feat(github): add organization domain verification check (#10033)

Co-authored-by: Kush321 <kushp2018@gmail.com>
Co-authored-by: Andoni A. <14891798+andoniaf@users.noreply.github.com>

Author: 3 people

prowler/CHANGELOG.md

@@ -6,6 +6,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 
 ### 🚀 Added
 
+- `organization_verified_badge` check for GitHub provider [(#10033)](https://github.com/prowler-cloud/prowler/pull/10033)
 - OpenStack provider `clouds_yaml_content` parameter for API integration [(#10003)](https://github.com/prowler-cloud/prowler/pull/10003)
 - `defender_safe_attachments_policy_enabled` check for M365 provider [(#9833)](https://github.com/prowler-cloud/prowler/pull/9833)
 - `defender_safelinks_policy_enabled` check for M365 provider [(#9832)](https://github.com/prowler-cloud/prowler/pull/9832)

prowler/compliance/github/cis_1.0_github.json

@@ -778,7 +778,9 @@
     {
       "Id": "1.3.9",
       "Description": "Confirm the domains an organization owns with a \"Verified\" badge.",
-      "Checks": [],
+      "Checks": [
+        "organization_verified_badge"
+      ],
       "Attributes": [
         {
           "Section": "1 Source Code",

prowler/providers/github/services/organization/organization_service.py

@@ -76,6 +76,7 @@ def _list_organizations(self):
                                             id=user.id,
                                             name=user.login,
                                             mfa_required=None,  # Users don't have MFA requirements like orgs
+                                            is_verified=None,
                                         )
                                         logger.info(
                                             f"Added user '{user.login}' as organization for checks"
@@ -195,7 +196,7 @@ def _extract_flag(attribute: str, expected_type: type):
             if isinstance(base_permission_raw, str)
             else None
         )
-
+        is_verified = _extract_flag("is_verified", bool)
         organizations[org.id] = Org(
             id=org.id,
             name=org.login,
@@ -216,6 +217,7 @@ def _extract_flag(attribute: str, expected_type: type):
                 "members_allowed_repository_creation_type"
             ],
             base_permission=base_permission,
+            is_verified=is_verified,
         )
 
 
@@ -231,3 +233,4 @@ class Org(BaseModel):
     members_can_create_internal_repositories: Optional[bool] = None
     members_allowed_repository_creation_type: Optional[str] = None
     base_permission: Optional[str] = None
+    is_verified: Optional[bool] = None

prowler/providers/github/services/organization/organization_verified_badge/__init__.py

@@ -0,0 +1,36 @@
+{
+  "Provider": "github",
+  "CheckID": "organization_verified_badge",
+  "CheckTitle": "Ensure GitHub organization has a verified badge",
+  "CheckType": [],
+  "ServiceName": "organization",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "GitHubOrganization",
+  "ResourceGroup": "governance",
+  "Description": "Checks whether a GitHub organization has a verified badge.",
+  "Risk": "Unverified organizations may be easier to impersonate, increasing the risk of phishing or trust abuse.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.github.com/en/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Verify the organization identity by completing GitHub organization verification.",
+      "Url": "https://hub.prowler.com/check/organization_verified_badge"
+    }
+  },
+  "Categories": [
+    "identity-access"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "This check uses the GitHub API field is_verified from organization metadata."
+}

prowler/providers/github/services/organization/organization_verified_badge/organization_verified_badge.metadata.json

@@ -0,0 +1,31 @@
+from typing import List
+
+from prowler.lib.check.models import Check, CheckReportGithub
+from prowler.providers.github.services.organization.organization_client import (
+    organization_client,
+)
+
+
+class organization_verified_badge(Check):
+    """Check if GitHub organizations are verified."""
+
+    def execute(self) -> List[CheckReportGithub]:
+        findings: List[CheckReportGithub] = []
+
+        for org in organization_client.organizations.values():
+            report = CheckReportGithub(metadata=self.metadata(), resource=org)
+
+            if org.is_verified:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"Organization {org.name} is verified on GitHub."
+                )
+            else:
+                report.status = "FAIL"
+                report.status_extended = (
+                    f"Organization {org.name} is not verified on GitHub."
+                )
+
+            findings.append(report)
+
+        return findings

prowler/providers/github/services/organization/organization_verified_badge/organization_verified_badge.py

@@ -0,0 +1,137 @@
+from unittest import mock
+
+from prowler.providers.github.services.organization.organization_service import Org
+from tests.providers.github.github_fixtures import set_mocked_github_provider
+
+
+class Test_organization_verified_badge:
+    def test_no_organizations(self):
+        organization_client = mock.MagicMock
+        organization_client.organizations = {}
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_github_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.github.services.organization.organization_verified_badge.organization_verified_badge.organization_client",
+                new=organization_client,
+            ),
+        ):
+            from prowler.providers.github.services.organization.organization_verified_badge.organization_verified_badge import (
+                organization_verified_badge,
+            )
+
+            check = organization_verified_badge()
+            result = check.execute()
+            assert len(result) == 0
+
+    def test_organization_is_verified_true_pass(self):
+        organization_client = mock.MagicMock
+        org_name = "test-organization"
+        organization_client.organizations = {
+            1: Org(
+                id=1,
+                name=org_name,
+                is_verified=True,
+            ),
+        }
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_github_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.github.services.organization.organization_verified_badge.organization_verified_badge.organization_client",
+                new=organization_client,
+            ),
+        ):
+            from prowler.providers.github.services.organization.organization_verified_badge.organization_verified_badge import (
+                organization_verified_badge,
+            )
+
+            check = organization_verified_badge()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].resource_id == 1
+            assert result[0].resource_name == org_name
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"Organization {org_name} is verified on GitHub."
+            )
+
+    def test_organization_is_verified_false_fail(self):
+        organization_client = mock.MagicMock
+        org_name = "test-organization"
+        organization_client.organizations = {
+            1: Org(
+                id=1,
+                name=org_name,
+                is_verified=False,
+            ),
+        }
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_github_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.github.services.organization.organization_verified_badge.organization_verified_badge.organization_client",
+                new=organization_client,
+            ),
+        ):
+            from prowler.providers.github.services.organization.organization_verified_badge.organization_verified_badge import (
+                organization_verified_badge,
+            )
+
+            check = organization_verified_badge()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].resource_id == 1
+            assert result[0].resource_name == org_name
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"Organization {org_name} is not verified on GitHub."
+            )
+
+    def test_organization_is_verified_none_edge_case(self):
+        organization_client = mock.MagicMock
+        org_name = "test-organization"
+        organization_client.organizations = {
+            1: Org(
+                id=1,
+                name=org_name,
+                is_verified=None,
+            ),
+        }
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_github_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.github.services.organization.organization_verified_badge.organization_verified_badge.organization_client",
+                new=organization_client,
+            ),
+        ):
+            from prowler.providers.github.services.organization.organization_verified_badge.organization_verified_badge import (
+                organization_verified_badge,
+            )
+
+            check = organization_verified_badge()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].resource_id == 1
+            assert result[0].resource_name == org_name
+            # Treat none like not verified (false)
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"Organization {org_name} is not verified on GitHub."
+            )