SCM (Source Control Management) security is of high importance as it serves as an entry point to the whole CI/CD pipeline. This repository contains policies that verify SCM (currently GitHub's) organization/repositories/user accounts security. The policies are evaluated using Open Policy Agent (OPA).
There are different sets of policies depending on which account is being evaluated. Most policies are only relevent for organization owners. See the bellow rulesets section.
The policies are evaluated against a certain state. When executed for the first time, the state is empty. The returned data should be reviewed and the security posture should be manually evaluated (with recommendations from each module). If the state is approved it should be added to the input data, so that the next evaluation of policies tracks the changes of the state. More information about the state configurable for each module is available in each module's corresponding section.
- Generate a Personal Access Token with necessary permissions on GitHub in Settings > Developer Settings. You will need the following permissions:
- read:org
- read:user
- read:public_key
- read:repo
- read:repo_hook
If needed, refer to each module's section to figure out what permissions are needed to evaluate the module's policies.
- Set an environment variable with the token, for example:
export GH_TOKEN='<token>'
Run the following to get the report as a gist in your GitHub Account:
docker run -e GH_TOKEN scribesecurity/gitgat:latest data.gh.post_gist
You can access your report from your gists https://gist.github.com/
Run the following to get the report as a Markdown file:
docker run -e GH_TOKEN scribesecurity/gitgat:latest data.github.report.print_report 2> report.md
Run the following to get the report as a JSON object:
docker run -e GH_TOKEN scribesecurity/gitgat:latest data.gh.eval
In order to run the report using the variables and state you have saved in the input.json file use this command:
docker run -e GH_TOKEN -v <full_path_to_directory_containing_input_file>:/var/opt/opa scribesecurity/gitgat:latest
If you have already included the token in the input.json file you can shorten it to:
docker run -v <full_path_to_directory_containing_input_file>:/var/opt/opa scribesecurity/gitgat:latest
Note that the default report is the JSON version so if you want to get the Markdown file you need to spesify it as seen at the top of this section.
In order to execute the evaluation of the policies, download and install OPA (version 0.40.0 and up) from https://www.openpolicyagent.org/docs/latest/#running-opa. Binaries are available for macOS, Linux and Windows.
The examples below demonstrating safe handling of GitHub's Personal Access Token via an environment variable rely on cat
and sed
which are typically available on macOS and Linux. They can be obtained for Windows as well, for example, by using Git for Windows.
It is also possible to put the token directly into the configuration file, but do it at your own risk and make sure that it cannot be read by other users.
Clone the repository using:
git clone git@github.com:scribe-public/gitgat.git
And then enter into the directory created:
cd gitgat
The configuration file for the examples below is expected to be input.json
. Make sure you create this file in the main gitgat folder, using the following script:
cp data/empty-input.json input.json
Samples of configuration files can be found in here: https://github.com/scribe-security/GitHub-Posture/tree/public/data.
If you wish to add information or state to your input.json
file you can refer to data/sample_input.json
, for policies configuration and state management. Each ruleset is its own JSON section and the state information for each rule fits inside that segment. Make sure that the state information does not get pushed to the repository as it might contain sensitive data.
sample_input.json
is not included in .gitignore, but input.json
is.
So it is recommended to use input.json
as the input configuration file for OPA.
When running eval and report commands, pipe the token variable via stdin and sed. Following are a few examples of uses.
Create a report as a report as a gist in your GitHub account:
cat input.json | sed "s/GH_TOKEN/$GH_TOKEN/" | opa eval -I -b github data.gh.post_gist
Get a report as an md file:
cat input.json | sed "s/GH_TOKEN/$GH_TOKEN/" | opa eval -I -b github data.github.report.print_report 2> report.md
Get a report as a JSON object:
cat input.json | sed "s/GH_TOKEN/$GH_TOKEN/" | opa eval -I -b github data.gh.eval
Run a specific module/rule:
cat input.json | sed "s/GH_TOKEN/$GH_TOKEN/" | opa eval -I -b github data.github.<module>.eval
For example:
cat input.json | sed "s/GH_TOKEN/$GH_TOKEN/" | opa eval -I -b github data.github.ssh_keys.eval
You can find the different rule files under data/github
. Each file is a single OPA rule. The file name is the rule name and that's the name you can use instead of the <module>
.
