check for admin repo permission before validate branch-protection pol…

…icies (#51)

internal/checks/common/assets/consts.rego

@@ -7,6 +7,7 @@ details := details {
 		"organization_packages_missing_minimal_permissions": "Organization Packages is missing minimal permissions",
 		"organization_premissive_default_repository_permissions": "Organization default permissions are too permissive",
 		"repository_missing_minimal_permissions": "Repository is missing minimal permissions",
+		"repository_missing_minimal_permissions_for_branch_protection": "Repository is missing admin permissions for branch protection settings",
 		"repository_data_is_missing": "Repository is not fetched",
 		"hooks_missing_minimal_permissions": "Organization & Repository Hooks is missing minimal permissions",
 		"linear_history_merge_commit_enabled": "MergeCommit is enabled for repository",

internal/checks/common/assets/permissions.rego

@@ -12,6 +12,12 @@ is_missing_repo_settings_permission {
 	input.Repository.AllowRebaseMerge == null
 }
 
+is_repo_admin {
+	some i in input.Repository.Collaborators
+	i.id == input.AuthorizedUser.id
+	i.permissions.admin == true
+}
+
 is_missing_hooks_permission {
 	missingOrgPerm := to_number(input.Organization.Hooks == null)
 	missingRepoPerm := to_number(input.Repository.Hooks == null)

internal/checks/consts/details.go

@@ -11,7 +11,8 @@ var (
 
 	Details_organization_hooks_missingMinimalPermissions = "Organization Packages is missing minimal permissions"
 
-	Details_repository_missing_minimal_permissions = "Repository is missing minimal permissions"
+	Details_repository_missing_minimal_permissions                 = "Repository is missing minimal permissions"
+	Details_repository_missing_minimal_permissions_for_protections = "Repository is missing admin permissions for branch protection settings"
 
 	Details_pipeline_pipelinesNotScannedForVulnerabilities     = "Pipelines are not scanned for vulnerabilities"
 	Details_dependencies_pipelinesNotScannedForVulnerabilities = "Pipeline dependencies are not scanned for vulnerabilities"

internal/checks/source-code/code-changes/code_changes_test.go

@@ -90,7 +90,18 @@ func TestCodeChangesChecker(t *testing.T) {
 				AssetsMetadata: builders.NewAssetsDataBuilder().WithRepository(builders.NewRepositoryBuilder().WithAdminCollborator(true, 0).Build()).Build(),
 			},
 			Expected: []*checkmodels.CheckRunResult{
-				checkmodels.ToCheckRunResult("1.1.5", checksMetadata.Checks["1.1.5"], checksMetadata.Url, &checkmodels.CheckResult{Status: checkmodels.Unknown}),
+				checkmodels.ToCheckRunResult("1.1.3", checksMetadata.Checks["1.1.3"], checksMetadata.Url, &checkmodels.CheckResult{Status: checkmodels.Unknown, Details: consts.Details_repository_missing_minimal_permissions_for_protections}),
+				checkmodels.ToCheckRunResult("1.1.4", checksMetadata.Checks["1.1.4"], checksMetadata.Url, &checkmodels.CheckResult{Status: checkmodels.Unknown, Details: consts.Details_repository_missing_minimal_permissions_for_protections}),
+				checkmodels.ToCheckRunResult("1.1.5", checksMetadata.Checks["1.1.5"], checksMetadata.Url, &checkmodels.CheckResult{Status: checkmodels.Unknown, Details: consts.Details_repository_missing_minimal_permissions_for_protections}),
+				checkmodels.ToCheckRunResult("1.1.6", checksMetadata.Checks["1.1.6"], checksMetadata.Url, &checkmodels.CheckResult{Status: checkmodels.Unknown, Details: consts.Details_repository_missing_minimal_permissions_for_protections}),
+				checkmodels.ToCheckRunResult("1.1.9", checksMetadata.Checks["1.1.9"], checksMetadata.Url, &checkmodels.CheckResult{Status: checkmodels.Unknown, Details: consts.Details_repository_missing_minimal_permissions_for_protections}),
+				checkmodels.ToCheckRunResult("1.1.10", checksMetadata.Checks["1.1.10"], checksMetadata.Url, &checkmodels.CheckResult{Status: checkmodels.Unknown, Details: consts.Details_repository_missing_minimal_permissions_for_protections}),
+				checkmodels.ToCheckRunResult("1.1.11", checksMetadata.Checks["1.1.11"], checksMetadata.Url, &checkmodels.CheckResult{Status: checkmodels.Unknown, Details: consts.Details_repository_missing_minimal_permissions_for_protections}),
+				checkmodels.ToCheckRunResult("1.1.12", checksMetadata.Checks["1.1.12"], checksMetadata.Url, &checkmodels.CheckResult{Status: checkmodels.Unknown, Details: consts.Details_repository_missing_minimal_permissions_for_protections}),
+				checkmodels.ToCheckRunResult("1.1.14", checksMetadata.Checks["1.1.14"], checksMetadata.Url, &checkmodels.CheckResult{Status: checkmodels.Unknown, Details: consts.Details_repository_missing_minimal_permissions_for_protections}),
+				checkmodels.ToCheckRunResult("1.1.15", checksMetadata.Checks["1.1.15"], checksMetadata.Url, &checkmodels.CheckResult{Status: checkmodels.Unknown, Details: consts.Details_repository_missing_minimal_permissions_for_protections}),
+				checkmodels.ToCheckRunResult("1.1.16", checksMetadata.Checks["1.1.16"], checksMetadata.Url, &checkmodels.CheckResult{Status: checkmodels.Unknown, Details: consts.Details_repository_missing_minimal_permissions_for_protections}),
+				checkmodels.ToCheckRunResult("1.1.17", checksMetadata.Checks["1.1.17"], checksMetadata.Url, &checkmodels.CheckResult{Status: checkmodels.Unknown, Details: consts.Details_repository_missing_minimal_permissions_for_protections}),
 			},
 		},
 		{

