An open-source tool for auditing your software supply chain stack for security compliance based on a new CIS Software Supply Chain benchmark.
False positives in control `1.2.3` and control `1.2.4` #81
Open
karanpopat opened 1 year ago
Description
For controls 1.2.3 and 1.2.4 it always shows PASSED irrespective of the setting in GitHub.

Additional details in case it does not expose sensitive data (scanned pipeline files, PR, etc):
Here's the snippet from mapper.go which denotes the value has been hard-coded for the setting.
Reference GitHub setting snapshot which allows users to restrict/allow repository deletion and issue deletion -