diff --git a/profiles/github/artifacts/artifact-signature-extended.yaml b/profiles/github/artifacts/artifact-signature-extended.yaml
index 143fc7c..d9ca6f6 100644
--- a/profiles/github/artifacts/artifact-signature-extended.yaml
+++ b/profiles/github/artifacts/artifact-signature-extended.yaml
@@ -3,6 +3,7 @@
 version: v1
 type: profile
 name: artifact-signature-extended
+display_name: "Validate artifact signatures (against custom sigstore instance)"
 context:
   provider: github
 artifact:
diff --git a/profiles/github/artifacts/artifact-signature-simple.yaml b/profiles/github/artifacts/artifact-signature-simple.yaml
index 4566e3f..2cbdcd7 100644
--- a/profiles/github/artifacts/artifact-signature-simple.yaml
+++ b/profiles/github/artifacts/artifact-signature-simple.yaml
@@ -3,6 +3,7 @@
 version: v1
 type: profile
 name: artifact-signature-simple
+display_name: Validate artifact signatures
 context:
   provider: github
 artifact:
diff --git a/profiles/github/branch-protection.yaml b/profiles/github/branch-protection.yaml
index 68c8151..41f6646 100644
--- a/profiles/github/branch-protection.yaml
+++ b/profiles/github/branch-protection.yaml
@@ -3,6 +3,7 @@
 version: v1
 type: profile
 name: branch-protection-github-profile
+display_name: GitHub Branch Protection
 context:
   provider: github
 alert: "off"
diff --git a/profiles/github/dependabot_ghactions.yaml b/profiles/github/dependabot_ghactions.yaml
index a3854af..3d3301d 100644
--- a/profiles/github/dependabot_ghactions.yaml
+++ b/profiles/github/dependabot_ghactions.yaml
@@ -3,6 +3,7 @@
 version: v1
 type: profile
 name: dependabot-github-actions-github-profile
+display_name: Dependabot for GitHub Actions
 context:
   provider: github
 alert: "on"
diff --git a/profiles/github/dependabot_go.yaml b/profiles/github/dependabot_go.yaml
index 7d847fd..8b8913f 100644
--- a/profiles/github/dependabot_go.yaml
+++ b/profiles/github/dependabot_go.yaml
@@ -3,6 +3,7 @@
 version: v1
 type: profile
 name: dependabot-go-github-profile
+display_name: Dependabot for Go projects
 context:
   provider: github
 alert: "on"
diff --git a/profiles/github/dependabot_npm_docs.yaml b/profiles/github/dependabot_npm.yaml
similarity index 78%
rename from profiles/github/dependabot_npm_docs.yaml
rename to profiles/github/dependabot_npm.yaml
index f520070..2cffcf4 100644
--- a/profiles/github/dependabot_npm_docs.yaml
+++ b/profiles/github/dependabot_npm.yaml
@@ -3,6 +3,7 @@
 version: v1
 type: profile
 name: dependabot-npm-docs-github-profile
+display_name: Dependabot for JavaScript projects
 context:
   provider: github
 alert: "on"
@@ -12,4 +13,4 @@ repository:
     def:
       package_ecosystem: npm
       schedule_interval: daily
-      apply_if_file: docs/package.json
+      apply_if_file: package.json
diff --git a/profiles/github/dependabot_pip.yaml b/profiles/github/dependabot_pip.yaml
index aa87909..da37b25 100644
--- a/profiles/github/dependabot_pip.yaml
+++ b/profiles/github/dependabot_pip.yaml
@@ -3,6 +3,7 @@
 version: v1
 type: profile
 name: dependabot-pip-github-profile
+display_name: Dependabot for Python projects
 context:
   provider: github
 alert: "on"
diff --git a/profiles/github/dependencies.yaml b/profiles/github/dependencies.yaml
index bb0f934..5e126cd 100644
--- a/profiles/github/dependencies.yaml
+++ b/profiles/github/dependencies.yaml
@@ -1,8 +1,9 @@
 ---
-# Profile showing off feature settings for GitHub Advanced Security
+# Profile to help secure dependencies
 version: v1
 type: profile
 name: dependencies-github-profile
+display_name: Dependencies Security
 context:
   provider: github
 alert: "on"
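Review bot: The context line `name: dependabot-npm-docs-github-profile` still carries the old `-docs-` scope even though the file is renamed to dependabot_npm.yaml and the second hunk moves `apply_if_file` from docs/package.json to package.json, so the profile identifier no longer describes what the profile checks. `name: dependabot-npm-github-profile` would match the new file name and the added display_name. If the `name` is what already-deployed instances are referenced by, renaming it may need a migration note, which should be confirmed before changing it.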
@@ -37,3 +38,25 @@ pull_request:
     score: 5
   - name: pypi
     score: 5
+repository:
+  - type: dependabot_configured
+    name: dependabot_configured_go
+    displayName: "Dependabot is configured (for Go modules)"
+    def:
+      package_ecosystem: gomod
+      schedule_interval: daily
+      apply_if_file: go.mod
+  - type: dependabot_configured
+    name: dependabot_configured_npm
+    displayName: "Dependabot is configured (for JavaScript packages)"
+    def:
+      package_ecosystem: npm
+      schedule_interval: daily
+      apply_if_file: package.json
+  - type: dependabot_configured
+    name: dependabot_configured_pip
+    displayName: "Dependabot is configured (for Python packages)"
+    def:
+      package_ecosystem: pip
+      schedule_interval: daily
+      apply_if_file: requirements.txt
diff --git a/profiles/github/ghas.yaml b/profiles/github/ghas.yaml
index d13554a..409a3c1 100644
--- a/profiles/github/ghas.yaml
+++ b/profiles/github/ghas.yaml
@@ -3,6 +3,7 @@
 version: v1
 type: profile
 name: ghas-profile
+display_name: GitHub Advanced Security settings
 context:
   provider: github
 alert: "on"
diff --git a/profiles/github/homoglyphs.yaml b/profiles/github/homoglyphs.yaml
index 1f8c674..51a99f3 100644
--- a/profiles/github/homoglyphs.yaml
+++ b/profiles/github/homoglyphs.yaml
@@ -1,6 +1,7 @@
 version: v1
 type: profile
 name: homoglyphs-github-profile
+display_name: Identify homoglyphs in pull requests
 context:
   provider: github
 alert: "off"
diff --git a/profiles/github/profile.yaml b/profiles/github/profile.yaml
index f0fb6bb..b271100 100644
--- a/profiles/github/profile.yaml
+++ b/profiles/github/profile.yaml
@@ -3,6 +3,7 @@
 version: v1
 type: profile
 name: acme-github-profile
+display_name: Sample Profile
 context:
   provider: github
 alert: "on"
diff --git a/profiles/github/repo_security.yaml b/profiles/github/repo_security.yaml
new file mode 100644
index 0000000..6bf63d3
--- /dev/null
+++ b/profiles/github/repo_security.yaml
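Review bot: The three `dependabot_configured` rules added under `repository:` duplicate the standalone dependabot_go.yaml, dependabot_npm.yaml and dependabot_pip.yaml profiles touched in this same commit (the npm profile carries the identical `package_ecosystem: npm` / `apply_if_file: package.json` pair), so the two copies will drift unless someone keeps them aligned; a comment above `repository:` such as `# keep in sync with profiles/github/dependabot_*.yaml` would at least make that explicit. The pip rule keys on `apply_if_file: requirements.txt`, so a Python repository that declares its dependencies only in pyproject.toml or a Pipfile would presumably never be evaluated by it, which is worth either a second rule or a comment stating the limitation. The rule entries use `displayName` while the profile-level field introduced across this commit is `display_name`; if both spellings are fixed by the schema that is fine, but it reads as an inconsistency.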
@@ -0,0 +1,21 @@
+---
+# Profile ensuring that repository settings are configured
+version: v1
+type: profile
+name: repository-github-profile
+display_name: Repository Security
+context:
+  provider: github
+alert: "on"
+remediate: "off"
+repository:
+  - type: secret_scanning
+    def:
+      enabled: true
+  - type: secret_push_protection
+    def:
+      enabled: true
+  - type: codeql_enabled
+    def:
+      languages: [go, javascript, typescript]
+      schedule_interval: '30 4-6 * * *'
diff --git a/profiles/github/stacklok-health-check.yaml b/profiles/github/stacklok-health-check.yaml
index 0831337..c245399 100644
--- a/profiles/github/stacklok-health-check.yaml
+++ b/profiles/github/stacklok-health-check.yaml
@@ -3,6 +3,7 @@
 version: v1
 type: profile
 name: stacklok-health-check
+display_name: Stacklok Health Check
 context:
   provider: github
 alert: "off"
diff --git a/profiles/github/stacklok-profile-remediate.yaml b/profiles/github/stacklok-profile-remediate.yaml
index bdeacf0..adba3b2 100644
--- a/profiles/github/stacklok-profile-remediate.yaml
+++ b/profiles/github/stacklok-profile-remediate.yaml
@@ -3,6 +3,7 @@
 version: v1
 type: profile
 name: stacklok-remediate-profile
+display_name: Stacklok example remedation profile
 context:
   provider: github
 alert: "off"
@@ -26,7 +27,7 @@ repository:
   - type: default_workflow_permissions
     def:
       default_workflow_permissions: read
-      can_approve_pull_request_reviews: true
+      can_approve_pull_request_reviews: false
   - type: dockerfile_no_latest_tag
     def: {}
   - type: branch_protection_enabled
diff --git a/profiles/github/trivy.yaml b/profiles/github/trivy.yaml
index c5675f5..625ef17 100644
--- a/profiles/github/trivy.yaml
+++ b/profiles/github/trivy.yaml
@@ -3,6 +3,7 @@
 version: v1
 type: profile
 name: trivy-github-profile
+display_name: Trivy action is enabled
 context:
   provider: github
 alert: "on"
diff --git a/profiles/github/workflow_security.yaml b/profiles/github/workflow_security.yaml
index 8dae00f..2f3f33a 100644
--- a/profiles/github/workflow_security.yaml
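Review bot: The header comment `# Profile ensuring that repository settings are configured` in the new repo_security.yaml does not say which settings, and the `codeql_enabled` rule hard-codes `languages: [go, javascript, typescript]`, so a repository written in any other language is presumably evaluated against a language list it does not use. A header such as `# Profile ensuring secret scanning, secret push protection and CodeQL (Go/JavaScript/TypeScript) are enabled on the repository` would state the scope up front. With `remediate: "off"` the profile appears to only report these settings rather than enable them; a one-line comment above that key saying so would save the next reader a check against the rule definitions.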
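Review bot: The added `display_name: Stacklok example remedation profile` in stacklok-profile-remediate.yaml misspells the word in what is a user-facing label; it should read `display_name: Stacklok example remediation profile`. The second hunk of the same file, which flips `can_approve_pull_request_reviews` to `false`, brings this example in line with the value workflow_security.yaml already carries and needs no further change.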
+++ b/profiles/github/workflow_security.yaml
@@ -3,6 +3,7 @@
 version: v1
 type: profile
 name: workflow-security-github-profile
+display_name: GitHub Actions workflow security
 context:
   provider: github
 alert: "on"
@@ -16,3 +17,7 @@ repository:
     def:
       default_workflow_permissions: read
       can_approve_pull_request_reviews: false
+  - type: dependabot_configured
+    def:
+      package_ecosystem: github-actions
+      schedule_interval: daily
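Review bot: The new `dependabot_configured` rule at the end of workflow_security.yaml has no `apply_if_file` condition, unlike the gomod/npm/pip rules added to dependencies.yaml in this commit, so a repository with no GitHub Actions workflows at all would presumably still be reported for lacking a `github-actions` Dependabot entry. If that is the intended scope, a comment above the new rule such as `# applies to every repository: Actions referenced from workflows are expected to be kept updated by Dependabot` would record it; otherwise an `apply_if_file` condition scoped to a workflow file, if the rule supports that, would narrow it. The enclosing `repository:` list starts before this hunk.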