feat: modified too many admins policy from flat number to percentage based

policies/github/repository.rego

@@ -31,8 +31,8 @@ repository_not_maintained := false {
 }
 # METADATA
 # scope: rule
-# title: Repository Should Have Fewer Than Three Admins
-# description: Repository admins are highly privileged and could create great damage if they are compromised. It is recommended to limit the number of Repository Admins to the minimum required (recommended maximum 3 admins).
+# title: Repository Should Have A Low Admin Count
+# description: Repository admins are highly privileged and could create great damage if they are compromised. It is recommended to limit the number of repository admins to the minimum required, and no more than 5% of the userbase (Up to 3 admins are always allowed).
 # custom:
 #   severity: LOW
 #   remediationSteps:
@@ -49,7 +49,10 @@ default repository_has_too_many_admins := true
 
 repository_has_too_many_admins := false {
 	admins := [admin | admin := input.collaborators[_]; admin.permissions.admin]
-	count(admins) <= 3
+	adminNum := count(admins)
+	userNum := count(input.collaborators)
+	maxAdmins := max([3, ceil(userNum * 0.05)])
+	adminNum <= maxAdmins
 }
 
 # METADATA
@@ -739,4 +742,4 @@ default secret_scanning_not_enabled := true
 
 secret_scanning_not_enabled := false{
     input.security_and_analysis.secret_scanning.status == "enabled"
-}
+}

policies/gitlab/repository.rego

@@ -26,8 +26,8 @@ project_not_maintained := false {
 
 # METADATA
 # scope: rule
-# title: Project Should Have Fewer Than Three Owners
-# description: Projects owners are highly privileged and could create great damage if they are compromised. It is recommended to limit the number of Project Owners to the minimum required (recommended maximum 3 admins).
+# title: Project Should Have A Low Owner Count
+# description: Projects owners are highly privileged and could create great damage if they are compromised. It is recommended to limit the number of Project Owners to the minimum required, and no more than 5% of the userbase (Up to 3 owners are always allowed).
 # custom:
 #   severity: LOW
 #   remediationSteps:
@@ -41,7 +41,10 @@ default project_has_too_many_admins := true
 
 project_has_too_many_admins := false {
 	admins := [admin | admin := input.members[_]; admin.access_level == 50]
-	count(admins) <= 3
+	adminNum := count(admins)
+	userNum := count(input.members)
+	maxAdmins := max([3, ceil(userNum * 0.05)])
+	adminNum <= maxAdmins
 }
 
 # METADATA

test/repository_test.go

@@ -403,11 +403,21 @@ func TestGitlabRepositoryTooManyAdmins(t *testing.T) {
 		}
 	}
 
-	tmpMember := &gitlab2.ProjectMember{
+	tmpAdminMember := &gitlab2.ProjectMember{
 		AccessLevel: 50,
 	}
-	trueCase := []*gitlab2.ProjectMember{tmpMember, tmpMember, tmpMember, tmpMember}
-	falseCase := []*gitlab2.ProjectMember{tmpMember, tmpMember}
+	tmpRegMember := &gitlab2.ProjectMember{
+		AccessLevel: 20,
+	}
+	trueCase := []*gitlab2.ProjectMember{tmpAdminMember, tmpAdminMember, tmpAdminMember, tmpAdminMember}
+	for i := 0; i < 10; i++ {
+		trueCase = append(trueCase, tmpRegMember)
+	}
+	falseCase := []*gitlab2.ProjectMember{tmpAdminMember, tmpAdminMember, tmpAdminMember, tmpAdminMember}
+	for i := 0; i < 57; i++ {
+		falseCase = append(falseCase, tmpRegMember)
+	}
+
 	options := map[bool][]*gitlab2.ProjectMember{
 		false: falseCase,
 		true:  trueCase,