steampipe plugin install github

Table: github_branch_protection - Query GitHub Branch Protections using SQL

GitHub Branch Protection is a feature within GitHub that allows you to define certain rules for branches, particularly those that are part of the project's deployment process. These rules can include required status checks, required pull request reviews, and restrictions on who can push to the branch. Branch Protection helps maintain code integrity by enforcing workflow policies and preventing force pushes and accidental deletions.

Table Usage Guide

The github_branch_protection table provides insights into branch protection rules within GitHub. As a DevOps engineer or a repository manager, explore branch-specific details through this table, including the enforcement of status checks, pull request reviews, and push restrictions. Utilize it to uncover information about branch protections, such as those with strict requirements, the enforcement of signed commits, and the restrictions on who can push to the branch.

Important Notes

  • You must specify the repository_full_name column in where or join clause to query the table.

Examples

List all branch protection rules for a repository

Explore the safety measures applied to a specific repository to understand its level of protection against unauthorized changes.

select
*
from
github_branch_protection
where
repository_full_name = 'turbot/steampipe';
select
*
from
github_branch_protection
where
repository_full_name = 'turbot/steampipe';

Get a single branch protection rule by node id

Explore the specific rules and restrictions applied to a particular branch in a GitHub repository. This can be useful for understanding how different branches are managed and protected, and to ensure compliance with best practices for code review and collaboration.

select
node_id,
matching_branches,
is_admin_enforced,
allows_deletions,
allows_force_pushes,
blocks_creations,
creator_login,
dismisses_stale_reviews,
lock_allows_fetch_and_merge,
lock_branch,
require_last_push_approval,
requires_approving_reviews,
requires_commit_signatures,
restricts_pushes,
push_allowance_apps,
push_allowance_apps,
push_allowance_users
from
github_branch_protection
where
node_id = 'BPR_xxXXXX0X0X0XXXX0';
select
node_id,
matching_branches,
is_admin_enforced,
allows_deletions,
allows_force_pushes,
blocks_creations,
creator_login,
dismisses_stale_reviews,
lock_allows_fetch_and_merge,
lock_branch,
require_last_push_approval,
requires_approving_reviews,
requires_commit_signatures,
restricts_pushes,
push_allowance_apps,
push_allowance_apps,
push_allowance_users
from
github_branch_protection
where
node_id = 'BPR_xxXXXX0X0X0XXXX0';

List branch protection rules which are not currently utilised

Determine the areas in which branch protection rules are not being used within the 'turbot/steampipe' repository. This can help in identifying unused rules and optimizing the repository's security configuration.

select
*
from
github_branch_protection
where
repository_full_name = 'turbot/steampipe'
and matching_branches = 0;
select
*
from
github_branch_protection
where
repository_full_name = 'turbot/steampipe'
and matching_branches = 0;

Get repositories that require signed commits for merging

Explore which branches in the 'turbot/steampipe' repository have a policy requiring signed commits for merging. This can help maintain code integrity by ensuring only verified changes are merged.

select
repository_full_name,
pattern,
matching_branches
from
github_branch_protection
where
repository_full_name = 'turbot/steampipe'
and requires_commit_signatures = true;
select
repository_full_name,
pattern,
matching_branches
from
github_branch_protection
where
repository_full_name = 'turbot/steampipe'
and requires_commit_signatures = 1;

Schema for github_branch_protection

NameTypeOperatorsDescription
_ctxjsonbSteampipe context in JSON form.
allows_deletionsbooleanIf true, allow users with push access to delete matching branches.
allows_force_pushesbooleanIf true, permit force pushes for all users with push access.
blocks_creationsbooleanIf true, indicates that branch creation is a protected operation.
bypass_force_push_allowance_appsjsonbApplications can force push to the branch only if in this list.
bypass_force_push_allowance_teamsjsonbTeams can force push to the branch only if in this list.
bypass_force_push_allowance_usersjsonbUsers can force push to the branch only if in this list.
bypass_pull_request_allowance_appsjsonbApplications can bypass pull requests to the branch only if in this list.
bypass_pull_request_allowance_teamsjsonbTeams can bypass pull requests to the branch only if in this list.
bypass_pull_request_allowance_usersjsonbUsers can bypass pull requests to the branch only if in this list.
creator_logintextThe login of the user whom created the branch protection rule.
dismisses_stale_reviewsbooleanIf true, new commits pushed to matching branches dismiss pull request review approvals.
idbigintThe ID of the branch protection rule.
is_admin_enforcedbooleanIf true, enforce all configured restrictions for administrators.
lock_allows_fetch_and_mergebooleanIf true, users can pull changes from upstream when the branch is locked.
lock_branchbooleanIf true, matching branches are read-only and cannot be pushed to.
login_idtext=, !=, ~~, ~~*, !~~, !~~*Unique identifier for the user login.
matching_branchesbigintCount of branches which match this rule.
node_idtext=The Node ID of the branch protection rule.
patterntextThe protection rule pattern.
push_allowance_appsjsonbApplications can push to the branch only if in this list.
push_allowance_teamsjsonbTeams can push to the branch only if in this list.
push_allowance_usersjsonbUsers can push to the branch only if in this list.
repository_full_nametext=The full name of the repository (login/repo-name).
require_last_push_approvalbooleanIf true, the most recent push must be approved by someone other than the person who pushed it.
required_approving_review_countbigintNumber of approving reviews required to update matching branches.
required_deployment_environmentsjsonbList of required deployment environments that must be deployed successfully to update matching branches.
required_status_checksjsonbStatus checks that must pass before a branch can be merged into branches matching this rule.
requires_approving_reviewsbooleanIf true, approving reviews required to update matching branches.
requires_code_owner_reviewsbooleanIf true, reviews from code owners are required to update matching branches.
requires_commit_signaturesbooleanIf true, commits are required to be signed by verified signatures.
requires_conversation_resolutionbooleanIf true, requires all comments on the pull request to be resolved before it can be merged to a protected branch.
requires_deploymentsbooleanIf true, matching branches require deployment to specific environments before merging.
requires_linear_historybooleanIf true, prevent merge commits from being pushed to matching branches.
requires_status_checksbooleanIf true, status checks are required to update matching branches.
requires_strict_status_checksbooleanIf true, branches required to be up to date before merging.
restricts_pushesbooleanIf true, pushing to matching branches is restricted.
restricts_review_dismissalsbooleanIf true, review dismissals are restricted.
sp_connection_nametext=, !=, ~~, ~~*, !~~, !~~*Steampipe connection name.
sp_ctxjsonbSteampipe context in JSON form.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- github

You can pass the configuration to the command with the --config argument:

steampipe_export_github --config '<your_config>' github_branch_protection