Skip to content

Commit 179ce13

Browse files
authored
feat: runner-v2
feat: runner-v2
1 parent a00bd8b commit 179ce13

7 files changed

Lines changed: 273 additions & 15 deletions

.github/workflows/build-and-upload.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -23,7 +23,7 @@ jobs:
2323
with:
2424
files: dist/bundle.tar.gz
2525
- name: Install gooci cli
26-
run: go install github.com/compliance-framework/gooci@latest
26+
run: go install github.com/compliance-framework/gooci@v0.0.7
2727
- name: Authenticate gooci cli
2828
run: gooci login ghcr.io --username ${{ github.actor }} --password ${{ secrets.GITHUB_TOKEN }}
2929
- name: gooci Upload Version

policies/gh_org_mfa_enabled.rego

Lines changed: 44 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,49 @@
11
package compliance_framework.mfa_enabled
22

3-
violation[{}] if {
3+
risk_templates := [
4+
{
5+
"name": "Organization MFA not enforced",
6+
"title": "GitHub Organization Members Accessible via Single-Factor Authentication",
7+
"statement": "Without mandatory two-factor authentication (2FA) enforcement at the organization level, any member account protected only by a password is susceptible to credential-based attacks including phishing, credential stuffing, and brute force. A compromised member account can expose repositories, secrets, CI/CD pipelines, and administrative settings to an attacker without requiring privilege escalation.",
8+
"likelihood_hint": "high",
9+
"impact_hint": "high",
10+
"violation_ids": ["mfa_not_enforced"],
11+
"threat_refs": [
12+
{
13+
"system": "https://cwe.mitre.org",
14+
"external_id": "CWE-308",
15+
"title": "Use of Single-factor Authentication",
16+
"url": "https://cwe.mitre.org/data/definitions/308.html"
17+
},
18+
{
19+
"system": "https://cwe.mitre.org",
20+
"external_id": "CWE-287",
21+
"title": "Improper Authentication",
22+
"url": "https://cwe.mitre.org/data/definitions/287.html"
23+
},
24+
{
25+
"system": "https://cwe.mitre.org",
26+
"external_id": "CWE-522",
27+
"title": "Insufficiently Protected Credentials",
28+
"url": "https://cwe.mitre.org/data/definitions/522.html"
29+
}
30+
],
31+
"remediation": {
32+
"title": "Enforce two-factor authentication for all organization members",
33+
"description": "Enable the 'Require two-factor authentication' setting for the GitHub organization so that all current and future members must use 2FA. Members and outside collaborators who do not comply will be removed from the organization until they enable 2FA.",
34+
"tasks": [
35+
{ "title": "Audit current member 2FA status to identify non-compliant accounts before enforcement" },
36+
{ "title": "Communicate the 2FA requirement to all members and collaborators in advance" },
37+
{ "title": "Navigate to Organization Settings > Security > Authentication security" },
38+
{ "title": "Enable 'Require two-factor authentication for everyone in the organization'" },
39+
{ "title": "Review and re-invite any removed accounts once they have enabled 2FA" },
40+
{ "title": "Consider enforcing SAML SSO as an additional layer of centralized identity control" }
41+
]
42+
}
43+
}
44+
]
45+
46+
violation[{"id": "mfa_not_enforced"}] if {
447
input.settings.two_factor_requirement_enabled == false
548
}
649

policies/gh_org_public_repos.rego

Lines changed: 71 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -1,17 +1,81 @@
11
package compliance_framework.public_repos
22

