core/mondoo-github-security.mql.yaml

# Copyright (c) Mondoo, Inc.
# SPDX-License-Identifier: BUSL-1.1

policies:
  - uid: mondoo-github-organization-security
    name: GitHub Organization Security
    version: 1.5.0
    license: BUSL-1.1
    tags:
      mondoo.com/category: security
      mondoo.com/platform: github
    authors:
      - name: Mondoo, Inc
        email: hello@mondoo.com
    docs:
      desc: |
        ## Overview

        GitHub Organization Security by Mondoo provides guidance for establishing minimum recommended security and operational best practices for GitHub organizations.

        ## About remote scanning

        Remote scans with cnspec provide on demand security assessments of infrastructure and services without installing any agents or integrations. cnspec comes with a growing list of providers to connect and scan local and remote targets.

        A complete list of providers can be found by running this command:

        ```bash
        cnspec scan --help
        ```

        ### cnspec GitHub provider

        This policy uses the `github` provider to authenticate with GitHub's API in order to remotely scan GitHub organizations. Additional information on the `github` provider can be found by running this command:

        ```bash
        cnspec scan github --help
        ```

        ## Configuring the GitHub provider

        The `github` provider for cnspec requires a GitHub personal access token to authenticate with GitHub's API. Access to an organization is determined by the level of access the token cnspec is configured with when it runs.

        ### Create a personal access token

        To create a read-only personal access token, see [Creating a personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) on GitHub's documentation site.

        ### Configure a GITHUB_TOKEN environment variable

        You supply your personal access token to cnspec using the `GITHUB_TOKEN` environment variable.

        #### Linux / macOS

        ```bash
        export GITHUB_TOKEN=<your personal access token>
        ```

        #### Windows

        ```powershell
        $Env:GITHUB_TOKEN = "<personal-access-token>"
        ```

        ## Scan a GitHub organization

        To scan the configuration of your GitHub organization, run this command:

        ```bash
        cnspec scan github org <ORG_NAME>
        ```

        ## Scan a GitHub organization and all repositories

        cnspec can also scan a GitHub organization and all of its repositories using the `--discover all` flag. To scan your GitHub organization and discover and scan all of the repositories within your organization, run this command:

        ```bash
        cnspec scan github org <ORG_NAME> --discover all
        ```

        > Note: Scanning large GitHub organizations may exceed GitHub API rate limits. For more information see [About rate limits](https://docs.github.com/en/rest/rate-limit?apiVersion=2022-11-28#about-rate-limits) in the GitHub documentation.

        ## Join the community!

        Our goal is to build policies that are simple to deploy, accurate, and actionable.

        If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
    groups:
      - title: GitHub Org
        filters: asset.platform == "github-org"
        checks:
          - uid: mondoo-github-organization-security-default-permission-level
          - uid: mondoo-github-organization-security-two-factor-auth
          - uid: mondoo-github-organization-security-verified-domain
          - uid: mondoo-github-organization-security-security-policy
    scoring_system: highest impact
  - uid: mondoo-github-repository-security
    name: GitHub Repository Security
    version: 1.5.0
    license: BUSL-1.1
    authors:
      - name: Mondoo, Inc
        email: hello@mondoo.com
    docs:
      desc: |
        # Overview

        GitHub Repository Security by Mondoo provides security assessments of public and private GitHub repositories to ensure minimum recommended security and operational best practices. This policy is also designed to assess public repositories and open source projects your team depends on to evaluate the risk a project poses to your business. Open source projects that do not adhere to GitHub's recommended security best practices pose a higher risk of malicious code making its way into your environments.

        ## About remote scanning

        Remote scans with cnspec provide on demand security assessments of infrastructure and services without installing any agents or integrations. cnspec comes with a growing list of providers to connect and scan local and remote targets.

        A complete list of providers can be found by running this command:

        ```bash
        cnspec scan --help
        ```

        ### cnspec GitHub Provider

        This policy uses the `github` provider to authenticate with GitHub's API in order to remotely scan GitHub repositories. Additional information on the `github` provider can be found by running this command:

        ```bash
        cnspec scan github --help
        ```

        ## Configuring the GitHub provider

        The `github` provider for cnspec requires a GitHub personal access token to authenticate with GitHub's API. The personal access token is required regardless of whether you are scanning a public or a private repository. Access to private repositories is determined by the level of access the token cnspec is configured with when it runs.

        ### Create a personal access token

        To create a read-only personal access token, see [Creating a personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) on GitHub's documentation site.

        ### Configure a GITHUB_TOKEN environment variable

        You supply your personal access token to cnspec using the `GITHUB_TOKEN` environment variable.

        #### Linux / macOS

        ```bash
        export GITHUB_TOKEN=<your personal access token>
        ```

        #### Windows

        ```powershell
        $Env:GITHUB_TOKEN = "<personal-access-token>"
        ```

        ## Scanning GitHub repositories

        To scan the configuration of a GitHub repository:

        ```bash
        cnspec scan github repo <ORG_NAME/REPO_NAME>
        ```

        ## Join the community!

        Our goal is to build policies that are simple to deploy, accurate, and actionable.

        If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
    groups:
      - filters: |
          asset.platform == "github-repo"
        checks:
          - uid: mondoo-github-repository-security-binary-artifacts
          - uid: mondoo-github-repository-security-enforce-branch-protection
          - uid: mondoo-github-repository-security-ensure-default-branch-protection
          - uid: mondoo-github-repository-security-ensure-dependabot-workflow
          - uid: mondoo-github-repository-security-ensure-release-branch-protection
          - uid: mondoo-github-repository-security-prevent-force-pushes-default-branch
          - uid: mondoo-github-repository-security-prevent-force-pushes-release-branch
          - uid: mondoo-github-repository-security-require-conversation-resolution
          - uid: mondoo-github-repository-security-require-status-checks-before-merging
          - uid: mondoo-github-repository-security-required-signed-commits
          - uid: mondoo-github-repository-security-security-policy
    scoring_system: highest impact
props:
  - uid: mondooGithubSecurityRequiredPullRequestReviews
    title: Define the required number of reviewers on pull requests
    mql: "1"
queries:
  - uid: mondoo-github-organization-security-two-factor-auth
    title: Enable Two-factor authentication for all users in the organization
    impact: 90
    mql: github.organization.twoFactorRequirementEnabled
    docs:
      desc: |
        Two-factor authentication (2FA) is an extra layer of security used when logging into websites or apps. With 2FA, you have to log in with your username and password and provide another form of authentication that only you know or have access to. It is highly recommended that GitHub Organizations are configured to require all users to configure 2FA.
      audit: |
        __cnspec shell__

        1. Open a terminal
        2. Connect cnspec shell to GitHub  `cnspec shell github org <org_name> --token $GITHUB_TOKEN`
        3. Run this query:

           ```mql
           github.organization.twoFactorRequirementEnabled
           ```
      remediation: |
        GitHub has several options for configuring 2FA for your organization. To enable 2FA, see [Configuring two-factor authentication](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication) in GitHub's documentation.
    refs:
      - url: https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa
        title: Securing your account with two-factor authentication (2FA)
  - uid: mondoo-github-organization-security-verified-domain
    title: Organization should have a verified domain attached
    impact: 80
    mql: github.organization.isVerified
    docs:
      desc: |
        You can verify your ownership of domains with GitHub to confirm your organization's identity. You can also approve domains that GitHub can send email notifications to members of your organization. After verifying ownership of your organization's domains, a "Verified" badge will display on the organization's profile.
      audit: |
        __cnspec shell__

        1. Open a terminal
        2. Connect cnspec shell to GitHub  `cnspec shell github org <org_name> --token $GITHUB_TOKEN`
        3. Run this query:

           ```mql
           github.organization.isVerified
           ```
      remediation: |
        To achieve verified status for your GitHub organization, see [Verifying or approving a domain for your organization](https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization) in the GitHub documentation site.
    refs:
      - url: https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization
        title: Verifying or approving a domain for your organization
  - uid: mondoo-github-organization-security-default-permission-level
    title: Ensure GitHub Organization has base permissions configured
    impact: 50
    mql: github.organization.defaultRepositoryPermission == "read"
    docs:
      desc: |
        You can set base permissions that apply to all members of an organization when accessing any of the organization's repositories. Base permissions do not apply to outside collaborators.

