feat: add more policies for better compliance posture for SOC2 #9
gusfcarvalho wants to merge 12 commits into main from
Conversation
fix: support new format for dependabot and secret scanning policies
Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
Pull request overview
Adds several new GitHub organization compliance policies (aimed at improving SOC2 posture) and updates existing secret scanning / Dependabot policies to evaluate GitHub’s newer “default code security configurations” format.
Changes:
- Added new org-level policies (with tests) for SSO, IP allow-list, web commit sign-off, team-based access, repo creation restrictions, default repo permissions, and owner count.
- Updated secret scanning + Dependabot "enabled by default" policies (and tests) to read from `default_security_configs` and emit richer violation descriptions.
- Extended example org JSON inputs with additional org data (members/SSO/IP allow-list).
Reviewed changes
Copilot reviewed 20 out of 20 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| policies/gh_org_web_commit_signoff.rego | New policy enforcing required web commit sign-off setting. |
| policies/gh_org_web_commit_signoff_test.rego | Tests for web commit sign-off policy. |
| policies/gh_org_team_based_access.rego | New policy requiring at least one org team (RBAC baseline). |
| policies/gh_org_team_based_access_test.rego | Tests for team-based access policy. |
| policies/gh_org_sso_enabled.rego | New policy checking org SAML SSO enabled. |
| policies/gh_org_sso_enabled_test.rego | Tests for SSO-enabled policy. |
| policies/gh_org_secret_scanning_enabled.rego | Updated to evaluate default code security configurations for secret scanning defaults. |
| policies/gh_org_secret_scanning_enabled_test.rego | Updated tests for new secret scanning input shape. |
| policies/gh_org_secret_dependabot_alerts.rego | Updated to evaluate default code security configurations for Dependabot alert defaults. |
| policies/gh_org_secret_dependabot_alerts_test.rego | Updated tests for new Dependabot input shape. |
| policies/gh_org_members_can_create_repos.rego | New policy restricting member repository creation. |
| policies/gh_org_members_can_create_repos_test.rego | Tests for repo creation restriction policy. |
| policies/gh_org_ip_allowlist_enabled.rego | New policy ensuring at least one active IP allow-list entry. |
| policies/gh_org_ip_allowlist_enabled_test.rego | Tests for IP allow-list policy. |
| policies/gh_org_default_repo_permission.rego | New policy enforcing non-permissive default repo permission. |
| policies/gh_org_default_repo_permission_test.rego | Tests for default repo permission policy. |
| policies/gh_org_admin_count.rego | New policy limiting org owner/admin count. |
| policies/gh_org_admin_count_test.rego | Tests for owner/admin count policy. |
| example-data/testorg.json | Example org input updated with members/SSO/IP allow-list data. |
| example-data/testorg-unremediated.json | Unremediated example org input updated with members/SSO/IP allow-list data. |
Adds GitHub organization compliance policies for SOC2 posture, including SSO enforcement, IP allow-list coverage, web commit sign-off, team-based access, member repository creation permission, default repository permissions, and owner-count limits.
Also updates the Dependabot alerts and secret scanning policies to evaluate GitHub's default code security configurations format, with example org data and tests covering the new input shape.
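The following Rego policy is an added example, not code from this PR or the project, showing how an "enabled by default" check can be written against the newer default code security configurations shape. The input layout is an assumption modelled on what GitHub's "get default code security configurations" endpoint returns (a list of objects with `default_for_new_repos` and a `configuration` body; the values `all`, `none`, `public` and `private_and_internal`, and the keys `secret_scanning` and `dependabot_alerts`, are assumed here rather than taken from this page). The package name is hypothetical. The helper is parametrised on the feature key so one definition covers both the secret scanning and the Dependabot alerts policies described above, and it treats a default that only covers one visibility scope as a violation, which is the edge case a "public-only" default would otherwise hide.

```rego
package example.default_security_configs

import rego.v1

# Assumed input shape (not the project's own):
# input.default_security_configs is the list returned by GitHub's default
# code security configurations endpoint. Each entry has
#   default_for_new_repos: "all" | "none" | "public" | "private_and_internal"
#   configuration: { secret_scanning: "enabled"|"disabled"|..., dependabot_alerts: ..., ... }

# Visibility scopes for which some default configuration enables `feature`.
# Entries with default_for_new_repos == "none" are attached to the org but are
# not a default for any new repository, so they are skipped.
scopes_enabling(feature) := {scope |
	some cfg in input.default_security_configs
	scope := cfg.default_for_new_repos
	scope != "none"
	cfg.configuration[feature] == "enabled"
}

# A feature is on by default for every new repository when one default covers
# "all" visibilities, or when "public" and "private_and_internal" are both covered.
enabled_for_all_new_repos(feature) if "all" in scopes_enabling(feature)

enabled_for_all_new_repos(feature) if {
	covered := scopes_enabling(feature)
	"public" in covered
	"private_and_internal" in covered
}

secret_scanning_violations contains msg if {
	not enabled_for_all_new_repos("secret_scanning")
	msg := sprintf(
		"secret scanning is not enabled by default for all new repositories (scopes with it enabled: %v)",
		[scopes_enabling("secret_scanning")],
	)
}

dependabot_alerts_violations contains msg if {
	not enabled_for_all_new_repos("dependabot_alerts")
	msg := sprintf(
		"Dependabot alerts are not enabled by default for all new repositories (scopes with them enabled: %v)",
		[scopes_enabling("dependabot_alerts")],
	)
}

# Constructed inputs for `opa test`; not real org data.
test_default_covering_all_passes if {
	count(secret_scanning_violations) == 0 with input as {"default_security_configs": [{
		"default_for_new_repos": "all",
		"configuration": {"secret_scanning": "enabled", "dependabot_alerts": "enabled"}
	}]}
}

test_public_only_default_is_a_violation if {
	count(secret_scanning_violations) == 1 with input as {"default_security_configs": [{
		"default_for_new_repos": "public",
		"configuration": {"secret_scanning": "enabled", "dependabot_alerts": "enabled"}
	}]}
}

test_split_defaults_pass_when_both_scopes_enable_feature if {
	count(dependabot_alerts_violations) == 0 with input as {"default_security_configs": [
		{"default_for_new_repos": "public", "configuration": {"dependabot_alerts": "enabled"}},
		{"default_for_new_repos": "private_and_internal", "configuration": {"dependabot_alerts": "enabled"}}
	]}
}

test_attached_but_not_default_config_is_a_violation if {
	count(dependabot_alerts_violations) == 1 with input as {"default_security_configs": [{
		"default_for_new_repos": "none",
		"configuration": {"dependabot_alerts": "enabled"}
	}]}
}
```

Save the block as a `.rego` file and run `opa test -v .` in that directory; the four `test_` rules exercise the fully covered, public-only, split-default and attached-but-not-default cases. Splitting the scope calculation out of the violation rule is what lets the message report which scopes are actually covered instead of a bare "not enabled".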