Branch protection remediation now uses default branch if none provide…

…d. (#3436) Branch protection remediation now checks if branch name is empty and gets the default branch if available. If both are unavailable, remediation is skipped. Co-authored-by: Juan Antonio Osorio [email protected] Fixes #3430
mindersec · May 27, 2024 · db00a0f · db00a0f
1 parent 64a22e8
commit db00a0f
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/internal/engine/actions/remediate/gh_branch_protect/gh_branch_protect.go b/internal/engine/actions/remediate/gh_branch_protect/gh_branch_protect.go
@@ -132,6 +132,18 @@ func (r *GhBranchProtectRemediator) Do(
 		return nil, fmt.Errorf("error reading branch from params: %w", err)
 	}
 
+	// This check avoids passing around an empty branch name which
+	// causes issues down the road. Besides, it does not make
+	// sense to protect what does not exist. (cit. Ozz 2024-05-27)
+	if branch == "" && repo.DefaultBranch == "" {
+		return nil, fmt.Errorf("both rule param and default branch names are empty: %w", engerrors.ErrActionSkipped)
+	}
+	// This sets the branch to the default one of the repository
+	// in case no branch is configured via rule parameters.
+	if branch == "" {
+		branch = repo.DefaultBranch
+	}
+
 	// get the current protection
 	res, err := r.cli.GetBranchProtection(ctx, repo.Owner, repo.Name, branch)
 	if errors.Is(err, github.ErrBranchNotProtected) {