        By default, members of an organization will have Read permissions to the organization's repositories.
      audit: |
        __cnspec shell__

        1. Open a terminal
        2. Connect cnspec shell to GitHub  `cnspec shell github org <org_name> --token $GITHUB_TOKEN`
        3. Run this query:

           ```mql
           github.organization.defaultRepositoryPermission
           ```
      remediation: |
        To set base permissions for GitHub, see [Setting base permissions for an organization](https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/setting-base-permissions-for-an-organization) in GitHub's documentation.
    refs:
      - url: https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization
        title: Setting base permissions for an organization
  - uid: mondoo-github-organization-security-security-policy
    title: Ensure repository defines a security policy
    impact: 30
    mql: |
      if ( github.organization.repositories.one(name == ".github") ) {
        github.organization.repositories.where( name == ".github").all(
          files.one( name.downcase == "security.md")
        ) || github.repository.files.one( name.downcase == "security.md")
      } else {
        github.repository.files.one( name.downcase == "security.md")
      }
    docs:
      desc: |
        This check tries to determine that the repository defines a security policy.

        It is recommended projects provide instructions for reporting a security vulnerability in your project by adding a security policy to your repository.
      audit: |
        __cnspec shell__

        1. Open a terminal
        2. Connect cnspec shell to GitHub  `cnspec shell github repo <org/repo_name> --token $GITHUB_TOKEN`
        3. Run this query:

           ```mql
           github.repository.files.where( name == /SECURITY.md/ )
           ```
      remediation: |
        See [Adding a security policy to your repository](https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository#adding-a-security-policy-to-your-repository) on the GitHub documentation site.
    refs:
      - url: https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository
        title: GitHub Docs - Adding a security policy to your repository
  - uid: mondoo-github-repository-security-ensure-default-branch-protection
    title: Ensure GitHub repository default branch is protected
    impact: 90
    mql: |
      github.repository.branches
        .where( isDefault == true )
        .all( isProtected == true )
    docs:
      desc: |
        This check ensures that the default branch for the repository has branch protection enabled. Branch protection enforces certain workflows or requirements are met before a collaborator can push changes to a branch in a repository. It is highly recommended that the default branch has branch protection enabled, with branch protection rules applied.
      remediation: |
        To enable branch protection, see [About protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches) on the GitHub documentation site.
    refs:
      - url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches
        title: About Branch protection
      - url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-branches-in-your-repository/changing-the-default-branch
        title: Changing the default branch
  - uid: mondoo-github-repository-security-ensure-release-branch-protection
    title: Ensure GitHub repository release branches are protected
    impact: 90
    props:
      - uid: mondooGithubReleaseBranches
        title: Pattern for release branch
        mql: |
          return  /^release/
    mql: |
      github.repository.branches
        .where( name == props.mondooGithubReleaseBranches )
        .all( isProtected == true )
    docs:
      desc: |
        This check ensures that any release branches (i.e. 'release-x.y.z') have branch protection rules enabled. Branch protection enforces certain workflows or requirements are met before a collaborator can push changes to a branch in a repository. It is recommended that any release branches have branch protection enabled, with branch protection rules applied.
      remediation: |
        To enable branch protection, see [About protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches) on the GitHub documentation site.
  - uid: mondoo-github-repository-security-prevent-force-pushes-default-branch
    title: Ensure repository does not allow force pushes to the default branch
    impact: 80
    mql: |
      github.repository.branches
        .where( isDefault == true )
        .all( isProtected == true )
      github.repository.branches
        .where( isDefault == true )
        .all( protectionRules { allowForcePushes['enabled'] == false } )
    docs:
      desc: |
        This check ensures that the default branch does not allow force pushes. Branch protection enforces certain workflows or requirements are met before a collaborator can push changes to a branch in a repository. It is highly recommended to disable force pushes to the default repository branch. By default, GitHub blocks force pushes on all protected branches. When you enable force pushes to a protected branch, you can choose one of two groups who can force push:

