Add a ruletype that fails if no workflows contain pull_request

Having a workflow with a pull_request is indicative of having a CI/CD pipeline.
mindersec · Oct 24, 2024 · 19d0a2a · 19d0a2a
1 parent ddccb78
commit 19d0a2a
Show file tree

Hide file tree

Showing 15 changed files with 232 additions and 0 deletions.
diff --git a/rule-types/github/workflow_pull_request.test.yaml b/rule-types/github/workflow_pull_request.test.yaml
@@ -0,0 +1,49 @@
+tests:
+  - name: "Has a pull_request event"
+    def: {}
+    params: {}
+    expect: "pass"
+    git:
+      repo_base: "has_pull_request_direct"
+  - name: "Does not have a pull_request event"
+    def: {}
+    params: {}
+    expect: "fail"
+    git:
+      repo_base: "does_not_have_pull_request_array"
+  - name: "Has a pull_request event in an array"
+    def: {}
+    params: {}
+    expect: "pass"
+    git:
+      repo_base: "has_pull_request_array"
+  - name: "Does not have a pull_request event in an array"
+    def: {}
+    params: {}
+    expect: "fail"
+    git:
+      repo_base: "does_not_have_pull_request_array"
+  - name: "Has a pull_request event in an object"
+    def: {}
+    params: {}
+    expect: "pass"
+    git:
+      repo_base: "has_pull_request_object"
+  - name: "Does not have a pull_request event in an object"
+    def: {}
+    params: {}
+    expect: "fail"
+    git:
+      repo_base: "does_not_have_pull_request_object"
+  - name: "None of multiple workflows have a pull_request event"
+    def: {}
+    params: {}
+    expect: "fail"
+    git:
+      repo_base: "does_not_have_pull_request_multiple"
+  - name: "One of multiple workflows has a pull_request event"
+    def: {}
+    params: {}
+    expect: "pass"
+    git:
+      repo_base: "has_pull_request_multiple"
diff --git a/...thub/workflow_pull_request.testdata/does_not_have_pull_request/.github/workflows/bad.yaml b/...thub/workflow_pull_request.testdata/does_not_have_pull_request/.github/workflows/bad.yaml
@@ -0,0 +1,11 @@
+# INSECURE. Provided as an example only.
+on: push
+
+jobs:
+  build:
+    name: Build and test
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+      with:
+        ref: ${{ github.event.pull_request.head.sha }}
diff --git a/...orkflow_pull_request.testdata/does_not_have_pull_request_array/.github/workflows/bad.yaml b/...orkflow_pull_request.testdata/does_not_have_pull_request_array/.github/workflows/bad.yaml
@@ -0,0 +1,11 @@
+# INSECURE. Provided as an example only.
+on:
+  - push
+  - release
+
+jobs:
+  build:
+    name: Build and test
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
diff --git a/...ull_request.testdata/does_not_have_pull_request_multiple/.github/workflows/bad-array.yaml b/...ull_request.testdata/does_not_have_pull_request_multiple/.github/workflows/bad-array.yaml
@@ -0,0 +1,11 @@
+# INSECURE. Provided as an example only.
+on:
+  - push
+  - release
+
+jobs:
+  build:
+    name: Build and test
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
diff --git a/...ll_request.testdata/does_not_have_pull_request_multiple/.github/workflows/bad-direct.yaml b/...ll_request.testdata/does_not_have_pull_request_multiple/.github/workflows/bad-direct.yaml
@@ -0,0 +1,11 @@
+# INSECURE. Provided as an example only.
+on: push
+
+jobs:
+  build:
+    name: Build and test
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+      with:
+        ref: ${{ github.event.pull_request.head.sha }}
diff --git a/...ll_request.testdata/does_not_have_pull_request_multiple/.github/workflows/bad-object.yaml b/...ll_request.testdata/does_not_have_pull_request_multiple/.github/workflows/bad-object.yaml
@@ -0,0 +1,9 @@
+on:
+  push:
+    branches: [master]
+  workflow_dispatch:
+    inputs:
+      logLevel:
+        description: 'Log level'
+        required: true
+        default: 'warning'
diff --git a/...rkflow_pull_request.testdata/does_not_have_pull_request_object/.github/workflows/bad.yaml b/...rkflow_pull_request.testdata/does_not_have_pull_request_object/.github/workflows/bad.yaml
@@ -0,0 +1,9 @@
+on:
+  push:
+    branches: [master]
+  workflow_dispatch:
+    inputs:
+      logLevel:
+        description: 'Log level'
+        required: true
+        default: 'warning'
