feat: add support for branch protections via rules

trumant · trumant · commit 6181f79a75b1 · 2025-09-21T15:30:32.000-04:00
This commit adds support for reading and interpreting
the rules applied to the default branch of the repo.

Evaluations that previously only considered the state
of branch protection rules will now also consider the state
of branch rules.

Signed-off-by: Travis Truman &lt;trumant@gmail.com&gt;
diff --git a/data/repository_metadata.go b/data/repository_metadata.go
@@ -11,13 +11,15 @@ type RepositoryMetadata interface {
 	IsPublic() bool
 	OrganizationBlogURL() *string
 	IsMFARequiredForAdministrativeActions() *bool
+	IsDefaultBranchProtected() *bool
+	DefaultBranchRequiresPRReviews() *bool
 }
 
 type GitHubRepositoryMetadata struct {
-	Releases []ReleaseData
-	Rulesets []Ruleset
-	ghRepo   *github.Repository
-	ghOrg    *github.Organization
+	Releases           []ReleaseData
+	defaultBranchRules *github.BranchRules
+	ghRepo             *github.Repository
+	ghOrg              *github.Organization
 }
 
 func (r *GitHubRepositoryMetadata) IsActive() bool {
@@ -28,6 +30,22 @@ func (r *GitHubRepositoryMetadata) IsPublic() bool {
 	return !r.ghRepo.GetPrivate()
 }
 
+func (r *GitHubRepositoryMetadata) IsDefaultBranchProtected() *bool {
+	if r.defaultBranchRules == nil {
+		return nil
+	}
+	updateBlockedByRule := r.defaultBranchRules != nil && len(r.defaultBranchRules.Update) > 0
+	return &updateBlockedByRule
+}
+
+func (r *GitHubRepositoryMetadata) DefaultBranchRequiresPRReviews() *bool {
+	if r.defaultBranchRules == nil {
+		return nil
+	}
+	requiresReviews := r.defaultBranchRules != nil && r.defaultBranchRules.PullRequest != nil && len(r.defaultBranchRules.PullRequest) > 0 && r.defaultBranchRules.PullRequest[0].Parameters.RequiredApprovingReviewCount > 0
+	return &requiresReviews
+}
+
 func (r *GitHubRepositoryMetadata) OrganizationBlogURL() *string {
 	if r.ghOrg != nil {
 		return r.ghOrg.Blog
@@ -53,8 +71,30 @@ func loadRepositoryMetadata(ghClient *github.Client, owner, repo string) (ghRepo
 			ghRepo: repository,
 		}, nil
 	}
+	branchRules, err := getRuleset(ghClient, owner, repo, repository.GetDefaultBranch())
+	if err != nil {
+		return repository, &GitHubRepositoryMetadata{
+			ghRepo: repository,
+			ghOrg:  organization,
+		}, nil
+	}
 	return repository, &GitHubRepositoryMetadata{
-		ghRepo: repository,
-		ghOrg:  organization,
+		ghRepo:             repository,
+		ghOrg:              organization,
+		defaultBranchRules: branchRules,
 	}, nil
 }
+
+func getRuleset(ghClient *github.Client, owner, repo string, branchName string) (*github.BranchRules, error) {
+	branchRules, _, err := ghClient.Repositories.GetRulesForBranch(
+		context.Background(),
+		owner,
+		repo,
+		branchName,
+		nil,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return branchRules, nil
+}
diff --git a/evaluation_plans/osps/access_control/evaluations.go b/evaluation_plans/osps/access_control/evaluations.go
@@ -65,7 +65,7 @@ func OSPS_AC_03() (evaluation *layer4.ControlEvaluation) {
 		},
 		[]layer4.AssessmentStep{
 			reusable_steps.IsCodeRepo,
-			branchProtectionRestrictsPushes, // This checks branch protection, but not rulesets yet
+			defaultBranchRestrictsPushes,
 		},
 	)
 
diff --git a/evaluation_plans/osps/access_control/steps.go b/evaluation_plans/osps/access_control/steps.go
@@ -22,7 +22,7 @@ func orgRequiresMFA(payloadData any, _ map[string]*layer4.Change) (result layer4
 	return layer4.Failed, "Two-factor authentication is NOT configured as required by the parent organization"
 }
 
-func branchProtectionRestrictsPushes(payloadData any, _ map[string]*layer4.Change) (result layer4.Result, message string) {
+func defaultBranchRestrictsPushes(payloadData any, _ map[string]*layer4.Change) (result layer4.Result, message string) {
 	payload, message := reusable_steps.VerifyPayload(payloadData)
 	if message != "" {
 		return layer4.Unknown, message
@@ -39,10 +39,18 @@ func branchProtectionRestrictsPushes(payloadData any, _ map[string]*layer4.Chang
 		result = layer4.Passed
 		message = "Branch protection rule requires approving reviews"
 	} else {
-		result = layer4.NeedsReview
-		message = "Branch protection rule does not restrict pushes or require approving reviews; Rulesets not yet evaluated."
+		if payload.RepositoryMetadata.IsDefaultBranchProtected() != nil && *payload.RepositoryMetadata.IsDefaultBranchProtected() {
+			result = layer4.Passed
+			message = "Branch rule restricts pushes"
+		} else if payload.RepositoryMetadata.DefaultBranchRequiresPRReviews() != nil && *payload.RepositoryMetadata.DefaultBranchRequiresPRReviews() {
+			result = layer4.Passed
+			message = "Branch rule requires approving reviews"
+		} else {
+			result = layer4.Failed
+			message = "Default branch is not protected"
+		}
 	}
-	return
+	return result, message
 }
 
 func branchProtectionPreventsDeletion(payloadData any, _ map[string]*layer4.Change) (result layer4.Result, message string) {

Original file line number	Diff line number	Diff line change
`@@ -65,7 +65,7 @@ func OSPS_AC_03() (evaluation *layer4.ControlEvaluation) {`
`65`	`65`	`},`
`66`	`66`	`[]layer4.AssessmentStep{`
`67`	`67`	`reusable_steps.IsCodeRepo,`
`68`		`- branchProtectionRestrictsPushes, // This checks branch protection, but not rulesets yet`
	`68`	`+ defaultBranchRestrictsPushes,`
`69`	`69`	`},`
`70`	`70`	`)`
`71`	`71`