turbot/github_sherlock

Control: Default branch protections should apply to administrators in each public repository

Description

Administrators should have the same restrictions as other users for the default branch.

Usage

steampipe check github_sherlock.control.public_repo_default_branch_protections_apply_to_admins

Plugins & Tables

SQL

select
  r.full_name as resource,
  case
    when b.enforce_admins_enabled = 'true' then 'ok'
    else 'alarm'
  end as status,
  r.full_name || ' default branch ' || b.name ||
    case
      when b.enforce_admins_enabled = 'true' then ' protections apply to admins.'
      when b.enforce_admins_enabled = 'false' then ' protections do not apply to admins.'
      -- If not false or true, then null, which means no branch protection rule exists
      else ' is not protected.'
    end as reason,
  r.full_name
from
  github_my_repository as r
  left join github_branch_protection as b on r.full_name = b.repository_full_name
where
  -- The b.name filter sits in the where clause, so rows where the left join
  -- found no rule (b.name is null) are filtered out of the results.
  visibility = 'public' and r.fork = false and b.name in ('main', 'master')
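
The control's three outcomes can be checked offline. The following is an added example, not part of the mod: it loads constructed rows into in-memory SQLite tables that mirror only the columns the query above uses, and it differs from the query above by placing the branch-name filter in the join condition, so a public repository with no rule is reported as an alarm. The `example-org/*` repositories, the shortened reason strings and the `evaluate` function are assumptions made for the example.

```python
import sqlite3

# Constructed sample rows; SQLite stands in for Steampipe's Postgres tables.
REPOS = [  # (full_name, visibility, fork)
    ("example-org/api", "public", 0),
    ("example-org/web", "public", 0),
    ("example-org/docs", "public", 0),        # public, no protection rule
    ("example-org/internal", "private", 0),   # out of scope: private
    ("example-org/forked-lib", "public", 1),  # out of scope: fork
]
RULES = [  # (repository_full_name, name, enforce_admins_enabled)
    ("example-org/api", "main", 1),
    ("example-org/web", "master", 0),
    ("example-org/internal", "main", 0),
]

QUERY = """
select
  r.full_name as resource,
  case when b.enforce_admins_enabled = 1 then 'ok' else 'alarm' end as status,
  case
    when b.enforce_admins_enabled = 1 then 'protections apply to admins'
    when b.enforce_admins_enabled = 0 then 'protections do not apply to admins'
    else 'not protected'  -- the left join matched no rule
  end as reason
from github_my_repository as r
left join github_branch_protection as b
  on r.full_name = b.repository_full_name
  and b.name in ('main', 'master')  -- in ON, not WHERE: unprotected repos stay
where r.visibility = 'public' and r.fork = 0
order by r.full_name
"""

def evaluate(repos=REPOS, rules=RULES):
    """Return {repo: (status, reason)} for public, non-fork repositories."""
    db = sqlite3.connect(":memory:")
    db.execute("create table github_my_repository "
               "(full_name text, visibility text, fork integer)")
    db.execute("create table github_branch_protection "
               "(repository_full_name text, name text, enforce_admins_enabled integer)")
    db.executemany("insert into github_my_repository values (?, ?, ?)", repos)
    db.executemany("insert into github_branch_protection values (?, ?, ?)", rules)
    return {name: (status, reason) for name, status, reason in db.execute(QUERY)}

if __name__ == "__main__":
    for repo, (status, reason) in evaluate().items():
        print(f"{status:5} {repo}: {reason}")
```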