Does this Panther detection, GitHub Advanced Security Change, account for archived repositories in GitHub?
Panther does not support this today, so you may see false-positive alerts if you enable this detection. If this kind of false positive causes problems for your team, please contact Panther Support to request a change to this detection.
As a workaround, you can clone and modify the detection and downgrade its severity to INFO, or otherwise adjust how it sends alerts.
Alternatively, you could use caching and a separate detection to help prevent false positives. For example:
1. Using info from our caching docs, you could create a rule like this:

```python
from panther_detection_helpers.caching import add_to_string_set, remove_from_string_set


def rule(event):
    # Keep a shared string set of archived repositories, keyed by repo name
    if event.get("action") == "repo.archive":
        add_to_string_set("archived_gh_repos", event.get("repo", ""))
        return True
    elif event.get("action") == "repo.unarchived":
        remove_from_string_set("archived_gh_repos", event.get("repo", ""))
    return False
```
2. Then, in github_advanced_security_change.py, you can edit the severity:

```python
from panther_detection_helpers.caching import get_string_set


def severity(event):
    # Downgrade to INFO when Advanced Security is disabled on a repo already recorded as archived;
    # ADV_SEC_ACTIONS is the action-to-severity map defined elsewhere in this detection file
    if event.get("action") == "repo.advanced_security_disabled" and event.get("repo") in get_string_set("archived_gh_repos"):
        return "INFO"
    return ADV_SEC_ACTIONS.get(event.get("action", ""), "Low")
```
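To see how the two detections interact, here is an added example (not Panther's code) that replays constructed GitHub audit-log events through both rules using an in-memory stand-in for Panther's string-set cache; the `ADV_SEC_ACTIONS` entry and the event contents are assumptions.

```python
from collections import defaultdict

# Constructed in-memory stand-in for panther_detection_helpers.caching
# (Panther's real helpers persist the string set between rule invocations)
_CACHE = defaultdict(set)


def add_to_string_set(key, val):
    _CACHE[key].add(val)


def remove_from_string_set(key, val):
    _CACHE[key].discard(val)


def get_string_set(key):
    return set(_CACHE[key])


# Assumed subset of the severity map in github_advanced_security_change.py
ADV_SEC_ACTIONS = {"repo.advanced_security_disabled": "HIGH"}


def archive_tracker_rule(event):
    """Rule 1: record archived repos; forget them again on unarchive."""
    action = event.get("action")
    repo = event.get("repo", "")
    if action == "repo.archive":
        add_to_string_set("archived_gh_repos", repo)
        return True
    if action == "repo.unarchived":
        remove_from_string_set("archived_gh_repos", repo)
    return False


def adv_sec_change_severity(event):
    """Rule 2 severity(): INFO for repos currently in the archived set."""
    if (event.get("action") == "repo.advanced_security_disabled"
            and event.get("repo") in get_string_set("archived_gh_repos")):
        return "INFO"
    return ADV_SEC_ACTIONS.get(event.get("action", ""), "Low")


def replay(events):
    """Run events through both rules in order; return (repo, severity) per GHAS-disabled event."""
    results = []
    for ev in events:
        archive_tracker_rule(ev)
        if ev.get("action") == "repo.advanced_security_disabled":
            results.append((ev["repo"], adv_sec_change_severity(ev)))
    return results


# Constructed audit-log events: a live repo, then a repo archived, then unarchived
SAMPLE_EVENTS = [
    {"action": "repo.advanced_security_disabled", "repo": "acme/live-app"},
    {"action": "repo.archive", "repo": "acme/old-app"},
    {"action": "repo.advanced_security_disabled", "repo": "acme/old-app"},
    {"action": "repo.unarchived", "repo": "acme/old-app"},
    {"action": "repo.advanced_security_disabled", "repo": "acme/old-app"},
]
```

Only the disable event that arrives while `acme/old-app` is in the archived set is downgraded; once the repo is unarchived the original severity applies again.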