Verify GitHub Organization Requires Signoff on Web Commits
Type: Rule
ID: github-org-web-commit-signoff
Source: v2/rules/github/org/web-commit-signoff.yaml
Rego Source: web-commit-signoff.rego
Labels: GitHub, Organization
Verify contributors sign commits through the GitHub web interface.
This rule requires GitHub Organization Discovery Evidence. See here for more details.
Signed Evidence for this rule IS NOT required by default but is recommended.
The rule requires evaluation with a target. Without one, it is disabled unless the --all-evidence flag is provided.
Usage example
uses: github/org/web-commit-signoff@v2
Mitigation
Ensure that the Web Commit Signoff setting under the GitHub organization is enabled to require signoff on all web-based commits, enhancing security and accountability.
Description
This rule checks whether the web_commit_signoff setting is enabled, to ensure that all web-based commits are signed off.
It performs the following steps:
- Checks the web commit signoff settings of the GitHub organization.
- Verifies that the web commit signoff setting is enabled.
Evidence Requirements:
- Evidence must be provided by the Scribe Platform's CLI tool through scanning GitHub organization resources.
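An added example of the check this rule performs, written here as Python against the organization object returned by the GitHub REST API (`GET /orgs/{org}`); it is not Scribe's Rego or valint code. The `web_commit_signoff_required` field is the real API field; the organization names and the evidence list are constructed, and a missing field is treated as a failure rather than a pass.

```python
"""Added example: evaluate the GitHub organization web-commit-signoff setting
from a `GET /orgs/{org}` response. Not Scribe's rule code; sample data is constructed."""
import json
import urllib.request
from typing import Any


def evaluate_web_commit_signoff(org: dict[str, Any]) -> dict[str, Any]:
    """Return a rule result for one organization object.

    A missing field is a failure, not a pass: a token without read access to
    organization settings, or an outdated API response, must not silently
    satisfy the control.
    """
    value = org.get("web_commit_signoff_required")
    login = org.get("login", "<unknown>")
    if value is True:
        return {"org": login, "passed": True, "reason": "web commit signoff is required"}
    if value is None:
        return {"org": login, "passed": False,
                "reason": "setting not present in evidence; verify token scope and API version"}
    return {"org": login, "passed": False, "reason": "web commit signoff is not required"}


def fetch_org(login: str, token: str) -> dict[str, Any]:
    """Fetch the organization object from the GitHub API (network call; not exercised offline)."""
    req = urllib.request.Request(
        f"https://api.github.com/orgs/{login}",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample evidence: one compliant org, one non-compliant, one with the field absent.
SAMPLE_ORGS = [
    {"login": "example-compliant", "web_commit_signoff_required": True},
    {"login": "example-noncompliant", "web_commit_signoff_required": False},
    {"login": "example-missing"},
]


def evaluate_all(orgs: list[dict[str, Any]] = SAMPLE_ORGS) -> list[dict[str, Any]]:
    """Evaluate every organization object and return one result per org."""
    return [evaluate_web_commit_signoff(o) for o in orgs]


if __name__ == "__main__":
    for r in evaluate_all():
        print("PASS" if r["passed"] else "FAIL", r["org"], "-", r["reason"])
```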
Evidence Requirements
Field | Value
---|---
signed | False
content_body_type | generic
target_type | data
predicate_type | http://scribesecurity.com/evidence/discovery/v0.1
labels | platform=github, asset_type=organization