feat: add support for branch protections via rules #147
Conversation
Kusari Analysis Results:Caution Flagged Issues Detected While dependency analysis shows no concerning changes, critical security vulnerabilities were identified in the code analysis that must be addressed immediately. The terraform.tfstate file contains exposed GitHub tokens and should never be committed to version control, creating a high risk of credential compromise. Additionally, the workflow uses unpinned action references which poses supply chain security risks. These critical issues outweigh the clean dependency findings and require remediation before the PR can be safely merged. Note View full detailed analysis result for more information on the output and the checks that were run. Required Code MitigationsRemove terraform.tfstate from version control entirely. Add terraform.tfstate and terraform.tfstate.backup to .gitignore file. Use remote state storage (like Terraform Cloud, AWS S3, or Azure Storage) instead of committing state files.
Pin the GitHub action to a specific commit hash instead of using a mutable tag reference for better security and reproducibility.
Found this helpful? Give it a 👍 or 👎 reaction! |
trumant
force-pushed
the
get-repo-rulesets-for-default-branch
branch
from
6181f79 to
bd752b0
Compare
|
Kusari PR Analysis rerun based on - bd752b0 performed at: 2025-09-21T19:59:37Z - link to updated analysis |
trumant
force-pushed
the
get-repo-rulesets-for-default-branch
branch
from
bd752b0 to
c03b6ca
Compare
|
Kusari PR Analysis rerun based on - c03b6ca performed at: 2025-09-21T20:00:49Z - link to updated analysis |
trumant
force-pushed
the
get-repo-rulesets-for-default-branch
branch
from
c03b6ca to
3a03cd1
Compare
|
Kusari PR Analysis rerun based on - 3a03cd1 performed at: 2025-09-21T20:09:10Z - link to updated analysis |
trumant
force-pushed
the
get-repo-rulesets-for-default-branch
branch
from
3a03cd1 to
2395e30
Compare
|
Kusari PR Analysis rerun based on - 2395e30 performed at: 2025-09-21T20:11:51Z - link to updated analysis |
This commit adds support for reading and interpreting the rules applied to the default branch of the repo. Evaluations that previously only considered the state of branch protection rules will now also consider the state of branch rules. Signed-off-by: Travis Truman <[email protected]>
trumant
force-pushed
the
get-repo-rulesets-for-default-branch
branch
from
2395e30 to
371db9c
Compare
|
Kusari PR Analysis rerun based on - 371db9c performed at: 2025-09-21T20:12:50Z - link to updated analysis |
|
Kusari PR Analysis rerun based on - 2f4a56e performed at: 2025-09-21T23:17:41Z - link to updated analysis |
![kusari-inspector[bot]](https://avatars.githubusercontent.com/in/1220830?s=60&v=4){kind=small}
| @@ -0,0 +1 @@ | |||
| {"version":4,"terraform_version":"1.10.6","serial":2,"lineage":"7bc637ea-e7ff-1f51-242c-395719e69890","outputs":{},"resources":[{"mode":"managed","type":"github_repository","name":"example_osps_baseline_level_1","provider":"provider[\"registry.opentofu.org/integrations/github\"]","instances":[{"schema_version":1,"attributes":{"allow_auto_merge":false,"allow_merge_commit":true,"allow_rebase_merge":true,"allow_squash_merge":true,"allow_update_branch":false,"archive_on_destroy":null,"archived":false,"auto_init":false,"default_branch":"main","delete_branch_on_merge":false,"description":"Example repository for integration testing of pvtr-github-repo","etag":"W/\"a18fbc4b4371fb3fd92f89c85eff300333be99f12c796276ec71f4a170512568\"","full_name":"revanite-io/example-osps-baseline-level-1","git_clone_url":"git://github.com/revanite-io/example-osps-baseline-level-1.git","gitignore_template":null,"has_discussions":false,"has_downloads":true,"has_issues":true,"has_projects":true,"has_wiki":true,"homepage_url":"","html_url":"https://github.com/revanite-io/example-osps-baseline-level-1","http_clone_url":"https://github.com/revanite-io/example-osps-baseline-level-1.git","id":"example-osps-baseline-level-1","ignore_vulnerability_alerts_during_read":null,"is_template":false,"license_template":null,"merge_commit_message":"PR_TITLE","merge_commit_title":"MERGE_MESSAGE","name":"example-osps-baseline-level-1","node_id":"R_kgDOP0IKkg","pages":[],"primary_language":"Python","private":false,"repo_id":1061292690,"security_and_analysis":[{"advanced_security":[],"secret_scanning":[{"status":"disabled"}],"secret_scanning_push_protection":[{"status":"disabled"}]}],"squash_merge_commit_message":"COMMIT_MESSAGES","squash_merge_commit_title":"COMMIT_OR_PR_TITLE","ssh_clone_url":"[email