turbot/steampipe-mod-github-compliance

Control: 4.3.4 Ensure webhooks of the package registry are secured

Description

Use secured webhooks of the package registry.

Rationale

Webhooks trigger an HTTP request in response to an action made in the platform. Typically, package registries fire a webhook when a package receives an update. Since a webhook is delivered as an HTTP POST request, its payload can be intercepted or altered in transit if it is not secured over SSL/TLS. To prevent compromise of the webhook, of the registry, or of the web server accepting the request, use only secured webhooks.

Audit

For each webhook in use, ensure it is secured (HTTPS).

Remediation

For each webhook in use, change it to secured (over HTTPS).

Usage

Run the control in your terminal:

powerpipe control run github_compliance.control.cis_supply_chain_v100_4_3_4

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run github_compliance.control.cis_supply_chain_v100_4_3_4 --share

SQL

This control uses a named query:

with hooks_info as (
  select
    login as name,
    url,
    h as hook
  from
    github_my_organization,
    jsonb_array_elements(hooks) h
  union
  select
    name,
    url,
    h as hook
  from
    github_my_repository,
    jsonb_array_elements(hooks) h
)
select
  -- Required Columns
  url as resource,
  case
    when (hook ->> 'active' = 'true'
      and (hook -> 'config' ->> 'insecure_ssl' = '1'
        or hook -> 'config' ->> 'secret' is null
        or hook -> 'config' ->> 'url' not like '%https:%')) then 'alarm'
    else 'ok'
  end as status,
  case
    when (hook ->> 'active' = 'true'
      and (hook -> 'config' ->> 'insecure_ssl' = '1'
        or hook -> 'config' ->> 'secret' is null
        or hook -> 'config' ->> 'url' not like '%https:%')) then (hook ->> 'id') || ' is an insecure hook.'
    else (hook ->> 'id') || ' is a secure hook.'
  end as reason,
  -- Additional Dimensions
  name
from
  hooks_info;
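The query above alarms on three distinct weaknesses (TLS verification disabled, no signing secret, non-HTTPS delivery URL) and deliberately ignores inactive hooks. The following added example, which is not part of the Steampipe mod, re-implements that predicate in Python over constructed webhook JSON shaped like the GitHub REST API hook objects the `hooks` column holds, so each branch can be seen in isolation; the sample hook ids and URLs are made up.

```python
import json

# Constructed sample: five hooks, one per branch of the control.
SAMPLE_HOOKS = json.loads("""
[
  {"id": 1, "active": true,
   "config": {"url": "https://ci.example.com/hook", "insecure_ssl": "0", "secret": "********"}},
  {"id": 2, "active": true,
   "config": {"url": "https://ci.example.com/hook", "insecure_ssl": "1", "secret": "********"}},
  {"id": 3, "active": true,
   "config": {"url": "https://ci.example.com/hook", "insecure_ssl": "0"}},
  {"id": 4, "active": true,
   "config": {"url": "http://ci.example.com/hook", "insecure_ssl": "0", "secret": "********"}},
  {"id": 5, "active": false,
   "config": {"url": "http://ci.example.com/hook", "insecure_ssl": "1"}}
]
""")


def insecure_reasons(hook):
    """Return the findings for one hook, mirroring the SQL predicate.

    An inactive hook never alarms (the control's `active = 'true'` guard);
    an active hook alarms if any of the three config checks fails.
    """
    if not hook.get("active"):
        return []
    config = hook.get("config", {})
    findings = []
    # GitHub returns insecure_ssl as the string "0"/"1"; accept an int as well.
    if str(config.get("insecure_ssl", "0")) == "1":
        findings.append("TLS verification disabled (insecure_ssl=1)")
    # Assumed: the API returns a masked placeholder when a secret is set
    # and omits the key otherwise, which is why the query tests for null.
    if config.get("secret") is None:
        findings.append("no signing secret configured")
    # Same substring test as `not like '%https:%'`; a missing URL is treated as a finding here.
    if "https:" not in (config.get("url") or ""):
        findings.append("delivery URL is not HTTPS")
    return findings


def evaluate(hooks):
    """Map hook id -> (status, reason), like the control's status/reason columns."""
    results = {}
    for hook in hooks:
        findings = insecure_reasons(hook)
        if findings:
            results[hook["id"]] = ("alarm", f"{hook['id']} is an insecure hook: " + "; ".join(findings))
        else:
            results[hook["id"]] = ("ok", f"{hook['id']} is a secure hook.")
    return results
```

Running `evaluate(SAMPLE_HOOKS)` flags hooks 2, 3 and 4 with the specific reason each, while hook 5 stays `ok` despite its weak config because it is inactive, exactly as the SQL behaves.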

Tags