From eb2ac6312babf196f33d7ef860d8785cd9d3ac1f Mon Sep 17 00:00:00 2001
From: Tim Smith <tsmith84@gmail.com>
Date: Mon, 18 Dec 2023 18:07:19 -0800
Subject: [PATCH 1/2] Explain what a 2FA null for GH means + remove useless
 data

Company is a self set field so this is pretty useless for an incident.
Also the user ID is a github internal number. Login is what you really
want and we already show that.

Signed-off-by: Tim Smith <tsmith84@gmail.com>
---
 core/mondoo-github-incident-response.mql.yaml | 63 ++++++++++---------
 1 file changed, 33 insertions(+), 30 deletions(-)

diff --git a/core/mondoo-github-incident-response.mql.yaml b/core/mondoo-github-incident-response.mql.yaml
index 9205372..b95056f 100644
--- a/core/mondoo-github-incident-response.mql.yaml
+++ b/core/mondoo-github-incident-response.mql.yaml
@@ -49,7 +49,7 @@ packs:
         title: GitHub Organization MFA status
         docs:
           desc: |
-            This query retrieves whether MFA is required for users of the organization.
+            This query retrieves whether MFA is required for users of the organization. If this value is null the API token used to query the information did not have owner permissions on the organization.
         mql: |
           github.organization.twoFactorRequirementEnabled
       - uid: mondoo-incident-response-github-org-owners
@@ -59,7 +59,13 @@ packs:
             This query retrieves all GitHub organization owners.
         mql: |
           github.organization.owners.length
-          github.organization { owners { name email login } }
+          github.organization {
+            owners {
+              name
+              email
+              login
+            }
+          }
       - uid: mondoo-incident-response-github-org-members
         title: GitHub Organization Members
         docs:
@@ -67,13 +73,11 @@ packs:
             This query retrieves all of the members of the GitHub organization.
         mql: |
           github.organization.members.length
-          github.organization { 
-            members { 
-              name 
-              company 
-              login 
-              email 
-              id 
+          github.organization {
+            members {
+              name
+              login
+              email
             }
           }
       - uid: mondoo-incident-response-github-org-teams
@@ -82,16 +86,15 @@ packs:
           desc: |
             This query retrieves all GitHub organization teams.
         mql: |
-          github.organization { 
-            teams { 
-              slug 
-              privacy 
-              defaultPermission 
-              members { 
-                login 
-                email 
-                company 
-                name 
+          github.organization {
+            teams {
+              slug
+              privacy
+              defaultPermission
+              members {
+                login
+                email
+                name
               }
             }
           }
@@ -102,11 +105,11 @@ packs:
             This query retrieves all of the public repositories within the GitHub organization. The query returns the repo's name and whether the default branch is [protected](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches) using protection rules.
         mql: |
           github.organization.repositories.
-            where( private == false ) { 
-              name 
+            where( private == false ) {
+              name
               branches.
-                where( isDefault ) { 
-                  protected 
+                where( isDefault ) {
+                  protected
                 }
             }
       - uid: mondoo-incident-response-github-packages
@@ -115,13 +118,13 @@ packs:
           desc: |
             This query retrieves the packages published to GHCR.io.
         mql: |
-          github.organization { 
-            packages { 
-              name 
-              visibility 
-              packageType 
-              owner { 
-                name 
+          github.organization {
+            packages {
+              name
+              visibility
+              packageType
+              owner {
+                name
               }
             }
           }

From 86c4b86dd9b910fb879da2969720d7829f593739 Mon Sep 17 00:00:00 2001
From: Tim Smith <tim@mondoo.com>
Date: Tue, 19 Dec 2023 09:26:42 -0800
Subject: [PATCH 2/2] Update core/mondoo-github-incident-response.mql.yaml

Co-authored-by: Letha <letha@mondoo.com>
---
 core/mondoo-github-incident-response.mql.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/mondoo-github-incident-response.mql.yaml b/core/mondoo-github-incident-response.mql.yaml
index b95056f..7db4ba1 100644
--- a/core/mondoo-github-incident-response.mql.yaml
+++ b/core/mondoo-github-incident-response.mql.yaml
@@ -49,7 +49,7 @@ packs:
         title: GitHub Organization MFA status
         docs:
           desc: |
-            This query retrieves whether MFA is required for users of the organization. If this value is null the API token used to query the information did not have owner permissions on the organization.
+            This query retrieves whether multi-factor authentication is required for users of the organization. A null value means the API token used to query the information doesn't have sufficient permissions in the organization. The API token must have owner permissions in the organization to access this data.
         mql: |
           github.organization.twoFactorRequirementEnabled
       - uid: mondoo-incident-response-github-org-owners