Merge pull request #127 from stacklok/scorecard-action

Scorecard action
mindersec · Jul 25, 2024 · 17c5553 · 17c5553
2 parents 9ba25f2 + 582dbec
commit 17c5553
Show file tree

Hide file tree

Showing 2 changed files with 163 additions and 0 deletions.
diff --git a/profiles/github/scorecard-action.yaml b/profiles/github/scorecard-action.yaml
@@ -0,0 +1,17 @@
+---
+# Provisioning configuration for the OpenSSF Scorecard Action
+version: v1
+type: profile
+name: scorecard-action-profile
+display_name: OpenSSF Scorecard Action
+context:
+  provider: github
+alert: "off"
+remediate: "on"
+repository:
+  - type: scorecard_enabled
+    def:
+      schedule_interval: "30 4-6 * * *" # Run every day between 4-6am
+      publish_results: true
+      retention_days: 5
+      sarif_file: "results.sarif"
diff --git a/rule-types/github/scorecard_enabled.yaml b/rule-types/github/scorecard_enabled.yaml
@@ -0,0 +1,146 @@
+---
+version: v1
+type: rule-type
+name: scorecard_enabled
+severity:
+  value: medium
+context:
+  provider: github
+description: Verifies that Scorecard action is present and configured
+guidance: |
+  Ensure that Scorecard Action is configured and enabled for the repository.
+
+  Scorecard is a tool by the OpenSSF that can be used to analyze repositories 
+  for security best practises.
+
+  For more information, see
+  https://scorecard.dev/
+def:
+  # Defines the section of the pipeline the rule will appear in.
+  # This will affect the template used to render multiple parts
+  # of the rule.
+  in_entity: repository
+  # Defines the schema for writing a rule with this rule being checked
+  rule_schema:
+    type: object
+    properties:
+      languages:
+        type: array
+        items:
+          type: string
+        description: |
+          Only applicable for remediation.
+        default: []
+      schedule_interval:
+        type: string
+        description: |
+          Sets the schedule interval in cron format for the workflow. Only applicable for remediation.
+      publish_results:
+        type: boolean
+        description: |
+          Publish the results of the analysis.
+        default: true
+      retention_days:
+        type: integer
+        description: |
+          Number of days to retain the SARIF file.
+        default: 5
+      sarif_file:
+        type: string
+        description: |
+          Name of the SARIF file.
+        default: "results.sarif"
+    required:
+      - schedule_interval
+      - publish_results
+  # Defines the configuration for ingesting data relevant for the rule
+  ingest:
+    type: git
+    git: {}
+  # Defines the configuration for evaluating data ingested against the given profile
+  eval:
+    type: rego
+    rego:
+      type: deny-by-default
+      def: |
+        package minder
+
+        default allow := false
+
+        allow {
+            # List all workflows
+            workflows := file.ls("./.github/workflows")
+
+            # Read all workflows
+            some w
+            workflowstr := file.read(workflows[w])
+
+            workflow := yaml.unmarshal(workflowstr)
+
+            # Ensure a workflow contains the codel-ql action
+            some i
+            steps := workflow.jobs.analyze.steps[i]
+            startswith(steps.uses, "ossf/scorecard-action@")
+        }
+  remediate:
+    type: pull_request
+    pull_request:
+      title: "Add Scorecard Action"
+      body: |
+        This is a Minder automated pull request.
+        
+        This pull request adds a Scorecard Action workflow to the repository.
+        
+        For more information, see: https://github.com/ossf/scorecard-action
+      contents:
+        - path: .github/workflows/scorecard-analysis.yml
+          action: replace
+          content: |
+            # Adapted from https://raw.githubusercontent.com/ossf/scorecard/main/.github/workflows/scorecard-analysis.yml
+            name: Scorecard analysis workflow
+            on:
+              workflow_dispatch:
+              push:
+                branches: [ "main" ]
+              schedule:
+                - cron: '{{ .Profile.schedule_interval }}'
+            jobs:
+              analyze:
+                name: Scorecard analysis
+                runs-on: ubuntu-latest
+                permissions:
+                  # Needed for Code scanning upload
+                  security-events: write
+                  # Needed for GitHub OIDC token if publish_results is true
+                  id-token: write
+
+                steps:
+                  - name: "Checkout code"
+                    uses: actions/checkout@v3
+                  
+                  - name: "Run analysis"
+                    uses: ossf/[email protected]
+                    with:
+                      results_file: '{{ .Profile.sarif_file }}'
+                      results_format: sarif
+                      publish_results: '{{ .Profile.publish_results }}'
+
+                  # Upload the results as artifacts (optional). Commenting out will disable
+                  # uploads of run results in SARIF format to the repository Actions tab.
+                  # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
+                  - name: "Upload artifact"
+                    uses: actions/[email protected]
+                    with:
+                      name: SARIF file
+                      path: '{{ .Profile.sarif_file }}'
+                      retention-days: '{{ .Profile.retention_days }}'
+                  # Upload the results to GitHub's code scanning dashboard (optional).
+                  # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+                  - name: "Upload to code-scanning"
+                    uses: github/codeql-action/[email protected]
+                    with:
+                      sarif_file: '{{ .Profile.sarif_file }}'
+  # Defines the configuration for alerting on the rule
+  alert:
+    type: security_advisory
+    security_advisory: {}