feat(github): Add GitHub check ensuring repository creation is limited (#8844)

Signed-off-by: Mauricio Harley <mauricioharley@gmail.com>
Co-authored-by: Hugo Pereira Brito <101209179+HugoPBrito@users.noreply.github.com>
Co-authored-by: HugoPBrito <hugopbrit@gmail.com>

Author: mauricioharley

poetry.lock

@@ -13,6 +13,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - `cloudstorage_bucket_logging_enabled` check for GCP provider [(#9091)](https://github.com/prowler-cloud/prowler/pull/9091)
 - C5 compliance framework for Azure provider [(#9081)](https://github.com/prowler-cloud/prowler/pull/9081)
 - C5 compliance framework for the GCP provider [(#9097)](https://github.com/prowler-cloud/prowler/pull/9097)
+- `organization_repository_creation_limited` check for GitHub provider [(#8844)](https://github.com/prowler-cloud/prowler/pull/8844)
 - HIPAA compliance framework for the GCP provider [(#8955)](https://github.com/prowler-cloud/prowler/pull/8955)
 - Add multiple compliance improvements [(#9145)](https://github.com/prowler-cloud/prowler/pull/9145)
 - Added validation for invalid checks, services, and categories in `load_checks_to_execute` function [(#8971)](https://github.com/prowler-cloud/prowler/pull/8971)

prowler/CHANGELOG.md

@@ -476,7 +476,9 @@
     {
       "Id": "1.2.2",
       "Description": "Limit the ability to create repositories to trusted users and teams.",
-      "Checks": [],
+      "Checks": [
+        "organization_repository_creation_limited"
+      ],
       "Attributes": [
         {
           "Section": "1 Source Code",

prowler/compliance/github/cis_1.0_github.json

@@ -0,0 +1,30 @@
+{
+  "Provider": "github",
+  "CheckID": "organization_repository_creation_limited",
+  "CheckTitle": "Ensure repository creation is limited to trusted organization members.",
+  "CheckType": [],
+  "ServiceName": "organization",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "GitHubOrganization",
+  "Description": "Ensure that repository creation is restricted so that only trusted owners or specific teams can create new repositories within the organization.",
+  "Risk": "Allowing all members to create repositories increases the likelihood of shadow repositories, data leakage, or malicious projects being introduced without oversight.",
+  "RelatedUrl": "https://docs.github.com/en/organizations/managing-organization-settings/restricting-repository-creation-in-your-organization",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Disable repository creation for members or limit it to specific trusted teams by adjusting Member privileges in the organization's settings.",
+      "Url": "https://docs.github.com/en/organizations/managing-organization-settings/restricting-repository-creation-in-your-organization"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/github/services/organization/organization_repository_creation_limited/__init__.py

@@ -0,0 +1,106 @@
+from typing import List
+
+from prowler.lib.check.models import Check, CheckReportGithub
+from prowler.providers.github.services.organization.organization_client import (
+    organization_client,
+)
+
+
+def _join_human_readable(items: List[str]) -> str:
+    """Return a simple human readable comma-separated list."""
+    if not items:
+        return ""
+    if len(items) == 1:
+        return items[0]
+    return ", ".join(items[:-1]) + f" and {items[-1]}"
+
+
+class organization_repository_creation_limited(Check):
+    """Check if repository creation is limited to trusted organization members."""
+
+    def execute(self) -> List[CheckReportGithub]:
+        findings = []
+        for org in organization_client.organizations.values():
+            repo_data = [
+                getattr(org, "members_can_create_repositories", None),
+                getattr(org, "members_can_create_public_repositories", None),
+                getattr(org, "members_can_create_private_repositories", None),
+                getattr(org, "members_can_create_internal_repositories", None),
+                getattr(org, "members_allowed_repository_creation_type", None),
+            ]
+
+            if all(value is None for value in repo_data):
+                continue
+
+            report = CheckReportGithub(metadata=self.metadata(), resource=org)
+
+            global_creation = getattr(org, "members_can_create_repositories", None)
+            public_creation = getattr(
+                org, "members_can_create_public_repositories", None
+            )
+            private_creation = getattr(
+                org, "members_can_create_private_repositories", None
+            )
+            internal_creation = getattr(
+                org, "members_can_create_internal_repositories", None
+            )
+            creation_type = getattr(
+                org, "members_allowed_repository_creation_type", None
+            )
+
+            type_flags = []
+            enabled_types = []
+
+            if global_creation is not None:
+                if global_creation:
+                    enabled_types.append("repositories of any type")
+                else:
+                    type_flags.append(False)
+
+            visibility_flags = [
+                (public_creation, "public repositories"),
+                (private_creation, "private repositories"),
+                (internal_creation, "internal repositories"),
+            ]
+
+            for flag, label in visibility_flags:
+                if flag is not None:
+                    type_flags.append(flag)
+                    if flag:
+                        enabled_types.append(label)
+
+            if creation_type:
+                normalized_type = creation_type.lower()
+                if normalized_type == "none":
+                    type_flags.append(False)
+                else:
+                    creation_messages = {
+                        "all": "repositories of any type",
+                        "public": "public repositories",
+                        "private": "private repositories",
+                        "internal": "internal repositories",
+                        "selected": "repositories for selected members or teams",
+                    }
+                    enabled_types.append(
+                        creation_messages.get(
+                            normalized_type, f"{creation_type} repositories"
+                        )
+                    )
+
+            restricted = bool(type_flags) and all(flag is False for flag in type_flags)
+
+            if restricted:
+                report.status = "PASS"
+                report.status_extended = f"Organization {org.name} has disabled repository creation for members."
+            else:
+                report.status = "FAIL"
+                unique_enabled = list(dict.fromkeys(enabled_types))
+                allowed_desc = _join_human_readable(unique_enabled)
+                if allowed_desc:
+                    report.status_extended = f"Organization {org.name} allows members to create {allowed_desc}."
+                else:
+                    report.status_extended = f"Organization {org.name} does not have enough data to confirm repository creation restrictions."
+
+            findings.append(report)
+
+        return findings

