turbot/steampipe-mod-github-compliance

Control: 1.2.4 Ensure issue deletion is limited to specific users

Description

Ensure only trusted and responsible users can delete issues.

Rationale

Issues are a way to keep track of things happening in repositories, such as setting new milestones or requesting urgent fixes. Deleting an issue is not a benign activity: it can disrupt the development workflow or be used to hide malicious activity. Because of this, deletion should be restricted and allowed only for trusted and responsible users.

Note: Certain users will not be permitted to delete issues.

Audit

Verify that only trusted and responsible users can delete issues.

Remediation

Restrict issue deletion to a few trusted and responsible users only.

Usage

Run the control in your terminal:

powerpipe control run github_compliance.control.cis_supply_chain_v100_1_2_4

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run github_compliance.control.cis_supply_chain_v100_1_2_4 --share

SQL

This control uses a named query:

with repo_admins as (
  -- Collect, per repository, the logins that hold ADMIN permission;
  -- these are the collaborators able to delete issues.
  select distinct
    name_with_owner,
    array_agg(user_login) as admins
  from
    github_my_repository r
    join github_repository_collaborator c
      on r.name_with_owner = c.repository_full_name
      and c.permission = 'ADMIN'
  group by
    name_with_owner
)
select
  -- Required Columns
  r.url as resource,
  -- $1 is the trusted_issue_admins list; subtracting it from the admin
  -- array (jsonb - text[]) leaves only the untrusted admins.
  case
    when jsonb_array_length(to_jsonb(admins) - $1::text[]) > 0 then 'alarm'
    else 'ok'
  end as status,
  case
    when jsonb_array_length(to_jsonb(admins) - $1::text[]) > 2
      then concat('Repository issue deletion permission allowed to untrusted users ', to_jsonb(admins) - $1::text[] #>> '{0}', ', ', to_jsonb(admins) - $1::text[] #>> '{1}', ' and ', (jsonb_array_length(to_jsonb(admins) - $1::text[]) - 2)::text, ' more.')
    when jsonb_array_length(to_jsonb(admins) - $1::text[]) = 2
      then concat('Repository issue deletion permission allowed to untrusted users ', to_jsonb(admins) - $1::text[] #>> '{0}', ' and ', to_jsonb(admins) - $1::text[] #>> '{1}', '.')
    when jsonb_array_length(to_jsonb(admins) - $1::text[]) = 1
      then concat('Repository issue deletion permission allowed to untrusted user ', to_jsonb(admins) - $1::text[] #>> '{0}', '.')
    else 'Repository issue deletion permission limited to trusted users.'
  end as reason,
  -- Additional Dimensions
  r.name_with_owner
from
  github_my_repository as r
  left join repo_admins as a on r.name_with_owner = a.name_with_owner;
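To see how the set difference in the query behaves before running it against a real account, here is an added example (not part of the mod) that applies the same status logic in plain PostgreSQL to constructed sample rows; the repository and user names are made up, and `array['alice']` stands in for the `$1` parameter.

```sql
-- Constructed sample data standing in for github_my_repository and
-- github_repository_collaborator (no real repositories or users).
with sample_repo as (
  select * from (values
    ('https://github.com/example-org/app',   'example-org/app'),
    ('https://github.com/example-org/docs',  'example-org/docs'),
    ('https://github.com/example-org/empty', 'example-org/empty')
  ) as t(url, name_with_owner)
),
sample_collab as (
  select * from (values
    ('example-org/app',  'alice', 'ADMIN'),
    ('example-org/app',  'bob',   'ADMIN'),
    ('example-org/app',  'carol', 'ADMIN'),
    ('example-org/app',  'dave',  'WRITE'),   -- WRITE cannot delete issues, filtered out
    ('example-org/docs', 'alice', 'ADMIN')
  ) as t(repository_full_name, user_login, permission)
),
trusted as (
  -- The value that would normally arrive as $1 (trusted_issue_admins)
  select array['alice']::text[] as logins
),
repo_admins as (
  -- jsonb - text[] removes every login that appears in the trusted list
  select
    c.repository_full_name as name_with_owner,
    to_jsonb(array_agg(c.user_login order by c.user_login)) - t.logins as untrusted
  from sample_collab c
  cross join trusted t
  where c.permission = 'ADMIN'
  group by c.repository_full_name, t.logins
)
select
  r.name_with_owner,
  coalesce(jsonb_array_length(a.untrusted), 0) as untrusted_count,
  -- A repository with no ADMIN rows yields NULL here, which resolves to 'ok'
  case when jsonb_array_length(a.untrusted) > 0 then 'alarm' else 'ok' end as status,
  a.untrusted
from sample_repo r
left join repo_admins a on r.name_with_owner = a.name_with_owner
order by r.name_with_owner;
-- example-org/app   | 2 | alarm | ["bob", "carol"]
-- example-org/docs  | 0 | ok    | []
-- example-org/empty | 0 | ok    | (null)
```

With the mod's default of `[""]` nothing is subtracted (no login is the empty string), so every repository with at least one ADMIN collaborator reports `alarm` until the variable is set.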

Params

Args | Name                 | Default | Description                                      | Variable
$1   | trusted_issue_admins | [""]    | A list of GitHub users allowed to delete issues. |

Tags