(Under development) Print the Markdown report to stdout:
cat input.json | sed "s/GH_TOKEN/$GH_TOKEN/" | opa eval -I -b github data.github.report.print_report
(Under development) Upload the report to GitHub as a Gist:
cat input.json | sed "s/GH_TOKEN/$GH_TOKEN/" | opa eval -I -b github data.gh.post_gist
The evaluation can be run for three different rulesets.
The ruleset is configured via input.rule_set
:
- "user" - evaluates rules from a single user perspective.
- "org" - evaluates rules from an organization perspective.
The organizations that are evaluated are configured in the
input.json
file under theorganizations
header. - "enterprise" - evaluates rules for an enterprise (coming soon).
The default selection is "user" as can be seen in the example input.json
file above.
Policies are configured via relevant state objects in input.json
.
Each configurable module has a corresponding input configuration object.
Configuration parameters are described in each module's section below.
The state can be updated and approved by the policy administrator.
Eval rules print out violations of policies.
The violated rules can be used to configure exceptions allowed by the SCM administrator for the modules by updating the state of the modules.
Additional information about modules is available in corresponding eval rules descriptions.
2 factor authentication protects against developers account password leakage. It is highly recommended to request users to enable 2 factor authentication. Module tfa checks for organization members with 2 factor authentication disabled.
Required permissions:
- read:org - note, that only organization owners can get the list of users with 2 factor authentication disabled
- read:user - to get the list of organizations the user belongs to (when evaluating the user ruleset)
Configuration parameters:
input.tfa.disabled_members
- specifies the list of users that are allowed to have 2 factor authentication disabledinput.tfa.unenforced_orgs
- specifies the list of organizations that are allowed to have 2 factor authentication enforcements disabled
Rule modules:
-
data.github.tfa.eval.state.disabled_members
returns the list of users in each organization that have the 2 factor authentication disabled. If the new state is approved, they should be added to the configuration state. -
data.github.tfa.eval.state.unenforced_orgs
returns the list of organizations that do not enforce 2 factor authentication.
Developers can use SSH keys to access the repositories. A leaked SSH key gives an attacker access to the repository without the need to acquire a password. To mitigate the risk, it is advised to rotate SSH keys periodically and review configured SSH keys. The module is supported in the user ruleset as organization owners do not have access to SSH keys metadata. Module ssh_keys checks for expired and newly added SSH keys.
Required permissions:
- read:public_key - to get the list of user's SSH public keys
Configuration parameters:
input.ssh_keys.expiration
- [years, months, days] for the SSH keys expirationinput.ssh_keys.keys
- list of SSH keys that are registered for the user
Rule modules:
data.github.ssh_keys.eval.state.expired
returns the list of SSH keys that are older than configured by the expiration parameter.data.github.ssh_keys.eval.state.keys
returns the list of SSH keys that were not previously added to the input configuration file. All the approved keys should be added to the configuration state.
Deploy keys are SSH keys that give access to a specific repository (as opposed to the user's SSH keys that give access to all user's repositories). The same recommendations apply to deploy keys. Module deploy_keys checks for expired and newly added deploy keys.
Required permissions:
- repo - to get the list of deploy keys
Configuration parameters:
input.deploy_keys.expiration
- [years, months, days] for the deploy keys expirationinput.deploy_keys.keys
- list of deploy keys that are registered for the repository
Rule modules:
data.github.deploy_keys.eval.state.expired
returns the list of deploy keys that are older than configured by the expiration parameter.data.github.deploy_keys.eval.state.keys
returns the list of deploy keys that were not previously registered for organization repositories. All the approved new keys should be added to the configuration state.
