Merge pull request #3 from compliance-framework/demo-updates

Demo updates

Author: Chris Vermeulen

example-data/testorg-unremediated.json

@@ -1,63 +1,61 @@
 {
-    "organization": {
-        "login": "test-org",
-        "id": 1234567,
-        "node_id": "O_abcdefg",
-        "url": "https://api.github.com/orgs/test-org",
-        "repos_url": "https://api.github.com/orgs/test-org/repos",
-        "events_url": "https://api.github.com/orgs/test-org/events",
-        "hooks_url": "https://api.github.com/orgs/test-org/hooks",
-        "issues_url": "https://api.github.com/orgs/test-org/issues",
-        "members_url": "https://api.github.com/orgs/test-org/members{/member}",
-        "public_members_url": "https://api.github.com/orgs/test-org/public_members{/member}",
-        "avatar_url": "https://avatars.githubusercontent.com/u/1234567?v=4",
-        "description": null,
-        "is_verified": false,
-        "has_organization_projects": true,
-        "has_repository_projects": true,
-        "public_repos": 0,
-        "public_gists": 0,
-        "followers": 0,
-        "following": 0,
-        "html_url": "https://github.com/test-org",
-        "created_at": "2025-04-09T15:36:21Z",
-        "updated_at": "2025-04-09T15:38:25Z",
-        "archived_at": null,
-        "type": "Organization",
-        "total_private_repos": 0,
-        "owned_private_repos": 0,
-        "private_gists": 0,
-        "disk_usage": 0,
-        "collaborators": 0,
-        "billing_email": "test@example.com",
-        "default_repository_permission": "read",
-        "members_can_create_repositories": true,
-        "two_factor_requirement_enabled": false,
-        "members_allowed_repository_creation_type": "all",
-        "members_can_create_public_repositories": true,
-        "members_can_create_private_repositories": true,
-        "members_can_create_internal_repositories": false,
-        "members_can_create_pages": true,
-        "members_can_fork_private_repositories": false,
-        "web_commit_signoff_required": false,
-        "deploy_keys_enabled_for_repositories": false,
-        "members_can_create_public_pages": true,
-        "members_can_create_private_pages": true,
-        "plan": {
-            "name": "free",
-            "space": 976562499,
-            "private_repos": 10000,
-            "filled_seats": 2,
-            "seats": 1
-        },
-        "advanced_security_enabled_for_new_repositories": false,
-        "dependabot_alerts_enabled_for_new_repositories": false,
-        "dependabot_security_updates_enabled_for_new_repositories": false,
-        "dependency_graph_enabled_for_new_repositories": false,
-        "secret_scanning_enabled_for_new_repositories": false,
-        "secret_scanning_push_protection_enabled_for_new_repositories": false,
-        "secret_scanning_push_protection_custom_link_enabled": false,
-        "secret_scanning_push_protection_custom_link": null,
-        "secret_scanning_validity_checks_enabled": false
-    }
+    "login": "test-org",
+    "id": 1234567,
+    "node_id": "O_abcdefg",
+    "url": "https://api.github.com/orgs/test-org",
+    "repos_url": "https://api.github.com/orgs/test-org/repos",
+    "events_url": "https://api.github.com/orgs/test-org/events",
+    "hooks_url": "https://api.github.com/orgs/test-org/hooks",
+    "issues_url": "https://api.github.com/orgs/test-org/issues",
+    "members_url": "https://api.github.com/orgs/test-org/members{/member}",
+    "public_members_url": "https://api.github.com/orgs/test-org/public_members{/member}",
+    "avatar_url": "https://avatars.githubusercontent.com/u/1234567?v=4",
+    "description": null,
+    "is_verified": false,
+    "has_organization_projects": true,
+    "has_repository_projects": true,
+    "public_repos": 0,
+    "public_gists": 0,
+    "followers": 0,
+    "following": 0,
+    "html_url": "https://github.com/test-org",
+    "created_at": "2025-04-09T15:36:21Z",
+    "updated_at": "2025-04-09T15:38:25Z",
+    "archived_at": null,
+    "type": "Organization",
+    "total_private_repos": 0,
+    "owned_private_repos": 0,
+    "private_gists": 0,
+    "disk_usage": 0,
+    "collaborators": 0,
+    "billing_email": "test@example.com",
+    "default_repository_permission": "read",
+    "members_can_create_repositories": true,
+    "two_factor_requirement_enabled": false,
+    "members_allowed_repository_creation_type": "all",
+    "members_can_create_public_repositories": true,
+    "members_can_create_private_repositories": true,
+    "members_can_create_internal_repositories": false,
+    "members_can_create_pages": true,
+    "members_can_fork_private_repositories": false,
+    "web_commit_signoff_required": false,
+    "deploy_keys_enabled_for_repositories": false,
+    "members_can_create_public_pages": true,
+    "members_can_create_private_pages": true,
+    "plan": {
+        "name": "free",
+        "space": 976562499,
+        "private_repos": 10000,
+        "filled_seats": 2,
+        "seats": 1
+    },
+    "advanced_security_enabled_for_new_repositories": false,
+    "dependabot_alerts_enabled_for_new_repositories": false,
+    "dependabot_security_updates_enabled_for_new_repositories": false,
+    "dependency_graph_enabled_for_new_repositories": false,
+    "secret_scanning_enabled_for_new_repositories": false,
+    "secret_scanning_push_protection_enabled_for_new_repositories": false,
+    "secret_scanning_push_protection_custom_link_enabled": false,
+    "secret_scanning_push_protection_custom_link": null,
+    "secret_scanning_validity_checks_enabled": false
 }

