turbot/steampipe-mod-github-compliance

Control: 1.2.1 Ensure all public repositories contain a SECURITY.md file

Description

A SECURITY.md file is a security policy file that gives instructions on how to report security vulnerabilities in a project. When someone opens a new issue in the repository, GitHub shows a link to the SECURITY.md file.

Rationale

A SECURITY.md file provides users with crucial security information. It can also serve an important role in project maintenance, encouraging users to think ahead about how to properly handle potential security issues, updates, and general security practices.

Audit

For each repository in use, verify that it has a SECURITY.md file in the documents or root directory of the repository.

Remediation

For each repository in use, create a SECURITY.md file and save it in the documents or root directory of the repository.
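The audit and remediation steps above, as an added example that is not part of the steampipe-mod-github-compliance mod or of the CIS benchmark: a POSIX shell helper that runs against a local clone of a repository. It checks for a SECURITY.md in the locations GitHub recognises for community health files (the repository root, `docs/` and `.github/`, which goes beyond the page's "documents or root" wording), reports the same `alarm`/`ok` status the control produces, and writes a minimal policy when none exists. The function names, the policy template and the `security@example.com` contact address are assumptions, not anything the mod or GitHub defines.

```shell
#!/bin/sh
# Added example, not code from the steampipe-mod-github-compliance mod.
# Assumption: GitHub accepts a security policy file named SECURITY.md (any
# letter case) in the repository root, in docs/ or in .github/.

# has_security_policy DIR
# Returns 0 and prints the path when the clone at DIR contains a SECURITY.md
# in one of the recognised locations; returns 1 otherwise.
has_security_policy() {
    repo_dir="$1"
    for sub in "" "docs" ".github"; do
        candidate=$(find "$repo_dir/$sub" -maxdepth 1 -type f -iname 'SECURITY.md' 2>/dev/null | head -n 1)
        if [ -n "$candidate" ]; then
            echo "$candidate"
            return 0
        fi
    done
    return 1
}

# audit_repo DIR [NAME]
# Mirrors the control's output: 'ok <name> with SECURITY.md file' or
# 'alarm <name> without SECURITY.md file'. Returns 1 on alarm.
audit_repo() {
    repo_dir="$1"
    name="${2:-$(basename "$repo_dir")}"
    if path=$(has_security_policy "$repo_dir"); then
        echo "ok $name with SECURITY.md file ($path)"
        return 0
    fi
    echo "alarm $name without SECURITY.md file"
    return 1
}

# create_security_policy DIR [CONTACT]
# Remediation: writes a minimal SECURITY.md into the repository root unless a
# policy already exists. CONTACT defaults to a placeholder address; replace it
# with the project's real disclosure contact.
create_security_policy() {
    repo_dir="$1"
    contact="${2:-security@example.com}"   # placeholder, not a real address
    target="$repo_dir/SECURITY.md"
    if has_security_policy "$repo_dir" >/dev/null; then
        echo "security policy already present, nothing to do" >&2
        return 0
    fi
    cat > "$target" <<EOF
# Security Policy

## Reporting a Vulnerability

Please report suspected vulnerabilities privately to $contact.
Do not open a public issue for security problems.

## Supported Versions

Only the latest release receives security fixes.
EOF
    echo "$target"
}

# Usage: sh security_md_check.sh /path/to/clone
if [ -n "${1:-}" ]; then
    audit_repo "$1"
fi
```

Run it with the path of a clone as the first argument to get the audit line; call `create_security_policy` with the same path (and your real contact address) to remediate. Because `has_security_policy` matches the file name case-insensitively and looks in all three directories, a `docs/security.md` counts as compliant, which is the same behaviour as the GitHub community profile the control queries.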

Usage

Run the control in your terminal:

powerpipe control run github_compliance.control.cis_supply_chain_v100_1_2_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run github_compliance.control.cis_supply_chain_v100_1_2_1 --share

SQL

This control uses a named query:

select
  -- Required Columns
  r.url as resource,
  case
    when p.security is null then 'alarm'
    else 'ok'
  end as status,
  r.name_with_owner || case when (p.security is not null) then ' with ' else ' without ' end || 'SECURITY.md file.' as reason,
  -- Additional Dimensions
  r.name_with_owner
from
  github_my_repository as r
  -- the community profile reports the SECURITY.md GitHub detected, if any
  left join github_community_profile as p on r.name_with_owner = p.repository_full_name
where
  -- only public, non-fork repositories are in scope for this control
  r.visibility = 'PUBLIC'
  and r.is_fork = false;

Tags