3-
_checks["repos"] if {
3+
risk_templates := [
4+
{
5+
"name": "Organization has public repositories",
6+
"title": "Public Repositories Expose Source Code and Organizational Assets",
7+
"statement": "Public repositories in a GitHub organization are accessible to anyone on the internet without authentication. For organizations that intend to operate privately, unintentional public repos can expose proprietary source code, configuration files, internal tooling, infrastructure details, or secrets committed to version history. This information can be used by attackers to map attack surfaces, extract credentials, or exploit vulnerabilities in the exposed codebase.",
8+
"likelihood_hint": "high",
9+
"impact_hint": "high",
10+
"violation_ids": ["public_repos_present"],
11+
"threat_refs": [
12+
{
13+
"system": "https://cwe.mitre.org",
14+
"external_id": "CWE-200",
15+
"title": "Exposure of Sensitive Information to an Unauthorized Actor",
16+
"url": "https://cwe.mitre.org/data/definitions/200.html"
17+
},
18+
{
19+
"system": "https://cwe.mitre.org",
20+
"external_id": "CWE-284",
21+
"title": "Improper Access Control",
22+
"url": "https://cwe.mitre.org/data/definitions/284.html"
23+
}
24+
],
25+
"remediation": {
26+
"title": "Convert public repositories to private or archive them",
27+
"description": "Review all public repositories in the organization and convert any that should not be publicly accessible to private visibility. Archive any obsolete repositories to prevent accidental disclosure.",
28+
"tasks": [
29+
{ "title": "Audit all public repositories in the organization" },
30+
{ "title": "Review repository contents and git history for exposed credentials, configuration, or internal documentation" },
31+
{ "title": "Rotate any credentials or secrets found in public repository history before changing visibility" },
32+
{ "title": "Convert non-intentionally public repositories to private" },
33+
{ "title": "Archive or delete obsolete public repositories" },
34+
{ "title": "Enable secret scanning on all repositories to detect any remaining exposed credentials" }
35+
]
36+
}
37+
},
38+
{
39+
"name": "Organization has public gists",
40+
"title": "Public Gists May Expose Sensitive Scripts or Configuration",
41+
"statement": "Public gists associated with an organization's members can inadvertently expose internal scripts, configuration snippets, credentials, or operational procedures. Because gists are often used informally, developers may not realize that content shared via a public gist is indexed and discoverable by anyone.",
42+
"likelihood_hint": "moderate",
43+
"impact_hint": "moderate",
44+
"violation_ids": ["public_gists_present"],
45+
"threat_refs": [
46+
{
47+
"system": "https://cwe.mitre.org",
48+
"external_id": "CWE-200",
49+
"title": "Exposure of Sensitive Information to an Unauthorized Actor",
50+
"url": "https://cwe.mitre.org/data/definitions/200.html"
51+
},
52+
{
53+
"system": "https://cwe.mitre.org",
54+
"external_id": "CWE-538",
55+
"title": "Insertion of Sensitive Information into Externally-Accessible File or Directory",
56+
"url": "https://cwe.mitre.org/data/definitions/538.html"
57+
}
58+
],
59+
"remediation": {
60+
"title": "Remove or make private all public gists",
61+
"description": "Review all public gists associated with organization members and convert any containing sensitive or internal content to secret gists, or delete them entirely.",
62+
"tasks": [
63+
{ "title": "Audit all public gists owned by organization members" },
64+
{ "title": "Convert gists containing sensitive content to secret gists or delete them" },
65+
{ "title": "Educate members on the risks of sharing internal content via public gists" },
66+
{ "title": "Establish a policy prohibiting the use of public gists for internal scripts or configuration" }
67+
]
68+
}
69+
}
70+
]
71+
72+
violation[{"id": "public_repos_present"}] if {
473
input.settings.public_repos > 0
574
}
675

7-
_checks["gists"] if {
76+
violation[{"id": "public_gists_present"}] if {
877
input.settings.public_gists > 0
978
}
1079

11-
violation[{}] if {
12-
some check in _checks
13-
}
14-
15-
1680
title := "No Public Repos or Gists"
1781
description := "The Organization should not have any public repositories or gists attached to it"

policies/gh_org_secret_dependabot_alerts.rego

Lines changed: 37 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,42 @@
11
package compliance_framework.dependabot_alerts
22