example-data/testorg.json

@@ -1,63 +1,61 @@
 {
-    "organization": {
-        "login": "test-org",
-        "id": 1234567,
-        "node_id": "O_abcdefg",
-        "url": "https://api.github.com/orgs/test-org",
-        "repos_url": "https://api.github.com/orgs/test-org/repos",
-        "events_url": "https://api.github.com/orgs/test-org/events",
-        "hooks_url": "https://api.github.com/orgs/test-org/hooks",
-        "issues_url": "https://api.github.com/orgs/test-org/issues",
-        "members_url": "https://api.github.com/orgs/test-org/members{/member}",
-        "public_members_url": "https://api.github.com/orgs/test-org/public_members{/member}",
-        "avatar_url": "https://avatars.githubusercontent.com/u/1234567?v=4",
-        "description": null,
-        "is_verified": false,
-        "has_organization_projects": true,
-        "has_repository_projects": true,
-        "public_repos": 0,
-        "public_gists": 0,
-        "followers": 0,
-        "following": 0,
-        "html_url": "https://github.com/test-org",
-        "created_at": "2025-04-09T15:36:21Z",
-        "updated_at": "2025-04-09T15:38:25Z",
-        "archived_at": null,
-        "type": "Organization",
-        "total_private_repos": 0,
-        "owned_private_repos": 0,
-        "private_gists": 0,
-        "disk_usage": 0,
-        "collaborators": 0,
-        "billing_email": "test@example.com",
-        "default_repository_permission": "read",
-        "members_can_create_repositories": true,
-        "two_factor_requirement_enabled": true,
-        "members_allowed_repository_creation_type": "all",
-        "members_can_create_public_repositories": false,
-        "members_can_create_private_repositories": true,
-        "members_can_create_internal_repositories": true,
-        "members_can_create_pages": false,
-        "members_can_fork_private_repositories": false,
-        "web_commit_signoff_required": true,
-        "deploy_keys_enabled_for_repositories": true,
-        "members_can_create_public_pages": false,
-        "members_can_create_private_pages": true,
-        "plan": {
-            "name": "free",
-            "space": 976562499,
-            "private_repos": 10000,
-            "filled_seats": 2,
-            "seats": 1
-        },
-        "advanced_security_enabled_for_new_repositories": true,
-        "dependabot_alerts_enabled_for_new_repositories": true,
-        "dependabot_security_updates_enabled_for_new_repositories": true,
-        "dependency_graph_enabled_for_new_repositories": true,
-        "secret_scanning_enabled_for_new_repositories": true,
-        "secret_scanning_push_protection_enabled_for_new_repositories": true,
-        "secret_scanning_push_protection_custom_link_enabled": true,
-        "secret_scanning_push_protection_custom_link": null,
-        "secret_scanning_validity_checks_enabled": true
-    }
+    "login": "test-org",
+    "id": 1234567,
+    "node_id": "O_abcdefg",
+    "url": "https://api.github.com/orgs/test-org",
+    "repos_url": "https://api.github.com/orgs/test-org/repos",
+    "events_url": "https://api.github.com/orgs/test-org/events",
+    "hooks_url": "https://api.github.com/orgs/test-org/hooks",
+    "issues_url": "https://api.github.com/orgs/test-org/issues",
+    "members_url": "https://api.github.com/orgs/test-org/members{/member}",
+    "public_members_url": "https://api.github.com/orgs/test-org/public_members{/member}",
+    "avatar_url": "https://avatars.githubusercontent.com/u/1234567?v=4",
+    "description": null,
+    "is_verified": false,
+    "has_organization_projects": true,
+    "has_repository_projects": true,
+    "public_repos": 0,
+    "public_gists": 0,
+    "followers": 0,
+    "following": 0,
+    "html_url": "https://github.com/test-org",
+    "created_at": "2025-04-09T15:36:21Z",
+    "updated_at": "2025-04-09T15:38:25Z",
+    "archived_at": null,
+    "type": "Organization",
+    "total_private_repos": 0,
+    "owned_private_repos": 0,
+    "private_gists": 0,
+    "disk_usage": 0,
+    "collaborators": 0,
+    "billing_email": "test@example.com",
+    "default_repository_permission": "read",
+    "members_can_create_repositories": true,
+    "two_factor_requirement_enabled": true,
+    "members_allowed_repository_creation_type": "all",
+    "members_can_create_public_repositories": false,
+    "members_can_create_private_repositories": true,
+    "members_can_create_internal_repositories": true,
+    "members_can_create_pages": false,
+    "members_can_fork_private_repositories": false,
+    "web_commit_signoff_required": true,
+    "deploy_keys_enabled_for_repositories": true,
+    "members_can_create_public_pages": false,
+    "members_can_create_private_pages": true,
+    "plan": {
+        "name": "free",
+        "space": 976562499,
+        "private_repos": 10000,
+        "filled_seats": 2,
+        "seats": 1
+    },
+    "advanced_security_enabled_for_new_repositories": true,
+    "dependabot_alerts_enabled_for_new_repositories": true,
+    "dependabot_security_updates_enabled_for_new_repositories": true,
+    "dependency_graph_enabled_for_new_repositories": true,
+    "secret_scanning_enabled_for_new_repositories": true,
+    "secret_scanning_push_protection_enabled_for_new_repositories": true,
+    "secret_scanning_push_protection_custom_link_enabled": true,
+    "secret_scanning_push_protection_custom_link": null,
+    "secret_scanning_validity_checks_enabled": true
 }

