turbot/github_compliance

Query: default_branch_pipelines_scanners_set_to_prevent_sensitive_data

Usage

powerpipe query github_compliance.query.default_branch_pipelines_scanners_set_to_prevent_sensitive_data

SQL

with repositories as (
select
name_with_owner,
url
from
github_my_repository
order by
name_with_owner
),
pipelines as (
select
name,
repository_full_name,
pipeline
from
github_workflow
where
repository_full_name in (select name_with_owner from repositories)
),
vulnerability_scanner_repos as (
select distinct
p.repository_full_name
from
pipelines as p,
jsonb_array_elements(pipeline -> 'jobs') as job,
jsonb_array_elements(job -> 'steps') as step
where
(step ->> 'type' = 'task'
and (step -> 'task' ->> 'name')::text in (
'argonsecurity/scanner-action',
'aquasecurity/trivy-action',
'zricethezav/gitleaks-action',
'ShiftLeftSecurity/scan-action'
)) or
(step ->> 'type' = 'shell'
and ((step -> 'shell' ->> 'script')::text like glob('spectral.* scan') or
(step -> 'shell' ->> 'script')::text like glob('git secrets --scan') or
(step -> 'shell' ->> 'script')::text like glob('whispers') or
(step -> 'shell' ->> 'script')::text like glob('docker run.* abhartiya/tools_gitallsecrets') or
(step -> 'shell' ->> 'script')::text like glob('detect-secrets.* scan')
))
)
select
-- Required Columns
r.url as resource,
case
when v.repository_full_name is null then 'alarm'
else 'ok'
end as status,
case
when v.repository_full_name is null then 'Scanners are not set to identify and prevent sensitive data in pipeline files.'
else 'Scanners are set to identify and prevent sensitive data in pipeline files.'
end as reason,
-- Additional Dimensions
r.name_with_owner
from
repositories as r
left join vulnerability_scanner_repos as v on r.name_with_owner = v.repository_full_name;

Controls

The query is being used by the following controls: