feat: add support for branch protections via rules

trumant · trumant · commit 371db9ca6878 · 2025-09-21T16:12:28.000-04:00
This commit adds support for reading and interpreting
the rules applied to the default branch of the repo.

Evaluations that previously only considered the state
of branch protection rules will now also consider the state
of branch rules.

Signed-off-by: Travis Truman &lt;trumant@gmail.com&gt;
diff --git a/data/repository_metadata.go b/data/repository_metadata.go
@@ -11,13 +11,16 @@ type RepositoryMetadata interface {
 	IsPublic() bool
 	OrganizationBlogURL() *string
 	IsMFARequiredForAdministrativeActions() *bool
+	IsDefaultBranchProtected() *bool
+	DefaultBranchRequiresPRReviews() *bool
+	IsDefaultBranchProtectedFromDeletion() *bool
 }
 
 type GitHubRepositoryMetadata struct {
-	Releases []ReleaseData
-	Rulesets []Ruleset
-	ghRepo   *github.Repository
-	ghOrg    *github.Organization
+	Releases           []ReleaseData
+	defaultBranchRules *github.BranchRules
+	ghRepo             *github.Repository
+	ghOrg              *github.Organization
 }
 
 func (r *GitHubRepositoryMetadata) IsActive() bool {
@@ -28,6 +31,30 @@ func (r *GitHubRepositoryMetadata) IsPublic() bool {
 	return !r.ghRepo.GetPrivate()
 }
 
+func (r *GitHubRepositoryMetadata) IsDefaultBranchProtected() *bool {
+	if r.defaultBranchRules == nil {
+		return nil
+	}
+	updateBlockedByRule := r.defaultBranchRules != nil && len(r.defaultBranchRules.Update) > 0
+	return &updateBlockedByRule
+}
+
+func (r *GitHubRepositoryMetadata) IsDefaultBranchProtectedFromDeletion() *bool {
+	if r.defaultBranchRules == nil {
+		return nil
+	}
+	deletionBlockedByRule := r.defaultBranchRules != nil && len(r.defaultBranchRules.Deletion) > 0
+	return &deletionBlockedByRule
+}
+
+func (r *GitHubRepositoryMetadata) DefaultBranchRequiresPRReviews() *bool {
+	if r.defaultBranchRules == nil {
+		return nil
+	}
+	requiresReviews := r.defaultBranchRules != nil && r.defaultBranchRules.PullRequest != nil && len(r.defaultBranchRules.PullRequest) > 0 && r.defaultBranchRules.PullRequest[0].Parameters.RequiredApprovingReviewCount > 0
+	return &requiresReviews
+}
+
 func (r *GitHubRepositoryMetadata) OrganizationBlogURL() *string {
 	if r.ghOrg != nil {
 		return r.ghOrg.Blog
@@ -53,8 +80,30 @@ func loadRepositoryMetadata(ghClient *github.Client, owner, repo string) (ghRepo
 			ghRepo: repository,
 		}, nil
 	}
+	branchRules, err := getRuleset(ghClient, owner, repo, repository.GetDefaultBranch())
+	if err != nil {
+		return repository, &GitHubRepositoryMetadata{
+			ghRepo: repository,
+			ghOrg:  organization,
+		}, nil
+	}
 	return repository, &GitHubRepositoryMetadata{
-		ghRepo: repository,
-		ghOrg:  organization,
+		ghRepo:             repository,
+		ghOrg:              organization,
+		defaultBranchRules: branchRules,
 	}, nil
 }
+
+func getRuleset(ghClient *github.Client, owner, repo string, branchName string) (*github.BranchRules, error) {
+	branchRules, _, err := ghClient.Repositories.GetRulesForBranch(
+		context.Background(),
+		owner,
+		repo,
+		branchName,
+		nil,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return branchRules, nil
+}
diff --git a/evaluation_plans/osps/access_control/evaluations.go b/evaluation_plans/osps/access_control/evaluations.go
@@ -64,7 +64,7 @@ func OSPS_AC_03() (evaluation *layer4.ControlEvaluation) {
 			"Maturity Level 3",
 		},
 		[]layer4.AssessmentStep{
-			branchProtectionRestrictsPushes, // This checks branch protection, but not rulesets yet
+			defaultBranchRestrictsPushes,
 		},
 	)
 
@@ -77,7 +77,7 @@ func OSPS_AC_03() (evaluation *layer4.ControlEvaluation) {
 			"Maturity Level 3",
 		},
 		[]layer4.AssessmentStep{
-			branchProtectionPreventsDeletion, // This checks branch protection, but not rulesets yet
+			defaultBranchPreventsDeletion,
 		},
 	)
 
diff --git a/evaluation_plans/osps/access_control/steps.go b/evaluation_plans/osps/access_control/steps.go
@@ -22,7 +22,7 @@ func orgRequiresMFA(payloadData any, _ map[string]*layer4.Change) (result layer4
 	return layer4.Failed, "Two-factor authentication is NOT configured as required by the parent organization"
 }
 
-func branchProtectionRestrictsPushes(payloadData any, _ map[string]*layer4.Change) (result layer4.Result, message string) {
+func defaultBranchRestrictsPushes(payloadData any, _ map[string]*layer4.Change) (result layer4.Result, message string) {
 	payload, message := reusable_steps.VerifyPayload(payloadData)
 	if message != "" {
 		return layer4.Unknown, message
@@ -36,28 +36,42 @@ func branchProtectionRestrictsPushes(payloadData any, _ map[string]*layer4.Chang
 		result = layer4.Passed
 		message = "Branch protection rule requires approving reviews"
 	} else {
-		result = layer4.NeedsReview
-		message = "Branch protection rule does not restrict pushes or require approving reviews; Rulesets not yet evaluated."
+		if payload.RepositoryMetadata.IsDefaultBranchProtected() != nil && *payload.RepositoryMetadata.IsDefaultBranchProtected() {
+			result = layer4.Passed
+			message = "Branch rule restricts pushes"
+		} else if payload.RepositoryMetadata.DefaultBranchRequiresPRReviews() != nil && *payload.RepositoryMetadata.DefaultBranchRequiresPRReviews() {
+			result = layer4.Passed
+			message = "Branch rule requires approving reviews"
+		} else {
+			result = layer4.Failed
+			message = "Default branch is not protected"
+		}
 	}
-	return
+	return result, message
 }
 
-func branchProtectionPreventsDeletion(payloadData any, _ map[string]*layer4.Change) (result layer4.Result, message string) {
+func defaultBranchPreventsDeletion(payloadData any, _ map[string]*layer4.Change) (result layer4.Result, message string) {
 	payload, message := reusable_steps.VerifyPayload(payloadData)
 	if message != "" {
 		return layer4.Unknown, message
 	}
 
-	allowsDeletion := payload.Repository.DefaultBranchRef.RefUpdateRule.AllowsDeletions
+	branchProtectionAllowsDeletion := payload.Repository.DefaultBranchRef.RefUpdateRule.AllowsDeletions
+	deletionRule := payload.RepositoryMetadata.IsDefaultBranchProtectedFromDeletion()
+	branchRulesAllowDeletion := deletionRule == nil || !*deletionRule
 
-	if allowsDeletion {
+	if branchProtectionAllowsDeletion && branchRulesAllowDeletion {
 		result = layer4.Failed
-		message = "Branch protection rule allows deletions"
+		message = "Default branch is not protected from deletions"
 	} else {
 		result = layer4.Passed
-		message = "Branch protection rule prevents deletions"
+		if *deletionRule {
+			message = "Default branch is protected from deletions by rulesets"
+		} else {
+			message = "Default branch is protected from deletions by branch protection rules"
+		}
 	}
-	return
+	return result, message
 }
 
 func workflowDefaultReadPermissions(payloadData any, _ map[string]*layer4.Change) (result layer4.Result, message string) {
