| Description |
Service |
Rule |
| Ensure no users have 2FA disabled |
The organization should not have any users with 2FA disabled. |
Github
|
Organization should have has_2fa_disable_users eq false |
| Ensure 2FA is required for the organization |
The organization should require all users to have 2FA enabled. |
Github
|
Organization should have two_factor_requirement_enabled eq true |
| Do not allow admin users to bypass branch protection rules |
Admin users should not be allowed to bypass branch protection rules. |
Github
|
Repository should have branch_protection_rule_bypass_admin_user eq false |
| Ensure no gists are public |
The organization should not have any public gists. |
Github
|
Organization should have public_gists_count eq 0 |
| Ensure branch protection rules prohibit deletion of the default branch |
The organization should have branch protection rules configured which prevent the default branch from being deleted. |
Github
|
Repository should have default_branch.protection_rule.allow_deletions eq false |
| Disable force-pushing on the default branch |
Force-pushing should not be enabled on the default branch. |
Github
|
Repository should have default_branch.protection_rule.allow_force_pushes eq false |
| Ensure no administrators are inactive |
The organization should have no inactive administrators (no activity for over 30 days). |
Github
|
Organization should have has_inactive_admin_users eq false |
| Ensure there are no inactive users |
The organization should have no inactive users (no activity for over 30 days). |
Github
|
Organization should have has_inactive_users eq false |
| Ensure private repositories do not have any forks |
A private repository should not have any forks. |
Github
|
Repository where private eq true should have fork_count eq 0 |
| Ensure repositories are set to private |
The repository should be set to private. |
Github
|
Repository should have private eq true |
| Description |
Service |
Rule |
| Ensure no users have 2FA disabled |
The organization should not have any users with 2FA disabled. |
Github
|
Organization should have has_2fa_disable_users eq false |
| Ensure 2FA is required for the organization |
The organization should require all users to have 2FA enabled. |
Github
|
Organization should have two_factor_requirement_enabled eq true |
| Do not allow admin users to bypass branch protection rules |
Admin users should not be allowed to bypass branch protection rules. |
Github
|
Repository should have branch_protection_rule_bypass_admin_user eq false |
| Ensure no gists are public |
The organization should not have any public gists. |
Github
|
Organization should have public_gists_count eq 0 |
| Ensure branch protection rules prohibit deletion of the default branch |
The organization should have branch protection rules configured which prevent the default branch from being deleted. |
Github
|
Repository should have default_branch.protection_rule.allow_deletions eq false |
| Disable force-pushing on the default branch |
Force-pushing should not be enabled on the default branch. |
Github
|
Repository should have default_branch.protection_rule.allow_force_pushes eq false |
| Ensure no administrators are inactive |
The organization should have no inactive administrators (no activity for over 30 days). |
Github
|
Organization should have has_inactive_admin_users eq false |
| Ensure there are no inactive repositories |
There should be no inactive repository (no activity for over 30 days). |
Github
|
Repository should not have pushed_at isEarlierThan (-30, "days") |
| Ensure there are no inactive users |
The organization should have no inactive users (no activity for over 30 days). |
Github
|
Organization should have has_inactive_users eq false |
| Ensure no new repositories exist |
Ensure administrators are aware of any new repositories (created in the past day). |
Github
|
Repository should have created_at isEarlierThan (-1, "days") |
| Ensure no new connected apps exist |
Ensure administrators are aware of any new connected apps (created in the past day). |
Github
|
ConnectedApp should have created_at isEarlierThan (-1, "days") |
| Ensure private repositories do not have any forks |
A private repository should not have any forks. |
Github
|
Repository where private eq true should have fork_count eq 0 |
| Ensure repositories are set to private |
The repository should be set to private. |
Github
|
Repository should have private eq true |
| Ensure branch protection rules are enabled for all branches in the repository |
The repository should have a branch protection rule enabled for all branches. |
Github
|
Repository should have branch_protection_enabled_for_all_branches eq true |
| Repositories should contain a CODEOWNERS file |
