Panther Knowledge Base

Does Panther's GHAS Change detection account for archived repositories?

QUESTION

Does this Panther detection, GitHub Advanced Security Change, account for archived repositories in GitHub?

ANSWER

Panther does not support this today, so you may see false-positive alerts if you enable this detection. If this kind of false positive causes problems for your team, please contact Panther Support to request a change to this detection.

As a workaround, you can clone and modify the detection and downgrade its severity to INFO, or otherwise adjust how it sends alerts.

Alternatively, you could use caching and a separate detection to help prevent false positives. For example:

1. Using info from our caching docs, you could create a rule like this:

from panther_detection_helpers.caching import add_to_string_set, remove_from_string_set


def rule(event):
    # GitHub audit log emits repo.archived / repo.unarchived; the set key
    # 'archived_gh_repos' is shared with the GHAS change rule below.
    if event.get("action") == "repo.archived":
        add_to_string_set('archived_gh_repos', event.get('repo', ''))
        # Returning True also alerts on the archive event itself; return
        # False here if you only want the cache side effect.
        return True
    elif event.get("action") == "repo.unarchived":
        remove_from_string_set('archived_gh_repos', event.get('repo', ''))
    return False

2. Then, in github_advanced_security_change.py, you can edit the severity:

from panther_detection_helpers.caching import get_string_set


def severity(event):
    # ADV_SEC_ACTIONS is the action-to-severity mapping already defined in
    # github_advanced_security_change.py; only the archived-repo check is new.
    if (event.get('action') == 'repo.advanced_security_disabled'
            and event.get('repo') in get_string_set('archived_gh_repos')):
        return "INFO"
    return ADV_SEC_ACTIONS.get(event.get("action", ""), "Low")
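The two rules above depend on event ordering: the archive must be cached before the GHAS-disabled event is scored. The following is an added example, not Panther's code, that replays a constructed audit-log sequence through both rules offline; the cache helpers and ADV_SEC_ACTIONS are in-memory stand-ins (assumed to share the real helpers' names), and the repo names are made up.

```python
# Added example, not Panther's code: the two-rule workaround replayed offline.
# Cache helpers and ADV_SEC_ACTIONS are stand-ins (assumption: same names
# as Panther's helpers, in-memory storage instead of Panther's cache).
from collections import defaultdict

_CACHE = defaultdict(set)
def add_to_string_set(key, value): _CACHE[key].add(value)
def remove_from_string_set(key, value): _CACHE[key].discard(value)
def get_string_set(key): return set(_CACHE[key])

ADV_SEC_ACTIONS = {"repo.advanced_security_disabled": "High"}  # constructed

def archive_tracker_rule(event):
    # Step 1: keep the archived-repo set current from GitHub audit events.
    if event.get("action") == "repo.archived":
        add_to_string_set("archived_gh_repos", event.get("repo", ""))
        return True
    if event.get("action") == "repo.unarchived":
        remove_from_string_set("archived_gh_repos", event.get("repo", ""))
    return False

def ghas_change_severity(event):
    # Step 2: downgrade GHAS-disabled alerts for repos known to be archived.
    if (event.get("action") == "repo.advanced_security_disabled"
            and event.get("repo") in get_string_set("archived_gh_repos")):
        return "INFO"
    return ADV_SEC_ACTIONS.get(event.get("action", ""), "Low")

def replay(events):
    # Run both rules in event order; return (repo, severity) per GHAS change.
    out = []
    for ev in events:
        archive_tracker_rule(ev)
        if ev.get("action", "").startswith("repo.advanced_security_"):
            out.append((ev["repo"], ghas_change_severity(ev)))
    return out

# Constructed sample. org/legacy was archived before the tracker rule existed,
# so its disable event is still High: the cache only suppresses events that
# arrive after the matching repo.archived event was processed.
SAMPLE_EVENTS = [
    {"action": "repo.archived", "repo": "org/app"},
    {"action": "repo.advanced_security_disabled", "repo": "org/app"},
    {"action": "repo.advanced_security_disabled", "repo": "org/legacy"},
    {"action": "repo.unarchived", "repo": "org/app"},
    {"action": "repo.advanced_security_disabled", "repo": "org/app"},
]
```

Repos archived before the tracker rule was deployed are never in the set, so seed the cache (or accept those alerts) when first enabling the workaround.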