mondoohq / cnquery

open source, cloud-native, graph-based asset inventory
https://cnquery.io

mondoo provider for GitHub is returning null "protection rules" #4727

Open frozen425 opened 1 month ago

frozen425 commented 1 month ago
$ cnspec shell github repo frozen425/test-repo15
→ loaded configuration from environment using source $MONDOO_CONFIG_BASE64
→ connected to GitHub Repository
  ___ _ __  ___ _ __   ___  ___ 
 / __| '_ \/ __| '_ \ / _ \/ __|
| (__| | | \__ \ |_) |  __/ (__ 
 \___|_| |_|___/ .__/ \___|\___|
   mondoo™     |_|              
cnspec> github.repository.branches[0].protectionRules {*}
github.repository.branches[0].protectionRules: null
cnspec> github.repository.branches {*}
github.repository.branches: [
  0: {
    protectionRules: null
    owner: github.user login="frozen425" name="Gomez" email="" company=""
    isDefault: true
    repoName: "test-repo15"
    headCommit: github.commit sha="3b248da9158ad7643d91e6868ac174f78369efcf"
    name: "main"
    isProtected: true
    headCommitSha: "3b248da9158ad7643d91e6868ac174f78369efcf"
  }
]
cnspec> 

The Github Repo Branch Protection rules are included in the response from the Github API:

$ curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer ${GITHUB_ACCESS_TOKEN}" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/repos/frozen425/test-repo15/branches/main/protection
{
  "url": "https://api.github.com/repos/frozen425/test-repo15/branches/main/protection",
  "required_status_checks": {
    "url": "https://api.github.com/repos/frozen425/test-repo15/branches/main/protection/required_status_checks",
    "strict": true,
    "contexts": [

    ],
    "contexts_url": "https://api.github.com/repos/frozen425/test-repo15/branches/main/protection/required_status_checks/contexts",
    "checks": [

    ]
  },
  "required_pull_request_reviews": {
    "url": "https://api.github.com/repos/frozen425/test-repo15/branches/main/protection/required_pull_request_reviews",
    "dismiss_stale_reviews": true,
    "require_code_owner_reviews": true,
    "require_last_push_approval": false,
    "required_approving_review_count": 1
  },
  "required_signatures": {
    "url": "https://api.github.com/repos/frozen425/test-repo15/branches/main/protection/required_signatures",
    "enabled": false
  },
  "enforce_admins": {
    "url": "https://api.github.com/repos/frozen425/test-repo15/branches/main/protection/enforce_admins",
    "enabled": true
  },
  "required_linear_history": {
    "enabled": false
  },
  "allow_force_pushes": {
    "enabled": false
  },
  "allow_deletions": {
    "enabled": false
  },
  "block_creations": {
    "enabled": false
  },
  "required_conversation_resolution": {
    "enabled": false
  },
  "lock_branch": {
    "enabled": false
  },
  "allow_fork_syncing": {
    "enabled": false
  }
}
frozen425 commented 1 month ago

We have a Policy Check: "Ensure branch deletions are denied" / github-benchmark-level-1 that fails for Github Repos that should be passing. At first I thought it was the mql in the Check. It appears that protectionRules() is returning nil or not being called.

jaym commented 1 month ago

I just tested it and it seems to work. You need to have admin access to the repo to get the protection rules, according to a comment in the code. If you run with debug logging, it might say something like "note: branch protection can only be accessed by admin users":

cnquery> github.repository.branches.where(isDefault == true) { * }
DBG starting query execution qrid=iLo+6h9iBuQ=
DBG performing request method=GET url=https://api.github.com/repos/mondoohq/cnspec
DBG oC+yDBQMU1QQAnaCGTD8QAVh0bUOqo8oJENRvwpBjEcqQ4Nfj2KitslRGbh+JSC+DpPFvUm36vSh+d5yV8Zh6g== finished
DBG graph has received all datapoints
DBG finished query execution qrid=iLo+6h9iBuQ=
github.repository.branches.where: [
  0: {
    protectionRules: github.branchprotection id="cnspec/main"
    isProtected: true
    headCommit: github.commit sha="52139cdd194287a7950dc70168e47792425f91a6"
    owner: github.user login="mondoohq" name="Mondoo Inc" email="hello@mondoo.com" company=""
    isDefault: true
    name: "main"
    repoName: "cnspec"
    headCommitSha: "52139cdd194287a7950dc70168e47792425f91a6"
  }
]
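The failure mode jaym describes, where a protection endpoint the token cannot read surfaces as a null `protectionRules` and a compliance check then fails for the wrong reason, can be made explicit on the client side. The Go block below is an added example, not cnquery's provider code: `Classify` assumes the caller has already issued the same GET as the curl call earlier in the thread and passes in the status code and body, and `DeletionsDenied` mirrors the "Ensure branch deletions are denied" check but fails closed, with a distinct reason, when the rules are unreadable rather than absent.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
)

type ProtectionState int

const (
	ProtectionUnknown ProtectionState = iota // request failed or token lacks admin read access
	ProtectionAbsent                         // HTTP 404: branch is not protected
	ProtectionPresent                        // HTTP 200: rules returned
)

// BranchProtection holds only the field the check below needs (a subset of the API response).
type BranchProtection struct {
	AllowDeletions struct{ Enabled bool `json:"enabled"` } `json:"allow_deletions"`
}

// Classify maps a /branches/{branch}/protection response to a ProtectionState instead of
// collapsing every non-200 outcome into nil, which is what makes a missing permission look
// like "no rules". Status and body come from a GET the caller performed (assumed).
func Classify(status int, body []byte) (ProtectionState, *BranchProtection, error) {
	switch status {
	case http.StatusOK:
		bp := new(BranchProtection)
		if err := json.Unmarshal(body, bp); err != nil {
			return ProtectionUnknown, nil, err
		}
		return ProtectionPresent, bp, nil
	case http.StatusNotFound: // GitHub's "Branch not protected"; also seen when the repo is invisible to the token
		return ProtectionAbsent, nil, nil
	default: // 401/403: token cannot read protection; this endpoint needs admin read access
		return ProtectionUnknown, nil, fmt.Errorf("protection unreadable: HTTP %d, check token permissions", status)
	}
}

// DeletionsDenied is the "Ensure branch deletions are denied" check; it fails closed on Unknown.
func DeletionsDenied(state ProtectionState, bp *BranchProtection) (bool, string) {
	switch state {
	case ProtectionPresent:
		return !bp.AllowDeletions.Enabled, "allow_deletions read from API"
	case ProtectionAbsent:
		return false, "branch has no protection rules"
	}
	return false, "protection rules unreadable; token needs admin read access"
}
```

A check built this way reports "unreadable" separately from "unprotected", so a token without admin read access shows up as a configuration problem instead of a failed benchmark control.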
jaym commented 1 month ago

If the two tokens are the same, there could be something else going on. Maybe the debug output will tell us that.

frozen425 commented 1 month ago

You were correct. The curl token was different from the cnspec token. I've updated my notes re: fine-grained PATs and the need for the Admin Read-Only permission.

And for classic PATs, I needed to make sure the token had repo:public_repo, since the repo in question is public. I'll test with a private repo later.

In any case, the docs are incorrect re: configuration of the PAT. docs [screenshot]

misterpantz commented 1 month ago

Thank you, @frozen425. I'll update the doc.

misterpantz commented 1 month ago

Docs updated. Release is going out now. Thanks again!