policies/gh_org_mfa_enabled.rego

@@ -1,15 +1,7 @@
 package compliance_framework.mfa_enabled
-# METADATA
-# title: Github Settings - Organizations - Two Factor Authentication Required
-# description: Ensure that 2FA is enabled for all users within the organization, making it harder for TAs to gain access to the organization's repos and settings
-# custom:
-#   controls:
-#     - <control-id>
-#   schedule: "* * * * *"
-
 
 violation[{}] if {
-    input.organization.two_factor_requirement_enabled == false
+    input.two_factor_requirement_enabled == false
 }
 
 title := "Two Factor Authentication is required at an organization level"
@@ -44,4 +36,12 @@ controls := [
         "class": "SP800-53-enhancement",
         "control-id": "ia-2.2",  # Multi-factor Authentication for Non-privileged Accounts
     },
+    {
+        "class": "OWASP_DSOMM_3",
+        "control-id": "IM-3.10",
+    },
+    {
+        "class": "OWASP_DSOMM_3",
+        "control-id": "IM-3.11",
+    },
 ]

policies/gh_org_mfa_enabled_test.rego

@@ -2,16 +2,12 @@ package compliance_framework.mfa_enabled
 
 test_mfa_enabled if {
     count(violation) == 0 with input as {
-        "organization": {
-            "two_factor_requirement_enabled": true
-        }
+        "two_factor_requirement_enabled": true
     }
 }
 
 test_mfa_violate_if_disabled if {
     count(violation) > 0 with input as {
-        "organization": {
-            "two_factor_requirement_enabled": false
-        }
+        "two_factor_requirement_enabled": false
     }
 }

policies/gh_org_public_repos.rego

@@ -1,21 +1,11 @@
-
 package compliance_framework.public_repos
-# METADATA
-# title: Github Settings - Organizations - Public Repos and Gists
-# description: "The organization should not have any public repos or gists if it is a sensitive organization"
-# custom:
-#   controls:
-#     - <control-id>
-#   schedule: "* * * * *"
-
-
 
 checks["repos"] if {
-	input.organization.public_repos > 0
+	input.public_repos > 0
 }
 
 checks["gists"] if {
-	input.organization.public_gists > 0
+	input.public_gists > 0
 }
 
 violation[{}] if {
@@ -29,4 +19,4 @@ description := "The Organization should not have any public repositories or gist
 # No direct controls in the frameworks at the moment
 # But will be useful when we are mapping ISO 27001, data privacy or custom 
 # IPR frameworks generated either as a standard or a custom catalog
-controls := []
+controls := []

policies/gh_org_public_repos_test.rego

@@ -2,18 +2,14 @@ package compliance_framework.public_repos
 
 test_public_repos_is_zero if {
     count(violation) == 0 with input as {
-        "organization": {
-            "pubic_repos": 0,
-            "public_gists": 0
-        }
+        "pubic_repos": 0,
+        "public_gists": 0
     }
 }
 
 test_public_repos_violate_when_higher if {
     count(violation) > 0 with input as {
-        "organization": {
-            "public_repos": 10,
-            "public_gists": 0
-        }
+        "public_repos": 10,
+        "public_gists": 0
     }
 }