feat: modified too many admins policy from flat number to percentage …

…based (#318) * modified too many admins policy from flat number to percentage based * type * Update repository.rego * Update repository.rego * changed wording
Legit-Labs · Jul 8, 2024 · 5604bae · 5604bae
1 parent e583b66
commit 5604bae
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 10 deletions.
diff --git a/policies/github/repository.rego b/policies/github/repository.rego
@@ -31,8 +31,8 @@ repository_not_maintained := false {
 }
 # METADATA
 # scope: rule
-# title: Repository Should Have Fewer Than Three Admins
-# description: Repository admins are highly privileged and could create great damage if they are compromised. It is recommended to limit the number of Repository Admins to the minimum required (recommended maximum 3 admins).
+# title: Repository Should Have A Low Admin Count
+# description: Repository admins are highly privileged and could create great damage if they are compromised. It is recommended to limit the number of repository admins to the minimum required, and no more than 5% of the userbase (Up to 3 admins are always allowed).
 # custom:
 #   severity: LOW
 #   remediationSteps:
@@ -49,7 +49,10 @@ default repository_has_too_many_admins := true
 
 repository_has_too_many_admins := false {
 	admins := [admin | admin := input.collaborators[_]; admin.permissions.admin]
-	count(admins) <= 3
+	adminNum := count(admins)
+	userNum := count(input.collaborators)
+	maxAdmins := max([3, ceil(userNum * 0.05)])
+	adminNum <= maxAdmins
 }
 
 # METADATA
@@ -739,4 +742,4 @@ default secret_scanning_not_enabled := true
 
 secret_scanning_not_enabled := false{
     input.security_and_analysis.secret_scanning.status == "enabled"
-}
+}
diff --git a/policies/gitlab/repository.rego b/policies/gitlab/repository.rego
@@ -26,8 +26,8 @@ project_not_maintained := false {
 
 # METADATA
 # scope: rule
-# title: Project Should Have Fewer Than Three Owners
-# description: Projects owners are highly privileged and could create great damage if they are compromised. It is recommended to limit the number of Project Owners to the minimum required (recommended maximum 3 admins).
+# title: Project Should Have A Low Owner Count
+# description: Projects owners are highly privileged and could create great damage if they are compromised. It is recommended to limit the number of Project Owners to the minimum required, and no more than 5% of the userbase (Up to 3 owners are always allowed).
 # custom:
 #   severity: LOW
 #   remediationSteps:
@@ -41,7 +41,10 @@ default project_has_too_many_admins := true
 
 project_has_too_many_admins := false {
 	admins := [admin | admin := input.members[_]; admin.access_level == 50]
-	count(admins) <= 3
+	adminNum := count(admins)
+	userNum := count(input.members)
+	maxAdmins := max([3, ceil(userNum * 0.05)])
+	adminNum <= maxAdmins
 }
 
 # METADATA

diff --git a/test/repository_test.go b/test/repository_test.go
@@ -403,11 +403,21 @@ func TestGitlabRepositoryTooManyAdmins(t *testing.T) {
 		}
 	}
 
-	tmpMember := &gitlab2.ProjectMember{
+	tmpAdminMember := &gitlab2.ProjectMember{
 		AccessLevel: 50,
 	}
-	trueCase := []*gitlab2.ProjectMember{tmpMember, tmpMember, tmpMember, tmpMember}
-	falseCase := []*gitlab2.ProjectMember{tmpMember, tmpMember}
+	tmpRegMember := &gitlab2.ProjectMember{
+		AccessLevel: 20,
+	}
+	trueCase := []*gitlab2.ProjectMember{tmpAdminMember, tmpAdminMember, tmpAdminMember, tmpAdminMember}
+	for i := 0; i < 10; i++ {
+		trueCase = append(trueCase, tmpRegMember)
+	}
+	falseCase := []*gitlab2.ProjectMember{tmpAdminMember, tmpAdminMember, tmpAdminMember, tmpAdminMember}
+	for i := 0; i < 57; i++ {
+		falseCase = append(falseCase, tmpRegMember)
+	}
+
 	options := map[bool][]*gitlab2.ProjectMember{
 		false: falseCase,
 		true:  trueCase,