Query: default_branch_pipelines_scanners_set_to_prevent_sensitive_data
Usage
powerpipe query github_compliance.query.default_branch_pipelines_scanners_set_to_prevent_sensitive_data
Steampipe Tables
github_my_repository
github_workflow
SQL
with repositories as (
  select
    name_with_owner,
    url
  from
    github_my_repository
  order by
    name_with_owner
),
pipelines as (
  select
    name,
    repository_full_name,
    pipeline
  from
    github_workflow
  where
    repository_full_name in (select name_with_owner from repositories)
),
-- Repositories with at least one workflow step that runs a secret scanner,
-- either as a marketplace action (step type 'task') or as a shell command
-- (step type 'shell').
secret_scanner_repos as (
  select distinct
    p.repository_full_name
  from
    pipelines as p,
    jsonb_array_elements(p.pipeline -> 'jobs') as job,
    jsonb_array_elements(job -> 'steps') as step
  where
    (
      step ->> 'type' = 'task'
      and (step -> 'task' ->> 'name') in (
        'argonsecurity/scanner-action',
        'aquasecurity/trivy-action',
        'zricethezav/gitleaks-action',
        'ShiftLeftSecurity/scan-action'
      )
    )
    or (
      step ->> 'type' = 'shell'
      and (
        -- The patterns are regular expressions, so match them with the
        -- POSIX regex operator. LIKE (with or without glob() translation)
        -- treats '.' literally and would match 'whispers' only as the
        -- entire script.
        (step -> 'shell' ->> 'script') ~ 'spectral.* scan'
        or (step -> 'shell' ->> 'script') ~ 'git secrets --scan'
        or (step -> 'shell' ->> 'script') ~ 'whispers'
        or (step -> 'shell' ->> 'script') ~ 'docker run.* abhartiya/tools_gitallsecrets'
        or (step -> 'shell' ->> 'script') ~ 'detect-secrets.* scan'
      )
    )
)
select
  -- Required Columns
  r.url as resource,
  case
    when s.repository_full_name is null then 'alarm'
    else 'ok'
  end as status,
  case
    when s.repository_full_name is null then 'Scanners are not set to identify and prevent sensitive data in pipeline files.'
    else 'Scanners are set to identify and prevent sensitive data in pipeline files.'
  end as reason,
  -- Additional Dimensions
  r.name_with_owner
from
  repositories as r
  left join secret_scanner_repos as s on r.name_with_owner = s.repository_full_name;
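The following is an added example, not part of the github_compliance mod: it replays the query's matching logic over constructed rows that stand in for github_workflow.pipeline, so the check can be exercised on plain PostgreSQL without Steampipe. The repository names and workflow contents are hypothetical, and the shell-script patterns are matched with PostgreSQL's `~` regex operator.

```sql
-- Added example (not the mod's own code). Constructed sample rows standing in
-- for github_workflow.pipeline; repository names are hypothetical.
-- Runs on any PostgreSQL 12+ session.
with sample_workflows(repository_full_name, pipeline) as (
  values
    -- 1. marketplace secret scanner used as a 'task' step -> ok
    ('example-org/api', '{"jobs": [{"name": "ci", "steps": [
        {"type": "task", "task": {"name": "actions/checkout", "version": "v4"}},
        {"type": "task", "task": {"name": "zricethezav/gitleaks-action", "version": "v2"}}
      ]}]}'::jsonb),
    -- 2. scanner invoked from a 'shell' step -> ok
    ('example-org/web', '{"jobs": [{"name": "ci", "steps": [
        {"type": "shell", "shell": {"script": "pip install detect-secrets\ndetect-secrets scan --baseline .secrets.baseline"}}
      ]}]}'::jsonb),
    -- 3. no scanner anywhere in the pipeline -> alarm
    ('example-org/infra', '{"jobs": [{"name": "ci", "steps": [
        {"type": "task", "task": {"name": "actions/checkout", "version": "v4"}},
        {"type": "shell", "shell": {"script": "terraform validate"}}
      ]}]}'::jsonb),
    -- 4. substring false positive: 'whispers' matches anywhere in the script
    ('example-org/docs', '{"jobs": [{"name": "ci", "steps": [
        {"type": "shell", "shell": {"script": "echo \"whispers of change\" >> CHANGELOG.md"}}
      ]}]}'::jsonb)
),
-- The same predicate the compliance query applies, run over the sample rows.
secret_scanner_repos as (
  select distinct
    w.repository_full_name
  from
    sample_workflows as w,
    jsonb_array_elements(w.pipeline -> 'jobs') as job,
    jsonb_array_elements(job -> 'steps') as step
  where
    (
      step ->> 'type' = 'task'
      and (step -> 'task' ->> 'name') in (
        'argonsecurity/scanner-action',
        'aquasecurity/trivy-action',
        'zricethezav/gitleaks-action',
        'ShiftLeftSecurity/scan-action'
      )
    )
    or (
      step ->> 'type' = 'shell'
      and (
        (step -> 'shell' ->> 'script') ~ 'spectral.* scan'
        or (step -> 'shell' ->> 'script') ~ 'git secrets --scan'
        or (step -> 'shell' ->> 'script') ~ 'whispers'
        or (step -> 'shell' ->> 'script') ~ 'docker run.* abhartiya/tools_gitallsecrets'
        or (step -> 'shell' ->> 'script') ~ 'detect-secrets.* scan'
      )
    )
)
select
  w.repository_full_name,
  case when s.repository_full_name is null then 'alarm' else 'ok' end as status
from
  (select distinct repository_full_name from sample_workflows) as w
  left join secret_scanner_repos as s
    on w.repository_full_name = s.repository_full_name
order by
  w.repository_full_name;
```

Rows 1 and 2 come back `ok` and row 3 `alarm`, as intended. Row 4 also comes back `ok` even though nothing in that workflow scans for secrets, because the `whispers` pattern is an unanchored substring match. The check establishes only that a known scanner name appears somewhere in a workflow file; it does not verify that the scanner runs on pushes to the default branch, that its job is a required status check, or that a finding actually blocks the merge, so treat an `ok` here as a necessary rather than sufficient condition and pair it with the branch-protection status-check query.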
Controls
The query is being used by the following controls: