From 5d144bbafec7cd30e31e22cab5719a9b8102b6e9 Mon Sep 17 00:00:00 2001 From: Edward Thomson Date: Fri, 5 Apr 2024 09:29:47 +0100 Subject: [PATCH 1/6] Introduce display names for profiles --- profiles/github/artifacts/artifact-signature-extended.yaml | 1 + profiles/github/artifacts/artifact-signature-simple.yaml | 1 + profiles/github/branch-protection.yaml | 1 + profiles/github/dependabot_ghactions.yaml | 1 + profiles/github/dependabot_go.yaml | 1 + profiles/github/dependabot_npm_docs.yaml | 1 + profiles/github/dependabot_pip.yaml | 1 + profiles/github/dependencies.yaml | 1 + profiles/github/ghas.yaml | 1 + profiles/github/homoglyphs.yaml | 1 + profiles/github/profile.yaml | 1 + profiles/github/stacklok-health-check.yaml | 1 + profiles/github/stacklok-profile-remediate.yaml | 1 + profiles/github/trivy.yaml | 1 + profiles/github/workflow_security.yaml | 1 + 15 files changed, 15 insertions(+) diff --git a/profiles/github/artifacts/artifact-signature-extended.yaml b/profiles/github/artifacts/artifact-signature-extended.yaml index 143fc7c..d9ca6f6 100644 --- a/profiles/github/artifacts/artifact-signature-extended.yaml +++ b/profiles/github/artifacts/artifact-signature-extended.yaml @@ -3,6 +3,7 @@ version: v1 type: profile name: artifact-signature-extended +display_name: "Validate artifact signatures (against custom sigstore instance)" context: provider: github artifact: diff --git a/profiles/github/artifacts/artifact-signature-simple.yaml b/profiles/github/artifacts/artifact-signature-simple.yaml index 4566e3f..2cbdcd7 100644 --- a/profiles/github/artifacts/artifact-signature-simple.yaml +++ b/profiles/github/artifacts/artifact-signature-simple.yaml @@ -3,6 +3,7 @@ version: v1 type: profile name: artifact-signature-simple +display_name: Validate artifact signatures context: provider: github artifact: diff --git a/profiles/github/branch-protection.yaml b/profiles/github/branch-protection.yaml index 68c8151..41f6646 100644 --- a/profiles/github/branch-protection.yaml 
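Review bot: The new `display_name` in artifact-signature-extended.yaml is double-quoted while the `display_name` added to the other fourteen profiles in this commit (artifact-signature-simple.yaml through workflow_security.yaml) is a plain scalar, so the same key ends up with two quoting styles across the series. None of the plain values currently contains `: ` or ` #`, so they parse as intended, but a later edit that introduces either would silently change the mapping structure or truncate the name. Quoting all of them the same way, e.g. `display_name: 'Validate artifact signatures'`, keeps the files uniform and removes that edge; single quotes suffice since none of the values needs escape sequences.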
+++ b/profiles/github/branch-protection.yaml @@ -3,6 +3,7 @@ version: v1 type: profile name: branch-protection-github-profile +display_name: GitHub Branch Protection context: provider: github alert: "off" diff --git a/profiles/github/dependabot_ghactions.yaml b/profiles/github/dependabot_ghactions.yaml index a3854af..3d3301d 100644 --- a/profiles/github/dependabot_ghactions.yaml +++ b/profiles/github/dependabot_ghactions.yaml @@ -3,6 +3,7 @@ version: v1 type: profile name: dependabot-github-actions-github-profile +display_name: Dependabot for GitHub Actions context: provider: github alert: "on" diff --git a/profiles/github/dependabot_go.yaml b/profiles/github/dependabot_go.yaml index 7d847fd..8b8913f 100644 --- a/profiles/github/dependabot_go.yaml +++ b/profiles/github/dependabot_go.yaml @@ -3,6 +3,7 @@ version: v1 type: profile name: dependabot-go-github-profile +display_name: Dependabot for Go projects context: provider: github alert: "on" diff --git a/profiles/github/dependabot_npm_docs.yaml b/profiles/github/dependabot_npm_docs.yaml index f520070..b4c9413 100644 --- a/profiles/github/dependabot_npm_docs.yaml +++ b/profiles/github/dependabot_npm_docs.yaml @@ -3,6 +3,7 @@ version: v1 type: profile name: dependabot-npm-docs-github-profile +display_name: Dependabot for JavaScript projects context: provider: github alert: "on" diff --git a/profiles/github/dependabot_pip.yaml b/profiles/github/dependabot_pip.yaml index aa87909..da37b25 100644 --- a/profiles/github/dependabot_pip.yaml +++ b/profiles/github/dependabot_pip.yaml @@ -3,6 +3,7 @@ version: v1 type: profile name: dependabot-pip-github-profile +display_name: Dependabot for Python projects context: provider: github alert: "on" diff --git a/profiles/github/dependencies.yaml b/profiles/github/dependencies.yaml index bb0f934..e2fe2fc 100644 --- a/profiles/github/dependencies.yaml +++ b/profiles/github/dependencies.yaml 
@@ -3,6 +3,7 @@ version: v1 type: profile name: dependencies-github-profile +display_name: Dependencies Security context: provider: github alert: "on" diff --git a/profiles/github/ghas.yaml b/profiles/github/ghas.yaml index d13554a..409a3c1 100644 --- a/profiles/github/ghas.yaml +++ b/profiles/github/ghas.yaml @@ -3,6 +3,7 @@ version: v1 type: profile name: ghas-profile +display_name: GitHub Advanced Security settings context: provider: github alert: "on" diff --git a/profiles/github/homoglyphs.yaml b/profiles/github/homoglyphs.yaml index 1f8c674..51a99f3 100644 --- a/profiles/github/homoglyphs.yaml +++ b/profiles/github/homoglyphs.yaml @@ -1,6 +1,7 @@ version: v1 type: profile name: homoglyphs-github-profile +display_name: Identify homoglyphs in pull requests context: provider: github alert: "off" diff --git a/profiles/github/profile.yaml b/profiles/github/profile.yaml index f0fb6bb..b271100 100644 --- a/profiles/github/profile.yaml +++ b/profiles/github/profile.yaml @@ -3,6 +3,7 @@ version: v1 type: profile name: acme-github-profile +display_name: Sample Profile context: provider: github alert: "on" diff --git a/profiles/github/stacklok-health-check.yaml b/profiles/github/stacklok-health-check.yaml index 0831337..c245399 100644 --- a/profiles/github/stacklok-health-check.yaml +++ b/profiles/github/stacklok-health-check.yaml @@ -3,6 +3,7 @@ version: v1 type: profile name: stacklok-health-check +display_name: Stacklok Health Check context: provider: github alert: "off" diff --git a/profiles/github/stacklok-profile-remediate.yaml b/profiles/github/stacklok-profile-remediate.yaml index bdeacf0..9085e20 100644 --- a/profiles/github/stacklok-profile-remediate.yaml +++ b/profiles/github/stacklok-profile-remediate.yaml @@ -3,6 +3,7 @@ version: v1 type: profile name: stacklok-remediate-profile +display_name: Stacklok example remedation profile context: provider: github alert: "off" 
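Review bot: `display_name: Stacklok example remedation profile` in stacklok-profile-remediate.yaml misspells "remediation", and since this is the string users will see in listings it should read `display_name: Stacklok example remediation profile`. The profile's own `name` and the file name spell it correctly, so only the added line needs the fix.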
diff --git a/profiles/github/trivy.yaml b/profiles/github/trivy.yaml index c5675f5..625ef17 100644 --- a/profiles/github/trivy.yaml +++ b/profiles/github/trivy.yaml @@ -3,6 +3,7 @@ version: v1 type: profile name: trivy-github-profile +display_name: Trivy action is enabled context: provider: github alert: "on" diff --git a/profiles/github/workflow_security.yaml b/profiles/github/workflow_security.yaml index 8dae00f..c7cde64 100644 --- a/profiles/github/workflow_security.yaml +++ b/profiles/github/workflow_security.yaml @@ -3,6 +3,7 @@ version: v1 type: profile name: workflow-security-github-profile +display_name: GitHub Actions workflow security context: provider: github alert: "on" From 379abd07aac6137852ba8e27432e2dbcd9bd0d21 Mon Sep 17 00:00:00 2001 From: Edward Thomson Date: Fri, 5 Apr 2024 09:30:37 +0100 Subject: [PATCH 2/6] Dependabot (npm) profile should look for `package.json` Instead of looking for `docs/package.json`, we should be looking for `package.json`. The latter is more general. --- .../github/{dependabot_npm_docs.yaml => dependabot_npm.yaml} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename profiles/github/{dependabot_npm_docs.yaml => dependabot_npm.yaml} (89%) diff --git a/profiles/github/dependabot_npm_docs.yaml b/profiles/github/dependabot_npm.yaml similarity index 89% rename from profiles/github/dependabot_npm_docs.yaml rename to profiles/github/dependabot_npm.yaml index b4c9413..2cffcf4 100644 --- a/profiles/github/dependabot_npm_docs.yaml +++ b/profiles/github/dependabot_npm.yaml @@ -13,4 +13,4 @@ repository: def: package_ecosystem: npm schedule_interval: daily - apply_if_file: docs/package.json + apply_if_file: package.json From 14ba11380429c5845406f6f5f6c01ab8d4eadc5b Mon Sep 17 00:00:00 2001 
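Review bot: The profile's `name: dependabot-npm-docs-github-profile` (visible in the first commit of this series) still carries the `docs` suffix even though this commit renames the file to dependabot_npm.yaml and generalizes `apply_if_file` to `package.json`, so the identifier now contradicts what the profile matches. Renaming it to `name: dependabot-npm-github-profile` would line it up with the sibling `dependabot-go-github-profile` and `dependabot-pip-github-profile`. If the name is already referenced as a stable identifier by existing deployments, that rename is a breaking change and should be called out in the commit message. The rule's `- type: dependabot_configured` line and the rest of the `repository:` list are outside the hunk.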
From: Edward Thomson Date: Fri, 5 Apr 2024 09:31:23 +0100 Subject: [PATCH 3/6] Add Dependabot to workflow security (for actions) The workflow security profile could include Dependabot for actions as a useful rule type. --- profiles/github/workflow_security.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/profiles/github/workflow_security.yaml b/profiles/github/workflow_security.yaml index c7cde64..2f3f33a 100644 --- a/profiles/github/workflow_security.yaml +++ b/profiles/github/workflow_security.yaml @@ -17,3 +17,7 @@ repository: def: default_workflow_permissions: read can_approve_pull_request_reviews: false + - type: dependabot_configured + def: + package_ecosystem: github-actions + schedule_interval: daily From f9d3d6b3d62e389e6c57e57d77880c6ab25b4fc4 Mon Sep 17 00:00:00 2001 From: Edward Thomson Date: Fri, 5 Apr 2024 10:12:09 +0100 Subject: [PATCH 4/6] Don't allow actions to update PR Similar to #78, the default should be to _not_ allow actions to update pull requests. --- profiles/github/stacklok-profile-remediate.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/profiles/github/stacklok-profile-remediate.yaml b/profiles/github/stacklok-profile-remediate.yaml index 9085e20..adba3b2 100644 --- a/profiles/github/stacklok-profile-remediate.yaml +++ b/profiles/github/stacklok-profile-remediate.yaml @@ -27,7 +27,7 @@ repository: - type: default_workflow_permissions def: default_workflow_permissions: read - can_approve_pull_request_reviews: true + can_approve_pull_request_reviews: false - type: dockerfile_no_latest_tag def: {} - type: branch_protection_enabled From 14431f7520e7d8b68f928cac58c38cfaf27052dd Mon Sep 17 00:00:00 2001 From: Edward Thomson Date: Fri, 5 Apr 2024 10:20:30 +0100 Subject: [PATCH 5/6] Add dependabot to the dependencies profile --- profiles/github/dependencies.yaml | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) 
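Review bot: The `dependabot_configured` rule added to workflow_security.yaml has no `apply_if_file` condition, while every other `dependabot_configured` rule in this series is gated on a manifest (`go.mod`, `package.json`, `requirements.txt`), so this one presumably evaluates against repositories that have no GitHub Actions workflows at all and would alert on them. If the rule type accepts a directory path, gating on `.github/workflows` would restore parity; otherwise a comment such as `# Intentionally ungated: any repo is expected to have Dependabot watch its actions` would record that the difference is deliberate. The `repository:` list this appends to begins outside the hunk.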
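Review bot: Nothing in the remediate profile records why `can_approve_pull_request_reviews` is now `false`, even though the change brings it in line with workflow_security.yaml, which already sets `can_approve_pull_request_reviews: false` in its `default_workflow_permissions` rule. A comment above the line, `# false: a workflow's token must not be able to satisfy required pull request reviews`, would keep the next editor from reverting it as a convenience. The `default_workflow_permissions: read` line that precedes it is unchanged, and the rule list continues outside the hunk.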
diff --git a/profiles/github/dependencies.yaml b/profiles/github/dependencies.yaml index e2fe2fc..5e126cd 100644 --- a/profiles/github/dependencies.yaml +++ b/profiles/github/dependencies.yaml @@ -1,5 +1,5 @@ --- -# Profile showing off feature settings for GitHub Advanced Security +# Profile to help secure dependencies version: v1 type: profile name: dependencies-github-profile @@ -38,3 +38,25 @@ pull_request: score: 5 - name: pypi score: 5 +repository: + - type: dependabot_configured + name: dependabot_configured_go + displayName: "Dependabot is configured (for Go modules)" + def: + package_ecosystem: gomod + schedule_interval: daily + apply_if_file: go.mod + - type: dependabot_configured + name: dependabot_configured_npm + displayName: "Dependabot is configured (for JavaScript packages)" + def: + package_ecosystem: npm + schedule_interval: daily + apply_if_file: package.json + - type: dependabot_configured + name: dependabot_configured_pip + displayName: "Dependabot is configured (for Python packages)" + def: + package_ecosystem: pip + schedule_interval: daily + apply_if_file: requirements.txt From 12b104f7992fb9d1b9a04c8aaf0658d2e7a35b2e Mon Sep 17 00:00:00 2001 From: Edward Thomson Date: Fri, 5 Apr 2024 10:51:43 +0100 Subject: [PATCH 6/6] Add a repository security sample profile --- profiles/github/repo_security.yaml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 profiles/github/repo_security.yaml diff --git a/profiles/github/repo_security.yaml b/profiles/github/repo_security.yaml new file mode 100644 index 0000000..6bf63d3 --- /dev/null +++ b/profiles/github/repo_security.yaml 
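Review bot: The pip rule gates on `apply_if_file: requirements.txt` only, so Python repositories that declare dependencies in pyproject.toml or a Pipfile are skipped by this profile even though Dependabot's pip ecosystem covers those manifests; if `apply_if_file` accepts only a single path, a second `dependabot_configured` rule with `apply_if_file: pyproject.toml` would close that gap. Separately, the rule-level key is `displayName` while the profile-level key added in the first commit of this series is `display_name`; if both spellings are what the schema defines this is fine, but it is worth confirming the rule-level key is actually read rather than silently ignored. The `pull_request:` block above the new `repository:` section is outside the hunk.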
@@ -0,0 +1,21 @@ +--- +# Profile ensuring that repository settings are configured +version: v1 +type: profile +name: repository-github-profile +display_name: Repository Security +context: + provider: github +alert: "on" +remediate: "off" +repository: + - type: secret_scanning + def: + enabled: true + - type: secret_push_protection + def: + enabled: true + - type: codeql_enabled + def: + languages: [go, javascript, typescript] + schedule_interval: '30 4-6 * * *'
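Review bot: `schedule_interval: '30 4-6 * * *'` uses an hour range, so if the value is interpreted as cron the CodeQL schedule fires at 04:30, 05:30 and 06:30 every day rather than once; if a single daily run was intended, `schedule_interval: '30 4 * * *'` expresses that, and if the spread is deliberate a comment saying so would stop it being "fixed" later. The header comment `# Profile ensuring that repository settings are configured` overstates what the profile does, since `remediate: "off"` with `alert: "on"` only reports drift; `# Profile alerting when repository security settings (secret scanning, push protection, CodeQL) are not enabled` matches the rules below it. The flow-style `languages: [go, javascript, typescript]` is the only flow collection in this series, which is acceptable for a short leaf list.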