
CKV2_GIT_1: "Ensure each Repository has branch protection associated" Failed even when repository has branch protection #6405

Open
yaelvais opened this issue Jun 5, 2024 · 0 comments
Labels: checks (Check additions or changes)

Comments

@yaelvais

yaelvais commented Jun 5, 2024

Describe the issue
When creating a github_repository resource, the check fails for:
Check: CKV2_GIT_1: "Ensure each Repository has branch protection associated"
FAILED for resource: module.github.module.service_name.github_repository.repository[0]

Even though we do create a github_branch_protection_v3 resource with the repository.

Examples
We create the resources using modules:

module "service_name" {
  source = "./repository_mgmt"

  create_repository_enabled   = true
  repository_template         = local.template_repo_name
  repositories_generic_config = local.repositories_generic_config
  repository_name             = "service-name"
  default_branch_name         = local.development_branch_name
  additional_branches         = [
    local.development_branch_name
  ]
  additional_protected_branches = [
    local.main_branch_name
  ]
  required_status_checks = local.tested_services_required_status_checks
}

in repository_mgmt:

resource "github_branch_protection_v3" "protect_branches" {
  for_each = toset(local.protected_branches_list)

  repository = var.repository_name
  branch     = each.key
  required_pull_request_reviews {
    required_approving_review_count = var.approvals_number_for_merging_to_protected_branches
    dismiss_stale_reviews           = true
    require_code_owner_reviews      = var.require_code_owner_reviews
  }
  required_status_checks {
    contexts = concat(local.generic_required_status_checks, var.required_status_checks)
  }

  depends_on = [
    github_branch.additional_branches,
    github_branch_default.default,
  ]
}

Version (please complete the following information):

  • Checkov Version 3.2.7
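A single-file reproducer, added here as an example and not part of the report or of Checkov's own test suite, for narrowing down whether the failure depends on how the protection names the repository. It assumes (not verified against the checker source) that CKV2_GIT_1 is a graph check needing a resolvable reference from `github_branch_protection_v3.repository` to the `github_repository` resource; the report's indirection through `var.repository_name` would then yield no graph edge even though the protection exists.

```hcl
# Added reproducer (constructed, not the reporter's modules).
# Assumption: CKV2_GIT_1 connects github_repository to github_branch_protection_v3
# through the `repository` attribute, so a plain string or variable value gives
# the graph nothing to follow. Run in an empty directory with:
#   checkov -d . --check CKV2_GIT_1
# once with the reference below, once with the commented-out line from the
# report swapped in, and compare PASSED/FAILED for github_repository.repository[0].
terraform {
  required_providers {
    github = {
      source = "integrations/github"
    }
  }
}

variable "repository_name" {
  type    = string
  default = "service-name"
}

# count mirrors the repository[0] instance in the reported failure.
resource "github_repository" "repository" {
  count      = 1
  name       = var.repository_name
  visibility = "private"
}

resource "github_branch_protection_v3" "protect_main" {
  # Explicit resource reference: the graph can tie this protection to the repo.
  repository = github_repository.repository[0].name
  # Form used in the report; same deployed result, but no resource reference:
  # repository = var.repository_name
  branch = "main"

  required_pull_request_reviews {
    required_approving_review_count = 1
    dismiss_stale_reviews           = true
  }

  required_status_checks {
    contexts = ["ci/test"]
  }

  depends_on = [github_repository.repository]
}
```

If both variants fail, the naming form is not the cause and the check itself needs a look; if only the variable form fails, the fix on the user side is to pass the repository as a resource attribute through the module rather than as a bare name.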
yaelvais added the label checks (Check additions or changes) on Jun 5, 2024