Control: 1.2.3 Ensure repository deletion is limited to specific users
Description
Ensure only a limited number of trusted users can delete repositories.
Rationale
Restricting the ability to delete repositories protects the organization from intentional and unintentional data loss. A user who does not hold the required privilege cannot delete a repository or cause similar damage, whether by accident or because their account has been compromised.
Note: Users outside the trusted set will no longer be able to delete repositories.
Audit
Verify that only a limited number of trusted users can delete repositories. Deleting a repository on GitHub requires the admin role on that repository, so list the collaborators with ADMIN permission on each repository and confirm that every one of them is on the trusted list; the query in the SQL section below performs this check using the github_my_repository and github_repository_collaborator tables. For organization-owned repositories, also check the organization setting "Allow members to delete or transfer repositories": when it is disabled, only organization owners can delete repositories, regardless of repository-level admin permission.
Remediation
Limit the admin role on each repository to a small set of trusted, accountable users and pass that set to the control as the trusted_repo_admins parameter. For organization-owned repositories, consider disabling the organization setting "Allow members to delete or transfer repositories", which restricts deletion to organization owners.
Usage
Run the control in your terminal:
powerpipe control run github_compliance.control.cis_supply_chain_v100_1_2_3
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run github_compliance.control.cis_supply_chain_v100_1_2_3 --share
SQL
This control uses a named query. It aggregates the ADMIN collaborators of each repository into an array, removes every login in the trusted list ($1, the trusted_repo_admins parameter) with the jsonb minus text[] operator, and raises an alarm if any admin remains. Because array_agg is not ordered, the names shown in the reason text may vary between runs.

```sql
with repo_admins as (
  select
    distinct name_with_owner,
    array_agg(user_login) as admins
  from
    github_my_repository r
    join github_repository_collaborator c on r.name_with_owner = c.repository_full_name
    and c.permission = 'ADMIN'
  group by
    name_with_owner
)
select
  -- Required Columns
  r.url as resource,
  case
    when jsonb_array_length(to_jsonb(admins) - $1::text[]) > 0 then 'alarm'
    else 'ok'
  end as status,
  case
    when jsonb_array_length(to_jsonb(admins) - $1::text[]) > 2 then concat(
      'Repository deletion permission allowed to untrusted users ',
      to_jsonb(admins) - $1::text[] #>> '{0}',
      ', ',
      to_jsonb(admins) - $1::text[] #>> '{1}',
      ' and ',
      (jsonb_array_length(to_jsonb(admins) - $1::text[]) - 2)::text,
      ' more.'
    )
    when jsonb_array_length(to_jsonb(admins) - $1::text[]) = 2 then concat(
      'Repository deletion permission allowed to untrusted users ',
      to_jsonb(admins) - $1::text[] #>> '{0}',
      ' and ',
      to_jsonb(admins) - $1::text[] #>> '{1}',
      '.'
    )
    when jsonb_array_length(to_jsonb(admins) - $1::text[]) = 1 then concat(
      'Repository deletion permission allowed to untrusted user ',
      to_jsonb(admins) - $1::text[] #>> '{0}',
      '.'
    )
    else 'Repository deletion permission limited to trusted users.'
  end as reason,
  -- Additional Dimensions
  r.name_with_owner
from
  github_my_repository as r
  left join repo_admins as a on r.name_with_owner = a.name_with_owner;
```
Params
| Args | Name | Default | Description | Variable |
|---|---|---|---|---|
| $1 | trusted_repo_admins | | A list of GitHub users allowed to delete repositories. | |
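The following is an added example, not part of the Powerpipe mod, that reproduces the control's check against constructed sample data so it can be run in any PostgreSQL 10 or later session without Steampipe. The CTEs my_repository, repository_collaborator and trusted are stand-ins for the github_my_repository and github_repository_collaborator tables and for the $1 parameter; the repositories and logins in them are made up. The reason column is simplified to list every untrusted admin rather than the first two, and the array is sorted so the output is deterministic.

```sql
-- Added example (not the mod's own query): trusted-admin check on constructed data.
with my_repository(name_with_owner, url) as (
  values
    ('acme/payments', 'https://github.com/acme/payments'),
    ('acme/docs',     'https://github.com/acme/docs'),
    ('acme/infra',    'https://github.com/acme/infra')
),
repository_collaborator(repository_full_name, user_login, permission) as (
  values
    ('acme/payments', 'alice',   'ADMIN'),
    ('acme/payments', 'bob',     'ADMIN'),
    ('acme/payments', 'mallory', 'ADMIN'),   -- not on the trusted list
    ('acme/payments', 'carol',   'WRITE'),   -- WRITE cannot delete, so it is ignored
    ('acme/docs',     'alice',   'ADMIN'),
    ('acme/docs',     'dave',    'ADMIN'),   -- not on the trusted list
    ('acme/docs',     'eve',     'ADMIN'),   -- not on the trusted list
    ('acme/docs',     'frank',   'ADMIN'),   -- not on the trusted list
    ('acme/infra',    'alice',   'ADMIN')
),
trusted(logins) as (
  values (array['alice', 'bob']::text[])     -- stands in for $1 (trusted_repo_admins)
),
repo_admins as (
  -- One jsonb array of ADMIN logins per repository, sorted for stable output.
  select
    c.repository_full_name as name_with_owner,
    to_jsonb(array_agg(c.user_login order by c.user_login)) as admins
  from repository_collaborator c
  where c.permission = 'ADMIN'
  group by c.repository_full_name
),
untrusted as (
  -- jsonb - text[] removes every element of the text array from the jsonb array,
  -- leaving only the admins that are not on the trusted list. coalesce covers
  -- repositories with no ADMIN collaborator rows, where the subtraction is null.
  select
    r.name_with_owner,
    r.url,
    coalesce(a.admins - t.logins, '[]'::jsonb) as untrusted_admins
  from my_repository r
  left join repo_admins a on a.name_with_owner = r.name_with_owner
  cross join trusted t
)
select
  url as resource,
  case when jsonb_array_length(untrusted_admins) > 0 then 'alarm' else 'ok' end as status,
  case
    when jsonb_array_length(untrusted_admins) = 0
      then 'Repository deletion permission limited to trusted users.'
    else concat(
      'Repository deletion permission allowed to untrusted user(s) ',
      (select string_agg(x.login, ', ')
         from jsonb_array_elements_text(untrusted_admins) as x(login)),
      '.')
  end as reason,
  name_with_owner
from untrusted
order by name_with_owner;
```

With this sample data, acme/docs and acme/payments are reported as alarm (dave, eve, frank and mallory respectively hold ADMIN without being trusted) and acme/infra as ok. To try it against real data in Steampipe, replace the three stand-in CTEs with the github_my_repository and github_repository_collaborator tables and your own trusted list.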