mindersec · teodor-yanev · Jan 21, 2025 · Jan 10, 2025 · Jan 17, 2025 · Jan 20, 2025
@@ -35,3 +35,7 @@ repository:
   - name: osps-qa-01
     type: osps-qa-01
     def: {}
+  # OSPS-QA-02: Maintain publicly readable change history
+  - name: osps-qa-02
+    type: osps-qa-02
+    def: {}    
@@ -0,0 +1,47 @@
+version: v1
+release_phase: alpha
+type: rule-type
+name: osps-qa-02
+display_name: Maintain publicly readable change history
+short_failure_message: Repository must be public and prevent force pushes
+severity:
+  value: info
+context:
+  provider: github
+description: |
+  Ensure that the project's change history is publicly readable and 
+  cannot be overwritten, maintaining transparency and trust in the 
+  development process. This helps maintain a complete and accurate history of all
+  changes made to the codebase.
+guidance: |
+  1. Make sure the repository is public via the
+     [Repository Settings](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility) page.
+  2. Ensure force pushes are disabled in branch protection rules via the
+     [Branch protection settings](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule).
+def:
+  in_entity: repository
+  rule_schema: {}
+  ingest:
+    type: rest
+    rest:
+      endpoint: '/repos/{{.Entity.Owner}}/{{.Entity.Name}}/branches/{{.Entity.DefaultBranch}}/protection'
+      parse: json
+      fallback:
+        - http_code: 404
+          body: |
+            {"http_status": 404, "message": "Not Protected"}
+  eval:
+    type: rego
+    rego:
+      type: deny-by-default
+      def: |
+        package minder
+
+        import rego.v1
+
+        default allow := false
+
+        allow if {
+            not input.properties["is_private"]
+            not input.ingested.allow_force_pushes.enabled
+        }