From 5604baef47c23e76de734bec34408e9efb168649 Mon Sep 17 00:00:00 2001
From: Tal-Legit <154063186+Tal-Legit@users.noreply.github.com>
Date: Mon, 8 Jul 2024 18:01:58 +0300
Subject: [PATCH] feat: modified too many admins policy from flat number to percentage based (#318)

* modified too many admins policy from flat number to percentage based
* type
* Update repository.rego
* Update repository.rego
* changed wording
---
 policies/github/repository.rego | 11 +++++++----
 policies/gitlab/repository.rego | 9 ++++++---
 test/repository_test.go | 16 +++++++++++++---
 3 files changed, 26 insertions(+), 10 deletions(-)

diff --git a/policies/github/repository.rego b/policies/github/repository.rego
index d0078fc2..41e4d2d1 100644
--- a/policies/github/repository.rego
+++ b/policies/github/repository.rego
@@ -31,8 +31,8 @@ repository_not_maintained := false {
 }
 # METADATA
 # scope: rule
-# title: Repository Should Have Fewer Than Three Admins
-# description: Repository admins are highly privileged and could create great damage if they are compromised. It is recommended to limit the number of Repository Admins to the minimum required (recommended maximum 3 admins).
+# title: Repository Should Have A Low Admin Count
+# description: Repository admins are highly privileged and could create great damage if they are compromised. It is recommended to limit the number of repository admins to the minimum required, and no more than 5% of the userbase (Up to 3 admins are always allowed).
 # custom:
 # severity: LOW
 # remediationSteps:
@@ -49,7 +49,10 @@ default repository_has_too_many_admins := true
 repository_has_too_many_admins := false {
 admins := [admin | admin := input.collaborators[_]; admin.permissions.admin]
- count(admins) <= 3
+ adminNum := count(admins)
+ userNum := count(input.collaborators)
+ maxAdmins := max([3, ceil(userNum * 0.05)])
+ adminNum <= maxAdmins
 }
 # METADATA
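Review bot: The new `+# description:` line says "no more than 5% of the userbase", but the rule body in the following hunk divides by `count(input.collaborators)`, i.e. the repository's own collaborator list rather than the organisation's users, so a reader tuning the policy will misjudge what 5% is measured against. Suggest `no more than 5% of the repository's collaborators (a floor of 3 admins is always allowed)`. The new title `Repository Should Have A Low Admin Count` drops the threshold entirely; since the rule now has both a floor and a ratio, a title such as `Repository Should Limit Admins To 5% Of Collaborators (Minimum 3)` keeps findings self-explanatory without relying on the description.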
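Review bot: The cap computed on the `+ maxAdmins := max([3, ceil(userNum * 0.05)])` line has no upper bound, so the permitted admin count grows linearly with the collaborator list: a repository with 1,000 collaborators now passes with 50 admins where the flat rule stopped at 3, which weakens the control precisely for the large repositories where a compromised admin does the most damage. Consider a hard ceiling and named constants that the description can reference, e.g. `min_admins := 3`, `admin_ratio := 0.05`, `maxAdmins := min([hard_admin_cap, max([min_admins, ceil(userNum * admin_ratio)])])`, with a comment stating why 5% was chosen. The denominator is whatever collaborator list the collector hands in; if that list includes org members with inherited access or bot accounts it inflates the base and loosens the cap, which this hunk cannot show and is worth confirming against the collector. The same literals are copied into policies/gitlab/repository.rego in this commit, so any tuning must be applied to both files.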
@@ -739,4 +742,4 @@ default secret_scanning_not_enabled := true
 secret_scanning_not_enabled := false{
 input.security_and_analysis.secret_scanning.status == "enabled"
-}
\ No newline at end of file
+}
diff --git a/policies/gitlab/repository.rego b/policies/gitlab/repository.rego
index 1b08642a..6b6aa5ab 100644
--- a/policies/gitlab/repository.rego
+++ b/policies/gitlab/repository.rego
@@ -26,8 +26,8 @@ project_not_maintained := false {
 # METADATA
 # scope: rule
-# title: Project Should Have Fewer Than Three Owners
-# description: Projects owners are highly privileged and could create great damage if they are compromised. It is recommended to limit the number of Project Owners to the minimum required (recommended maximum 3 admins).
+# title: Project Should Have A Low Owner Count
+# description: Projects owners are highly privileged and could create great damage if they are compromised. It is recommended to limit the number of Project Owners to the minimum required, and no more than 5% of the userbase (Up to 3 owners are always allowed).
 # custom:
 # severity: LOW
 # remediationSteps:
@@ -41,7 +41,10 @@ default project_has_too_many_admins := true
 project_has_too_many_admins := false {
 admins := [admin | admin := input.members[_]; admin.access_level == 50]
- count(admins) <= 3
+ adminNum := count(admins)
+ userNum := count(input.members)
+ maxAdmins := max([3, ceil(userNum * 0.05)])
+ adminNum <= maxAdmins
 }
 # METADATA
diff --git a/test/repository_test.go b/test/repository_test.go
index d9a6dda2..2c239349 100644
--- a/test/repository_test.go
+++ b/test/repository_test.go
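Review bot: The new `+# description:` line keeps the pre-existing typo `Projects owners` (should be `Project owners`), and "5% of the userbase" is misleading here for the same reason as in the GitHub policy: the rule body divides by `count(input.members)`, the project's member list, not the instance's or group's users. Suggest `Project owners are highly privileged and could create great damage if they are compromised. It is recommended to limit the number of Project Owners to the minimum required, and no more than 5% of the project's members (a floor of 3 owners is always allowed).` The title `Project Should Have A Low Owner Count` no longer states any number; `Project Should Limit Owners To 5% Of Members (Minimum 3)` would keep findings readable on their own.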
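Review bot: The denominator on the `+ userNum := count(input.members)` line counts every entry in `input.members` regardless of state, while the numerator counts only `access_level == 50` (Owner); if the collected list includes blocked or deactivated accounts, bots, or members inherited from the parent group, they enlarge the base and raise the permitted Owner count without adding anyone who actually reviews changes. Which members the collector returns depends on the GitLab endpoint it calls and is not visible in this hunk, so either filter the base to active direct members or record the assumption, e.g. `# userNum assumes input.members holds only direct, active members`. As in the GitHub policy, `max([3, ceil(userNum * 0.05)])` has no upper bound, so a 1,000-member project passes with 50 Owners; the literals 3 and 0.05 now live in two files, and naming them (`min_owners := 3`, `owner_ratio := 0.05`) in each keeps the two rules from silently drifting apart.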
@@ -403,11 +403,21 @@ func TestGitlabRepositoryTooManyAdmins(t *testing.T) {
 }
 }
- tmpMember := &gitlab2.ProjectMember{
+ tmpAdminMember := &gitlab2.ProjectMember{
 AccessLevel: 50,
 }
- trueCase := []*gitlab2.ProjectMember{tmpMember, tmpMember, tmpMember, tmpMember}
- falseCase := []*gitlab2.ProjectMember{tmpMember, tmpMember}
+ tmpRegMember := &gitlab2.ProjectMember{
+ AccessLevel: 20,
+ }
+ trueCase := []*gitlab2.ProjectMember{tmpAdminMember, tmpAdminMember, tmpAdminMember, tmpAdminMember}
+ for i := 0; i < 10; i++ {
+ trueCase = append(trueCase, tmpRegMember)
+ }
+ falseCase := []*gitlab2.ProjectMember{tmpAdminMember, tmpAdminMember, tmpAdminMember, tmpAdminMember}
+ for i := 0; i < 57; i++ {
+ falseCase = append(falseCase, tmpRegMember)
+ }
+
 options := map[bool][]*gitlab2.ProjectMember{
 false: falseCase,
 true: trueCase,
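Review bot: The counts 10 and 57 on the `+ for i := 0; i < 10; i++ {` and `+ for i := 0; i < 57; i++ {` lines are unexplained and neither case sits on the threshold, so an off-by-one in the policy's `ceil` or `max` would go unnoticed. Add a comment per case, e.g. `// 4 owners of 14 members: ceil(14*0.05)=1, floor of 3 applies -> 4 > 3, flagged` and `// 4 owners of 61 members: ceil(61*0.05)=4 -> 4 <= 4, allowed`, and add the boundary pair of 60 members (cap stays 3, flagged) against 61 (cap becomes 4, allowed). The diffstat lists 16 changed lines for test/repository_test.go and this hunk accounts for all 13 additions and 3 deletions, so the GitHub policy's new percentage branch gets no test in this commit; if a GitHub counterpart test exists it should receive the same cases. TestGitlabRepositoryTooManyAdmins starts before this hunk and continues after it.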