diff --git a/core/mondoo-gitlab-security.mql.yaml b/core/mondoo-gitlab-security.mql.yaml index d70477b5..bd5b3a11 100644 --- a/core/mondoo-gitlab-security.mql.yaml +++ b/core/mondoo-gitlab-security.mql.yaml @@ -1,7 +1,7 @@ policies: - uid: mondoo-gitlab-security name: GitLab Security - version: 1.2.0 + version: 1.3.0 license: MPL-2.0 tags: mondoo.com/category: security @@ -10,14 +10,18 @@ policies: - name: Mondoo, Inc email: hello@mondoo.com docs: - desc: "## Overview\n\nThe GitLab Security by Mondoo policy bundle provides guidance for establishing minimum recommended security and operational best practices for GitLab. This policy is early access.\n\n## Remote scan\n\nRemote scans use native transports in `cnspec` to provide on demand scan results without the need to install any agents, or integration. \n\nFor a complete list of native transports run: \n\n```bash\ncnspec scan --help\n``` \n\n### Prerequisites\n\nRemote scans of GitLab requires a [personal access token](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html) with access to the group.\n\n### Run a scan of a GitLab group\n\nOpen a terminal and configure an environment variable with your GitLab personal access token:\n\n```bash\nexport GITLAB_TOKEN= \n```\n\nRun a remote scan of your GitLab group: \n\n```bash\ncnspec scan gitlab --group \n``` \n \n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable. \n\nIf you have any suggestions on how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions." + desc: "## Overview\n\nThe GitLab Security by Mondoo policy bundle provides guidance for establishing minimum recommended security and operational best practices for GitLab groups and projects. This policy is early access.\n\n## Remote scan\n\nRemote scans use native transports in `cnspec` to provide on demand scan results without the need to install any agents, or integration. \n\nFor a complete list of native transports run: \n\n```bash\ncnspec scan --help\n``` \n\n### Prerequisites\n\nRemote scans of GitLab requires a [personal access token](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html) with access to the group.\n\n### Run a scan of a GitLab group\n\nOpen a terminal and configure an environment variable with your GitLab personal access token:\n\n```bash\nexport GITLAB_TOKEN= \n```\n\nRun a remote scan of your GitLab group: \n\n```bash\ncnspec scan gitlab --group \n``` \n \n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable. \n\nIf you have any suggestions on how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions." groups: - - title: GitLab + - title: GitLab Group filters: asset.platform == "gitlab" || asset.platform == "gitlab-group" checks: - uid: mondoo-gitlab-security-private-group - uid: mondoo-gitlab-security-private-projects - uid: mondoo-gitlab-security-require-two-factor + - title: GitLab Project + filters: asset.platform == "gitlab-project" + checks: + - uid: mondoo-gitlab-security-private-project queries: - uid: mondoo-gitlab-security-private-group title: Ensure the group is private @@ -25,7 +29,7 @@ queries: gitlab.group.visibility != "public" docs: desc: | - GitLab allows users with the Owner role to set a project's or group's visibility as: + GitLab allows users with the Owner role to set a group's visibility as: - Public - Internal @@ -38,7 +42,7 @@ queries: __cnspec Shell__ 1. Open a Terminal. - 2. Connect cnspec shell to GitLab `cnspec shell gitlab --option token=${GITLAB_TOKEN} --option group=` + 2. Connect cnspec shell to GitLab `cnspec shell gitlab --token ${GITLAB_TOKEN} --group ` 3. Run the following query ```mql @@ -57,7 +61,7 @@ queries: __cnspec Shell__ 1. Open a Terminal. - 2. Connect cnspec shell to GitLab `cnspec shell gitlab --option token=${GITLAB_TOKEN} --option group=` + 2. Connect cnspec shell to GitLab `cnspec shell gitlab --token ${GITLAB_TOKEN} --group ` 3. Run the following query ```mql @@ -70,7 +74,7 @@ queries: mql: gitlab.group.projects { visibility != "public" } docs: desc: | - GitLab allows users with the Owner role to set a project's or group's visibility as: + GitLab allows users with the Owner role to set a project's visibility as: - Public - Internal @@ -78,17 +82,42 @@ queries: These visibility levels affect who can see the project in the public access directory (/public for your GitLab instance). For example, https://gitlab.com/public. You can control the visibility of individual features with project feature settings. + Private projects can only be cloned and viewed by project members (except for guests). They appear in the public access directory (`/public``) for project members only. + audit: | + __cnspec Shell__ + + 1. Open a Terminal. + 2. Connect cnspec shell to GitLab `cnspec shell gitlab --token ${GITLAB_TOKEN} --group ` + 3. Run the following query + + ```mql + gitlab.group.projects { visibility != "public" } + ``` + remediation: | + To make the visibility of a GitLab project private, see [Change project visibility](https://docs.gitlab.com/ee/user/public_access.html#change-project-visibility). + - uid: mondoo-gitlab-security-private-project + title: Ensure the project is private + mql: gitlab.project { visibility != "public" } + docs: + desc: | + GitLab allows users with the Owner role to set a project's visibility as: + + - Public + - Internal + - Private + + These visibility levels affect who can see the project in the public access directory (/public for your GitLab instance). For example, https://gitlab.com/public. You can control the visibility of individual features with project feature settings. Private projects can only be cloned and viewed by project members (except for guests). They appear in the public access directory (`/public``) for project members only. audit: | __cnspec Shell__ 1. Open a Terminal. - 2. Connect cnspec shell to GitLab `cnspec shell gitlab --option token=${GITLAB_TOKEN} --option group=` + 2. Connect cnspec shell to GitLab `cnspec shell gitlab --token ${GITLAB_TOKEN} --group --project ` 3. Run the following query ```mql - gitlab.group.visibility + gitlab.project.visibility ``` remediation: | To make the visibility of a GitLab project private, see [Change project visibility](https://docs.gitlab.com/ee/user/public_access.html#change-project-visibility).