        - Allow everyone with at least write permissions to the repository to force push to the branch, including those with admin permissions.
        - Allow only specific people or teams to force push to the branch.

        If someone force pushes to a branch, the force push may overwrite commits that other collaborators based their work on. People may have merge conflicts or corrupted pull requests.

        Enabling force pushes will not override any other branch protection rules. For example, if a branch requires a linear commit history, you cannot force push merge commits to that branch.
      audit: |
        __cnspec shell__

        1. Open a terminal
        2. Connect cnspec shell to GitHub  `cnspec shell github repo <org/repo_name> --token $GITHUB_TOKEN`
        3. Run this query:

           ```mql
           github.repository.branches.where( isDefault == true) { isProtected protectionRules { allowForcePushes['enabled'] } }
           ```
      remediation: |
        To enable branch protection, see [About protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches) on the GitHub documentation site. Once branch protection is enabled, see [Allow force pushes](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#allow-force-pushes) on the GitHub documentation site, and make sure the repository is not configured to allow force pushes.
    refs:
      - url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches
        title: GitHub Docs - About protected branches
  - uid: mondoo-github-repository-security-prevent-force-pushes-release-branch
    title: Ensure repository does not allow force pushes to any release branches
    impact: 80
    props:
      - uid: mondooGithubReleaseBranches
        title: Pattern for release branch
        mql: |
          return  /^release/
    mql: |
      github.repository.branches
        .where( name == props.mondooGithubReleaseBranches )
        .all( isProtected == true )
      github.repository.branches
        .where( name == props.mondooGithubReleaseBranches )
        .all( protectionRules { allowForcePushes['enabled'] == false } )
    docs:
      desc: |
        This check ensures that the release branch does not allow force pushes. Branch protection enforces certain workflows or requirements are met before a collaborator can push changes to a branch in a repository. It is recommended to disable force pushes to any release branches.

        By default, GitHub blocks force pushes on all protected branches. When you enable force pushes to a protected branch, you can choose one of two groups who can force push:

        - Allow everyone with at least write permissions to the repository to force push to the branch, including those with admin permissions.
        - Allow only specific people or teams to force push to the branch.

        If someone force pushes to a branch, the force push may overwrite commits that other collaborators have made. Force pushing may cause merge conflicts or corrupted pull requests for other users.

        Enabling force pushes will not override any other branch protection rules. For example, if a branch requires a linear commit history, you cannot force push merge commits to that branch.
      audit: |
        __cnspec shell__

        1. Open a terminal
        2. Connect cnspec shell to GitHub  `cnspec shell github repo <org/repo_name> --token $GITHUB_TOKEN`
        3. Run this query:

