Merge pull request #80 from stacklok/ethomson/displaynames

Some tweaks to sample profiles

profiles/github/artifacts/artifact-signature-extended.yaml

@@ -3,6 +3,7 @@
 version: v1
 type: profile
 name: artifact-signature-extended
+display_name: "Validate artifact signatures (against custom sigstore instance)"
 context:
   provider: github
 artifact:

profiles/github/artifacts/artifact-signature-simple.yaml

@@ -3,6 +3,7 @@
 version: v1
 type: profile
 name: artifact-signature-simple
+display_name: Validate artifact signatures
 context:
   provider: github
 artifact:

profiles/github/branch-protection.yaml

@@ -3,6 +3,7 @@
 version: v1
 type: profile
 name: branch-protection-github-profile
+display_name: GitHub Branch Protection
 context:
   provider: github
 alert: "off"

profiles/github/dependabot_ghactions.yaml

@@ -3,6 +3,7 @@
 version: v1
 type: profile
 name: dependabot-github-actions-github-profile
+display_name: Dependabot for GitHub Actions
 context:
   provider: github
 alert: "on"

profiles/github/dependabot_go.yaml

@@ -3,6 +3,7 @@
 version: v1
 type: profile
 name: dependabot-go-github-profile
+display_name: Dependabot for Go projects
 context:
   provider: github
 alert: "on"

profiles/github/dependabot_npm_docs.yaml → profiles/github/dependabot_npm.yaml

@@ -3,6 +3,7 @@
 version: v1
 type: profile
 name: dependabot-npm-docs-github-profile
+display_name: Dependabot for JavaScript projects
 context:
   provider: github
 alert: "on"
@@ -12,4 +13,4 @@ repository:
     def:
       package_ecosystem: npm
       schedule_interval: daily
-      apply_if_file: docs/package.json
+      apply_if_file: package.json

profiles/github/dependabot_pip.yaml

@@ -3,6 +3,7 @@
 version: v1
 type: profile
 name: dependabot-pip-github-profile
+display_name: Dependabot for Python projects
 context:
   provider: github
 alert: "on"

profiles/github/dependencies.yaml

@@ -1,8 +1,9 @@
 ---
-# Profile showing off feature settings for GitHub Advanced Security
+# Profile to help secure dependencies
 version: v1
 type: profile
 name: dependencies-github-profile
+display_name: Dependencies Security
 context:
   provider: github
 alert: "on"
@@ -37,3 +38,25 @@ pull_request:
           score: 5
         - name: pypi
           score: 5
+repository:
+  - type: dependabot_configured
+    name: dependabot_configured_go
+    displayName: "Dependabot is configured (for Go modules)"
+    def:
+      package_ecosystem: gomod
+      schedule_interval: daily
+      apply_if_file: go.mod
+  - type: dependabot_configured
+    name: dependabot_configured_npm
+    displayName: "Dependabot is configured (for JavaScript packages)"
+    def:
+      package_ecosystem: npm
+      schedule_interval: daily
+      apply_if_file: package.json
+  - type: dependabot_configured
+    name: dependabot_configured_pip
+    displayName: "Dependabot is configured (for Python packages)"
+    def:
+      package_ecosystem: pip
+      schedule_interval: daily
+      apply_if_file: requirements.txt

profiles/github/ghas.yaml

@@ -3,6 +3,7 @@
 version: v1
 type: profile
 name: ghas-profile
+display_name: GitHub Advanced Security settings
 context:
   provider: github
 alert: "on"

profiles/github/homoglyphs.yaml

@@ -1,6 +1,7 @@
 version: v1
 type: profile
 name: homoglyphs-github-profile
+display_name: Identify homoglyphs in pull requests
 context:
   provider: github
 alert: "off"

profiles/github/profile.yaml

@@ -3,6 +3,7 @@
 version: v1
 type: profile
 name: acme-github-profile
+display_name: Sample Profile
 context:
   provider: github
 alert: "on"

profiles/github/repo_security.yaml

@@ -0,0 +1,21 @@
+---
+# Profile ensuring that repository settings are configured
+version: v1
+type: profile
+name: repository-github-profile
+display_name: Repository Security
+context:
+  provider: github
+alert: "on"
+remediate: "off"
+repository:
+  - type: secret_scanning
+    def:
+      enabled: true
+  - type: secret_push_protection
+    def:
+      enabled: true
+  - type: codeql_enabled
+    def:
+      languages: [go, javascript, typescript]
+      schedule_interval: '30 4-6 * * *'

profiles/github/stacklok-health-check.yaml

@@ -3,6 +3,7 @@
 version: v1
 type: profile
 name: stacklok-health-check
+display_name: Stacklok Health Check
 context:
   provider: github
 alert: "off"

profiles/github/stacklok-profile-remediate.yaml

@@ -3,6 +3,7 @@
 version: v1
 type: profile
 name: stacklok-remediate-profile
+display_name: Stacklok example remedation profile
 context:
   provider: github
 alert: "off"
@@ -26,7 +27,7 @@ repository:
   - type: default_workflow_permissions
     def:
       default_workflow_permissions: read
-      can_approve_pull_request_reviews: true
+      can_approve_pull_request_reviews: false
   - type: dockerfile_no_latest_tag
     def: {}
   - type: branch_protection_enabled

profiles/github/trivy.yaml

@@ -3,6 +3,7 @@
 version: v1
 type: profile
 name: trivy-github-profile
+display_name: Trivy action is enabled
 context:
   provider: github
 alert: "on"

profiles/github/workflow_security.yaml

@@ -3,6 +3,7 @@
 version: v1
 type: profile
 name: workflow-security-github-profile
+display_name: GitHub Actions workflow security
 context:
   provider: github
 alert: "on"
@@ -16,3 +17,7 @@ repository:
     def:
       default_workflow_permissions: read
       can_approve_pull_request_reviews: false
+  - type: dependabot_configured
+    def:
+      package_ecosystem: github-actions
+      schedule_interval: daily