PyPI - prowler-cloud - Versions diffs - 5.13.1__py3-none-any.whl → 5.14.1__py3-none-any.whl - Mend

prowler-cloud 5.13.1py3-none-any.whl → 5.14.1py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (298) hide show

prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_logging_enabled/cloudstorage_bucket_logging_enabled.py ADDED Viewed

@@ -0,0 +1,40 @@
+from prowler.lib.check.models import Check, Check_Report_GCP
+from prowler.providers.gcp.services.cloudstorage.cloudstorage_client import (
+    cloudstorage_client,
+)
+class cloudstorage_bucket_logging_enabled(Check):
+    """
+    Ensure Cloud Storage buckets have Usage and Storage Logs enabled.
+    Reports PASS if a bucket has logging configured (logBucket defined),
+    otherwise FAIL.
+    """
+    def execute(self) -> list[Check_Report_GCP]:
+        findings = []
+        for bucket in cloudstorage_client.buckets:
+            report = Check_Report_GCP(metadata=self.metadata(), resource=bucket)
+            report.status = "FAIL"
+            report.status_extended = (
+                f"Bucket {bucket.name} does not have Usage and Storage Logs enabled."
+            )
+            if bucket.logging_bucket:
+                report.status = "PASS"
+                if bucket.logging_prefix:
+                    report.status_extended = (
+                        f"Bucket {bucket.name} has Usage and Storage Logs enabled. "
+                        f"Logs are stored in bucket '{bucket.logging_bucket}' with prefix '{bucket.logging_prefix}'."
+                    )
+                else:
+                    report.status_extended = (
+                        f"Bucket {bucket.name} has Usage and Storage Logs enabled. "
+                        f"Logs are stored in bucket '{bucket.logging_bucket}' with default prefix."
+                    )
+            findings.append(report)
+        return findings

prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_soft_delete_enabled/__init__.py ADDED Viewed

File without changes

prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_soft_delete_enabled/cloudstorage_bucket_soft_delete_enabled.metadata.json ADDED Viewed

@@ -0,0 +1,36 @@
+{
+  "Provider": "gcp",
+  "CheckID": "cloudstorage_bucket_soft_delete_enabled",
+  "CheckTitle": "Cloud Storage buckets have Soft Delete enabled",
+  "CheckType": [],
+  "ServiceName": "cloudstorage",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "storage.googleapis.com/Bucket",
+  "Description": "**Google Cloud Storage buckets** are evaluated to ensure that **Soft Delete** is enabled. Soft Delete helps protect data from accidental or malicious deletion by retaining deleted objects for a specified duration, allowing recovery within that retention window.",
+  "Risk": "Buckets without Soft Delete enabled are at higher risk of irreversible data loss caused by accidental or unauthorized deletions, since deleted objects cannot be recovered once removed.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://cloud.google.com/storage/docs/soft-delete",
+    "https://cloud.google.com/blog/products/storage-data-transfer/understanding-cloud-storages-new-soft-delete-feature"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "gcloud storage buckets update gs://<BUCKET_NAME> --soft-delete-retention-duration=<SECONDS>",
+      "NativeIaC": "",
+      "Other": "1) Open Google Cloud Console → Storage → Buckets → <BUCKET_NAME>\n2) Tab 'Configuration'\n3) Under 'Soft Delete', click 'Enable Soft Delete'\n4) Set the desired retention duration and save changes",
+      "Terraform": "```hcl\n# Example: enable Soft Delete on a Cloud Storage bucket\nresource \"google_storage_bucket\" \"example\" {\n  name     = var.bucket_name\n  location = var.location\n\n  soft_delete_policy {\n    retention_duration_seconds = 604800  # 7 days\n  }\n}\n```"
+    },
+    "Recommendation": {
+      "Text": "Enable Soft Delete on Cloud Storage buckets to retain deleted objects for a defined period, improving data recoverability and resilience against accidental or malicious deletions.",
+      "Url": "https://hub.prowler.com/check/cloudstorage_bucket_soft_delete_enabled"
+    }
+  },
+  "Categories": [
+    "resilience"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_soft_delete_enabled/cloudstorage_bucket_soft_delete_enabled.py ADDED Viewed

