Query: repo_deletion_limited_to_trusted_users
Usage
powerpipe query github_compliance.query.repo_deletion_limited_to_trusted_users
Steampipe Tables
SQL
-- $1 is a text[] query parameter: the logins that are removed from each
-- repository's admin list before counting (the trusted users).
with repo_admins as (
  -- One row per repository with the logins of all ADMIN collaborators.
  select
    distinct name_with_owner,
    array_agg(user_login) as admins
  from
    github_my_repository r
    join github_repository_collaborator c
      on r.name_with_owner = c.repository_full_name
      and c.permission = 'ADMIN'
  group by
    name_with_owner
)
select
  -- Required Columns
  r.url as resource,
  case
    when jsonb_array_length(to_jsonb(admins) - $1::text[]) > 0 then 'alarm'
    else 'ok'
  end as status,
  case
    when jsonb_array_length(to_jsonb(admins) - $1::text[]) > 2 then concat(
      'Repository deletion permission allowed to untrusted users ',
      to_jsonb(admins) - $1::text[] #>> '{0}',
      ', ',
      to_jsonb(admins) - $1::text[] #>> '{1}',
      ' and ',
      (jsonb_array_length(to_jsonb(admins) - $1::text[]) - 2)::text,
      ' more.'
    )
    when jsonb_array_length(to_jsonb(admins) - $1::text[]) = 2 then concat(
      'Repository deletion permission allowed to untrusted users ',
      to_jsonb(admins) - $1::text[] #>> '{0}',
      ' and ',
      to_jsonb(admins) - $1::text[] #>> '{1}',
      '.'
    )
    when jsonb_array_length(to_jsonb(admins) - $1::text[]) = 1 then concat(
      'Repository deletion permission allowed to untrusted user ',
      to_jsonb(admins) - $1::text[] #>> '{0}',
      '.'
    )
    else 'Repository deletion permission limited to trusted users.'
  end as reason,
  -- Additional Dimensions
  r.name_with_owner
from
  github_my_repository as r
  left join repo_admins as a on r.name_with_owner = a.name_with_owner;
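The following is an added example, not part of the compliance mod: it runs the query's core expression in plain PostgreSQL over constructed rows, so the status logic can be checked without a GitHub connection. The `trusted` CTE stands in for the `$1` parameter, and every repository and login name is made up. It covers two edge cases: the jsonb `-` text[] operator matches strings exactly, so a login that differs only in letter case from its trusted entry is still reported, and a repository with no ADMIN collaborators (a NULL admin list after the left join) falls through to 'ok'.

```sql
-- Constructed sample data; repository and login names are illustrative only.
with trusted(logins) as (
  -- Stand-in for the $1 parameter of the original query.
  values (array['alice', 'bob']::text[])
),
repo_admins(name_with_owner, admins) as (
  values
    ('acme/api',   array['alice', 'bob']::text[]),      -- every admin is trusted
    ('acme/web',   array['alice', 'mallory']::text[]),  -- one admin is not in the list
    ('acme/infra', array['Alice']::text[]),             -- differs from 'alice' only by case
    ('acme/docs',  null::text[])                        -- no ADMIN collaborators found
)
select
  a.name_with_owner,
  -- Admin logins left over after removing the trusted ones.
  to_jsonb(a.admins) - t.logins as untrusted_admins,
  case
    when jsonb_array_length(to_jsonb(a.admins) - t.logins) > 0 then 'alarm'
    else 'ok'
  end as status
from
  repo_admins as a
  cross join trusted as t
order by
  a.name_with_owner;
```

Because the comparison is an exact string match, the trusted list has to carry each login with the same letter case the collaborator table reports.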
Controls
The query is being used by the following controls: