turbot/github_sherlock
GitHub

Control: Default branch should block force push in each private repository

Description

Force pushing modifies commit history and should be avoided on the default branch.

Usage

Run the control in your terminal:

steampipe check github_sherlock.control.private_repo_default_branch_blocks_force_push

Snapshot and share results via Steampipe Cloud:

steampipe login
steampipe check --share github_sherlock.control.private_repo_default_branch_blocks_force_push

Plugins & Tables

SQL

select
  url as resource,
  case
    when (default_branch_ref -> 'branch_protection_rule') is null then 'info'
    when (
      default_branch_ref -> 'branch_protection_rule' ->> 'allows_force_pushes'
    ) = 'false' then 'ok'
    else 'alarm'
  end as status,
  name_with_owner || ' default branch ' || (default_branch_ref ->> 'name') || case
    when (
      default_branch_ref -> 'branch_protection_rule' ->> 'allows_force_pushes'
    ) = 'false' then ' prevents force push.'
    when (
      default_branch_ref -> 'branch_protection_rule' ->> 'allows_force_pushes'
    ) = 'true' then ' allows force push.'
    -- If not false or true, then null, which means no branch protection rule exists
    else ' branch protection rule unknown.'
  end as reason,
  name_with_owner
from
  github_my_repository
where
  visibility = 'PRIVATE'
  and is_fork = false
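The following is an added example, not code from the github_sherlock mod: the control's classification logic applied to constructed rows that mimic the columns of github_my_repository, so it can be run on plain PostgreSQL without the Steampipe GitHub plugin. The CTE name sample_repos, the repository names and the URLs are made up. One constructed row carries branch_protection_rule as a JSON null rather than omitting the key, to show a PostgreSQL jsonb property the control depends on: a jsonb null is not a SQL NULL, so that row falls through to alarm with the "unknown" reason instead of info. Which of the two forms the plugin emits for a branch without a rule is not stated on this page.

```sql
-- Added example (not part of the github_sherlock mod): run the control's
-- status and reason expressions over constructed repository rows.
with sample_repos(url, name_with_owner, visibility, is_fork, default_branch_ref) as (
  values
    -- rule present, force push disabled -> ok
    ('https://github.com/example-org/api',   'example-org/api',   'PRIVATE', false,
     '{"name": "main", "branch_protection_rule": {"allows_force_pushes": false}}'::jsonb),
    -- rule present, force push enabled -> alarm
    ('https://github.com/example-org/web',   'example-org/web',   'PRIVATE', false,
     '{"name": "main", "branch_protection_rule": {"allows_force_pushes": true}}'::jsonb),
    -- key absent: "->" yields SQL NULL -> info
    ('https://github.com/example-org/tools', 'example-org/tools', 'PRIVATE', false,
     '{"name": "develop"}'::jsonb),
    -- key present as JSON null: "->" yields jsonb 'null', not SQL NULL -> alarm, reason "unknown"
    ('https://github.com/example-org/infra', 'example-org/infra', 'PRIVATE', false,
     '{"name": "main", "branch_protection_rule": null}'::jsonb),
    -- fork: excluded by the where clause
    ('https://github.com/example-org/fork',  'example-org/fork',  'PRIVATE', true,
     '{"name": "main"}'::jsonb),
    -- public repository: excluded by the where clause
    ('https://github.com/example-org/site',  'example-org/site',  'PUBLIC',  false,
     '{"name": "main"}'::jsonb)
)
select
  url as resource,
  case
    when (default_branch_ref -> 'branch_protection_rule') is null then 'info'
    when (
      default_branch_ref -> 'branch_protection_rule' ->> 'allows_force_pushes'
    ) = 'false' then 'ok'
    else 'alarm'
  end as status,
  name_with_owner || ' default branch ' || (default_branch_ref ->> 'name') || case
    when (
      default_branch_ref -> 'branch_protection_rule' ->> 'allows_force_pushes'
    ) = 'false' then ' prevents force push.'
    when (
      default_branch_ref -> 'branch_protection_rule' ->> 'allows_force_pushes'
    ) = 'true' then ' allows force push.'
    else ' branch protection rule unknown.'
  end as reason,
  -- jsonb_typeof makes the absent-key / JSON-null difference visible in the output
  jsonb_typeof(default_branch_ref -> 'branch_protection_rule') as rule_json_type
from
  sample_repos
where
  visibility = 'PRIVATE'
  and is_fork = false
order by
  name_with_owner;
```

Four rows come back: example-org/api is ok, example-org/web is alarm ("allows force push."), example-org/tools is info with rule_json_type NULL, and example-org/infra is alarm with rule_json_type "null" and the reason "branch protection rule unknown.". If an inventory shows many private repositories in that last shape, the null-rule case, not a misconfigured rule, is the likely cause, and the fix on the GitHub side is the same as for info: add a branch protection rule for the default branch.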

Tags