chore: update AMPEL policy and schedule compliance checks#98
marcusburghardt wants to merge 2 commits into complytime:main from
Conversation
| actions: read | ||
| id-token: write | ||
| attestations: write | ||
| uses: complytime/org-infra/.github/workflows/reusable_compliance.yml@main |
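Review bot: the reusable workflow is referenced by mutable branch (`uses: complytime/org-infra/.github/workflows/reusable_compliance.yml@main`), which is what the Scorecard Pinned-Dependencies warning below is about. Since this job runs with `id-token: write` and `attestations: write`, anyone who can change `main` in org-infra can change what gets signed and attested here; pin the reference to a full-length commit SHA (with the tag or branch noted in a trailing comment) and bump it deliberately.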
Check warning: Code scanning / Scorecard: Pinned-Dependencies (Medium)
Signed-off-by: Marcus Burghardt <maburgha@redhat.com>
Signed-off-by: Marcus Burghardt <maburgha@redhat.com>
e18dfab to d06c4cb
Rebased.
| "controls": [ { "framework": "MYORG", "class": "ORG", "id": "02" } ] | ||
| "description": "Validate admin bypass prevention is enabled via GitHub API or GitLab API", | ||
| "controls": [ | ||
| { "framework": "SC", "class": "SC-CODE", "id": "03" }, |
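Review bot: the description "Validate admin bypass prevention is enabled via GitHub API or GitLab API" states how the tenet is checked rather than what it requires, unlike the sibling "Require signed commits before merging". Phrase it as the requirement (for example "Prevent administrators from bypassing default-branch protection") and move the API mechanism into the guidance field, where the other tenets keep their how-to text.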
@marcusburghardt Should the SC-CODE be "04" instead?
| "guidance": "Create a branch ruleset protecting your default branch and enable \"Require signed commits\"" | ||
| "message": "Force pushes can be sent to main branch", | ||
| "guidance": "Create a branch ruleset protecting your default branch and enable \"Block force pushes\"" | ||
| } |
@marcusburghardt The tenet messages are the same for both "SC-CODE-03.01" and "SC-CODE-04.01".
| "meta": { | ||
| "description": "Require signed commits before merging", | ||
| "controls": [ { "framework": "MYORG", "class": "ORG", "id": "02" } ] | ||
| "description": "Validate admin bypass prevention is enabled via GitHub API or GitLab API", |
@marcusburghardt My question is: do we need "SC-CODE-04.01"? To properly support SC-CODE-04.01, we would need to contribute a new spec with "rulesets" to snappy. The data needed for admin bypass validation (bypass_actors, enforcement) is as per the GitHub API.
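An added example, not code from this PR, from the complytime policy or from snappy, of how the ruleset data named above (enforcement, bypass_actors) together with the rule types behind the other two tenets could be evaluated offline. The JSON payload is constructed by hand in the shape of the GitHub REST rulesets response; the tenet names and the decision that only `bypass_mode: "always"` actors fail the admin-bypass tenet are this example's own assumptions, not anything the policy defines:

```python
"""Evaluate a GitHub branch ruleset against three branch-protection tenets:
signed commits required, force pushes blocked, no admin bypass.

Added example; not code from the complytime policy or from snappy. The payload
below is constructed in the shape of the GitHub REST API response for
GET /repos/{owner}/{repo}/rulesets/{ruleset_id} ("enforcement", "bypass_actors",
"conditions", "rules[].type"); it was not captured from a real repository.
"""
import json

# Constructed sample: an "active" ruleset on the default branch that blocks
# deletion and force pushes and requires signatures, but lets one repository
# role (actor_id 5) bypass it unconditionally.
SAMPLE_RULESET = json.loads("""
{
  "id": 1,
  "name": "protect-default-branch",
  "target": "branch",
  "enforcement": "active",
  "conditions": {"ref_name": {"include": ["~DEFAULT_BRANCH"], "exclude": []}},
  "bypass_actors": [
    {"actor_id": 5, "actor_type": "RepositoryRole", "bypass_mode": "always"}
  ],
  "rules": [
    {"type": "deletion"},
    {"type": "non_fast_forward"},
    {"type": "required_signatures"}
  ]
}
""")


def is_enforced_on_default_branch(ruleset):
    """A ruleset only protects anything if it is active and scoped to the
    default branch; "evaluate" and "disabled" enforcement do not block pushes."""
    include = ruleset.get("conditions", {}).get("ref_name", {}).get("include", [])
    return ruleset.get("enforcement") == "active" and "~DEFAULT_BRANCH" in include


def rule_types(ruleset):
    """Set of rule type names present in the ruleset."""
    return {rule.get("type") for rule in ruleset.get("rules", [])}


def unconditional_bypass_actors(ruleset):
    """Actors that may bypass the ruleset on every push. "pull_request" mode
    only applies when merging a PR; a missing bypass_mode is treated as
    "always" (conservative assumption made by this example)."""
    return [a for a in ruleset.get("bypass_actors", [])
            if a.get("bypass_mode", "always") == "always"]


def evaluate(ruleset):
    """Return tenet name -> pass/fail for one ruleset payload."""
    enforced = is_enforced_on_default_branch(ruleset)
    types = rule_types(ruleset)
    return {
        "require_signed_commits": enforced and "required_signatures" in types,
        "block_force_pushes": enforced and "non_fast_forward" in types,
        # Policy choice of this example: any actor (org admin, repo role, app)
        # who can bypass unconditionally fails the tenet. A stricter policy
        # would reject any bypass actor at all.
        "prevent_admin_bypass": enforced and not unconditional_bypass_actors(ruleset),
    }


def failing_tenets(ruleset):
    """Sorted names of tenets the ruleset does not satisfy."""
    return sorted(name for name, ok in evaluate(ruleset).items() if not ok)


if __name__ == "__main__":
    for name, ok in evaluate(SAMPLE_RULESET).items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
    # The sample fails prevent_admin_bypass because of the RepositoryRole actor.
```

Gating every tenet on `is_enforced_on_default_branch` matters in practice: a ruleset in "evaluate" or "disabled" mode, or one scoped to some other branch, returns the same rules from the API but protects nothing, so a check that only looks at `rules[].type` would pass it.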
sonupreetam left a comment
@marcusburghardt I have added a few comments to the branch protection rules.
| name: Compliance Evaluation | ||
| permissions: | ||
| contents: read | ||
| actions: read |
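Review bot: the permissions block grants `contents: read` and `actions: read` here (plus `id-token: write` and `attestations: write` further down) without saying which step needs each one. Annotate every permission with its consumer (for example `attestations: write` and `id-token: write` for producing the attestation, `contents: read` for checkout) and drop any that no step in the reusable workflow actually uses; a caller must grant at least what the reusable workflow requests, but nothing more.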
There was a problem hiding this comment.
@marcusburghardt The "actions: read" permission is not required by the reusable_compliance workflow, so maybe we don't need it.
After working on complytime/complyctl#380 I noticed upcoming changes for this PR, so it is no longer time-sensitive. Therefore I am moving it to draft until other related activities are progressing.
Summary
Reviewed and updated Ampel policy for branch protection rules.
This PR also enables a scheduled job to check the branch protection rules and save the results as attestation artifact.
Related Issues
Review Hints