prowler/providers/github/services/organization/organization_repository_creation_limited/organization_repository_creation_limited.metadata.json

@@ -38,8 +38,9 @@ def _list_organizations(self):
         org_names_to_check = set()
 
         try:
-            for client in getattr(self, "clients", []) or []:
-                if getattr(self.provider, "organizations", None):
+            clients = getattr(self, "clients", [])
+            for client in clients:
+                if self.provider.organizations:
                     org_names_to_check.update(self.provider.organizations)
 
                 # If repositories are specified without organizations, don't perform organization checks
@@ -147,22 +148,74 @@ def _process_organization(self, org, organizations):
             logger.error(
                 f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
             )
+        repo_creation_settings = {
+            "members_can_create_repositories": None,
+            "members_can_create_public_repositories": None,
+            "members_can_create_private_repositories": None,
+            "members_can_create_internal_repositories": None,
+            "members_allowed_repository_creation_type": None,
+        }
+
+        def _extract_flag(attribute: str, expected_type: type):
+            """Return attribute value if it matches expected type and is not a mock placeholder."""
+            try:
+                value = getattr(org, attribute, None)
+                if hasattr(value, "_mock_parent"):
+                    return None
+                if expected_type is bool and isinstance(value, bool):
+                    return value
+                if expected_type is str and isinstance(value, str):
+                    return value
+                return None
+            except Exception as error:
+                logger.error(
+                    f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                )
+                return None
+
+        repo_creation_settings["members_can_create_repositories"] = _extract_flag(
+            "members_can_create_repositories", bool
+        )
+        repo_creation_settings["members_can_create_public_repositories"] = (
+            _extract_flag("members_can_create_public_repositories", bool)
+        )
+        repo_creation_settings["members_can_create_private_repositories"] = (
+            _extract_flag("members_can_create_private_repositories", bool)
+        )
+        repo_creation_settings["members_can_create_internal_repositories"] = (
+            _extract_flag("members_can_create_internal_repositories", bool)
+        )
+        repo_creation_settings["members_allowed_repository_creation_type"] = (
+            _extract_flag("members_allowed_repository_creation_type", str)
+        )
 
-        # Base permission (default repository permission for members)
-        base_perm: Optional[str] = None
-        try:
-            base_perm = getattr(org, "default_repository_permission", None)
-        except Exception as error:
-            logger.error(
-                f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
-            )
-            base_perm = None
+        base_permission_raw = _extract_flag("default_repository_permission", str)
+        base_permission = (
+            base_permission_raw.lower()
+            if isinstance(base_permission_raw, str)
+            else None
+        )
 
         organizations[org.id] = Org(
             id=org.id,
             name=org.login,
             mfa_required=require_mfa,
-            base_permission=base_perm,
+            members_can_create_repositories=repo_creation_settings[
+                "members_can_create_repositories"
+            ],
+            members_can_create_public_repositories=repo_creation_settings[
+                "members_can_create_public_repositories"
+            ],
+            members_can_create_private_repositories=repo_creation_settings[
+                "members_can_create_private_repositories"
+            ],
+            members_can_create_internal_repositories=repo_creation_settings[
+                "members_can_create_internal_repositories"
+            ],
+            members_allowed_repository_creation_type=repo_creation_settings[
+                "members_allowed_repository_creation_type"
+            ],
+            base_permission=base_permission,
         )
 
 
@@ -172,4 +225,9 @@ class Org(BaseModel):
     id: int
     name: str
     mfa_required: Optional[bool] = False
+    members_can_create_repositories: Optional[bool] = None
+    members_can_create_public_repositories: Optional[bool] = None
+    members_can_create_private_repositories: Optional[bool] = None
+    members_can_create_internal_repositories: Optional[bool] = None
+    members_allowed_repository_creation_type: Optional[str] = None
     base_permission: Optional[str] = None