Control: Default branch should block force push in each public repository
Description
Force pushing modifies commit history and should be avoided on the default branch.
Usage
Run the control in your terminal:
steampipe check github_sherlock.control.public_repo_default_branch_blocks_force_push
Snapshot and share results via Steampipe Cloud:
steampipe login
steampipe check --share github_sherlock.control.public_repo_default_branch_blocks_force_push
Plugins & Tables
SQL
select
  url as resource,
  case
    when (default_branch_ref -> 'branch_protection_rule') is null then 'info'
    when (
      default_branch_ref -> 'branch_protection_rule' ->> 'allows_force_pushes'
    ) = 'false' then 'ok'
    else 'alarm'
  end as status,
  name_with_owner || ' default branch ' || (default_branch_ref ->> 'name') || case
    when (
      default_branch_ref -> 'branch_protection_rule' ->> 'allows_force_pushes'
    ) = 'false' then ' prevents force push.'
    when (
      default_branch_ref -> 'branch_protection_rule' ->> 'allows_force_pushes'
    ) = 'true' then ' allows force push.'
    -- If not false or true, then null, which means no branch protection rule exists
    else ' branch protection rule unknown.'
  end as reason,
  name_with_owner
from
  github_my_repository
where
  visibility = 'PUBLIC'
  and is_fork = false