turbot/github_sherlock

Control: Default branch should block force push in each public repository

Description

Force pushing modifies commit history and should be avoided on the default branch.

Usage

steampipe check github_sherlock.control.public_repo_default_branch_blocks_force_push

Plugins & Tables

SQL

select
  r.full_name as resource,
  case
    when b.allow_force_pushes_enabled = 'false' then 'ok'
    else 'alarm'
  end as status,
  case
    when b.allow_force_pushes_enabled = 'false' then r.full_name || ' default branch ' || b.name || ' prevents force push.'
    when b.allow_force_pushes_enabled = 'true' then r.full_name || ' default branch ' || b.name || ' allows force push.'
    -- Neither true nor false means the b.* columns are null: the left join
    -- found no branch protection rule for main or master in this repository.
    -- The reason is built without b.name here so that it is not itself null.
    else r.full_name || ' default branch is not protected.'
  end as reason,
  r.full_name
from
  github_my_repository as r
  -- The branch filter must sit in the join condition rather than the where
  -- clause: in the where clause it would discard repositories that have no
  -- protection rule at all (b.name is null there), so the 'is not protected'
  -- alarm could never fire.
  left join github_branch_protection as b
    on r.full_name = b.repository_full_name
    and b.name in ('main', 'master')
where
  r.visibility = 'public'
  and r.fork = false