
Commit 709fbb1

committed
fix: forgot to add files after rename
Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
1 parent 09e2bd8 commit 709fbb1

2 files changed

Lines changed: 123 additions & 0 deletions


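--- /dev/null
+++ b/policies/gh_org_owner_count.rego
@@ -0,0 +1,83 @@
+package compliance_framework.owner_count
+
+risk_templates := [
+{
+"name": "Excessive number of organization owners",
+"title": "Too Many Organization Owners Increases Blast Radius of Privileged Account Compromise",
+"statement": "Organization owners in GitHub hold the highest level of privilege: they can modify security settings, manage all members and teams, access all repositories, and permanently delete the organization. Granting owner access to more than 5 individuals significantly increases the attack surface for privilege abuse, insider threats, and account compromise scenarios. Limiting ownership to a small, well-controlled set ensures that elevated access is deliberately granted and periodically reviewed.",
+"likelihood_hint": "moderate",
+"impact_hint": "high",
+"violation_ids": ["too_many_owners"],
+"threat_refs": [
+{
+"system": "https://cwe.mitre.org",
+"external_id": "CWE-269",
+"title": "Improper Privilege Management",
+"url": "https://cwe.mitre.org/data/definitions/269.html"
+},
+{
+"system": "https://cwe.mitre.org",
+"external_id": "CWE-284",
+"title": "Improper Access Control",
+"url": "https://cwe.mitre.org/data/definitions/284.html"
+}
+],
+"remediation": {
+"title": "Reduce organization owner count to 5 or fewer",
+"description": "Review the list of organization owners and remove owner access from any accounts that do not require it. Prefer using team-based admin roles for day-to-day administrative tasks, reserving full organization ownership for a minimal set of accountable individuals.",
+"tasks": [
+{ "title": "Navigate to Organization Settings > People > Owners" },
+{ "title": "Review the business justification for each owner account" },
+{ "title": "Downgrade any owners who do not require full organization-level privileges to member or team maintainer roles" },
+{ "title": "Ensure remaining owners have MFA enabled and use strong authentication" },
+{ "title": "Schedule a periodic review of organization ownership at least annually" }
+]
+}
+},
+{
+"name": "Organization owner data is missing",
+"title": "Missing Organization Owner Telemetry Prevents Privileged Access Review",
+"statement": "When the organization owner list is missing from collected GitHub data, the policy cannot verify whether ownership is limited to a small, accountable group. Missing owner telemetry can hide excessive privileged access and prevents reviewers from confirming that organization-level administrative authority is appropriately governed.",
+"likelihood_hint": "moderate",
+"impact_hint": "high",
+"violation_ids": ["owners_missing"],
+"threat_refs": [
+{
+"system": "https://cwe.mitre.org",
+"external_id": "CWE-269",
+"title": "Improper Privilege Management",
+"url": "https://cwe.mitre.org/data/definitions/269.html"
+},
+{
+"system": "https://cwe.mitre.org",
+"external_id": "CWE-284",
+"title": "Improper Access Control",
+"url": "https://cwe.mitre.org/data/definitions/284.html"
+}
+],
+"remediation": {
+"title": "Collect organization owner data before evaluating owner-count posture",
+"description": "Update the GitHub organization data collector or input mapping so the policy receives the current list of organization owners. Re-run the policy after owner telemetry is present to verify that the owner count is compliant.",
+"tasks": [
+{ "title": "Verify that the GitHub token can read organization owner membership" },
+{ "title": "Populate the input owners field with current organization owners" },
+{ "title": "Re-run the owner-count policy after collection succeeds" },
+{ "title": "Review the collected owner list for stale or unnecessary owner access" }
+]
+}
+}
+]
+
+_owners := object.get(input, "owners", [])
+
+violation[{"id": "owners_missing"}] if {
+not "owners" in object.keys(input)
+}
+
+violation[{"id": "too_many_owners"}] if {
+count(_owners) > 5
+}
+
+title := "Organization has 5 or fewer owners"
+description := "The number of GitHub organization owners should not exceed 5 to limit the blast radius of a privileged account compromise and ensure that elevated access is deliberately granted and regularly reviewed."
+remarks := "More information: https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#organization-owners"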
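Review bot: The owners_missing rule on line 74 only tests for the absence of the `owners` key, so an input whose `owners` is present but null or not an array (a collector that emitted the field without content, for instance) fires neither violation: `object.get` on line 71 returns the non-array value, `count(_owners)` on line 78 is undefined, and the policy reports the organization as compliant. Testing the shape rather than the key closes that fail-open path and still fires when the key is absent: `violation[{"id": "owners_missing"}] if {` / `not is_array(input.owners)` / `}`. The file contains no `import rego.v1` or `import future.keywords` line, which the `if` and `in` keywords on lines 73 and 74 need on OPA releases before 1.0; if the target OPA is 1.0 or later that import is unnecessary, but the v1 spelling of a multi-value rule is `violation contains {"id": "owners_missing"} if {`, and the same applies to line 77. The limit 5 is written on line 78 and repeated in prose on lines 7, 26, 81 and 82; a named constant such as `max_owners := 5` used on line 78 would keep the rule and the risk templates from drifting apart.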
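--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,40 @@
+package compliance_framework.owner_count
+
+test_owner_count_compliant if {
+count(violation) == 0 with input as {
+"owners": [
+{"login": "admin1"},
+{"login": "admin2"},
+{"login": "admin3"}
+]
+}
+}
+
+test_owner_count_at_limit if {
+count(violation) == 0 with input as {
+"owners": [
+{"login": "admin1"},
+{"login": "admin2"},
+{"login": "admin3"},
+{"login": "admin4"},
+{"login": "admin5"}
+]
+}
+}
+
+test_owner_count_exceeded if {
+count(violation) > 0 with input as {
+"owners": [
+{"login": "admin1"},
+{"login": "admin2"},
+{"login": "admin3"},
+{"login": "admin4"},
+{"login": "admin5"},
+{"login": "admin6"}
+]
+}
+}
+
+test_owner_count_missing_owners if {
+count(violation) > 0 with input as {}
+}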
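Review bot: test_owner_count_exceeded and test_owner_count_missing_owners (lines 25 and 38) assert only `count(violation) > 0`, so each would still pass if the wrong rule fired, since both rules emit into the same `violation` set. Asserting the specific member pins which rule is exercised: replace line 26 with `violation[{"id": "too_many_owners"}] with input as {` and line 39 with `violation[{"id": "owners_missing"}] with input as {}`. There is also no case for an `owners` value that is present but null or not an array, which is the input shape a partially failed collector is most likely to produce; a test expecting a violation for `{"owners": null}` would document the intended behavior for that input and currently fails against the policy as written.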