@@ -0,0 +1,31 @@
+from prowler.lib.check.models import Check, Check_Report_GCP
+from prowler.providers.gcp.services.cloudstorage.cloudstorage_client import (
+    cloudstorage_client,
+)
+class cloudstorage_bucket_soft_delete_enabled(Check):
+    """
+    Ensure Cloud Storage buckets have Soft Delete enabled.
+    Reports PASS if a bucket has Soft Delete enabled (retentionDurationSeconds > 0),
+    otherwise FAIL.
+    """
+    def execute(self) -> list[Check_Report_GCP]:
+        findings = []
+        for bucket in cloudstorage_client.buckets:
+            report = Check_Report_GCP(metadata=self.metadata(), resource=bucket)
+            report.status = "FAIL"
+            report.status_extended = (
+                f"Bucket {bucket.name} does not have Soft Delete enabled."
+            )
+            if bucket.soft_delete_enabled:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"Bucket {bucket.name} has Soft Delete enabled."
+                )
+            findings.append(report)
+        return findings

prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_sufficient_retention_period/__init__.py ADDED Viewed

File without changes

prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_sufficient_retention_period/cloudstorage_bucket_sufficient_retention_period.metadata.json ADDED Viewed

@@ -0,0 +1,35 @@
+{
+  "Provider": "gcp",
+  "CheckID": "cloudstorage_bucket_sufficient_retention_period",
+  "CheckTitle": "Cloud Storage bucket has a sufficient Retention Policy period",
+  "CheckType": [],
+  "ServiceName": "cloudstorage",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "storage.googleapis.com/Bucket",
+  "Description": "Cloud Storage bucket has a bucket-level Retention Policy with a retentionPeriod that meets or exceeds the organization-defined minimum, preventing deletion or modification of objects before the required time.",
+  "Risk": "Insufficient or missing retention allows premature deletion or modification of objects, weakening data recovery and compliance with retention requirements.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudStorage/sufficient-retention-period.html"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "gcloud storage buckets update gs://<BUCKET_NAME> --retention-period=<SECONDS>",
+      "NativeIaC": "",
+      "Other": "1) Console → Storage → Buckets → <BUCKET_NAME>\n2) Tab 'Configuration' → 'Retention policy'\n3) Set the required retention period (e.g., 90 or 365 days) and save\n4) (Optional) Lock the policy if required by compliance",
+      "Terraform": "```hcl\nresource \"google_storage_bucket\" \"example\" {\n  name     = var.bucket_name\n  location = var.location\n\n  retention_policy {\n    retention_period = 7776000 # 90 days in seconds\n  }\n}\n```"
+    },
+    "Recommendation": {
+      "Text": "Define and apply a bucket-level Retention Policy that meets your minimum retention requirement (e.g., 90 or 365 days) to enforce data recoverability and compliance.",
+      "Url": "https://hub.prowler.com/check/cloudstorage_bucket_sufficient_retention_period"
+    }
+  },
+  "Categories": [
+    "resilience"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_sufficient_retention_period/cloudstorage_bucket_sufficient_retention_period.py ADDED Viewed

@@ -0,0 +1,55 @@
+from prowler.lib.check.models import Check, Check_Report_GCP
+from prowler.providers.gcp.services.cloudstorage.cloudstorage_client import (
+    cloudstorage_client,
+)
+class cloudstorage_bucket_sufficient_retention_period(Check):
+    """
+    Ensure there is a sufficient bucket-level retention period configured for GCS buckets.
+    PASS: retentionPolicy.retentionPeriod >= min threshold (days)
+    FAIL: no retention policy or period < threshold
+    """
+    def execute(self) -> list[Check_Report_GCP]:
+        findings = []
+        min_retention_days = int(
+            getattr(cloudstorage_client, "audit_config", {}).get(
+                "storage_min_retention_days", 90
+            )
+        )
+        for bucket in cloudstorage_client.buckets:
+            report = Check_Report_GCP(metadata=self.metadata(), resource=bucket)
+            retention_policy = bucket.retention_policy
+            if retention_policy is None:
+                report.status = "FAIL"
+                report.status_extended = (
+                    f"Bucket {bucket.name} does not have a retention policy "
+                    f"(minimum required: {min_retention_days} days)."
+                )
+                findings.append(report)
+                continue
+            days = retention_policy.retention_period // 86400  # seconds to days
+            if days >= min_retention_days:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"Bucket {bucket.name} has a sufficient retention policy of {days} days "
+                    f"(minimum required: {min_retention_days})."
+                )
+            else:
+                report.status = "FAIL"
+                report.status_extended = (
+                    f"Bucket {bucket.name} has an insufficient retention policy of {days} days "
+                    f"(minimum required: {min_retention_days})."
+                )
+            findings.append(report)
+        return findings

prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_versioning_enabled/__init__.py ADDED Viewed

