turbot/github_compliance

Control: 1.1.4 Ensure previous approvals are dismissed when updates are introduced to a code change proposal

Description

Ensure that when a proposed code change is updated, previous approvals are declined and new approvals are required.

Rationale

An approval process is necessary when code changes are suggested. Through this approval process, however, changes can still be made to the original proposal even after some approvals have already been given. This means malicious code can find its way into the code base even if the organization has enforced a review policy. To ensure this is not possible, outdated approvals must be declined when changes to the suggestion are introduced.

Note: If new code changes are pushed to a specific proposal, all previously accepted code change proposals must be declined.

Audit

For each code repository in use, validate that each updated code suggestion declines the previously received approvals.

Remediation

For each code repository in use, enforce an organization-wide policy to dismiss given approvals to code change suggestions if those suggestions were updated.

Usage

Run the control in your terminal:

powerpipe control run github_compliance.control.cis_supply_chain_v100_1_1_4

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run github_compliance.control.cis_supply_chain_v100_1_1_4 --share

SQL

This control uses a named query:

default_branch_must_dismiss_stale_approvals

Tags