chore(github): enhance metadata for repository service (#9659)

Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>

Author: puchy22

prowler/CHANGELOG.md

@@ -19,6 +19,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Update Kubernetes Scheduler service metadata to new format [(#9679)](https://github.com/prowler-cloud/prowler/pull/9679)
 - Update MongoDB Atlas Organizations service metadata to new format [(#9658)](https://github.com/prowler-cloud/prowler/pull/9658)
 - Update MongoDB Atlas clusters service metadata to new format [(#9657)](https://github.com/prowler-cloud/prowler/pull/9657)
+- Update GitHub Repository service metadata to new format [(#9659)](https://github.com/prowler-cloud/prowler/pull/9659)
 
 ---
 

prowler/providers/github/services/repository/repository_branch_delete_on_merge_enabled/repository_branch_delete_on_merge_enabled.metadata.json

@@ -1,30 +1,36 @@
 {
   "Provider": "github",
   "CheckID": "repository_branch_delete_on_merge_enabled",
-  "CheckTitle": "Check if a repository deletes the branch after merging",
+  "CheckTitle": "Repository deletes branches after pull request merge",
   "CheckType": [],
   "ServiceName": "repository",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
-  "Severity": "medium",
-  "ResourceType": "GitHubRepository",
+  "Severity": "low",
+  "ResourceType": "NotDefined",
   "ResourceGroup": "devops",
-  "Description": "Ensure that the repository deletes the branch after merging.",
-  "Risk": "Inactive branches pose a security risk as they can accumulate outdated code, dependencies, and potential vulnerabilities over time. Malicious actors may exploit these branches, and they can clutter the repository, making it harder to manage and track the active code. Additionally, stale branches may unintentionally be accessed or used inappropriately, leading to potential security breaches.",
-  "RelatedUrl": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches",
+  "Description": "**GitHub repository** setting that enables **automatic deletion of head branches** when pull requests merge into the default branch (`delete_branch_on_merge`).",
+  "Risk": "Without automatic deletion, merged branches persist, weakening **integrity** and **confidentiality**: outdated code may be reused, secret remnants can linger, and reviews become ambiguous. Stale refs can still trigger CI with obsolete workflows, raising risks of supply-chain tampering and faulty deployments.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-the-automatic-deletion-of-branches",
+    "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
+      "CLI": "gh api -X PATCH repos/<OWNER>/<REPO> -f delete_branch_on_merge=true",
       "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "Other": "1. In GitHub, open the repository and click Settings\n2. Under General, scroll to Pull Requests\n3. Check Automatically delete head branches\n4. Click Save",
+      "Terraform": "```hcl\nresource \"github_repository\" \"<example_resource_name>\" {\n  name                   = \"<example_resource_name>\"\n  delete_branch_on_merge = true  # Enables automatic deletion of PR head branches after merge\n}\n```"
     },
     "Recommendation": {
-      "Text": "Regularly review and remove inactive branches from your repositories. This helps reduce the risk of malicious code injection, sensitive data leaks, and unnecessary clutter in the repository. By keeping branches active and up to date, you ensure that your codebase remains secure and manageable.",
-      "Url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-the-automatic-deletion-of-branches"
+      "Text": "Enable **automatic head-branch deletion** after merges to minimize stale refs and confusion.\n- Enforce **least privilege** for branch creation\n- Apply **branch protection** and rulesets\n- Prefer short-lived feature branches with periodic pruning\n- Guard CI to avoid runs from obsolete branches",
+      "Url": "https://hub.prowler.com/check/repository_branch_delete_on_merge_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "software-supply-chain"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/github/services/repository/repository_default_branch_deletion_disabled/repository_default_branch_deletion_disabled.metadata.json

@@ -1,30 +1,37 @@
 {
   "Provider": "github",
   "CheckID": "repository_default_branch_deletion_disabled",
-  "CheckTitle": "Check if a repository denies default branch deletion",
+  "CheckTitle": "Repository denies default branch deletion",
   "CheckType": [],
   "ServiceName": "repository",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
-  "Severity": "high",
-  "ResourceType": "GitHubRepository",
+  "Severity": "medium",
+  "ResourceType": "NotDefined",
   "ResourceGroup": "devops",
-  "Description": "Ensure that the repository denies default branch deletion.",
-  "Risk": "Allowing the deletion of protected branches by users with push access increases the risk of accidental or intentional branch removal, potentially resulting in significant data loss or disruption to the development process.",
-  "RelatedUrl": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#allow-deletions",
+  "Description": "**GitHub repository default branch** have **branch protections** or **rulesets** with `Allow deletions` disabled.",
+  "Risk": "Permitting default branch deletion undermines **availability** by breaking CI/CD, releases, and PR targets.\n\nIt also impacts **integrity**: the canonical ref can be removed, enabling history tampering, branch hijacking, and harder audits/rollbacks.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule",
+    "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches",
+    "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
+      "CLI": "gh api -X DELETE repos/<OWNER>/<REPO>/branches/<DEFAULT_BRANCH>/protection/allow_deletions",
       "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "Other": "1. In GitHub, open the repository and go to Settings > Branches\n2. Edit the branch protection rule for the default branch (or Add rule if none exists)\n3. Ensure \"Allow deletions\" is unchecked\n4. Click Save changes",
+      "Terraform": "```hcl\nresource \"github_branch_protection_v3\" \"<example_resource_name>\" {\n  repository_id    = \"<example_resource_name>\"\n  pattern          = \"<default_branch>\"\n  allows_deletions = false  # Critical: disables deletion of the default branch\n}\n```"
     },
     "Recommendation": {
-      "Text": "Deny the ability to delete protected branches to ensure the preservation of critical branch data. This prevents accidental or malicious deletions and helps maintain the integrity and stability of the repository.",
-      "Url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule"
+      "Text": "Disable deletions on the **default branch** using **branch protection** or **rulesets** (`Allow deletions=false`). Apply controls to admins, minimize bypass lists, and enforce **least privilege**. Combine with required pull requests and status checks for **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/repository_default_branch_deletion_disabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "software-supply-chain"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/github/services/repository/repository_default_branch_disallows_force_push/repository_default_branch_disallows_force_push.metadata.json

@@ -1,30 +1,36 @@
 {
   "Provider": "github",
   "CheckID": "repository_default_branch_disallows_force_push",
-  "CheckTitle": "Check if repository denies force push",
+  "CheckTitle": "Repository default branch denies force pushes",
   "CheckType": [],
   "ServiceName": "repository",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "high",
-  "ResourceType": "GithubRepository",
+  "ResourceType": "NotDefined",
   "ResourceGroup": "devops",
-  "Description": "Ensure that the repository denies force push to protected branches.",
-  "Risk": "Permitting force pushes to branches can lead to accidental or intentional overwrites of the commit history, resulting in potential data loss, code inconsistencies, or the introduction of malicious changes. This compromises the stability and security of the repository.",
-  "RelatedUrl": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#allow-force-pushes",
+  "Description": "**GitHub repository default branch** blocks **force pushes** through branch protection.\n\nEvaluates whether the default branch permits force pushes.",
+  "Risk": "Allowing **force pushes on the default branch** erodes **integrity** and **auditability** by enabling history rewrites and deletion of commits. Attackers or insiders can inject unreviewed code, bypass reviews and status checks, and corrupt PRs, risking supply-chain compromise and reduced **availability**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule",
+    "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#allow-force-pushes"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
       "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "Other": "1. In GitHub, open the repository and go to Settings\n2. In the sidebar, click Branches\n3. Edit the protection rule for the default branch (or Add rule with the default branch name)\n4. Ensure Allow force pushes is unchecked/disabled\n5. Click Save changes",
+      "Terraform": "```hcl\nresource \"github_branch_protection_v3\" \"<example_resource_name>\" {\n  repository_id       = \"<example_resource_id>\"\n  pattern             = \"<default_branch_name>\"\n\n  allows_force_pushes = false # Critical: disallows force pushes on the default branch\n}\n```"
     },
     "Recommendation": {
-      "Text": "Disable force pushes on protected branches to preserve the commit history and ensure the integrity of the repository. This measure helps prevent unintentional data loss and protects the repository from malicious changes.",
-      "Url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule"
+      "Text": "Disable `Allow force pushes` on the default branch. Enforce PR-based changes with required reviews and status checks, require signed commits and linear history, and restrict bypass to minimal actors. Apply protections to admins too to uphold **least privilege** and **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/repository_default_branch_disallows_force_push"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "software-supply-chain"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/github/services/repository/repository_default_branch_protection_applies_to_admins/repository_default_branch_protection_applies_to_admins.metadata.json

