aquasecurity / chain-bench

An open-source tool for auditing your software supply chain stack for security compliance based on a new CIS Software Supply Chain benchmark.
Apache License 2.0

False positives in control `1.2.3` and control `1.2.4` #81

Open karanpopat opened 1 year ago

karanpopat commented 1 year ago

Description

For controls 1.2.3 and 1.2.4 it always shows PASSED, irrespective of the setting in GitHub.

```
1.2.3    Ensure repository deletion is limited to specific members    Passed
1.2.4    Ensure issue deletion is limited to specific members         Passed
```

Additional details in case it does not expose sensitive data (scanned pipeline files, PR, etc):

Here's the snippet from mapper.go which denotes the value has been hard-coded for the setting.

Reference GitHub setting snapshot which allows users to restrict/allow repository deletion and issue deletion -

[image: GitHub organization settings snapshot showing the repository deletion and issue deletion options]
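The failure mode reported above, a control whose result is hard-coded rather than derived from the organization's settings, is easy to illustrate and easy to guard against. The following Go program is an added example written for this thread; it is not chain-bench's own code, and the `OrgSettings` fields, the `restricted` helper and the `Unknown` status are assumptions chosen for the illustration, not fields of the GitHub API. It evaluates controls 1.2.3 and 1.2.4 against a constructed settings object and shows why a check that ignores its input can only ever report `Passed`, while a check that cannot read the setting should say so explicitly instead of defaulting to a pass.

```go
package main

import "fmt"

// Status is the outcome of one benchmark control.
type Status string

const (
	Passed  Status = "Passed"
	Failed  Status = "Failed"
	Unknown Status = "Unknown" // the data needed to decide was not available
)

// OrgSettings is a hypothetical, constructed view of the two organization
// settings the controls depend on. A nil pointer means the value could not
// be fetched, which must not silently turn into a pass.
type OrgSettings struct {
	MembersCanDeleteRepositories *bool
	AdminsCanDeleteIssues        *bool
}

// Control pairs a CIS control id with its evaluation function.
type Control struct {
	ID       string
	Title    string
	Evaluate func(OrgSettings) Status
}

// hardcodedPass mirrors the defect from the issue: the result never
// depends on the organization, so the control is always Passed.
func hardcodedPass(OrgSettings) Status { return Passed }

// restricted turns an "allow members to ..." flag into a control status:
// the control passes only when the permission is explicitly switched off,
// and reports Unknown when the flag could not be read.
func restricted(allow *bool) Status {
	if allow == nil {
		return Unknown
	}
	if *allow {
		return Failed
	}
	return Passed
}

var controls = []Control{
	{"1.2.3", "Ensure repository deletion is limited to specific members",
		func(s OrgSettings) Status { return restricted(s.MembersCanDeleteRepositories) }},
	{"1.2.4", "Ensure issue deletion is limited to specific members",
		func(s OrgSettings) Status { return restricted(s.AdminsCanDeleteIssues) }},
}

// Run evaluates every control against the settings and returns id -> status.
func Run(cs []Control, s OrgSettings) map[string]Status {
	out := make(map[string]Status, len(cs))
	for _, c := range cs {
		out[c.ID] = c.Evaluate(s)
	}
	return out
}

func boolPtr(b bool) *bool { return &b }

func main() {
	// Constructed sample: members may delete repositories (control 1.2.3
	// should fail), while issue deletion is locked down (1.2.4 should pass).
	permissive := OrgSettings{
		MembersCanDeleteRepositories: boolPtr(true),
		AdminsCanDeleteIssues:        boolPtr(false),
	}
	for _, c := range controls {
		fmt.Printf("%s  %-60s %-8s (hard-coded check: %s)\n",
			c.ID, c.Title, c.Evaluate(permissive), hardcodedPass(permissive))
	}
	// With no data at all the honest answer is Unknown, not Passed.
	for id, st := range Run(controls, OrgSettings{}) {
		fmt.Printf("%s without settings data: %s\n", id, st)
	}
}
```

The three-valued status is the point of the example: when a scanner cannot obtain the setting a control depends on, reporting `Unknown` (or marking the control as manual) keeps a gap in coverage visible, whereas a hard-coded `Passed` hides it in exactly the way the report above describes.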

naortalmor1 commented 1 year ago

Thanks, we'll take a look at that!