l3_3_version_update_approvals.py
import subprocess
import json
# Required Github permissions: "Pull requests" repository permissions (read)
# L3.1 (Version Update Approvals)
# Description: On each new version (e.g. Pull Request) of source code or infrastructure components a security peer review of the changes
# is performed (two eyes principle) and approval given by the reviewer.
# Rule: Check if the last PR has requested reviewers
# Ideas: Check if the main branch has a protection rule that allows merging only with at least 1 approval (Prevent merging unsigned commits)
# Check if the last x PRs have a reviewer (Ensure that the two-eyes principle has been used in the past)
# Some PRs are automated so it will not have a review for example the PRs that are created by dependabot
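def _is_repo_slug(repo):
    """Return True when *repo* looks like an ``owner/name`` GitHub slug."""
    # The slug is interpolated into the API path verbatim, so refuse anything
    # that could change the endpoint (extra slashes, query characters,
    # dot-only components) rather than letting ``gh`` sort it out.
    if not isinstance(repo, str):
        return False
    parts = repo.split('/')
    if len(parts) != 2:
        return False
    return all(
        part
        and part.strip('.')
        and all((ch.isascii() and ch.isalnum()) or ch in '-_.' for ch in part)
        for part in parts
    )


def check_l3_3_version_update_approvals(repo):
    """Report whether the most recent pull request of *repo* has reviewers requested.

    Runs ``gh api /repos/{repo}/pulls`` and inspects the ``requested_reviewers``
    list of the first entry returned.

    Args:
        repo: GitHub repository slug in ``owner/name`` form.

    Returns:
        One of the status strings ``'Last PR requested for review'``,
        ``'Not Detected'``, ``"No PRs"``, ``"Unable to check"``, ``"Error"``
        or ``"Error exception"``. Never raises.
    """
    if not _is_repo_slug(repo):
        return "Unable to check"
    try:
        result = subprocess.run(
            ['gh', 'api', f'/repos/{repo}/pulls'],
            capture_output=True, text=True, check=True
        )
        pull_requests = json.loads(result.stdout)
    except subprocess.CalledProcessError:
        return "Unable to check"
    except json.JSONDecodeError:
        return "Error"
    except Exception:
        # Best-effort catch-all kept from the original, e.g. ``gh`` not on PATH
        # (FileNotFoundError); the caller only consumes the status string.
        return "Error exception"
    # An API error body is a JSON object, not the expected list of PRs;
    # indexing it with [0] would otherwise fail with KeyError.
    if not isinstance(pull_requests, list):
        return "Error"
    if not pull_requests:
        return "No PRs"
    # NOTE(review): ``requested_reviewers`` holds *pending* review requests,
    # not submitted approvals, and this endpoint presumably returns open PRs
    # only — confirm this is the intended signal for the two-eyes check.
    latest = pull_requests[0]
    reviewers = latest.get('requested_reviewers') if isinstance(latest, dict) else None
    if reviewers:
        return 'Last PR requested for review'
    return 'Not Detected'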