Add osps-qa-02 rule (#275)

* Add OSPS Baseline Level 1 rules.

This change adds all currently implemented rule types for OSPS
Baseline Level 1.

Some rules were copy-pasted from rules like
e.g. `branch_protection_allow_deletions` in order to (a) be able to
change them independently and (b) change the name to something
descriptive in the scope of Security Baseline. We generally do not
foster this, but in this case we deemed simplicity was preferable to
avoiding duplication.

Along the rules themselves, tests were added to new, existing ones,
and their copies.

Fixes stacklok/minder-stories#198

* add: osps-qa-02 rule

* update: use rest

---------

Co-authored-by: Michelangelo Mori <[email protected]>

Author: teodor-yanev

security-baseline/profiles/security-baseline-level-1.yaml

@@ -35,3 +35,7 @@ repository:
   - name: osps-qa-01
     type: osps-qa-01
     def: {}
+  # OSPS-QA-02: Maintain publicly readable change history
+  - name: osps-qa-02
+    type: osps-qa-02
+    def: {}    

security-baseline/rule-types/github/osps-qa-02.yaml

@@ -0,0 +1,47 @@
+version: v1
+release_phase: alpha
+type: rule-type
+name: osps-qa-02
+display_name: Maintain publicly readable change history
+short_failure_message: Repository must be public and prevent force pushes
+severity:
+  value: info
+context:
+  provider: github
+description: |
+  Ensure that the project's change history is publicly readable and 
+  cannot be overwritten, maintaining transparency and trust in the 
+  development process. This helps maintain a complete and accurate history of all
+  changes made to the codebase.
+guidance: |
+  1. Make sure the repository is public via the
+     [Repository Settings](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility) page.
+  2. Ensure force pushes are disabled in branch protection rules via the
+     [Branch protection settings](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule).
+def:
+  in_entity: repository
+  rule_schema: {}
+  ingest:
+    type: rest
+    rest:
+      endpoint: '/repos/{{.Entity.Owner}}/{{.Entity.Name}}/branches/{{.Entity.DefaultBranch}}/protection'
+      parse: json
+      fallback:
+        - http_code: 404
+          body: |
+            {"http_status": 404, "message": "Not Protected"}
+  eval:
+    type: rego
+    rego:
+      type: deny-by-default
+      def: |
+        package minder
+
+        import rego.v1
+
+        default allow := false
+
+        allow if {
+            not input.properties["is_private"]
+            not input.ingested.allow_force_pushes.enabled
+        }