabled"
}
}
13 changes: 8 additions & 5 deletions policies/gitlab/repository.rego
Original file line number Diff line number Diff line change
Expand Up @@ -26,8 +26,8 @@ project_not_maintained := false {

# METADATA
# scope: rule
# title: Project Should Have Fewer Than Three Owners
# description: Projects owners are highly privileged and could create great damage if they are compromised. It is recommended to limit the number of Project Owners to the minimum required (recommended maximum 3 admins).
# title: Project Should Have A Low Owner Count
# description: Projects owners are highly privileged and could create great damage if they are compromised. It is recommended to limit the number of Project Owners to the minimum required, and no more than 5% of the userbase (Up to 3 owners are always allowed).
# custom:
# severity: LOW
# remediationSteps:
Expand All @@ -41,13 +41,16 @@ default project_has_too_many_admins := true

project_has_too_many_admins := false {
admins := [admin | admin := input.members[_]; admin.access_level == 50]
count(admins) <= 3
adminNum := count(admins)
userNum := count(input.members)
maxAdmins := max([3, ceil(userNum * 0.05)])
adminNum <= maxAdmins
}

# METADATA
# scope: rule
# title: Forking Should Not Be Allowed
# description: Forking a repository can lead to loss of control and potential exposure of source code. If you do not need forking, it is recommended to turn it off in the project's configuration. The option to fork should be enabled only by owners deliberately when opting to create a fork.
# title: Forking Should Not Be Allowed for Private/Internal Projects
# description: Forking a project (repository) can lead to loss of control and potential exposure of source code. If you do not need forking, it is recommended to turn it off in the project or group configuration. The option to fork should be enabled only by owners deliberately when opting to create a fork.
# custom:
# remediationSteps:
# - 1. Make sure you have owner permissions
Expand Down
16 changes: 13 additions & 3 deletions test/repository_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -403,11 +403,21 @@ func TestGitlabRepositoryTooManyAdmins(t *testing.T) {
}
}

tmpMember := &gitlab2.ProjectMember{
tmpAdminMember := &gitlab2.ProjectMember{
AccessLevel: 50,
}
trueCase := []*gitlab2.ProjectMember{tmpMember, tmpMember, tmpMember, tmpMember}
falseCase := []*gitlab2.ProjectMember{tmpMember, tmpMember}
tmpRegMember := &gitlab2.ProjectMember{
AccessLevel: 20,
}
trueCase := []*gitlab2.ProjectMember{tmpAdminMember, tmpAdminMember, tmpAdminMember, tmpAdminMember}
for i := 0; i < 10; i++ {
trueCase = append(trueCase, tmpRegMember)
}
falseCase := []*gitlab2.ProjectMember{tmpAdminMember, tmpAdminMember, tmpAdminMember, tmpAdminMember}
for i := 0; i < 57; i++ {
falseCase = append(falseCase, tmpRegMember)
}

options := map[bool][]*gitlab2.ProjectMember{
false: falseCase,
true: trueCase,
Expand Down

0 comments on commit 79b0dea

Please sign in to comment.