protected]:revanite-io/example-osps-baseline-level-1.git","svn_url":"https://github.com/revanite-io/example-osps-baseline-level-1","template":[],"topics":[],"visibility":"public","vulnerability_alerts":true,"web_commit_signoff_required":false},"sensitive_attributes":[],"private":"eyJzY2hlbWFfdmVyc2lvbiI6IjEifQ=="}]},{"mode":"managed","type":"github_repository_ruleset","name":"default_branch_protection","provider":"provider[\"registry.opentofu.org/integrations/github\"]","instances":[{"schema_version":1,"attributes":{"bypass_actors":[],"conditions":[{"ref_name":[{"exclude":[],"include":["~DEFAULT_BRANCH"]}]}],"enforcement":"active","etag":"W/\"4354911cc42f114f622f032d1fedae8c238317d7459bfaca137e33e449db18ab\"","id":"8281062","name":"default","node_id":"RRS_lACqUmVwb3NpdG9yec4_QgqSzgB-W-Y","repository":"example-osps-baseline-level-1","rules":[{"branch_name_pattern":[],"commit_author_email_pattern":[],"commit_message_pattern":[],"committer_email_pattern":[],"creation":false,"deletion":true,"merge_queue":[],"non_fast_forward":true,"pull_request":[{"dismiss_stale_reviews_on_push":false,"require_code_owner_review":false,"require_last_push_approval":false,"required_approving_review_count":1,"required_review_thread_resolution":false}],"required_code_scanning":[],"required_deployments":[],"required_linear_history":false,"required_signatures":false,"required_status_checks":[],"tag_name_pattern":[],"update":true,"update_allows_fetch_and_merge":false}],"ruleset_id":8281062,"target":"branch"},"sensitive_attributes":[],"private":"eyJzY2hlbWFfdmVyc2lvbiI6IjEifQ=="}]}],"check_results":null} | |||
There was a problem hiding this comment.
Issue: Remove terraform.tfstate from version control entirely. Add terraform.tfstate and terraform.tfstate.backup to .gitignore file. Use remote state storage (like Terraform Cloud, AWS S3, or Azure Storage) instead of committing state files.
Recommended Code Changes:
# Add to .gitignore:
terraform.tfstate
terraform.tfstate.backup
*.tfstate
*.tfstate.*
There was a problem hiding this comment.
OpenTofu docs claim that because the GH creds for the provider are provided using an environment variable that the value will never be stored in the local state, see https://opentofu.org/docs/language/settings/backends/configuration/#credentials-and-sensitive-data
| resource "github_repository" "example_osps_baseline_level_1" { | ||
| name = "example-osps-baseline-level-1" | ||
| description = "Example repository for integration testing of pvtr-github-repo" | ||
| visibility = "public" |
There was a problem hiding this comment.
Issue: Consider if the repository truly needs to be public. If this is intentional for the example repository, you can suppress this warning. If not, change visibility to private.
Recommended Code Changes:
visibility = "private" # Change from "public" if not intentionally public
| persist-credentials: false | ||
|
|
||
| - name: Set up Tofu | ||
| uses: opentofu/setup-opentofu@v1 |
There was a problem hiding this comment.
Issue: Pin the GitHub action to a specific commit hash instead of using a mutable tag reference for better security and reproducibility.
Recommended Code Changes:
uses: opentofu/setup-opentofu@<commit-hash> # Replace with actual commit hash
This commit adds OpenTofu infrastructure as code to manage the GitHub repo `revanit-io/example-osps-baseline-level-1`. Because this repository can be used for integration testing changes in the project, any changes to the repository should be visible and fail a CI run. Signed-off-by: Travis Truman <[email protected]>
trumant
force-pushed
the
get-repo-rulesets-for-default-branch
branch
from
2f4a56e to
3d1dd9c
Compare
|
Kusari PR Analysis rerun based on - 3d1dd9c performed at: 2025-09-21T23:18:50Z - link to updated analysis |
|
The intention behind adding the The integration test workflow is currently blocked as the default permissions of the |
This commit adds support for reading and interpreting the rules applied to the default branch of the repo.
Evaluations that previously only considered the state of branch protection rules will now also consider the state of branch rules.