turbot/steampipe-mod-github-compliance

Control: 1.1.6 Ensure code owners are set for extra sensitive code or configuration

Description

Code owners are trusted users who are responsible for reviewing and managing an important piece of code or configuration. An organization is advised to set code owners for every piece of extremely sensitive code or configuration.

Rationale

Configuring code owners protects data by verifying that trusted users will notice and review every edit, thus preventing unwanted or malicious changes from potentially compromising sensitive code or configurations.

Note: Code owners receive notifications for every change to the code they own and are automatically requested as reviewers on pull requests that modify it.

Audit

For every code repository in use, ensure code owners are set for sensitive code or configuration.

Remediation

For every code repository in use, identify particularly sensitive parts of code and configurations and set trusted users to be their code owners.
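The audit and remediation steps above leave one practical question open: given a list of sensitive paths, does the repository's CODEOWNERS file actually assign an owner to each of them? The following Python script, written for this page as an added example (it is not part of the Steampipe mod and not GitHub's own code), parses a constructed sample CODEOWNERS file and reports which sensitive paths would reach a pull request with no code owner attached. It follows the matching rules GitHub documents for CODEOWNERS: gitignore-style patterns, the last matching pattern wins, and a pattern with no owner clears ownership. The file contents, team names and paths are all constructed placeholders.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample CODEOWNERS for this example; the team names are
# placeholders, not taken from any real repository.
SAMPLE_CODEOWNERS = """\
# Last matching pattern wins; a pattern with no owner clears ownership.
*.tf                    @example-org/infra
/.github/workflows/     @example-org/ci-admins
/deploy/**/*.tf         @example-org/infra @example-org/security
/deploy/sandbox/
secrets.yaml            @example-org/security
"""

# Paths the organization has decided are "extra sensitive" (constructed).
SENSITIVE_PATHS = [
    ".github/workflows/release.yml",
    "deploy/prod/main.tf",
    "deploy/sandbox/main.tf",
    "config/secrets.yaml",
    "src/billing/charge.go",
]


@dataclass
class Rule:
    pattern: str
    owners: list[str]
    regex: re.Pattern


def compile_pattern(pattern: str) -> re.Pattern:
    """Translate one gitignore-style CODEOWNERS pattern into a regex over repo-relative paths."""
    anchored = pattern.startswith("/")
    dir_only = pattern.endswith("/")
    body = pattern.strip("/")
    # A slash inside the pattern anchors it to the repository root;
    # otherwise the pattern may match at any depth.
    prefix = "^" if anchored or "/" in body else r"^(?:.*/)?"
    parts = []
    i = 0
    while i < len(body):
        if body.startswith("**/", i):
            parts.append(r"(?:.*/)?")  # any number of directory levels
            i += 3
        elif body.startswith("**", i):
            parts.append(r".*")
            i += 2
        elif body[i] == "*":
            parts.append(r"[^/]*")  # wildcard within one path component
            i += 1
        elif body[i] == "?":
            parts.append(r"[^/]")
            i += 1
        else:
            parts.append(re.escape(body[i]))
            i += 1
    # A trailing slash means "everything beneath this directory"; otherwise the
    # pattern owns the named path itself and, if it is a directory, its contents.
    suffix = r"/.*$" if dir_only else r"(?:/.*)?$"
    return re.compile(prefix + "".join(parts) + suffix)


def parse_codeowners(text: str) -> list[Rule]:
    """Parse CODEOWNERS text into rules, skipping blank lines and comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pattern, *owners = line.split()
        rules.append(Rule(pattern, owners, compile_pattern(pattern)))
    return rules


def owners_for(path: str, rules: list[Rule]) -> list[str]:
    """GitHub semantics: the last rule whose pattern matches decides ownership."""
    owners: list[str] = []
    for rule in rules:
        if rule.regex.match(path):
            owners = rule.owners
    return owners


def audit_sensitive_paths(codeowners: str, paths: list[str]) -> dict[str, list[str]]:
    """Map each sensitive path to the owners who would be requested to review it."""
    rules = parse_codeowners(codeowners)
    return {p: owners_for(p, rules) for p in paths}


def unowned_paths(codeowners: str, paths: list[str]) -> list[str]:
    """Sensitive paths that no code owner would be asked to review."""
    return [p for p, o in audit_sensitive_paths(codeowners, paths).items() if not o]


if __name__ == "__main__":
    for path, owners in audit_sensitive_paths(SAMPLE_CODEOWNERS, SENSITIVE_PATHS).items():
        status = "ok   " if owners else "ALARM"
        print(f"{status} {path:35} {' '.join(owners) or '(no code owner)'}")
```

Run against the sample, the script flags `deploy/sandbox/main.tf` (ownership deliberately cleared by the bare `/deploy/sandbox/` line) and `src/billing/charge.go` (matched by no pattern at all). Both are cases where "require review from Code Owners" in branch protection would silently not apply, which is exactly what the branch-protection check in the control below cannot see; to use it on a real repository, replace SAMPLE_CODEOWNERS with the contents of `.github/CODEOWNERS`, `CODEOWNERS` or `docs/CODEOWNERS` from the default branch.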

Usage

Run the control in your terminal:

powerpipe control run github_compliance.control.cis_supply_chain_v100_1_1_6

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run github_compliance.control.cis_supply_chain_v100_1_1_6 --share

SQL

This control uses a named query. For each repository it inspects the branch protection rule on the default branch: the result is ok when the rule requires a code owner review, alarm when a rule exists but does not require one, and info when no branch protection rule is reported for the default branch. Note that the query only checks that branch protection setting; it cannot tell whether a CODEOWNERS file exists or whether its patterns actually cover the sensitive paths, so that part of the audit has to be done in the repository itself.

select
  -- Required Columns
  url as resource,
  case
    -- no branch protection rule reported for the default branch
    when (default_branch_ref -> 'branch_protection_rule') is null then 'info'
    -- the rule requires a review from code owners before merging
    when (default_branch_ref -> 'branch_protection_rule' ->> 'requires_code_owner_reviews')::bool is true then 'ok'
    -- a rule exists but does not require code owner review
    else 'alarm'
  end as status,
  name_with_owner || ' default branch ' || (default_branch_ref ->> 'name') ||
  case
    when (default_branch_ref -> 'branch_protection_rule') is null then ' branch protection rule unknown.'
    when (default_branch_ref -> 'branch_protection_rule' ->> 'requires_code_owner_reviews')::bool is true then ' enforces code owner''s review.'
    else ' does not enforce code owner''s review.'
  end as reason,
  -- Additional Dimensions
  name_with_owner
from
  github_my_repository;

Tags