Add rule to check for high number of new dependencies
1 parent
1e61ca0
commit 0f74242
Showing
2 changed files
with
111 additions
and
0 deletions.
@@ -0,0 +1,16 @@ | ||
version: v1 | ||
type: data-source | ||
name: insights | ||
context: {} | ||
rest: | ||
def: | ||
dependencies: | ||
endpoint: https://api.insight.stacklok.com/v2/dependencies?package_name={package}&package_type={ecosystem} | ||
parse: json | ||
input_schema: | ||
type: object | ||
properties: | ||
package: | ||
type: string | ||
ecosystem: | ||
type: string |
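Review bot: The `package` and `ecosystem` inputs are substituted straight into the query string on the `endpoint:` line, yet `input_schema` constrains neither and lists no `required` fields. `ecosystem` could carry an `enum` of the values the rule type actually supports (`npm`, `go`, `pypi` appear in the sibling file), `package` a `pattern` or `maxLength`, and `required: [package, ecosystem]` would reject calls that omit one. Whether the data-source engine URL-encodes substituted values is not visible on this page; if it does not, an unconstrained `package` value containing `&` or `/` would alter the request, so tightening the schema is the safe default. The `insights` data source is also not referenced by the rule type added in the same commit, so a short comment naming its intended consumer would help the next reader.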
@@ -0,0 +1,95 @@ | ||
--- | ||
version: v1 | ||
type: rule-type | ||
name: pr_vulnerability_check | ||
severity: | ||
value: medium | ||
context: | ||
provider: github | ||
description: | | ||
Verifies that pull requests do not add any vulnerable dependencies | ||
For every pull request submitted to a repository, this rule will check if the pull request | ||
adds a new dependency with known vulnerabilities. If it does, the rule will fail and the | ||
pull request will be rejected or commented on. | ||
guidance: | | ||
Ensure that the pull request does not add any vulnerable dependencies. Vulnerable dependencies can introduce security risks to the repository and its users. It is important to ensure that the dependencies are secure and do not contain any known vulnerabilities. | ||
def: | ||
in_entity: pull_request | ||
rule_schema: | ||
type: object | ||
properties: | ||
action: | ||
type: string | ||
description: "The action to take if a vulnerability is found." | ||
enum: | ||
# minder will review the PR, suggest changes and mark the PR as changes requested if a vulnerability is found | ||
- review | ||
# minder will comment and suggest changes on the PR if a vulnerability is found. Additionally, minder | ||
# will set the commit_status of the PR HEAD to failed to prevent the commit from being merged | ||
- commit_status | ||
# minder will comment and suggest changes on the PR if a vulnerability is found, but not request changes | ||
- comment | ||
# the evaluator engine will merely pass on an error, marking the profile as failed if a vulnerability is found | ||
- profile_only | ||
# the evaluator engine will add a single summary comment with a table listing the vulnerabilities found | ||
- summary | ||
default: review | ||
ecosystem_config: | ||
type: array | ||
description: "The configuration for the ecosystems to check. Optional. If not explicitly set, Minder's default configuration will be used." | ||
items: | ||
type: object | ||
properties: | ||
name: | ||
type: string | ||
description: "The name of the ecosystem to check. Currently `npm`, `go` and `pypi` are supported." | ||
vulnerability_database_type: | ||
type: string | ||
"description": "The kind of vulnerability database to use. Currently only `osv` is supported." | ||
vulnerability_database_endpoint: | ||
type: string | ||
"description": "The endpoint of the vulnerability database to use." | ||
package_repository: | ||
type: object | ||
properties: | ||
url: | ||
type: string | ||
description: "The URL of the package repository to use." | ||
"description": "The package repository to use." | ||
sum_repository: | ||
type: object | ||
properties: | ||
url: | ||
type: string | ||
description: "The URL of the Go sum repository to use. Only used if the ecosystem is `go`." | ||
"description": "The Go sum repository to use." | ||
ingest: | ||
type: diff | ||
diff: | ||
type: new-dep | ||
ecosystems: | ||
- name: npm | ||
depfile: package-lock.json | ||
- name: go | ||
depfile: go.mod | ||
- name: pypi | ||
depfile: requirements.txt | ||
# Defines the configuration for evaluating data ingested against the given profile | ||
eval: | ||
type: rego | ||
rego: | ||
type: deny-by-default | ||
def: | | ||
package minder | ||
import rego.v1 | ||
default allow := false | ||
allow if { | ||
print("Input:", input) | ||
dep := input.ingested.deps[_] | ||
dep.dep.name == "dompurify" | ||
} | ||
# Defines the configuration for alerting on the rule | ||
alert: | ||
type: security_advisory | ||
security_advisory: {} |
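Review bot: The rego body under `allow if {` does not implement what either the commit title or the `description:` block says: it passes only when some newly added dependency is literally named `"dompurify"` and denies every other pull request, so neither vulnerable dependencies nor a high dependency count is what gets flagged. The `print("Input:", input)` line writes the entire evaluation input, including all ingested dependency data, to evaluator logs on every run and reads as leftover debugging. If a count threshold is the intent, something like `allow if { count(input.ingested.deps) <= max_new_deps }` with `max_new_deps` added as a numeric `rule_schema` property would match the title; the current schema only carries vulnerability-check settings and appears copied from another rule, which I infer from the text rather than anything verifiable here. The `name: pr_vulnerability_check` value likely needs renaming for the same reason, and the hard-coded package name and the print should be removed either way.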