3-
violation[{}] if {
3+
risk_templates := [
4+
{
5+
"name": "Dependabot alerts not enabled by default for new repositories",
6+
"title": "New Repositories Created Without Vulnerability Alert Coverage",
7+
"statement": "When Dependabot alerts are not enabled by default for new repositories, any repository created in the organization will silently accumulate vulnerable dependencies without notification. Security teams have no visibility into known CVEs affecting dependencies in these repositories until alerts are manually enabled, increasing the time-to-detection and the window of exposure.",
8+
"likelihood_hint": "moderate",
9+
"impact_hint": "high",
10+
"violation_ids": ["dependabot_alerts_not_default"],
11+
"threat_refs": [
12+
{
13+
"system": "https://cwe.mitre.org",
14+
"external_id": "CWE-693",
15+
"title": "Protection Mechanism Failure",
16+
"url": "https://cwe.mitre.org/data/definitions/693.html"
17+
},
18+
{
19+
"system": "https://cwe.mitre.org",
20+
"external_id": "CWE-1395",
21+
"title": "Dependency on Vulnerable Third-Party Component",
22+
"url": "https://cwe.mitre.org/data/definitions/1395.html"
23+
}
24+
],
25+
"remediation": {
26+
"title": "Enable Dependabot alerts by default for all new repositories",
27+
"description": "Configure the GitHub organization so that Dependabot alerts are automatically enabled for every new repository created. This ensures that vulnerability detection is active from the moment a repository is initialized.",
28+
"tasks": [
29+
{ "title": "Navigate to Organization Settings > Code security and analysis" },
30+
{ "title": "Enable 'Dependabot alerts' for all new repositories" },
31+
{ "title": "Retroactively enable Dependabot alerts on existing repositories that currently lack coverage" },
32+
{ "title": "Establish a process to review and triage new Dependabot alerts within an agreed SLA" },
33+
{ "title": "Consider also enabling Dependabot security updates to automate remediation PRs" }
34+
]
35+
}
36+
}
37+
]
38+
39+
violation[{"id": "dependabot_alerts_not_default"}] if {
440
input.dependabot_alerts_enabled_for_new_repositories == false
541
}
642

policies/gh_org_secret_scanning_enabled.rego

Lines changed: 44 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,49 @@
11
package compliance_framework.secret_scanning
22

3-
violation[{}] if {
3+
risk_templates := [
4+
{
5+
"name": "Secret scanning not enabled by default for new repositories",
6+
"title": "New Repositories Created Without Secret Detection Coverage",
7+
"statement": "When secret scanning is not enabled by default at the organization level, any new repository created will lack automatic detection of committed credentials. API keys, tokens, certificates, and passwords pushed to these repositories will go undetected until scanning is manually enabled, leaving an indefinite window during which exposed secrets can be harvested and abused.",
8+
"likelihood_hint": "high",
9+
"impact_hint": "high",
10+
"violation_ids": ["secret_scanning_not_default"],
11+
"threat_refs": [
12+
{
13+
"system": "https://cwe.mitre.org",
14+
"external_id": "CWE-312",
15+
"title": "Cleartext Storage of Sensitive Information",
16+
"url": "https://cwe.mitre.org/data/definitions/312.html"
17+
},
18+
{
19+
"system": "https://cwe.mitre.org",
20+
"external_id": "CWE-522",
21+
"title": "Insufficiently Protected Credentials",
22+
"url": "https://cwe.mitre.org/data/definitions/522.html"
23+
},
24+
{
25+
"system": "https://cwe.mitre.org",
26+
"external_id": "CWE-798",
27+
"title": "Use of Hard-coded Credentials",
28+
"url": "https://cwe.mitre.org/data/definitions/798.html"
29+
}
30+
],
31+
"remediation": {
32+
"title": "Enable secret scanning by default for all new repositories",
33+
"description": "Configure the GitHub organization to automatically enable secret scanning on every new repository. Extend coverage retroactively to existing repositories that currently lack it.",
34+
"tasks": [
35+
{ "title": "Navigate to Organization Settings > Code security and analysis" },
36+
{ "title": "Enable 'Secret scanning' for all new repositories" },
37+
{ "title": "Retroactively enable secret scanning on all existing repositories" },
38+
{ "title": "Review all existing secret scanning alerts and revoke any exposed credentials immediately" },
39+
{ "title": "Configure push protection at the organization level to block secrets before they enter the repository" },
40+
{ "title": "Establish a runbook for responding to secret scanning alerts within an agreed SLA" }
41+
]
42+
}
43+
}
44+
]
45+
46+
violation[{"id": "secret_scanning_not_default"}] if {
447
input.secret_scanning_enabled_for_new_repositories == false
548
}
649

Lines changed: 38 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,44 @@
11
package compliance_framework.teams_privacy_closed
22

