aquasecurity / chain-bench

An open-source tool for auditing your software supply chain stack for security compliance based on a new CIS Software Supply Chain benchmark.
Apache License 2.0
715 stars, 62 forks

chain-bench only works for organizations #31

Closed rgreinho closed 2 years ago

rgreinho commented 2 years ago

Description

When using chain-bench to audit repositories which do not belong to an organization, the process failed.

What did you expect to happen?

As a user I expected the tool to work in a similar way for repositories that do not belong to an organization.

What happened instead?

The audit did not start due to 404 errors being returned since the repository was not part of an organization.

./chain-bench scan --repository-url https://github.com/rgreinho/trauma --access-token $GITHUB_TOKEN -o ./results
2022-06-17 09:08:59 INF 🚩 Fetch Starting
2022-06-17 09:09:00 ERR error in fetching organization error="GET https://api.github.com/orgs/rgreinho: 404 Not Found []"
2022-06-17 09:09:00 INF 🏢 Fetching Organization Settings Finished
2022-06-17 09:09:01 INF 🛢️ Fetching Repository Settings Finished
2022-06-17 09:09:01 INF 🌱 Fetching Branch Protection Settings Finished
2022-06-17 09:09:01 ERR error in fetching members error="GET https://api.github.com/orgs/rgreinho/members: 404 Not Found []"
2022-06-17 09:09:01 ERR Failed to fetch client data error="GET https://api.github.com/orgs/rgreinho/members: 404 Not Found []"
Error: GET https://api.github.com/orgs/rgreinho/members: 404 Not Found []

Additional details (base image name, container registry info...)

Implementation ideas

The type of repository (e.g. User or Organization) could be determined by querying the repo with the Get A Repository endpoint and used to adjust next requests:

$ curl -sL https://api.github.com/repos/rgreinho/trauma | jq .owner.type
"User"
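
One way to implement the idea above, as an added example in Go that is not chain-bench's own code: read `owner.type` from a constructed Get-a-repository response body and schedule the `/orgs/...` calls (the ones returning 404 in the log above) only when the owner is an Organization. The function names and the exact list of planned endpoints are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// ownerFromRepoURL splits a https://github.com/<owner>/<repo> URL into its parts.
func ownerFromRepoURL(raw string) (owner, repo string, err error) {
	path := strings.TrimPrefix(raw, "https://github.com/")
	parts := strings.Split(strings.Trim(path, "/"), "/")
	if path == raw || len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", fmt.Errorf("unexpected repository URL %q", raw)
	}
	return parts[0], strings.TrimSuffix(parts[1], ".git"), nil
}

// ownerTypeFromRepoJSON reads owner.type from a GitHub "Get a repository" body.
func ownerTypeFromRepoJSON(body []byte) (string, error) {
	var r struct {
		Owner struct{ Type string `json:"type"` } `json:"owner"`
	}
	if err := json.Unmarshal(body, &r); err != nil {
		return "", err
	}
	if t := r.Owner.Type; t == "User" || t == "Organization" {
		return t, nil
	}
	return "", fmt.Errorf("unknown owner type %q", r.Owner.Type)
}

// planFetches lists the API calls to schedule; the /orgs/... endpoints that
// 404 in the report above are only added when the owner is an Organization.
func planFetches(owner, repo, ownerType string) []string {
	const api = "https://api.github.com"
	calls := []string{api + "/repos/" + owner + "/" + repo}
	if ownerType == "Organization" {
		calls = append(calls, api+"/orgs/"+owner, api+"/orgs/"+owner+"/members")
	}
	return calls
}

func main() {
	// Constructed sample of the response body for a user-owned repository.
	sample := []byte(`{"owner":{"login":"rgreinho","type":"User"}}`)
	owner, repo, _ := ownerFromRepoURL("https://github.com/rgreinho/trauma")
	typ, _ := ownerTypeFromRepoJSON(sample)
	fmt.Println(planFetches(owner, repo, typ)) // only the /repos/ call for a User
}
```
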

krol3 commented 2 years ago

@morwn this feature will be nice! +1