internal/checks/source-code/code-changes/rules.rego

@@ -7,6 +7,7 @@ import future.keywords.in
 
 # for repository without branch protection setting
 is_no_branch_protection {
+	permissionslib.is_repo_admin
 	input.BranchProtections == null
 }
 
@@ -47,12 +48,6 @@ is_branch_protection_not_enforced_on_admins {
 	input.BranchProtections.EnforceAdmins.Enabled == false
 }
 
-is_admin {
-	some i in input.Repository.Collaborators
-	i.id == input.AuthorizedUser.id
-	i.permissions.admin == true
-}
-
 is_branch_protection_restrict_force_push {
 	input.BranchProtections.AllowForcePushes == false
 }
@@ -113,6 +108,13 @@ CbPolicy[msg] {
 	msg := {"ids": ["1.1.3", "1.1.4", "1.1.5", "1.1.6", "1.1.9", "1.1.10", "1.1.11", "1.1.12", "1.1.13", "1.1.14", "1.1.15", "1.1.16", "1.1.17"], "status": constsLib.status.Unknown, "details": constsLib.details.repository_missing_minimal_permissions}
 }
 
+#Missing minimal permission for branch protection settings
+CbPolicy[msg] {
+	input.Repository.Collaborators != null
+	not permissionslib.is_repo_admin
+	msg := {"ids": ["1.1.3", "1.1.4", "1.1.5", "1.1.6", "1.1.9", "1.1.10", "1.1.11", "1.1.12", "1.1.14", "1.1.15", "1.1.16", "1.1.17"], "status": constsLib.status.Unknown, "details": constsLib.details.repository_missing_minimal_permissions_for_branch_protection}
+}
+
 #Missing branch protection settings
 CbPolicy[msg] {
 	not utilsLib.is_repository_data_missing
@@ -126,12 +128,6 @@ CbPolicy[msg] {
 	msg := {"ids": ["1.1.5"], "status": constsLib.status.Unknown}
 }
 
-CbPolicy[msg] {
-	input.Repository.Collaborators != null
-	not is_admin
-	msg := {"ids": ["1.1.5"], "status": constsLib.status.Unknown}
-}
-
 CbPolicy[msg] {
 	is_required_pull_request_reviews_disabled
 	msg := {"ids": ["1.1.3", "1.1.4", "1.1.5", "1.1.6"], "status": constsLib.status.Failed}
@@ -153,7 +149,6 @@ CbPolicy[msg] {
 #Looking for default branch protection that doesn't require dismissal rules
 CbPolicy[msg] {
 	not is_no_branch_protection
-	is_admin
 	is_branch_protection_not_requires_dismissal_restrictions
 	msg := {"ids": ["1.1.5"], "status": constsLib.status.Failed}
 }

internal/checks/source-code/contribution-access/rules.rego

@@ -5,11 +5,6 @@ import data.common.permissions as permissionslib
 import data.generic.utils as utilsLib
 import future.keywords.in
 
-# for repository without branch protection setting
-is_no_branch_protection {
-	input.BranchProtections == null
-}
-
 is_2mfa_enforcement_disabled {
 	input.Organization.TwoFactorRequirementEnabled == false
 }