GitHub Repository defined in Terraform doesn't have vulnerability alerts enabled
Description
GitHub can scan a repository's dependencies for known vulnerabilities. Enabling alerts on the repository alone is not sufficient: the feature must also be enabled at the owner (organization or user account) level. By default it is enabled for public repositories but not for private ones, so private repositories managed in Terraform should set it explicitly.
Code Example

```hcl
resource "github_repository" "example" {
  name        = "example"
  description = "Example repository"
  private     = true # or false for public repositories

  # Enable vulnerability alerts for the repository
  vulnerability_alerts = true

  # ... other configurations ...

  # If the repository is archived, alerts are disabled, and this configuration will not apply
  # archived = false
}
```

Remediation
Terraform
- Resource: github_repository
- Attribute: vulnerability_alerts
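The following is an added example, not part of the original rule page or of Checkov's own implementation. It is a small Python scanner, written for this page, that applies the rule's logic to Terraform text: each `github_repository` resource passes only when `vulnerability_alerts = true` is set, and an archived repository is reported as failing because, as noted above, alerts are disabled for archived repositories regardless of the attribute. The sample Terraform, the resource names and the regex-based parsing are assumptions constructed for the example (a real scanner would use a proper HCL parser).

```python
import re

# Constructed sample input (not from the page): four github_repository blocks
# covering the pass case, a missing attribute, an archived repository and an
# explicit false.
SAMPLE_TF = """
resource "github_repository" "ok" {
  name                 = "ok"
  private              = true
  vulnerability_alerts = true
}

resource "github_repository" "missing" {
  name    = "missing"
  private = true
}

resource "github_repository" "archived" {
  name                 = "archived"
  archived             = true
  vulnerability_alerts = true
}

resource "github_repository" "explicit_false" {
  name                 = "explicit_false"
  vulnerability_alerts = false  # alerts deliberately turned off
}
"""

# Matches one resource block: name plus everything up to the closing brace
# at the start of a line. Good enough for flat blocks like the ones above.
RESOURCE_RE = re.compile(
    r'resource\s+"github_repository"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)^\}',
    re.S | re.M,
)

# Matches `key = value` on a line, stopping at a trailing `#` comment.
ATTR_RE = re.compile(
    r'^\s*(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?P<value>[^#\n]*)', re.M
)


def parse_attributes(body):
    """Return the block's scalar attributes as a dict of stripped strings."""
    attrs = {}
    for m in ATTR_RE.finditer(body):
        attrs[m.group("key")] = m.group("value").strip().strip('"')
    return attrs


def evaluate_repository(attrs):
    """Apply the rule to one resource; returns (status, reason)."""
    if attrs.get("archived") == "true":
        return "FAILED", "repository is archived; alerts are disabled regardless of the attribute"
    if attrs.get("vulnerability_alerts") == "true":
        return "PASSED", "vulnerability_alerts = true"
    return "FAILED", "vulnerability_alerts is not set to true"


def check_terraform(tf_text):
    """Map each github_repository resource name to its (status, reason)."""
    results = {}
    for m in RESOURCE_RE.finditer(tf_text):
        results[m.group("name")] = evaluate_repository(parse_attributes(m.group("body")))
    return results


if __name__ == "__main__":
    for name, (status, reason) in check_terraform(SAMPLE_TF).items():
        print(f"CKV_GIT_3 github_repository.{name}: {status} ({reason})")
```

Running the block prints one line per resource; only `ok` passes. Note what the check cannot see: whether alerts are enabled at the owner level is outside the Terraform file, so a passing result here still depends on that owner-level setting being on.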
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1034 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV_GIT_3 |