Add rule to check for high number of new dependencies
evankanderson committed Dec 20, 2024
1 parent 1e61ca0 commit 0f74242
Showing 2 changed files with 111 additions and 0 deletions.
16 changes: 16 additions & 0 deletions data-sources/trusty.yaml
@@ -0,0 +1,16 @@
version: v1
type: data-source
name: insights
context: {}
rest:
def:
dependencies:
endpoint: https://api.insight.stacklok.com/v2/dependencies?package_name={package}&package_type={ecosystem}
parse: json
input_schema:
type: object
properties:
package:
type: string
ecosystem:
type: string
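Review bot: `input_schema` declares `package` and `ecosystem` but marks neither as required, so a caller that omits one still hits the templated endpoint `?package_name={package}&package_type={ecosystem}` with an empty value; add `required: [package, ecosystem]` under `input_schema` so the data source refuses malformed calls instead of issuing them. The naming is also inconsistent: the file is `data-sources/trusty.yaml` while the data source is `name: insights`, and there is no `description` saying what `api.insight.stacklok.com/v2/dependencies` returns or what the `dependencies` definition is meant to feed; pick one name and document the endpoint.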
95 changes: 95 additions & 0 deletions rule-types/github/pr_rego_check.yaml
@@ -0,0 +1,95 @@
---
version: v1
type: rule-type
name: pr_vulnerability_check
severity:
value: medium
context:
provider: github
description: |
Verifies that pull requests do not add any vulnerable dependencies
For every pull request submitted to a repository, this rule will check if the pull request
adds a new dependency with known vulnerabilities. If it does, the rule will fail and the
pull request will be rejected or commented on.
guidance: |
Ensure that the pull request does not add any vulnerable dependencies. Vulnerable dependencies can introduce security risks to the repository and its users. It is important to ensure that the dependencies are secure and do not contain any known vulnerabilities.
def:
in_entity: pull_request
rule_schema:
type: object
properties:
action:
type: string
description: "The action to take if a vulnerability is found."
enum:
# minder will review the PR, suggest changes and mark the PR as changes requested if a vulnerability is found
- review
# minder will comment and suggest changes on the PR if a vulnerability is found. Additionally, minder
# will set the commit_status of the PR HEAD to failed to prevent the commit from being merged
- commit_status
# minder will comment and suggest changes on the PR if a vulnerability is found, but not request changes
- comment
# the evaluator engine will merely pass on an error, marking the profile as failed if a vulnerability is found
- profile_only
# the evaluator engine will add a single summary comment with a table listing the vulnerabilities found
- summary
default: review
ecosystem_config:
type: array
description: "The configuration for the ecosystems to check. Optional. If not explicitly set, Minder's default configuration will be used."
items:
type: object
properties:
name:
type: string
description: "The name of the ecosystem to check. Currently `npm`, `go` and `pypi` are supported."
vulnerability_database_type:
type: string
"description": "The kind of vulnerability database to use. Currently only `osv` is supported."
vulnerability_database_endpoint:
type: string
"description": "The endpoint of the vulnerability database to use."
package_repository:
type: object
properties:
url:
type: string
description: "The URL of the package repository to use."
"description": "The package repository to use."
sum_repository:
type: object
properties:
url:
type: string
description: "The URL of the Go sum repository to use. Only used if the ecosystem is `go`."
"description": "The Go sum repository to use."
ingest:
type: diff
diff:
type: new-dep
ecosystems:
- name: npm
depfile: package-lock.json
- name: go
depfile: go.mod
- name: pypi
depfile: requirements.txt
# Defines the configuration for evaluating data ingested against the given profile
eval:
type: rego
rego:
type: deny-by-default
def: |
package minder
import rego.v1
default allow := false
allow if {
print("Input:", input)
dep := input.ingested.deps[_]
dep.dep.name == "dompurify"
}
# Defines the configuration for alerting on the rule
alert:
type: security_advisory
security_advisory: {}
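Review bot: the rego at the end of the hunk does not implement what the file's `description` or the commit message promises. `allow if { ... dep.dep.name == "dompurify" }` passes the pull request precisely when a dependency named `dompurify` is added and, under `type: deny-by-default`, fails it otherwise, which is the inverse of a vulnerability check and does nothing to count new dependencies; `print("Input:", input)` reads as leftover debugging. The `action` and `ecosystem_config` parameters under `rule_schema` are declared but never consumed by this evaluator, and the `insights` data source added in `data-sources/trusty.yaml` is not referenced anywhere in the rule. Suggest either counting `input.ingested.deps` against a configurable threshold, for example declaring `max_new_deps` in `rule_schema` and writing `allow if { count(input.ingested.deps) <= input.profile.max_new_deps }`, or cutting the schema and description down to what the rule actually does; and align `name: pr_vulnerability_check` with the file name `pr_rego_check.yaml` so the rule cannot be confused with a vulnerability check it does not perform.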