The default branch of a repository should have a CODEOWNERS file. |
Github
|
Repository should have default_branch.has_codeowners_file eq true |
| Repositories should contain a .gitignore file |
The default branch of a repository should have a .gitignore file. |
Github
|
Repository should have default_branch.has_gitignore_file eq true |
| Public repositories should have a LICENSE file |
The default branch of a public repository should have a LICENSE file. |
Github
|
Repository where private eq false should have default_branch.has_license_file eq true |
| Ensure connected apps do not have write access to organization administration |
Administrators should not allow connected GitHub apps to have organization administration write access. Connected apps with this permission level can modify organization settings and information. |
Github
|
ConnectedApp should not have write_permissions has ("organization_administration") |
| Ensure Secrets Detection is enabled |
Secret scanning should be enabled for the repository. |
Github
|
Repository should have secret_scanning_enabled eq true |
| Dismiss stale pull request approvals on the repository's default branch |
Stale pull request approvals should be dismissed when new commits are pushed to pull requests on the default branch. |
Github
|
Repository should have default_branch.protection_rule.dismisses_stale_reviews eq true |
| Require at least 1 approving review for pull requests on the repository's default branch |
Every pull request in the repository should require at least 1 approving review. |
Github
|
Repository should have default_branch.protection_rule.requires_approving_reviews eq true and default_branch.protection_rule.required_approving_review_count gte 1 |
| Require status checks for pull requests approvals on the repository's default branch |
Every pull request should require status checks to pass before merging. |
Github
|
Repository should have default_branch.protection_rule.requires_status_checks eq true |
| Ensure the organization's default repository permission is not set to admin |
GitHub organizations should not have the default repository permission set to admin. |
Github
|
Organization should not have default_repository_permission eq "admin" |
| Ensure repository does not have any outside collaborators |
The repository should not be accessible to outside collaborators. |
Github
|
Repository should have has_outside_collaborators eq false |
| Ensure a public repository has a security policy enabled |
The public repository should have a security policy enabled. |
Github
|
Repository where private eq false should have is_security_policy_enabled eq true |
| Description |
Service |
Rule |
| Ensure no users have 2FA disabled |
The organization should not have any users with 2FA disabled. |
Github
|
Organization should have has_2fa_disable_users eq false |
| Ensure 2FA is required for the organization |
The organization should require all users to have 2FA enabled. |
Github
|
Organization should have two_factor_requirement_enabled eq true |
| Do not allow admin users to bypass branch protection rules |
Admin users should not be allowed to bypass branch protection rules. |
Github
|
Repository should have branch_protection_rule_bypass_admin_user eq false |
| Ensure no gists are public |
The organization should not have any public gists. |
Github
|
Organization should have public_gists_count eq 0 |
| Ensure branch protection rules prohibit deletion of the default branch |
The organization should have branch protection rules configured which prevent the default branch from being deleted. |
Github
|
Repository should have default_branch.protection_rule.allow_deletions eq false |
| Disable force-pushing on the default branch |
Force-pushing should not be enabled on the default branch. |
Github
|
Repository should have default_branch.protection_rule.allow_force_pushes eq false |
| Ensure no administrators are inactive |
The organization should have no inactive administrators (no activity for over 30 days). |
Github
|
Organization should have has_inactive_admin_users eq false |
| Ensure there are no inactive users |
The organization should have no inactive users (no activity for over 30 days). |
Github
|
Organization should have has_inactive_users eq false |
| Ensure private repositories do not have any forks |
A private repository should not have any forks. |
Github
|
Repository where private eq true should have fork_count eq 0 |
| Ensure repositories are set to private |
The repository should be set to private. |
Github
|
Repository should have private eq true |
| Description |
Service |
Rule |
| Ensure no users have 2FA disabled |
The organization should not have any users with 2FA disabled. |
Github
|