3-
violation[{}] if {
3+
risk_templates := [
4+
{
5+
"name": "Organization team is not set to closed visibility",
6+
"title": "Non-Standard Team Visibility Undermines Organizational Auditability and Governance",
7+
"statement": "GitHub teams not set to 'closed' visibility deviate from the organization's standard access control posture. Teams set to 'secret' are invisible to other organization members, which can hide privileged groups from security audits, obscure access control structures, and create shadow administrative boundaries that are difficult to govern. Standardizing all teams on 'closed' visibility ensures that team membership is transparent to organization members while remaining hidden from external actors, enabling consistent security review and access control governance.",
8+
"likelihood_hint": "moderate",
9+
"impact_hint": "moderate",
10+
"violation_ids": ["team_not_closed"],
11+
"threat_refs": [
12+
{
13+
"system": "https://cwe.mitre.org",
14+
"external_id": "CWE-778",
15+
"title": "Insufficient Logging",
16+
"url": "https://cwe.mitre.org/data/definitions/778.html"
17+
},
18+
{
19+
"system": "https://cwe.mitre.org",
20+
"external_id": "CWE-284",
21+
"title": "Improper Access Control",
22+
"url": "https://cwe.mitre.org/data/definitions/284.html"
23+
}
24+
],
25+
"remediation": {
26+
"title": "Set all organization teams to closed (private) visibility",
27+
"description": "Configure every GitHub team in the organization to use 'closed' visibility so that team membership is only visible to organization members, reducing exposure of internal organizational structure.",
28+
"tasks": [
29+
{ "title": "Audit all teams in the organization and identify those not set to 'closed' visibility" },
30+
{ "title": "Update each non-closed team's privacy setting to 'closed' via the GitHub team settings page or API" },
31+
{ "title": "Establish a policy requiring all new teams to be created with 'closed' visibility" },
32+
{ "title": "Automate team visibility auditing using this policy on a scheduled basis" }
33+
]
34+
}
35+
}
36+
]
37+
38+
violation[{"id": "team_not_closed"}] if {
439
some team in input.teams
540
team.privacy != "closed"
641
}
742

8-
title := "All teams are private within the organization"
9-
description := "All teams within the organization must be set to private to ensure sensitive information is not exposed."
43+
title := "All teams use closed visibility within the organization"
44+
description := "All teams within the organization must be set to 'closed' visibility to ensure consistent auditability and prevent hidden privilege groups."

policies/gh_teams_security_found.rego

Lines changed: 38 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,42 @@
11
package compliance_framework.teams_security_found
22

3+
risk_templates := [
4+
{
5+
"name": "No dedicated security team exists in the organization",
6+
"title": "Absence of Security Team Leaves No Clear Ownership for Security Incidents and Risk",
7+
"statement": "Without a dedicated security team in the GitHub organization, there is no identifiable group responsible for managing security incidents, reviewing security-sensitive code changes, enforcing security policies, or providing guidance to developers. This creates an accountability gap where security concerns may go unaddressed, vulnerabilities remain untracked, and incident response is ad hoc and slow.",
8+
"likelihood_hint": "moderate",
9+
"impact_hint": "high",
10+
"violation_ids": ["no_security_team"],
11+
"threat_refs": [
12+
{
13+
"system": "https://cwe.mitre.org",
14+
"external_id": "CWE-657",
15+
"title": "Violation of Secure Design Principles",
16+
"url": "https://cwe.mitre.org/data/definitions/657.html"
17+
},
18+
{
19+
"system": "https://cwe.mitre.org",
20+
"external_id": "CWE-693",
21+
"title": "Protection Mechanism Failure",
22+
"url": "https://cwe.mitre.org/data/definitions/693.html"
23+
}
24+
],
25+
"remediation": {
26+
"title": "Create a dedicated security team in the GitHub organization",
27+
"description": "Establish a named security team in the GitHub organization with defined membership, responsibilities, and CODEOWNERS entries for security-sensitive paths. The team should be the designated point of contact for security incidents, vulnerability disclosures, and security policy enforcement.",
28+
"tasks": [
29+
{ "title": "Create a GitHub team with 'security' in the name (e.g., 'Security', 'security-ops', 'AppSec')" },
30+
{ "title": "Assign appropriate members with security responsibilities to the team" },
31+
{ "title": "Set the team to 'closed' visibility to limit exposure of membership" },
32+
{ "title": "Add the security team as a CODEOWNER for security-sensitive paths (e.g., auth, infra, CI configs)" },
33+
{ "title": "Document the team's responsibilities in the organization's security policy or SECURITY.md" },
34+
{ "title": "Configure GitHub to route security advisories and vulnerability reports to the security team" }
35+
]
36+
}
37+
}
38+
]
39+
340
_team_with_security if {
441
some team in input.teams
542
contains(lower(team.name), "security")
@@ -10,7 +47,7 @@ _team_with_security if {
1047
contains(lower(team.description), "security")
1148
}
1249

13-
violation[{}] if {
50+
violation[{"id": "no_security_team"}] if {
1451
not _team_with_security
1552
}
1653

0 commit comments

Comments
 (0)