package rules.GITHUB_DEFAULT_BRANCH_DELETION_PROTECTION
import data.snyk
# "MULTIPLE" presumably marks this as a multi-resource rule: findings are
# attributed to the objects enumerated by the `resources` rules below
# (repository plus its branch protections) rather than to one resource type.
resource_type := "MULTIPLE"
# Only evaluated against Terraform input.
input_type := "tf"
# Metadata surfaced with each finding. `id` is the identifier findings carry,
# so it is kept stable even though it is hyphenated while the package name
# (and the S3 tag rule below) use underscores. Key order has no meaning in
# a Rego object; severity is listed next to id so the two are easy to audit.
metadata := {
    "id": "GITHUB-DEFAULT-BRANCH-DELETION-PROTECTION",
    "severity": "high",
    "title": "Default branch deletion protection not enabled",
    "description": "The history of the default branch is not protected against deletion for this repository.",
    "product": ["iac"],
}
repos := snyk.resources("github_repository")
# A repository passes when at least one branch-protection resource related
# to it does not allow deletions. Rego's `not` succeeds when the attribute
# is absent as well as when it is false, so an omitted allows_deletions
# counts as protected (presumably the provider default — confirm); only an
# explicit `true` disqualifies that protection. The function is undefined
# (not false) when the repository has no related protection at all.
#
# NOTE(review): this is an "any" check — a repository with several branch
# protections passes as long as one of them blocks deletions, and the
# protection's branch pattern is never compared with the default branch.
# Confirm that the "github_repository.branch_protection" relation only
# yields protections that actually cover the default branch; otherwise the
# rule is more permissive than its title suggests.
is_valid(repo) {
    some i
    protections := snyk.relates(repo, "github_repository.branch_protection")
    protection := protections[i]
    not protection.allows_deletions
}
# Report every repository that has no qualifying branch protection. Because
# is_valid is undefined for a repository with no related protection at all,
# `not is_valid` also fires for it — the rule fails closed instead of
# silently skipping unprotected repositories.
deny[info] {
    some i
    repo := repos[i]
    not is_valid(repo)
    info := {"resource": repo}
}
# Register each scanned repository as a resource this rule evaluates,
# presumably so the engine can also report repositories that pass.
resources[info] {
    some i
    info := {"resource": repos[i]}
}
# Also attach every related branch-protection resource to its repository
# (as primary_resource) so a finding can point at the protection object that
# was actually inspected, not only at the repository.
resources[info] {
    some i, j
    repo := repos[i]
    protection := snyk.relates(repo, "github_repository.branch_protection")[j]
    info := {"primary_resource": repo, "resource": protection}
}
Example: enforcing required resource tags (an owner tag and a classification tag with approved values) on S3 buckets
rules/REQUIRED_S3_BUCKET_TAGS/main.rego
package rules.REQUIRED_S3_BUCKET_TAGS
import data.snyk
input_type := "tf"
# Metadata surfaced with each finding. The id matches the package name, and
# the rule is published for both the IaC and cloud products. Key order has
# no meaning in a Rego object.
metadata := {
    "id": "REQUIRED_S3_BUCKET_TAGS",
    "severity": "high",
    "title": "S3 Bucket Tags",
    "description": "All S3 Buckets must be tagged properly - they need to have an owner tag, and a classification tag with the proper values.",
    "product": ["iac", "cloud"],
}
buckets := snyk.resources("aws_s3_bucket")
# Approved values for the owner tag. This is a hard-coded allow-list, so
# onboarding a new team means changing and redeploying the policy. Lookups
# against a Rego set are exact, case-sensitive value matches — if tag values
# may arrive in mixed case, normalise them before checking membership.
owners := {"devteam1", "devteam2", "devteam3", "devteam4"}
classifications := {