           ```mql
           github.repository.branches.where( isDefault == true) { isProtected protectionRules { allowForcePushes['enabled'] } }
           ```
      remediation: |
        To enable branch protection, see [About protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches) on the GitHub documentation site. Once branch protection is enabled, see [Allow force pushes](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#allow-force-pushes) on the GitHub documentation site, and make sure the repository is not configured to allow force pushes.
    refs:
      - url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches
        title: GitHub Docs - About protected branches
  - uid: mondoo-github-repository-security-require-conversation-resolution
    title: Ensure branch protection requires conversation resolution before merging
    impact: 80
    mql: |
      github.repository.branches
        .where( isDefault == true )
        .all( isProtected == true )
      github.repository.branches
        .where( isDefault == true )
        .all( protectionRules { requiredConversationResolution['enabled'] == true } )
    docs:
      desc: |
        This checks that a branch protection rule is configured to require all comments on the pull request to be resolved before it can be merged to a protected branch. Branch protection enforces certain workflows or requirements are met before a collaborator can push changes to a branch in a repository. It is recommended that both the default branch and any release branches have branch protection enabled, with branch protection rules applied.
      remediation: |
        To enable branch protection, see [About protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches) on the GitHub documentation site. Once branch protection is enabled, see [Require conversation resolution before merging](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-conversation-resolution-before-merging) on the GitHub documentation site.
    refs:
      - url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches
        title: GitHub Docs - About protected branches
      - url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-conversation-resolution-before-merging
        title: GitHub Documentation - Require conversation resolution before merging
  - uid: mondoo-github-repository-security-require-status-checks-before-merging
    title: Ensure status checks are passing before merging PRs on the default branch
    impact: 80
    mql: |
      github.repository.branches
        .where( isDefault == true )
        .all( isProtected == true )
      github.repository.branches
        .where( isDefault == true )
        .all( protectionRules { requiredStatusChecks.length > 0 } )
    docs:
      desc: |
        This check ensures that all required CI tests pass before collaborators can merge changes to a protected branch. Branch protection enforces certain workflows or requirements are met before a collaborator can push changes to a branch in a repository. It is recommended that both the default branch and any release branches have branch protection enabled, with branch protection rules applied.
      audit: |
        __cnspec shell__

        1. Open a terminal
        2. Connect cnspec shell to GitHub  `cnspec shell github repo <org/repo_name> --token $GITHUB_TOKEN`
        3. Run this query:

           ```mql
           github.repository.branches.where( isDefault == true) { isProtected protectionRules { requiredStatusChecks.length } }
           ```
      remediation: |
        To enable branch protection, see [About protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches) on the GitHub documentation site. Once branch protection is enabled, see [Require status checks before merging](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging) on the GitHub documentation site.
    refs:
      - url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches
        title: GitHub Docs - About protected branches
      - url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging
        title: Require status checks before merging
  - uid: mondoo-github-repository-security-required-signed-commits
    title: Ensure repository branch protection requires signed commits
    impact: 80
    mql: |
      github.repository.branches
        .where( isDefault == true )
        .all( isProtected == true )
      github.repository.branches
        .where( isDefault == true )
        .all( protectionRules { requiredSignatures == true } )
    docs:
      desc: |
        This check ensures a branch protection rule exists to require signed commits on the default branch. Signing commits and tags locally gives other people confidence about the origin of changes made to a project. If a commit or tag has a GPG, SSH, or S/MIME signature that is cryptographically verifiable, GitHub marks the commit or tag "Verified" or "Partially verified."
      audit: |
        __cnspec shell__

        1. Open a terminal
        2. Connect cnspec shell to GitHub  `cnspec shell github repo <org/repo_name> --token $GITHUB_TOKEN`
        3. Run this query:

           ```mql
           github.repository.branches.where( isDefault == true) { isProtected protectionRules { requiredSignatures } }
           ```
      remediation: |
        To enable branch protection, see [About protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches) on the GitHub documentation site. Once branch protection is enabled, see [Require signed commits](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-signed-commits) on the GitHub documentation site.
    refs:
      - url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches
        title: GitHub Docs - About protected branches
      - url: https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification
        title: GitHub Docs - About commit signature verification
  - uid: mondoo-github-repository-security-enforce-branch-protection
    title: Ensure repository does not allow bypassing of branch protections rules
    impact: 70
    mql: |
      github.repository.branches
        .where( isDefault == true )
        .all( isProtected == true )
      github.repository.branches
        .where( isDefault == true )
        .all( protectionRules.enforceAdmins['enabled'] == true )
    docs:
      desc: |
        This check ensures branch protection rules cannot be bypassed. By default, the restrictions of a branch protection rule do not apply to people with admin permissions to the repository or custom roles with the "bypass branch protections" permission in a repository.
      audit: |
        __cnspec shell__