Organization should have has_2fa_disable_users eq false |
| Ensure 2FA is required for the organization |
The organization should require all users to have 2FA enabled. |
Github
|
Organization should have two_factor_requirement_enabled eq true |
| Do not allow admin users to bypass branch protection rules |
Admin users should not be allowed to bypass branch protection rules. |
Github
|
Repository should have branch_protection_rule_bypass_admin_user eq false |
| Ensure no gists are public |
The organization should not have any public gists. |
Github
|
Organization should have public_gists_count eq 0 |
| Ensure branch protection rules prohibit deletion of the default branch |
The organization should have branch protection rules configured which prevent the default branch from being deleted. |
Github
|
Repository should have default_branch.protection_rule.allow_deletions eq false |
| Disable force-pushing on the default branch |
Force-pushing should not be enabled on the default branch. |
Github
|
Repository should have default_branch.protection_rule.allow_force_pushes eq false |
| Ensure no administrators are inactive |
The organization should have no inactive administrators (no activity for over 30 days). |
Github
|
Organization should have has_inactive_admin_users eq false |
| Ensure there are no inactive users |
The organization should have no inactive users (no activity for over 30 days). |
Github
|
Organization should have has_inactive_users eq false |
| Ensure private repositories do not have any forks |
A private repository should not have any forks. |
Github
|
Repository where private eq true should have fork_count eq 0 |
| Ensure repositories are set to private |
The repository should be set to private. |
Github
|
Repository should have private eq true |
| Description |
Service |
Rule |
| Ensure no users have 2FA disabled |
The organization should not have any users with 2FA disabled. |
Github
|
Organization should have has_2fa_disable_users eq false |
| Ensure 2FA is required for the organization |
The organization should require all users to have 2FA enabled. |
Github
|
Organization should have two_factor_requirement_enabled eq true |
| Do not allow admin users to bypass branch protection rules |
Admin users should not be allowed to bypass branch protection rules. |
Github
|
Repository should have branch_protection_rule_bypass_admin_user eq false |
| Ensure no gists are public |
The organization should not have any public gists. |
Github
|
Organization should have public_gists_count eq 0 |
| Ensure branch protection rules prohibit deletion of the default branch |
The organization should have branch protection rules configured which prevent the default branch from being deleted. |
Github
|
Repository should have default_branch.protection_rule.allow_deletions eq false |
| Disable force-pushing on the default branch |
Force-pushing should not be enabled on the default branch. |
Github
|
Repository should have default_branch.protection_rule.allow_force_pushes eq false |
| Ensure no administrators are inactive |
The organization should have no inactive administrators (no activity for over 30 days). |
Github
|
Organization should have has_inactive_admin_users eq false |
| Ensure there are no inactive users |
The organization should have no inactive users (no activity for over 30 days). |
Github
|
Organization should have has_inactive_users eq false |
| Ensure private repositories do not have any forks |
A private repository should not have any forks. |
Github
|
Repository where private eq true should have fork_count eq 0 |
| Ensure repositories are set to private |
The repository should be set to private. |
Github
|
Repository should have private eq true |
| Description |
Service |
Rule |
| Ensure no users have 2FA disabled |
The organization should not have any users with 2FA disabled. |
Github
|
Organization should have has_2fa_disable_users eq false |
| Ensure 2FA is required for the organization |
The organization should require all users to have 2FA enabled. |
Github
|
Organization should have two_factor_requirement_enabled eq true |
| Do not allow admin users to bypass branch protection rules |
Admin users should not be allowed to bypass branch protection rules. |
Github
|
Repository should have branch_protection_rule_bypass_admin_user eq false |
| Ensure no gists are public |
The organization should not have any public gists. |
Github
|
Organization should have public_gists_count eq 0 |
| Ensure branch protection rules prohibit deletion of the default branch |
The organization should have branch protection rules configured which prevent the default branch from being deleted. |
Github
|
Repository should have default_branch.protection_rule.allow_deletions eq false |
