default_branch_all_build_steps_as_codedefault_branch_blocks_force_pushdefault_branch_code_change_review_dismissal_restrictionsdefault_branch_must_dismiss_stale_approvalsdefault_branch_pipeline_locks_external_dependencies_for_build_processdefault_branch_pipeline_must_have_jobs_with_sbom_generationdefault_branch_pipelines_scan_for_vulnerabilitiesdefault_branch_pipelines_scanners_set_to_prevent_sensitive_datadefault_branch_protections_apply_to_adminsdefault_branch_requires_2_pull_request_reviewsdefault_branch_requires_code_owners_reviewdefault_branch_requires_signed_commitsdefault_branch_requires_status_checksdefault_branch_restrict_push_and_mergedefault_branch_setting_block_deletionorg_default_repo_permission_noneorg_default_repo_permission_none_readorg_domain_verifiedorg_member_mfa_enabledorg_members_cannot_create_reposorg_minimum_administrators_setorg_two_factor_requiredpublic_repo_has_security_md_filerepo_delete_branch_on_merge_enabledrepo_deletion_limited_to_trusted_usersrepo_inactive_members_reviewrepo_inactive_more_than_90_daysrepo_issue_deletion_limited_to_trusted_usersrepo_linear_history_enabledrepo_no_open_commentsrepo_open_branches_are_upto_date_before_mergerepo_should_have_two_adminsrepo_webhook_package_registery_security_settings_enabled
Query: default_branch_pipelines_scan_for_vulnerabilities
Usage
powerpipe query github_compliance.query.default_branch_pipelines_scan_for_vulnerabilities
Steampipe Tables
SQL
with repositories as ( select name_with_owner, url from github_my_repository order by name_with_owner),pipelines as ( select name, repository_full_name, pipeline from github_workflow where repository_full_name in (select name_with_owner from repositories)),vulnerability_task_repos as ( select distinct p.repository_full_name from pipelines as p, jsonb_array_elements(pipeline -> 'jobs') as job, jsonb_array_elements(job -> 'steps') as step where step ->> 'type' = 'task' and (step -> 'task' ->> 'name')::text in ( 'argonsecurity/scanner-action', 'aquasecurity/trivy-action' ))select -- Required Columns r.url as resource, case when v.repository_full_name is null then 'alarm' else 'ok' end as status, case when v.repository_full_name is null then 'Automated vulnerabilities scanning is not set for pipelines.' else 'Automated vulnerabilities scanning is set for pipelines.' end as reason, -- Additional Dimensions r.name_with_ownerfrom repositories as r left join vulnerability_task_repos as v on r.name_with_owner = v.repository_full_name;
Controls
The query is being used by the following controls: