GitHub repository | Severity: medium | builtIn

Description

A ruleset with enforcement set to 'disabled' provides no protection at all: none of its rules are evaluated against pushes, branch creations or pull requests, so it exists only as configuration history. A disabled ruleset typically means a previously enforced policy was deactivated, and it should be reviewed: either re-enable it ('active'), set it to dry-run ('evaluate') so violations are reported without being blocked, or remove it entirely so it cannot be mistaken for active protection.

Recommendation

1. Go to Repository or Organization Settings -> Rules -> Rulesets.
2. Identify any rulesets in 'Disabled' state.
3. Decide whether to re-enable ('Active'), observe ('Evaluate'), or delete each disabled ruleset.
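The same review can be done against the GitHub REST API instead of the settings UI, which is how a continuous check would run. The following is an added example, not code from the policy engine or from GitHub: it classifies ruleset objects in the shape returned by `GET /repos/{owner}/{repo}/rulesets` and `GET /orgs/{org}/rulesets`, then builds the request for whichever of the three recommended actions is chosen. The sample rulesets, the `acme` organisation and `acme/payments` repository, and the token variable are constructed for this example; the live `fetch_rulesets` helper assumes a token with permission to read rulesets and is not exercised offline.

```python
"""Find GitHub rulesets whose enforcement is 'disabled' and build the
remediation request for each one.

Added example, not part of the original policy page. Ruleset objects
follow the shape returned by the GitHub REST API ruleset listings; the
SAMPLE_RULESETS list below is constructed for this example.
"""
import json
import urllib.request

GITHUB_API = "https://api.github.com"
VALID_ENFORCEMENT = {"active", "evaluate", "disabled"}

# Constructed sample: a mix of repository- and organisation-level rulesets.
SAMPLE_RULESETS = [
    {"id": 101, "name": "protect-main", "target": "branch",
     "source_type": "Repository", "source": "acme/payments",
     "enforcement": "active"},
    {"id": 102, "name": "signed-commits", "target": "branch",
     "source_type": "Repository", "source": "acme/payments",
     "enforcement": "disabled"},
    {"id": 7, "name": "org-tag-policy", "target": "tag",
     "source_type": "Organization", "source": "acme",
     "enforcement": "evaluate"},
    {"id": 8, "name": "legacy-release-rules", "target": "branch",
     "source_type": "Organization", "source": "acme",
     "enforcement": "disabled"},
]


def find_disabled(rulesets):
    """Return the rulesets that provide no protection (enforcement == 'disabled').

    An unexpected enforcement value raises rather than being treated as
    compliant, so a schema change cannot silently hide a finding.
    """
    disabled = []
    for rs in rulesets:
        enforcement = rs.get("enforcement")
        if enforcement not in VALID_ENFORCEMENT:
            raise ValueError(f"ruleset {rs.get('id')}: unexpected enforcement {enforcement!r}")
        if enforcement == "disabled":
            disabled.append(rs)
    return disabled


def ruleset_path(rs):
    """API path for one ruleset, derived from its source_type and source."""
    if rs["source_type"] == "Organization":
        return f"/orgs/{rs['source']}/rulesets/{rs['id']}"
    return f"/repos/{rs['source']}/rulesets/{rs['id']}"


def remediation(rs, action):
    """Build (method, path, body) for one of the three recommended actions.

    'active' and 'evaluate' become a PUT whose body carries only the
    enforcement field; 'delete' becomes a DELETE. Nothing is sent here.
    """
    path = ruleset_path(rs)
    if action == "delete":
        return ("DELETE", path, None)
    if action in ("active", "evaluate"):
        return ("PUT", path, {"enforcement": action})
    raise ValueError(f"unknown action {action!r}")


def fetch_rulesets(name, token, org=False):
    """Live listing for a repo ('owner/repo') or an org (org=True).

    Not used by the offline demo; assumes `token` may read rulesets.
    """
    path = f"/orgs/{name}/rulesets" if org else f"/repos/{name}/rulesets"
    req = urllib.request.Request(GITHUB_API + path, headers={
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
        "X-GitHub-Api-Version": "2022-11-28",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demo: report every disabled ruleset and the dry-run remediation.
    for rs in find_disabled(SAMPLE_RULESETS):
        method, path, body = remediation(rs, "evaluate")
        print(f"{rs['source_type']} ruleset {rs['name']!r} is disabled -> {method} {path} {body}")
```

Choosing 'evaluate' as the default remediation is deliberate: it restores visibility of violations immediately while leaving the decision to block (or to delete a ruleset nobody wants) to a human who has looked at the dry-run results.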

Policy Rule

{
  "target": "GHRuleset",
  "if": {
    "allOf": [
      {
        "resource": "GHRuleset",
        "property": "Enforcement",
        "operator": "notEquals",
        "value": "disabled"
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}