Add policy set for GitHub provider

README.md

@@ -20,7 +20,7 @@ Detect compliance and security violations across Infrastructure as Code to mitig
 * 500+ Policies for security best practices
 * Scanning of Terraform 12+ (HCL2)
 * Scanning of Kubernetes YAML/JSON
-* Support for AWS, Azure, GCP, and Kubernetes
+* Support for AWS, Azure, GCP, Kubernetes and GitHub
 
 ## Installing
 Terrascan's binary for your architecture can be found on the [releases](https://github.com/accurics/terrascan/releases) page. Here's an example of how to install it:

docs/getting-started.md

@@ -109,7 +109,7 @@ Flags:
   -i, --iac-type string      iac type (terraform, k8s)
       --iac-version string   iac version terraform:(v12) k8s:(v1)
   -p, --policy-path string   policy path directory
-  -t, --policy-type string   <required> policy type (aws, azure, gcp, k8s)
+  -t, --policy-type string   <required> policy type (aws, azure, gcp, k8s, github)
 
 Global Flags:
   -c, --config-path string   config file path

docs/policies.md

@@ -41,3 +41,5 @@ Here's an example of the contents of a rule file:
 --8<-- "docs/policies/gcp.md"
 
 --8<-- "docs/policies/k8s.md"
+
+--8<-- "docs/policies/github.md"

docs/policies/github.md

@@ -0,0 +1,6 @@
+
+### github_repository
+| Category | Resource | Severity | Description | Reference ID |
+| -------- | -------- | -------- | ----------- | ------------ |
+| Identity & Access Management | github | MEDIUM | Repository is Not Private. | accurics.github.IAM.1 |
+

go.mod

@@ -20,7 +20,7 @@ require (
 	go.uber.org/zap v1.10.0
 	golang.org/x/net v0.0.0-20200822124328-c89045814202 // indirect
 	golang.org/x/sys v0.0.0-20200814200057-3d37ad5750ed // indirect
-	golang.org/x/tools v0.0.0-20200917192154-75ebdcb73b49 // indirect
+	golang.org/x/tools v0.0.0-20200917221617-d56e4e40bc9d // indirect
 	gopkg.in/src-d/go-git.v4 v4.13.1
 	gopkg.in/yaml.v2 v2.3.0
 	gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776

go.sum

@@ -536,6 +536,8 @@ golang.org/x/tools v0.0.0-20200916195026-c9a70fc28ce3 h1:DywqrEscRX7O2phNjkT0L6l
 golang.org/x/tools v0.0.0-20200916195026-c9a70fc28ce3/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU=
 golang.org/x/tools v0.0.0-20200917192154-75ebdcb73b49 h1:cSlTPh0jd/6I6bv6XnLSqQCCHUP6CIprgjNz7KlrK6c=
 golang.org/x/tools v0.0.0-20200917192154-75ebdcb73b49/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU=
+golang.org/x/tools v0.0.0-20200917221617-d56e4e40bc9d h1:y39d97JVttj+rkTXITl1nf9Vsk+VoRuNzIDLFldUSB4=
+golang.org/x/tools v0.0.0-20200917221617-d56e4e40bc9d/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=

mkdocs.yml

@@ -45,6 +45,7 @@ nav:
     - AWS: policies/aws.md
     - GCP: policies/gcp.md
     - Azure: policies/azure.md
+    - GitHub: policies/github.md
   # - Educational Resources: learning.md
   - Contributing: contributing.md
   - Changelog: changelog.md

pkg/cli/scan.go

@@ -29,7 +29,7 @@ import (
 var (
 	// PolicyPath Policy path directory
 	PolicyPath string
-	// PolicyType Cloud type (aws, azure, gcp)
+	// PolicyType Cloud type (aws, azure, gcp, github)
 	PolicyType string
 	// IacType IaC type (terraform)
 	IacType string

pkg/policies/opa/rego/github/github_repository/accurics.github.IAM.1.json

@@ -0,0 +1,10 @@
+{
+    "name": "privateRepoEnabled",
+    "file": "privateRepoEnabled.rego",
+    "template_args": null,
+    "severity": "MEDIUM",
+    "description": "Repository is Not Private.",
+    "reference_id": "accurics.github.IAM.1",
+    "category": "Identity \u0026 Access Management",
+    "version": 1
+}

pkg/policies/opa/rego/github/github_repository/privateRepoEnabled.rego

@@ -0,0 +1,7 @@
+package accurics
+
+privateRepoEnabled[api.id] {
+    api := input.github_repository[_]
+    not api.config.private == true
+    not api.config.visibility == "private"
+}

pkg/policy/github.go

@@ -0,0 +1,28 @@
+/*
+    Copyright (C) 2020 Accurics, Inc.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+*/
+
+package policy
+
+const (
+	github                  supportedCloudType  = "github"
+	defaultGithubIacType    supportedIacType    = "terraform"
+	defaultGithubIacVersion supportedIacVersion = "v12"
+)
+
+func init() {
+	// Register github as a cloud provider with terrascan
+	RegisterCloudProvider(github, defaultGithubIacType, defaultGithubIacVersion)
+}