Open dmjb opened 7 months ago
I think this is a great idea! If this is an interesting topic for you, then I think it would be nice to create these rules. Another reason I'm happy you brought this up is that we have rules that can flag a PR with a dependency with CVEs or with a low trusty score by failing a commit status on the PR but we currently don't have a way to enforce that the repo requires this commit status, so there's an extra manual step involved.
Feel free to ping me if you want a quick walkthrough on how the rules are implemented and some tips around debugging and creating a new rule - this would be a great thing to explore and write some documentation around, a lot of the how-to-write-a-new rule is really tribal knowledge and we should document it better.
btw for setting up the branch protection rules via a remediation, there's already a bespoke branch protection remediator that /should/ be able to set those settings up provided correct settings.
There does not appear to be a rule for enforcing status checks in branch protections, e.g.
Examining the Github API output for the branch protections shown in the screenshot, the relevant part of the response is:
Notes:
1) If the `Require status checks to pass before merging` box is unselected, then `required_status_checks` is set to `null`.
2) The `Require branches to be up to date before merging` checkbox corresponds to the `strict` flag in the JSON object.
3) It is possible to select these options without setting up a list of checks. Personal experience shows that this results in the checks not working (or at least not working consistently). We probably want to enforce that the `Require status checks to pass before merging` box is selected and the list of checks to be non-empty.
4) We may want to create a separate rule for `Require branches to be up to date before merging`, or at least make it optional when creating a policy.
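An added example (not part of this issue or the project's code) of the evaluation logic the notes describe: it parses the `required_status_checks` part of a branch protection response, distinguishes `null` from an empty `contexts` list, and treats `strict` as an optional requirement. The struct names and sample JSON are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Illustrative subset of the GitHub branch protection response discussed above.
type requiredStatusChecks struct {
	Strict   bool     `json:"strict"`
	Contexts []string `json:"contexts"`
}

type branchProtection struct {
	// Pointer so that JSON null (box unselected) is distinguishable
	// from an object whose contexts list is empty.
	RequiredStatusChecks *requiredStatusChecks `json:"required_status_checks"`
}

// evalStatusChecks applies the proposed rule: status checks must be required
// AND at least one check must be listed; strict is enforced only on request.
func evalStatusChecks(raw []byte, requireStrict bool) (bool, string, error) {
	var bp branchProtection
	if err := json.Unmarshal(raw, &bp); err != nil {
		return false, "", err
	}
	rsc := bp.RequiredStatusChecks
	switch {
	case rsc == nil:
		return false, "required_status_checks is null: 'Require status checks to pass before merging' is unselected", nil
	case len(rsc.Contexts) == 0:
		return false, "box selected but no checks listed (contexts is empty)", nil
	case requireStrict && !rsc.Strict:
		return false, "strict is false: 'Require branches to be up to date before merging' is unselected", nil
	}
	return true, "", nil
}

func main() {
	// Constructed sample responses, not captured from a real repository.
	samples := map[string]string{
		"unselected": `{"required_status_checks": null}`,
		"empty":      `{"required_status_checks": {"strict": true, "contexts": []}}`,
		"good":       `{"required_status_checks": {"strict": false, "contexts": ["ci/build"]}}`,
	}
	for name, s := range samples {
		ok, reason, err := evalStatusChecks([]byte(s), false)
		fmt.Printf("%-10s ok=%v reason=%q err=%v\n", name, ok, reason, err)
	}
}
```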