turbot/github_compliance

Control: 2.3.5 Ensure access to build process triggering is minimized

Description

Restrict access to pipeline triggers.

Rationale

Build pipelines are used for multiple reasons. Some are very sensitive, such as pipelines that deploy to production. In order to protect the environment from malicious acts or human mistakes, such as a developer deploying a bug to production, it is important to apply the "principle of least privilege" to pipeline triggering. This principle requires restricting which users can run which pipeline. It allows sensitive pipelines to be run only by administrators, who are generally the most trusted and skilled members of the organization.

Audit

For every pipeline in use, verify only the necessary users have permission to trigger it.

Remediation

For every pipeline in use, grant only the necessary users permission to trigger it.

Usage

Run the control in your terminal:

powerpipe control run github_compliance.control.cis_supply_chain_v100_2_3_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run github_compliance.control.cis_supply_chain_v100_2_3_5 --share

SQL

This control uses a named query:

org_default_repo_permission_none_read

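As an added example (not the mod's own query text), the following Steampipe SQL shows the shape of the check that the query name describes: each organization is reported as ok when its default repository permission is none or read, and as alarm when the default grants more, since a broad default lets every member touch the repositories, and with them the workflows, that the pipelines run from. The table github_my_organization and the column default_repo_permission are assumptions about the Steampipe GitHub plugin.

```sql
-- Added example, not the query shipped in turbot/github_compliance.
-- Assumes the Steampipe GitHub plugin exposes github_my_organization
-- with a default_repo_permission column (values such as none, read,
-- write, admin). Output follows the resource/status/reason shape that
-- Powerpipe controls expect.
select
  login as resource,
  case
    when default_repo_permission is null then 'error'
    when default_repo_permission in ('none', 'read') then 'ok'
    else 'alarm'
  end as status,
  case
    when default_repo_permission is null then
      login || ' default repository permission could not be determined.'
    else
      login || ' default repository permission is ' || default_repo_permission || '.'
  end as reason
from
  github_my_organization
order by
  status,
  login;
```

Run it with steampipe query in a workspace where the GitHub plugin is configured; an alarm row means the organization-wide default, rather than per-repository grants, decides who can reach the pipelines.
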
Tags