Add severity to controls #93

Closed
wants to merge 3 commits into from
Closed
8 changes: 4 additions & 4 deletions go.mod
Expand Up @@ -22,7 +22,7 @@ require (
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
github.com/hashicorp/go-retryablehttp v0.7.1 // indirect
github.com/pelletier/go-toml/v2 v2.0.0-beta.8 // indirect
github.com/vektah/gqlparser/v2 v2.4.5 // indirect
github.com/vektah/gqlparser/v2 v2.4.6 // indirect
golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 // indirect
)

Expand Down Expand Up @@ -53,7 +53,7 @@ require (
github.com/inconshreveable/mousetrap v1.0.0 // indirect
github.com/magiconair/properties v1.8.6 // indirect
github.com/mitchellh/mapstructure v1.5.0
github.com/open-policy-agent/opa v0.42.0
github.com/open-policy-agent/opa v0.43.1
github.com/pelletier/go-toml v1.9.5 // indirect
github.com/spf13/afero v1.8.2 // indirect
github.com/spf13/cast v1.4.1 // indirect
Expand All @@ -62,8 +62,8 @@ require (
github.com/subosito/gotenv v1.2.0 // indirect
github.com/xanzy/go-gitlab v0.73.1
golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e // indirect
golang.org/x/net v0.0.0-20220805013720-a33c5aa5df48 // indirect
golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 // indirect
golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4 // indirect
golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 // indirect
golang.org/x/text v0.3.7 // indirect
golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2
google.golang.org/appengine v1.6.7 // indirect
Expand Down
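Review bot: In the third go.mod hunk golang.org/x/net and golang.org/x/sys move to older pseudo-versions (x/net from the 20220805 snapshot to 20220425, x/sys from 20220728 to 20220715, with the matching go.sum entries below), which is a downgrade rather than a bump and looks unintended for a PR that only adds severity metadata. Both are `// indirect` requirements, so this most likely comes from `go mod tidy` having been run against a module graph other than the current base branch; re-running it on top of the base should keep them at the newer versions. A downgrade of x/net in particular is worth checking before merge, since the repository's HTTP clients pull their HTTP/2 support from it and moving backwards can reintroduce already-fixed behaviour. If the downgrade is deliberate, a one-line note in the PR description saying why would help the next reader of go.mod.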
17 changes: 9 additions & 8 deletions go.sum
Expand Up @@ -753,8 +753,8 @@ github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1y
github.com/onsi/gomega v1.10.3/go.mod h1:V9xEwhxec5O8UDM77eCW8vLymOMltsqPVYWrpDsH8xc=
github.com/onsi/gomega v1.15.0/go.mod h1:cIuvLEne0aoVhAgh/O6ac0Op8WWw9H6eYCriF+tEHG0=
github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
github.com/open-policy-agent/opa v0.42.0 h1:CTJ240+A+sZEYSuLDYiT5l8Q3lcQf2eZc53jCbWNjZE=
github.com/open-policy-agent/opa v0.42.0/go.mod h1:MrmoTi/BsKWT58kXlVayBb+rYVeaMwuBm3nYAN3923s=
github.com/open-policy-agent/opa v0.43.1 h1:GAtUd6aO5lObFP6rRpteXDVffKa4vGUF4I6qVLdhUng=
github.com/open-policy-agent/opa v0.43.1/go.mod h1:xfTsKQEMvy7CxxgsCFoYuzT9jA/8C4JWLignCkN4Dzw=
github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
Expand Down Expand Up @@ -884,8 +884,9 @@ github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMB
github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE=
github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
Expand Down Expand Up @@ -958,8 +959,8 @@ github.com/urfave/cli v0.0.0-20171014202726-7bc6a0acffa5/go.mod h1:70zkFmudgCuE/
github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
github.com/vektah/gqlparser/v2 v2.4.5 h1:C02NsyEsL4TXJB7ndonqTfuQOL4XPIu0aAWugdmTgmc=
github.com/vektah/gqlparser/v2 v2.4.5/go.mod h1:flJWIR04IMQPGz+BXLrORkrARBxv/rtyIAFvd/MceW0=
github.com/vektah/gqlparser/v2 v2.4.6 h1:Yjzp66g6oVq93Jihbi0qhGnf/6zIWjcm8H6gA27zstE=
github.com/vektah/gqlparser/v2 v2.4.6/go.mod h1:flJWIR04IMQPGz+BXLrORkrARBxv/rtyIAFvd/MceW0=
github.com/vishvananda/netlink v0.0.0-20181108222139-023a6dafdcdf/go.mod h1:+SR5DhBJrl6ZM7CoCKvpw5BKroDKQ+PJqOg65H/2ktk=
github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE=
github.com/vishvananda/netlink v1.1.1-0.20201029203352-d40f9887b852/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho=
Expand Down Expand Up @@ -1310,8 +1311,8 @@ golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 h1:WIoqL4EROvwiPdUtaip4VcDdpZ4kha7wBWZrbVKCIZg=
golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 h1:0A+M6Uqn+Eje4kHMK80dtF3JCXC4ykBgQG4Fe06QRhQ=
golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
Expand Down Expand Up @@ -1525,7 +1526,7 @@ google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9K
google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
google.golang.org/grpc v1.43.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
google.golang.org/grpc v1.46.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
google.golang.org/grpc v1.47.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
google.golang.org/grpc v1.48.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
Expand Down
Expand Up @@ -5,6 +5,7 @@
"checks": {
"4.2.3": {
"title": "Ensure user's access to the package registry utilizes MFA",
"severity": "Critical",
"type": "ARTIFACT",
"entity": "PackageRegistry",
"description": "Enforce Multi Factor Authentication for user access to the package registry.",
Expand All @@ -14,6 +15,7 @@
},
"4.2.5": {
"title": "Ensure anonymous access to artifacts is revoked",
"severity": "Critical",
"type": "ARTIFACT",
"entity": "PackageRegistry",
"description": "Disable anonymous access to artifacts.",
Expand Down
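Review bot: The new `"severity"` key is a free-form string and nothing in the diff shown reads or validates it: apart from go.mod and go.sum there is no Go change, so a value outside the vocabulary used here (Critical, High, Medium, Low) would presumably be accepted silently when the metadata is loaded. Consider adding the field to whatever Go type decodes rules.metadata.json with a typed enum whose `UnmarshalJSON` rejects unknown values, or at minimum a test that walks every rules.metadata.json and asserts each check carries exactly one of the four allowed values, so a typo cannot change how findings are ranked. It would also help to document the allowed vocabulary and its ordering next to the schema, e.g. a comment such as `severity: one of Critical, High, Medium, Low (highest first)` wherever the metadata format is described. The same applies to every other rules.metadata.json section in this PR.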
Expand Up @@ -5,6 +5,7 @@
"checks": {
"4.3.4": {
"title": "Ensure webhooks of the package registry are secured",
"severity": "Critical",
"type": "ARTIFACT",
"entity": "PackageRegistry",
"description": "Use secured webhooks of the package registry.",
Expand Down
Expand Up @@ -5,6 +5,7 @@
"checks": {
"2.3.1": {
"title": "Ensure all build steps are defined as code",
"severity": "High",
"type": "BUILD",
"entity": "Pipeline",
"description": "Use Pipeline as Code for build pipelines and their defined steps.",
Expand All @@ -14,6 +15,7 @@
},
"2.3.5": {
"title": "Ensure access to the build process's triggering is minimized",
"severity": "Medium",
"type": "BUILD",
"entity": "Pipeline",
"description": "Restrict access to the pipelines' triggers.",
Expand All @@ -23,6 +25,7 @@
},
"2.3.7": {
"title": "Ensure pipelines are automatically scanned for vulnerabilities",
"severity": "Critical",
"type": "BUILD",
"entity": "Pipeline",
"description": "Scan pipelines for vulnerabilities. It is recommended to do that automatically.",
Expand All @@ -32,6 +35,7 @@
},
"2.3.8": {
"title": "Ensure scanners are in place to identify and prevent sensitive data in pipeline files",
"severity": "Critical",
"type": "BUILD",
"entity": "Pipeline",
"description": "Detect and prevent sensitive data, such as confidential ID numbers, passwords, etc. in pipelines.",
Expand Down
Expand Up @@ -5,6 +5,7 @@
"checks": {
"2.4.2": {
"title": "Ensure all external dependencies used in the build process are locked",
"severity": "Critical",
"type": "BUILD",
"entity": "Pipeline",
"description": "External dependencies might be public packages needed in the pipeline or even the public image used for the build worker. Lock these external dependencies in every build pipeline.",
Expand All @@ -14,6 +15,7 @@
},
"2.4.6": {
"title": "Ensure pipeline steps produce an SBOM",
"severity": "High",
"type": "BUILD",
"entity": "Pipeline",
"description": "SBOM (Software Bill Of Materials) is a file that specifies each component of software or a build process. Generate an SBOM after each run of a pipeline.",
Expand Down
Expand Up @@ -5,6 +5,7 @@
"checks": {
"3.1.7": {
"title": "Ensure dependencies are pinned to a specific, verified version",
"severity": "Critical",
"type": "DEPENDENCIES",
"entity": "Dependencies",
"description": "Pin dependencies to a specific version. Avoid using the \"latest\" tag or broad version.",
Expand Down
Expand Up @@ -5,6 +5,7 @@
"checks": {
"3.2.2": {
"title": "Ensure packages are automatically scanned for known vulnerabilities",
"severity": "Critical",
"type": "DEPENDENCIES",
"entity": "Dependencies",
"description": "Automatically scan every package for vulnerabilities.",
Expand All @@ -14,6 +15,7 @@
},
"3.2.3": {
"title": "Ensure packages are automatically scanned for license implications",
"severity": "High",
"type": "DEPENDENCIES",
"entity": "Dependencies",
"description": "A software license is a document that provides legal conditions and guidelines for the use and distribution of software, usually defined by the author. It is recommended to scan for any legal implications automatically.",
Expand Down
14 changes: 14 additions & 0 deletions internal/checks/source-code/code-changes/rules.metadata.json
Expand Up @@ -5,6 +5,7 @@
"checks": {
"1.1.3": {
"title": "Ensure any change to code receives approval of two strongly authenticated users",
"severity": "Medium",
"type": "SCM",
"entity": "Branch",
"description": "Ensure that every code change is reviewed and approved by two authorized contributors who are strongly authenticated.",
Expand All @@ -17,6 +18,7 @@
},
"1.1.4": {
"title": "Ensure previous approvals are dismissed when updates are introduced to a code change proposal",
"severity": "High",
"type": "SCM",
"entity": "Branch",
"description": "Ensure updates to a proposed code change require re-approval of reviewers",
Expand All @@ -27,6 +29,7 @@
},
"1.1.5": {
"title": "Ensure that there are restrictions on who can dismiss code change reviews",
"severity": "High",
"type": "SCM",
"entity": "Branch",
"description": "Only trusted users should be allowed to dismiss code change reviews",
Expand All @@ -36,6 +39,7 @@
},
"1.1.6": {
"title": "Ensure code owners are set for extra sensitive code or configuration",
"severity": "Medium",
"type": "SCM",
"entity": "Branch",
"description": "Code owners are trusted users that are responsible for reviewing and managing an important piece of code or configuration. Set code owners for every extremely sensitive code or configuration.",
Expand All @@ -48,6 +52,7 @@
},
"1.1.8": {
"title": "Ensure inactive branches are reviewed and removed periodically",
"severity": "Medium",
"type": "SCM",
"entity": "Repository",
"description": "Keep track of code branches that are inactive for a period of time and remove them periodically.",
Expand All @@ -57,6 +62,7 @@
},
"1.1.9": {
"title": "Ensure all checks have passed before the merge of new code",
"severity": "High",
"type": "SCM",
"entity": "Branch",
"description": "Before a code change request can be merged to the codebase, all pre-defined checks must successfully pass.",
Expand All @@ -69,6 +75,7 @@
},
"1.1.10": {
"title": "Ensure open git branches are up to date before they can be merged into codebase",
"severity": "High",
"type": "SCM",
"entity": "Branch",
"description": "Organizations should make sure each suggested code change is in full sync with the existing state of its origin code repository, before allowing to merge it in.",
Expand All @@ -79,6 +86,7 @@
},
"1.1.11": {
"title": "Ensure all open comments are resolved before allowing to merge code changes",
"severity": "Medium",
"type": "SCM",
"entity": "Branch",
"description": "Organizations should enforce a \"no open comments\" policy before allowing to merge code changes.",
Expand All @@ -89,6 +97,7 @@
},
"1.1.12": {
"title": "Ensure verifying signed commits of new changes before merging",
"severity": "High",
"type": "SCM",
"entity": "Branch",
"description": "Ensure every commit in pull request is signed and verified before merge",
Expand All @@ -101,6 +110,7 @@
},
"1.1.13": {
"title": "Ensure linear history is required",
"severity": "Low",
"type": "SCM",
"entity": "Repository",
"description": "Linear history is the name for Git history where all of the commits come one after another. Such history exists if a pull request is merged either by rebase merge (re-order the commits history) or squash merge (squashes all commits to one). Ensure that linear history is required by enforcing the use of rebase or squash merge when merging a pull request.",
Expand All @@ -114,6 +124,7 @@
},
"1.1.14": {
"title": "Ensure branch protection rules are enforced on administrators",
"severity": "Critical/High",
Collaborator


It's an invalid value, please specify a single value

"type": "SCM",
"entity": "Repository",
"description": "Ensure administrators are subject to branch protection rules.",
Expand All @@ -125,6 +136,7 @@
},
"1.1.15": {
"title": "Ensure pushing of new code is restricted to specific individuals or teams",
"severity": "High",
"type": "SCM",
"entity": "Repository",
"description": "Enforce that only trusted users can push to protected branches.",
Expand All @@ -137,6 +149,7 @@
},
"1.1.16": {
"title": "Ensure force pushes code to branches is denied",
"severity": "Critical",
"type": "SCM",
"entity": "Repository",
"description": "The 'force push' option allows users with 'push' permissions to force their changes directly to the branch without PR and it should be disabled.",
Expand All @@ -149,6 +162,7 @@
},
"1.1.17": {
"title": "Ensure branch deletions are denied",
"severity": "Critical",
"type": "SCM",
"entity": "Repository",
"description": "Ensure that users with push access only can't delete a protected branch.",
Expand Down
Expand Up @@ -5,6 +5,7 @@
"checks": {
"1.3.1": {
"title": "Ensure inactive users are reviewed and removed periodically",
"severity": "High",
"type": "SCM",
"entity": "Repository",
"description": "Track inactive user accounts and periodically remove them.",
Expand All @@ -17,6 +18,7 @@
},
"1.3.3": {
"title": "Ensure minimum admins are set for the organization",
"severity": "High",
"type": "SCM",
"entity": "Organization",
"description": "Ensure the organization has a minimum number of admins.",
Expand All @@ -28,6 +30,7 @@
},
"1.3.5": {
"title": "Ensure the organization is requiring members to use MFA",
"severity": "Critical",
"type": "SCM",
"entity": "Organization",
"description": "Require members of the organization to use Multi-Factor Authentication, in addition to using a standard user name and password, when authenticating to the source code management platform.",
Expand All @@ -41,6 +44,7 @@
},
"1.3.7": {
"title": "Ensure 2 admins are set for each repository",
"severity": "High",
"type": "SCM",
"entity": "Repository",
"description": "Ensure every repository has 2 users with admin permissions to it.",
Expand All @@ -52,6 +56,7 @@
},
"1.3.8": {
"title": "Ensure strict base permissions are set for repositories",
"severity": "High",
"type": "SCM",
"entity": "Organization",
"description": "Base permissions define the permission level granted to all the organization members automatically. Define strict base access permissions for all of the repositories in the organization, which should apply to new ones as well.",
Expand All @@ -64,6 +69,7 @@
},
"1.3.9": {
"title": "Ensure an organization's identity is confirmed with a Verified badge",
"severity": "High",
"type": "SCM",
"entity": "Organization",
"description": "Verify the domains that the organization owns",
Expand Down
Expand Up @@ -5,6 +5,7 @@
"checks": {
"1.2.1": {
"title": "Ensure all public repositories contain a SECURITY.md file",
"severity": "Low",
"type": "SCM",
"entity": "Repository",
"description": "SECURITY.md file is a security policy file, which gives people instructions when they are reporting security vulnerabilities in a project. When someone creates an issue in that project, a link to the SECURITY.md file will be shown.",
Expand All @@ -14,6 +15,7 @@
},
"1.2.2": {
"title": "Ensure repository creation is limited to specific members",
"severity": "Medium",
"type": "SCM",
"entity": "Organization",
"description": "Limit the ability to create repositories to trusted users and teams.",
Expand All @@ -23,6 +25,7 @@
},
"1.2.3": {
"title": "Ensure repository deletion is limited to specific members",
"severity": "Medium",
"type": "SCM",
"entity": "Organization",
"description": "Ensure only a limited number of trusted members can delete repositories.",
Expand All @@ -32,6 +35,7 @@
},
"1.2.4": {
"title": "Ensure issue deletion is limited to specific members",
"severity": "High",
"type": "SCM",
"entity": "Organization",
"description": "Ensure only trusted an responsible members can delete issues.",
Expand Down