        1. Open a terminal
        2. Connect cnspec shell to GitHub  `cnspec shell github repo <org/repo_name> --token $GITHUB_TOKEN`
        3. Run this query:

           ```mql
           github.repository.branches.where( isDefault == true) { isProtected protectionRules { enforceAdmins['enabled'] } }
           ```
      remediation: |
        To enable branch protection, see [About protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches) on the GitHub documentation site. Once branch protection is enabled, see [Do not allow bypassing the above settings](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#do-not-allow-bypassing-the-above-settings) on the GitHub documentation site.
    refs:
      - url: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches
        title: GitHub Docs - About protected branches
  - uid: mondoo-github-repository-security-security-policy
    title: Ensure repository defines a security policy
    impact: 30
    mql: |
      github.repository.files.one( name.downcase == "security.md")
    docs:
      desc: |
        This check tries to determine that the repository defines a security policy.

        It is recommended projects provide instructions for reporting a security vulnerability in your project by adding a security policy to your repository.
      audit: |
        __cnspec shell__

        1. Open a terminal
        2. Connect cnspec shell to GitHub  `cnspec shell github repo <org/repo_name> --token $GITHUB_TOKEN`
        3. Run this query:

           ```mql
           github.repository.files.one( name.downcase == "security.md")
           ```
      remediation: |
        See [Adding a security policy to your repository](https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository#adding-a-security-policy-to-your-repository) on the GitHub documentation site.
    refs:
      - url: https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository
        title: GitHub Docs - Adding a security policy to your repository
  - uid: mondoo-github-repository-security-binary-artifacts
    title: Ensure repository does not generate binary artifacts
    impact: 90
    mql: |
      github.repository.files
        .all( isBinary == false )
      github.repository.files
        .where( type == "dir" )
        .all( files.where( type != "dir").all( isBinary == false) )
    docs:
      desc: |
        This check determines whether the project has generated executable (binary) artifacts in the source repository. Binary artifacts pose security challenges because they cannot be reviewed, and users will often directly use executables if they are included in the source repository, leading to many dangerous behaviors.
      audit: |
        __cnspec shell__

        1. Open a terminal
        2. Connect cnspec shell to GitHub  `cnspec shell github repo <org/repo_name> --token $GITHUB_TOKEN`
        3. Run this query:

           ```mql
           github.repository { files { isBinary } files {files { isBinary } } }
           ```
      remediation: |
        Remove the generated executable artifacts from the repository, and then build from source.
    refs:
      - url: https://github.com/ossf/scorecard/blob/main/docs/checks.md#binary-artifacts
        title: OSSF Scorecard - Binary Artifacts
  - uid: mondoo-github-repository-security-ensure-dependabot-workflow
    title: Ensure a GitHub Actions workflow exists for Dependabot
    impact: 70
    mql: |-
      github.repository.files
        .one( name == ".github" && type == "dir" )
      github.repository.files
        .where( path == ".github" )
        .all( files.one( name == "dependabot.yaml" || name == "dependabot.yml" ) )
    docs:
      desc: |
        This check ensures the existence of a GitHub Actions workflow to run Dependabot checks on the repository by looking for the existence of a `.github/dependabot.yml` or `.github/dependabot.yaml` configuration file.
        Dependabot creates pull requests to keep your dependencies up to date, and you can use GitHub Actions to perform automated tasks when these pull requests are created. For example, fetch additional artifacts, add labels, run tests, or otherwise modifying the pull request.
      remediation: |
        GitHub Actions provides many different workflows for running Dependabot checks on a project. For more information see [Automating Dependabot with GitHub Actions](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions) in the GitHub documentation site.