File without changes

prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_versioning_enabled/cloudstorage_bucket_versioning_enabled.metadata.json ADDED Viewed

@@ -0,0 +1,36 @@
+{
+  "Provider": "gcp",
+  "CheckID": "cloudstorage_bucket_versioning_enabled",
+  "CheckTitle": "Cloud Storage buckets have Object Versioning enabled",
+  "CheckType": [],
+  "ServiceName": "cloudstorage",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "storage.googleapis.com/Bucket",
+  "Description": "**Google Cloud Storage buckets** are evaluated to ensure that **Object Versioning** is enabled. Object Versioning preserves older versions of objects, allowing data recovery, maintaining audit trails, and protecting against accidental deletions or overwrites.",
+  "Risk": "Buckets without Object Versioning enabled cannot recover previous object versions, which increases the risk of permanent data loss from accidental deletion or modification.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudStorage/enable-versioning.html",
+    "https://cloud.google.com/storage/docs/object-versioning"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "gcloud storage buckets update gs://<BUCKET_NAME> --versioning",
+      "NativeIaC": "",
+      "Other": "1) Open Google Cloud Console → Storage → Buckets → <BUCKET_NAME>\n2) Tab 'Configuration'\n3) Under 'Object versioning', click 'Enable Object Versioning'\n4) Save changes",
+      "Terraform": "```hcl\n# Example: enable Object Versioning on a Cloud Storage bucket\nresource \"google_storage_bucket\" \"example\" {\n  name     = var.bucket_name\n  location = var.location\n\n  versioning {\n    enabled = true\n  }\n}\n```"
+    },
+    "Recommendation": {
+      "Text": "Enable Object Versioning on Cloud Storage buckets to preserve previous object versions and improve data recoverability and auditability.",
+      "Url": "https://hub.prowler.com/check/cloudstorage_bucket_versioning_enabled"
+    }
+  },
+  "Categories": [
+    "resilience"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "Buckets missing the 'versioning' block are treated as having Object Versioning disabled."
+}

prowler/providers/gcp/services/cloudstorage/cloudstorage_bucket_versioning_enabled/cloudstorage_bucket_versioning_enabled.py ADDED Viewed

@@ -0,0 +1,30 @@
+from prowler.lib.check.models import Check, Check_Report_GCP
+from prowler.providers.gcp.services.cloudstorage.cloudstorage_client import (
+    cloudstorage_client,
+)
+class cloudstorage_bucket_versioning_enabled(Check):
+    """
+    Ensure Cloud Storage buckets have Object Versioning enabled.
+    Reports PASS if a bucket has versioning enabled, otherwise FAIL.
+    """
+    def execute(self) -> list[Check_Report_GCP]:
+        findings = []
+        for bucket in cloudstorage_client.buckets:
+            report = Check_Report_GCP(metadata=self.metadata(), resource=bucket)
+            report.status = "FAIL"
+            report.status_extended = (
+                f"Bucket {bucket.name} does not have Object Versioning enabled."
+            )
+            if bucket.versioning_enabled:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"Bucket {bucket.name} has Object Versioning enabled."
+                )
+            findings.append(report)
+        return findings

prowler/providers/gcp/services/cloudstorage/cloudstorage_service.py CHANGED Viewed

@@ -39,6 +39,38 @@ class CloudStorage(GCPService):
                             if isinstance(rules, list):
                                 lifecycle_rules = rules
+                        versioning_enabled = bucket.get("versioning", {}).get(
+                            "enabled", False
+                        )
+                        soft_delete_enabled = False
+                        soft_delete_policy = bucket.get("softDeletePolicy")
+                        if isinstance(soft_delete_policy, dict):
+                            retention = soft_delete_policy.get(
+                                "retentionDurationSeconds"
+                            )
+                            if retention and int(retention) > 0:
+                                soft_delete_enabled = True
+                        logging_info = bucket.get("logging", {})
+                        logging_bucket = logging_info.get("logBucket")
+                        logging_prefix = logging_info.get("logObjectPrefix")
+                        retention_policy_raw = bucket.get("retentionPolicy")
+                        retention_policy = None
+                        if isinstance(retention_policy_raw, dict):
+                            rp_seconds = retention_policy_raw.get("retentionPeriod")
+                            if rp_seconds:
+                                retention_policy = RetentionPolicy(
+                                    retention_period=int(rp_seconds),
+                                    is_locked=bool(
+                                        retention_policy_raw.get("isLocked", False)
+                                    ),
+                                    effective_time=retention_policy_raw.get(
+                                        "effectiveTime"
+                                    ),
+                                )
                         self.buckets.append(
                             Bucket(
                                 name=bucket["name"],
@@ -48,9 +80,13 @@ class CloudStorage(GCPService):
                                     "uniformBucketLevelAccess"
                                 ]["enabled"],
                                 public=public,
-                                retention_policy=bucket.get("retentionPolicy"),
+                                retention_policy=retention_policy,
                                 project_id=project_id,
                                 lifecycle_rules=lifecycle_rules,
+                                versioning_enabled=versioning_enabled,
+                                soft_delete_enabled=soft_delete_enabled,
+                                logging_bucket=logging_bucket,
+                                logging_prefix=logging_prefix,
                             )
                         )
@@ -63,6 +99,12 @@ class CloudStorage(GCPService):
                 )
+class RetentionPolicy(BaseModel):
+    retention_period: int
+    is_locked: bool
+    effective_time: Optional[str] = None
 class Bucket(BaseModel):
     name: str
     id: str
@@ -70,5 +112,9 @@ class Bucket(BaseModel):
     uniform_bucket_level_access: bool
     public: bool
     project_id: str
-    retention_policy: Optional[dict] = None
+    retention_policy: Optional[RetentionPolicy] = None
     lifecycle_rules: Optional[list[dict]] = None
+    versioning_enabled: Optional[bool] = False
+    soft_delete_enabled: Optional[bool] = False
+    logging_bucket: Optional[str] = None
+    logging_prefix: Optional[str] = None

prowler/providers/github/services/organization/organization_default_repository_permission_strict/__init__.py ADDED Viewed

File without changes

prowler/providers/github/services/organization/organization_default_repository_permission_strict/organization_default_repository_permission_strict.metadata.json ADDED Viewed

@@ -0,0 +1,35 @@
+{
+  "Provider": "github",
+  "CheckID": "organization_default_repository_permission_strict",
+  "CheckTitle": "Organization base repository permission is read or none",
+  "CheckType": [],
+  "ServiceName": "organization",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "GitHubOrganization",
+  "Description": "**GitHub organization** base repository permission for members uses a **strict setting** such as `read` or `none` rather than permissive options like `write` or `admin`. *Applies to members, not outside collaborators.*",
+  "Risk": "**Excessive default permissions** (`write`/`admin`) erode code **integrity** and **availability**.\n\nAny member-or a compromised account-can alter many repos, inject malicious commits, change tags/releases, or delete branches, enabling supply-chain compromise and large-scale disruptions.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/setting-base-permissions-for-an-organization"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "1. Sign in to GitHub as an organization owner\n2. Go to the organization > Settings\n3. Under \"Access\" in the sidebar, click \"Member privileges\"\n4. Under \"Base permissions\", select \"Read\" (or \"None\")\n5. Click \"Change default permission\" to confirm",
+      "Terraform": "```hcl\nresource \"github_organization_settings\" \"<example_resource_name>\" {\n  default_repository_permission = \"read\" # Critical: sets the org's base repository permission to a strict level (read/none passes)\n}\n```"
+    },
+    "Recommendation": {
+      "Text": "Apply **least privilege**: set base permission to `none` or `read`.\n\nGrant higher access explicitly via teams per repo and enforce **separation of duties** with required reviews and **branch protection**. Regularly audit memberships and access to limit blast radius and maintain **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/organization_default_repository_permission_strict"
+    }
+  },
+  "Categories": [
+    "identity-access"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/github/services/organization/organization_default_repository_permission_strict/organization_default_repository_permission_strict.py ADDED Viewed

@@ -0,0 +1,36 @@
+from typing import List
+from prowler.lib.check.models import Check, CheckReportGithub
+from prowler.providers.github.services.organization.organization_client import (
+    organization_client,
+)
+class organization_default_repository_permission_strict(Check):
+    """Check if an organization's base repository permission is set to a strict level.
+    PASS: base permission is "read" or "none"
+    FAIL: base permission is "write" or "admin" (or any other non-strict value)
+    """
+    def execute(self) -> List[CheckReportGithub]:
+        findings = []
+        for org in organization_client.organizations.values():
+            base_perm = getattr(org, "base_permission", None)
+            if base_perm is None:
+                # Unknown / no permission to read → skip producing a finding
+                continue
+            p = str(base_perm).lower()
+            report = CheckReportGithub(metadata=self.metadata(), resource=org)
+            if p in ("read", "none"):
+                report.status = "PASS"
+                report.status_extended = f"Organization {org.name} base repository permission is '{p}', which is strict."
+            else:
+                report.status = "FAIL"
+                report.status_extended = f"Organization {org.name} base repository permission is '{p}', which is not strict."
+            findings.append(report)
+        return findings

prowler/providers/github/services/organization/organization_members_mfa_required/organization_members_mfa_required.metadata.json CHANGED Viewed

@@ -1,29 +1,35 @@
 {
   "Provider": "github",
   "CheckID": "organization_members_mfa_required",
-  "CheckTitle": "Check if organization members are required to have MFA enabled.",
+  "CheckTitle": "Organization requires members to have two-factor authentication enabled",
   "CheckType": [],
   "ServiceName": "organization",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "critical",
   "ResourceType": "GitHubOrganization",
-  "Description": "Ensure that all organization members are required to have multi-factor authentication (MFA) enabled. Enforcing MFA for all organization members helps protect the organization's resources and data from unauthorized access and security breaches.",
-  "Risk": "Without Multi-Factor Authentication (MFA), user accounts are vulnerable to unauthorized access if their passwords are compromised. This can lead to unauthorized actions such as data theft, malicious code commits, and repository manipulation, potentially compromising the organization's source code and intellectual property.",
-  "RelatedUrl": "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization",
+  "Description": "GitHub organization settings require all members to use **two-factor authentication** (2FA).\n\nThe evaluation determines whether access to organization resources is conditioned on members having 2FA enabled.",
+  "Risk": "Without enforced **2FA**, stolen or reused passwords enable account takeover, leading to:\n- Loss of code integrity via unauthorized commits\n- Confidential data exposure from repos and secrets\n- Availability impact from settings changes, token revocation, or deletions",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/preparing-to-require-two-factor-authentication-in-your-organization",
+    "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
       "NativeIaC": "",
-      "Other": "",
+      "Other": "1. Sign in to GitHub as an organization owner with 2FA enabled\n2. Go to your organization > Settings\n3. In the left sidebar, click Security > Authentication security\n4. Under Two-factor authentication, select Require two-factor authentication for everyone in your organization\n5. Click Save, then Confirm",
       "Terraform": ""
     },
     "Recommendation": {
-      "Text": "Mandate the use of MFA for all organization members. This significantly enhances account security by adding an additional layer of protection beyond a username and password. MFA ensures that even if a password is compromised, unauthorized access to user accounts and repositories is prevented, safeguarding sensitive data and critical assets.",
-      "Url": "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/preparing-to-require-two-factor-authentication-in-your-organization"
+      "Text": "Enforce org-wide **2FA** for all members and collaborators, preferring **secure methods** (passkeys, security keys, authenticator apps, GitHub Mobile) over SMS.\n\nApply **least privilege**, integrate with **SSO**, restrict token scopes, and use **branch protection** for defense-in-depth. Include bots/service accounts and define recovery options.",
+      "Url": "https://hub.prowler.com/check/organization_members_mfa_required"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "identity-access"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/github/services/organization/organization_repository_creation_limited/__init__.py ADDED Viewed

File without changes

prowler/providers/github/services/organization/organization_repository_creation_limited/organization_repository_creation_limited.metadata.json ADDED Viewed

@@ -0,0 +1,30 @@
+{
+  "Provider": "github",
+  "CheckID": "organization_repository_creation_limited",
+  "CheckTitle": "Ensure repository creation is limited to trusted organization members.",
+  "CheckType": [],
+  "ServiceName": "organization",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "GitHubOrganization",
+  "Description": "Ensure that repository creation is restricted so that only trusted owners or specific teams can create new repositories within the organization.",
+  "Risk": "Allowing all members to create repositories increases the likelihood of shadow repositories, data leakage, or malicious projects being introduced without oversight.",
+  "RelatedUrl": "https://docs.github.com/en/organizations/managing-organization-settings/restricting-repository-creation-in-your-organization",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Disable repository creation for members or limit it to specific trusted teams by adjusting Member privileges in the organization's settings.",
+      "Url": "https://docs.github.com/en/organizations/managing-organization-settings/restricting-repository-creation-in-your-organization"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/github/services/organization/organization_repository_creation_limited/organization_repository_creation_limited.py ADDED Viewed

@@ -0,0 +1,106 @@
+from typing import List
+from prowler.lib.check.models import Check, CheckReportGithub
+from prowler.providers.github.services.organization.organization_client import (
+    organization_client,
+)
+def _join_human_readable(items: List[str]) -> str:
+    """Return a simple human readable comma-separated list."""
+    if not items:
+        return ""
+    if len(items) == 1:
+        return items[0]
+    return ", ".join(items[:-1]) + f" and {items[-1]}"
+class organization_repository_creation_limited(Check):
+    """Check if repository creation is limited to trusted organization members."""
+    def execute(self) -> List[CheckReportGithub]:
+        findings = []
+        for org in organization_client.organizations.values():
+            repo_data = [
+                getattr(org, "members_can_create_repositories", None),
+                getattr(org, "members_can_create_public_repositories", None),
+                getattr(org, "members_can_create_private_repositories", None),
+                getattr(org, "members_can_create_internal_repositories", None),
+                getattr(org, "members_allowed_repository_creation_type", None),
+            ]
+            if all(value is None for value in repo_data):
+                continue
+            report = CheckReportGithub(metadata=self.metadata(), resource=org)
+            global_creation = getattr(org, "members_can_create_repositories", None)
+            public_creation = getattr(
+                org, "members_can_create_public_repositories", None
+            )
+            private_creation = getattr(
+                org, "members_can_create_private_repositories", None
+            )
+            internal_creation = getattr(
+                org, "members_can_create_internal_repositories", None
+            )
+            creation_type = getattr(
+                org, "members_allowed_repository_creation_type", None
+            )
+            type_flags = []
+            enabled_types = []
+            if global_creation is not None:
+                if global_creation:
+                    enabled_types.append("repositories of any type")
+                else:
+                    type_flags.append(False)
+            visibility_flags = [
+                (public_creation, "public repositories"),
+                (private_creation, "private repositories"),
+                (internal_creation, "internal repositories"),
+            ]
+            for flag, label in visibility_flags:
+                if flag is not None:
+                    type_flags.append(flag)
+                    if flag:
+                        enabled_types.append(label)
+            if creation_type:
+                normalized_type = creation_type.lower()
+                if normalized_type == "none":
+                    type_flags.append(False)
+                else:
+                    creation_messages = {
+                        "all": "repositories of any type",
+                        "public": "public repositories",
+                        "private": "private repositories",
+                        "internal": "internal repositories",
+                        "selected": "repositories for selected members or teams",
+                    }
+                    enabled_types.append(
+                        creation_messages.get(
+                            normalized_type, f"{creation_type} repositories"
+                        )
+                    )
+            restricted = bool(type_flags) and all(flag is False for flag in type_flags)
+            if restricted:
+                report.status = "PASS"
+                report.status_extended = f"Organization {org.name} has disabled repository creation for members."
+            else:
+                report.status = "FAIL"
+                unique_enabled = list(dict.fromkeys(enabled_types))
+                allowed_desc = _join_human_readable(unique_enabled)
+                if allowed_desc:
+                    report.status_extended = f"Organization {org.name} allows members to create {allowed_desc}."
+                else:
+                    report.status_extended = f"Organization {org.name} does not have enough data to confirm repository creation restrictions."
+            findings.append(report)
+        return findings

prowler-cloud 5.13.1__py3-none-any.whl → 5.14.1__py3-none-any.whl

prowler-cloud 5.13.1py3-none-any.whl → 5.14.1py3-none-any.whl