turbot/github_sherlock


Control: Default branch protections should apply to administrators in each public repository

Description

Branch protections on the default branch should be enforced for administrators too, so that administrators have the same restrictions as other users.

Usage

Run the control in your terminal:

steampipe check github_sherlock.control.public_repo_default_branch_protections_apply_to_admins

Snapshot and share results via Steampipe Cloud:

steampipe login
steampipe check --share github_sherlock.control.public_repo_default_branch_protections_apply_to_admins

SQL

select
  url as resource,
  case
    when (default_branch_ref -> 'branch_protection_rule') is null then 'info'
    when (
      default_branch_ref -> 'branch_protection_rule' ->> 'is_admin_enforced'
    ) = 'true' then 'ok'
    else 'alarm'
  end as status,
  name_with_owner || ' default branch ' || (default_branch_ref ->> 'name') || case
    when (
      default_branch_ref -> 'branch_protection_rule' ->> 'is_admin_enforced'
    ) = 'true' then ' protections apply to admins.'
    when (
      default_branch_ref -> 'branch_protection_rule' ->> 'is_admin_enforced'
    ) = 'false' then ' protections do not apply to admins.'
    -- If not false or true, then null, which means no branch protection rule exists
    else ' branch protection rule unknown.'
  end as reason,
  name_with_owner
from
  github_my_repository
where
  visibility = 'PUBLIC'
  and is_fork = false
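
The status logic of the control above, run against constructed rows so it can be tried without a GitHub connection. This is an added example, not part of the mod: the `sample_repos` CTE and its repository names are made up, and the row whose rule is a JSON `null` is an assumed shape, not one the page says the plugin returns.

```sql
-- Constructed rows standing in for github_my_repository (not real plugin output).
with sample_repos (name_with_owner, default_branch_ref) as (
  values
    -- Rule present, admins included.
    ('example-org/enforced',
     '{"name": "main", "branch_protection_rule": {"is_admin_enforced": true}}'::jsonb),
    -- Rule present, admins can bypass it.
    ('example-org/bypassable',
     '{"name": "main", "branch_protection_rule": {"is_admin_enforced": false}}'::jsonb),
    -- Key absent: the -> operator returns SQL NULL.
    ('example-org/no-rule-key',
     '{"name": "main"}'::jsonb),
    -- Key present with JSON null: -> returns jsonb 'null', which is not SQL NULL,
    -- and ->> on that scalar returns SQL NULL.
    ('example-org/json-null-rule',
     '{"name": "main", "branch_protection_rule": null}'::jsonb)
)
select
  name_with_owner,
  -- Shows which rows the control's first "is null" branch can match.
  (default_branch_ref -> 'branch_protection_rule') is null as rule_is_sql_null,
  default_branch_ref -> 'branch_protection_rule' ->> 'is_admin_enforced' as is_admin_enforced,
  -- Same three-way classification as the control's status column.
  case
    when (default_branch_ref -> 'branch_protection_rule') is null then 'info'
    when (
      default_branch_ref -> 'branch_protection_rule' ->> 'is_admin_enforced'
    ) = 'true' then 'ok'
    else 'alarm'
  end as status
from
  sample_repos
order by
  name_with_owner;
```

The query runs in any PostgreSQL session, including `steampipe query`, because it reads only the inline rows.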
