turbot/github_sherlock

Control: Default branch should block force push in each public repository

Description

Force pushing modifies commit history and should be avoided on the default branch.

Usage

Run the control in your terminal:

powerpipe control run github_sherlock.control.public_repo_default_branch_blocks_force_push

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run github_sherlock.control.public_repo_default_branch_blocks_force_push --share

Steampipe Tables

SQL

select
  url as resource,
  case
    when (default_branch_ref -> 'branch_protection_rule') is null then 'info'
    when (
      default_branch_ref -> 'branch_protection_rule' ->> 'allows_force_pushes'
    ) = 'false' then 'ok'
    else 'alarm'
  end as status,
  name_with_owner || ' default branch ' || (default_branch_ref ->> 'name') || case
    when (
      default_branch_ref -> 'branch_protection_rule' ->> 'allows_force_pushes'
    ) = 'false' then ' prevents force push.'
    when (
      default_branch_ref -> 'branch_protection_rule' ->> 'allows_force_pushes'
    ) = 'true' then ' allows force push.'
    -- If not false or true, then null, which means no branch protection rule exists
    else ' branch protection rule unknown.'
  end as reason,
  name_with_owner
from
  github_my_repository
where
  visibility = 'PUBLIC'
  and is_fork = false

Tags