Commit signatures can serve as an additional protection mechanism against compromised developer's accounts. Even when the password or an SSH key is leaked, the commit signing key will not necessarily be leaked and requiring signatures would prevent an attacker from authoring commits on behalf of a compromised developer's account. See branches section for documentation on enabling signatures enforcement per branch. Module commits checks for commit signatures in specified repositories and for the history of commits to detect anomalies.
Required permissions:
- repo - to get the list of commits
Configuration parameters:
input.commits.<repo>.allow_unverified
- list of user accounts per repository that are allowed to commit without signinginput.commits.<repo>.history
- list of the last 30 commits in the repository
Rule modules:
data.github.commits.eval.state.unverified
returns the list of commits that are either not signed or for which the signature verification failed. It does not include the commits by authors listed inallow_unverified
. To approve the new state, the authors of unverified commits should be added to the configuration state.data.github.commits.eval.state.history
returns the list of commits in the repository that are not included in the input configuration state.
Organization administrators have full control over the organization configuration and its repositories. The list of administrator users should be kept up-to-date. Module admins monitors the list of admin users.
Required permissions:
- read:org - to get the list of admins in the organization
Configuration parameters:
input.admins.members
- current set of admin users
Rule module:
data.github.admins.eval.state.members
returns the list of admin users in each organization that were not included in the input list of admin users. If the new state is approved, they should be added to the configuration state.
Branch protection is a set of configuration options to authorize commits that can be pushed to a branch. For more information, refer to SCM documentation. Module branches monitors the branch protection configuration for a repository.
Required permissions:
- repo - to get the branch protection configuration in repositories
Configuration parameters:
input.branches.unprotected
- branches for which the branch protection is turned offinput.branches.protection_data
- current configuration of branch protection
Rule modules:
data.github.branches.eval.state.unprotected
returns the list of unprotected branches not included in the input configuration.data.github.branches.eval.state.protection_data
returns the protection configuration that is different from the input protection data. If the new branch protection configuration is approved, the unprotected branches and the protection configuration should be added to the input.
Teams configuration is a convenient mechanism to organize users into groups and set permissions on a per team basis. Module teams monitors the teams members and the permissions of teams in repositories.
Required permissions:
- read:org - to get the list of teams in an organization
- repo - to get the information about repositories
Configuration parameters:
input.teams.permissions
- current permissions of teams in repositoriesinput.teams.members
- current teams members
Rule modules:
data.github.teams.eval.state.changed_permissions
returns the newly added permissions of teams in repositories.data.github.teams.eval.state.permissions
returns the permissions of teams in repositories for which no previous state was configured.data.github.teams.eval.state.members
returns the lists of team members that are not included in the input data. If the new state is approved, the teams permissions state should be updated.
Sometimes it is necessary to configure more fine-grained permissions for the files in the repository. For example, access to CI/CD configuration files should be limited to DevOps developers. While teams module checks for the current settings, the repository history can be monitored for suspicious activity. Module files monitors modifications of individual files in the repository.
Required permissions:
- read:repo - to get the repository commits
Configuration parameters:
input.files.permissions
- permissions to modify individual files. Committers from the list per file are allowed to push commits that modify the file.
Rule modules:
data.github.admins.eval.state.violating_commits
returns the list of commits that violate the restrictions from the state. Updating the state requires adding the committers of the violating commits to the allowed list.
Web hooks notify external parties about events in the repository. This can potentially leak sensitive information. Module hooks monitors the list of configured Web hooks.
Required permissions:
- read:repo_hook - to get the list of Web hooks in repositories
Configuration parameters:
input.hooks
- the list of configured Web hooks
Rule module:
data.github.hooks.eval.state.hooks
returns the list of new/changed Web hooks. If the new state is approved, they should be added to the configuration state.
Information describing how to contribute can be found here.