| Disable force-pushing on the default branch |
Force-pushing should not be enabled on the default branch. |
Github
|
Repository should have default_branch.protection_rule.allow_force_pushes eq false |
| Ensure no administrators are inactive |
The organization should have no inactive administrators (no activity for over 30 days). |
Github
|
Organization should have has_inactive_admin_users eq false |
| Ensure there are no inactive users |
The organization should have no inactive users (no activity for over 30 days). |
Github
|
Organization should have has_inactive_users eq false |
| Ensure private repositories do not have any forks |
A private repository should not have any forks. |
Github
|
Repository where private eq true should have fork_count eq 0 |
| Ensure repositories are set to private |
The repository should be set to private. |
Github
|
Repository should have private eq true |
| Description |
Service |
Rule |
| Ensure no users have 2FA disabled |
The organization should not have any users with 2FA disabled. |
Github
|
Organization should have has_2fa_disable_users eq false |
| Ensure 2FA is required for the organization |
The organization should require all users to have 2FA enabled. |
Github
|
Organization should have two_factor_requirement_enabled eq true |
| Do not allow admin users to bypass branch protection rules |
Admin users should not be allowed to bypass branch protection rules. |
Github
|
Repository should have branch_protection_rule_bypass_admin_user eq false |
| Ensure no gists are public |
The organization should not have any public gists. |
Github
|
Organization should have public_gists_count eq 0 |
| Ensure branch protection rules prohibit deletion of the default branch |
The organization should have branch protection rules configured which prevent the default branch from being deleted. |
Github
|
Repository should have default_branch.protection_rule.allow_deletions eq false |
| Disable force-pushing on the default branch |
Force-pushing should not be enabled on the default branch. |
Github
|
Repository should have default_branch.protection_rule.allow_force_pushes eq false |
| Ensure no administrators are inactive |
The organization should have no inactive administrators (no activity for over 30 days). |
Github
|
Organization should have has_inactive_admin_users eq false |
| Ensure there are no inactive users |
The organization should have no inactive users (no activity for over 30 days). |
Github
|
Organization should have has_inactive_users eq false |
| Ensure private repositories do not have any forks |
A private repository should not have any forks. |
Github
|
Repository where private eq true should have fork_count eq 0 |
| Ensure repositories are set to private |
The repository should be set to private. |
Github
|
Repository should have private eq true |
| Description |
Service |
Rule |
| Ensure no users have 2FA disabled |
The organization should not have any users with 2FA disabled. |
Github
|
Organization should have has_2fa_disable_users eq false |
| Ensure 2FA is required for the organization |
The organization should require all users to have 2FA enabled. |
Github
|
Organization should have two_factor_requirement_enabled eq true |
| Do not allow admin users to bypass branch protection rules |
Admin users should not be allowed to bypass branch protection rules. |
Github
|
Repository should have branch_protection_rule_bypass_admin_user eq false |
| Ensure no gists are public |
The organization should not have any public gists. |
Github
|
Organization should have public_gists_count eq 0 |
| Ensure branch protection rules prohibit deletion of the default branch |
The organization should have branch protection rules configured which prevent the default branch from being deleted. |
Github
|
Repository should have default_branch.protection_rule.allow_deletions eq false |
| Disable force-pushing on the default branch |
Force-pushing should not be enabled on the default branch. |
Github
|
Repository should have default_branch.protection_rule.allow_force_pushes eq false |
| Ensure no administrators are inactive |
The organization should have no inactive administrators (no activity for over 30 days). |
Github
|
Organization should have has_inactive_admin_users eq false |
| Ensure there are no inactive users |
The organization should have no inactive users (no activity for over 30 days). |
Github
|
Organization should have has_inactive_users eq false |
| Ensure private repositories do not have any forks |
A private repository should not have any forks. |
Github
|
Repository where private eq true should have fork_count eq 0 |
| Ensure repositories are set to private |
The repository should be set to private. |
Github
|
Repository should have private eq true |