@@ -1,30 +1,36 @@
 {
   "Provider": "github",
   "CheckID": "repository_default_branch_protection_applies_to_admins",
-  "CheckTitle": "Check if repository enforces admin branch protection",
+  "CheckTitle": "Repository default branch protection applies to administrators",
   "CheckType": [],
   "ServiceName": "repository",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "high",
-  "ResourceType": "GithubRepository",
+  "ResourceType": "NotDefined",
   "ResourceGroup": "devops",
-  "Description": "Ensure that the repository enforces branch protection rules for administrators.",
-  "Risk": "Excluding administrators from branch protection rules introduces a significant risk of unauthorized or unreviewed changes being pushed to protected branches. This can lead to vulnerabilities, including the potential insertion of malicious code, especially if an administrator account is compromised.",
-  "RelatedUrl": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#do-not-allow-bypassing-the-above-settings",
+  "Description": "**GitHub repository default branch** applies **branch protection rules** to **administrators** via `enforce_admins`, holding admin pushes to the same requirements as other contributors (reviews, status checks, and push restrictions).",
+  "Risk": "Without admin enforcement, privileged users can bypass reviews and checks, enabling **unauthorized code changes**. A compromised admin token can inject backdoors, alter dependencies, or disable safeguards, undermining **integrity**, exposing secrets (**confidentiality**), and causing outages (**availability**).",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule",
+    "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#do-not-allow-bypassing-the-above-settings"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
+      "CLI": "gh api -X POST /repos/<OWNER>/<REPO>/branches/<DEFAULT_BRANCH>/protection/enforce_admins",
       "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "Other": "1. In GitHub, go to the repository > Settings > Branches\n2. Edit the branch protection rule that targets the default branch (or Add rule for <DEFAULT_BRANCH>)\n3. Enable: \"Do not allow bypassing the above settings\" (or \"Include administrators\")\n4. Click Save",
+      "Terraform": "```hcl\nresource \"github_branch_protection_v3\" \"<example_resource_name>\" {\n  repository     = \"<example_resource_name>\"\n  branch         = \"<DEFAULT_BRANCH>\"\n  enforce_admins = true  # Critical: applies branch protection to administrators\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enforce branch protection rules for administrators to ensure they adhere to the same security and quality standards as other users. This mitigates the risk of unreviewed or untrusted code being introduced, enhancing the overall integrity of the codebase.",
-      "Url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule"
+      "Text": "Enable **branch protection for administrators** and disallow bypasses. Apply **least privilege** and **separation of duties** by requiring PR reviews, required status checks, and signed commits on critical branches. Limit force pushes and deletions, and regularly review admin roles and audit logs.",
+      "Url": "https://hub.prowler.com/check/repository_default_branch_protection_applies_to_admins"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "identity-access"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/github/services/repository/repository_default_branch_protection_enabled/repository_default_branch_protection_enabled.metadata.json

@@ -1,30 +1,37 @@
 {
   "Provider": "github",
   "CheckID": "repository_default_branch_protection_enabled",
-  "CheckTitle": "Check if branch protection is enforced on the default branch ",
+  "CheckTitle": "Repository enforces branch protection on the default branch",
   "CheckType": [],
   "ServiceName": "repository",
   "SubServiceName": "",
-  "ResourceIdTemplate": "github:user-id:repository/repository-name",
-  "Severity": "critical",
-  "ResourceType": "GitHubRepository",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "NotDefined",
   "ResourceGroup": "devops",
-  "Description": "Ensure branch protection is enforced on the default branch",
-  "Risk": "The absence of branch protection on the default branch increases the risk of unauthorized, unreviewed, or untested changes being merged. This can compromise the stability, security, and reliability of the codebase, which is especially critical for production deployments.",
-  "RelatedUrl": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches",
+  "Description": "**GitHub repository default branch** has **branch protection rules** enabled to restrict direct changes and require reviewed, validated merges. The evaluation determines whether the default branch enforces such rules.",
+  "Risk": "Without default-branch protection, changes can bypass reviews and checks, enabling:\n- Unauthorized direct pushes/force pushes\n- Malicious code injection and workflow tampering\n- Accidental deletions or unstable releases\nThis undermines code **integrity** and service **availability**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule",
+    "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
+      "CLI": "gh api -X PUT repos/<OWNER>/<REPO>/branches/<DEFAULT_BRANCH>/protection -f required_status_checks='null' -f required_pull_request_reviews='null' -f enforce_admins=false -f restrictions='null'",
       "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "Other": "1. In GitHub, open the repository and go to Settings\n2. Under \"Code and automation\", click Branches\n3. Click Add rule under \"Branch protection rules\"\n4. Set Branch name pattern to the default branch (e.g., main)\n5. Click Create to save the rule",
+      "Terraform": "```hcl\n# Enable branch protection on the default branch\n# Minimal: create a protection rule targeting the default branch\n\ndata \"github_repository\" \"repo\" {\n  full_name = \"<OWNER>/<REPO>\"\n}\n\nresource \"github_branch_protection_v3\" \"<example_resource_name>\" {\n  repository_id = data.github_repository.repo.node_id\n  pattern       = \"<DEFAULT_BRANCH>\"  # Critical: protects the default branch so the check passes\n}\n```"
     },
     "Recommendation": {
-      "Text": "Apply branch protection rules to the default branch to ensure it is safeguarded against unauthorized or improper modifications. This helps maintain code quality, enforces proper review and testing procedures, and reduces the risk of accidental or malicious changes.",
-      "Url": "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule#creating-a-branch-protection-rule"
+      "Text": "Enforce **branch protection** on the default branch:\n- Require pull requests with approvals (least privilege)\n- Enforce required status checks and conversation resolution\n- Require signed commits and linear history; block force pushes/deletions\n- Restrict push to trusted actors and apply rules to admins\nUse **CODEOWNERS** to strengthen review accountability.",
+      "Url": "https://hub.prowler.com/check/repository_default_branch_protection_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "identity-access",
+    "software-supply-chain"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""