|
1 | 1 | package compliance_framework.public_repos |
2 | 2 |
|
3 | | -_checks["repos"] if { |
| 3 | +risk_templates := [ |
| 4 | + { |
| 5 | + "name": "Organization has public repositories", |
| 6 | + "title": "Public Repositories Expose Source Code and Organizational Assets", |
| 7 | + "statement": "Public repositories in a GitHub organization are accessible to anyone on the internet without authentication. For organizations that intend to operate privately, unintentional public repos can expose proprietary source code, configuration files, internal tooling, infrastructure details, or secrets committed to version history. This information can be used by attackers to map attack surfaces, extract credentials, or exploit vulnerabilities in the exposed codebase.", |
| 8 | + "likelihood_hint": "high", |
| 9 | + "impact_hint": "high", |
| 10 | + "violation_ids": ["public_repos_present"], |
| 11 | + "threat_refs": [ |
| 12 | + { |
| 13 | + "system": "https://cwe.mitre.org", |
| 14 | + "external_id": "CWE-200", |
| 15 | + "title": "Exposure of Sensitive Information to an Unauthorized Actor", |
| 16 | + "url": "https://cwe.mitre.org/data/definitions/200.html" |
| 17 | + }, |
| 18 | + { |
| 19 | + "system": "https://cwe.mitre.org", |
| 20 | + "external_id": "CWE-284", |
| 21 | + "title": "Improper Access Control", |
| 22 | + "url": "https://cwe.mitre.org/data/definitions/284.html" |
| 23 | + } |
| 24 | + ], |
| 25 | + "remediation": { |
| 26 | + "title": "Convert public repositories to private or archive them", |
| 27 | + "description": "Review all public repositories in the organization and convert any that should not be publicly accessible to private visibility. Archive any obsolete repositories to prevent accidental disclosure.", |
| 28 | + "tasks": [ |
| 29 | + { "title": "Audit all public repositories in the organization" }, |
| 30 | + { "title": "Review repository contents and git history for exposed credentials, configuration, or internal documentation" }, |
| 31 | + { "title": "Rotate any credentials or secrets found in public repository history before changing visibility" }, |
| 32 | + { "title": "Convert non-intentionally public repositories to private" }, |
| 33 | + { "title": "Archive or delete obsolete public repositories" }, |
| 34 | + { "title": "Enable secret scanning on all repositories to detect any remaining exposed credentials" } |
| 35 | + ] |
| 36 | + } |
| 37 | + }, |
| 38 | + { |
| 39 | + "name": "Organization has public gists", |
| 40 | + "title": "Public Gists May Expose Sensitive Scripts or Configuration", |
| 41 | + "statement": "Public gists associated with an organization's members can inadvertently expose internal scripts, configuration snippets, credentials, or operational procedures. Because gists are often used informally, developers may not realize that content shared via a public gist is indexed and discoverable by anyone.", |
| 42 | + "likelihood_hint": "moderate", |
| 43 | + "impact_hint": "moderate", |
| 44 | + "violation_ids": ["public_gists_present"], |
| 45 | + "threat_refs": [ |
| 46 | + { |
| 47 | + "system": "https://cwe.mitre.org", |
| 48 | + "external_id": "CWE-200", |
| 49 | + "title": "Exposure of Sensitive Information to an Unauthorized Actor", |
| 50 | + "url": "https://cwe.mitre.org/data/definitions/200.html" |
| 51 | + }, |
| 52 | + { |
| 53 | + "system": "https://cwe.mitre.org", |
| 54 | + "external_id": "CWE-538", |
| 55 | + "title": "Insertion of Sensitive Information into Externally-Accessible File or Directory", |
| 56 | + "url": "https://cwe.mitre.org/data/definitions/538.html" |
| 57 | + } |
| 58 | + ], |
| 59 | + "remediation": { |
| 60 | + "title": "Remove or make private all public gists", |
| 61 | + "description": "Review all public gists associated with organization members and convert any containing sensitive or internal content to secret gists, or delete them entirely.", |
| 62 | + "tasks": [ |
| 63 | + { "title": "Audit all public gists owned by organization members" }, |
| 64 | + { "title": "Convert gists containing sensitive content to secret gists or delete them" }, |
| 65 | + { "title": "Educate members on the risks of sharing internal content via public gists" }, |
| 66 | + { "title": "Establish a policy prohibiting the use of public gists for internal scripts or configuration" } |
| 67 | + ] |
| 68 | + } |
| 69 | + } |
| 70 | +] |
| 71 | + |
| 72 | +violation[{"id": "public_repos_present"}] if { |
4 | 73 | input.settings.public_repos > 0 |
5 | 74 | } |
6 | 75 |
|
7 | | -_checks["gists"] if { |
| 76 | +violation[{"id": "public_gists_present"}] if { |
8 | 77 | input.settings.public_gists > 0 |
9 | 78 | } |
10 | 79 |
|
11 | | -violation[{}] if { |
12 | | - some check in _checks |
13 | | -} |
14 | | - |
15 | | - |
16 | 80 | title := "No Public Repos or Gists" |
17 | 81 | description := "The Organization should not have any public repositories or gists attached to it" |
0 commit comments