diff --git a/.../github/workflow_pull_request.testdata/has_pull_request_array/.github/workflows/good.yaml b/.../github/workflow_pull_request.testdata/has_pull_request_array/.github/workflows/good.yaml
@@ -0,0 +1,13 @@
+# INSECURE. Provided as an example only.
+on:
+  - push
+  - pull_request
+
+jobs:
+  build:
+    name: Build and test
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+      with:
+        ref: ${{ github.event.pull_request.head.sha }}
diff --git a/...github/workflow_pull_request.testdata/has_pull_request_direct/.github/workflows/good.yaml b/...github/workflow_pull_request.testdata/has_pull_request_direct/.github/workflows/good.yaml
@@ -0,0 +1,12 @@
+# INSECURE. Provided as an example only.
+on:
+  pull_request
+
+jobs:
+  build:
+    name: Build and test
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+      with:
+        ref: ${{ github.event.pull_request.head.sha }}
diff --git a/...workflow_pull_request.testdata/has_pull_request_multiple/.github/workflows/bad-array.yaml b/...workflow_pull_request.testdata/has_pull_request_multiple/.github/workflows/bad-array.yaml
@@ -0,0 +1,11 @@
+# INSECURE. Provided as an example only.
+on:
+  - push
+  - release
+
+jobs:
+  build:
+    name: Build and test
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
diff --git a/...orkflow_pull_request.testdata/has_pull_request_multiple/.github/workflows/bad-direct.yaml b/...orkflow_pull_request.testdata/has_pull_request_multiple/.github/workflows/bad-direct.yaml
@@ -0,0 +1,11 @@
+# INSECURE. Provided as an example only.
+on: push
+
+jobs:
+  build:
+    name: Build and test
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+      with:
+        ref: ${{ github.event.pull_request.head.sha }}
diff --git a/...orkflow_pull_request.testdata/has_pull_request_multiple/.github/workflows/bad-object.yaml b/...orkflow_pull_request.testdata/has_pull_request_multiple/.github/workflows/bad-object.yaml
@@ -0,0 +1,9 @@
+on:
+  push:
+    branches: [master]
+  workflow_dispatch:
+    inputs:
+      logLevel:
+        description: 'Log level'
+        required: true
+        default: 'warning'
diff --git a/...thub/workflow_pull_request.testdata/has_pull_request_multiple/.github/workflows/good.yaml b/...thub/workflow_pull_request.testdata/has_pull_request_multiple/.github/workflows/good.yaml
@@ -0,0 +1,5 @@
+on:
+  push:
+    branches: [master]
+  pull_request:
+    types: [opened, synchronize]
diff --git a/...github/workflow_pull_request.testdata/has_pull_request_object/.github/workflows/good.yaml b/...github/workflow_pull_request.testdata/has_pull_request_object/.github/workflows/good.yaml
@@ -0,0 +1,5 @@
+on:
+  push:
+    branches: [master]
+  pull_request:
+    types: [opened, synchronize]
diff --git a/rule-types/github/workflow_pull_request.yaml b/rule-types/github/workflow_pull_request.yaml
@@ -0,0 +1,55 @@
+---
+version: v1
+release_phase: beta
+type: rule-type
+name: workflow_pull_request
+display_name: Ensure there exists a GitHub Actions workflow that uses the pull_request event
+short_failure_message: GitHub Actions workflows do not use the pull_request event
+severity:
+  value: high
+context:
+  provider: github
+description: |
+  Alerts if there are no GitHub Actions workflows that use the pull_request event.
+
+  Workflows that use the pull_request event are often used to run e.g. CI/CD
+  pipelines and are indicators of a healthy repository.
+guidance: |
+  Ensure that there exists at least one GitHub Actions workflow that uses the
+  pull_request event.
+def:
+  in_entity: repository
+  rule_schema:
+    type: object
+  ingest:
+    type: git
+    git: {}
+  eval:
+    type: rego
+    rego:
+      type: deny-by-default
+      def: |
+        package minder
+
+        import future.keywords.if
+
+        # List all workflows
+        workflows := file.ls("./.github/workflows")
+
+        # Read all workflows and check for pull_request trigger
+        allow if {
+            some w
+
+            # Read the workflow file
+            workflowstr := file.read(workflows[w])
+            parsed := parse_yaml(workflowstr)
+            print(parsed)
+
+            jq_query := ".on | (type == \"string\" and . == \"pull_request\") or (type == \"object\" and has(\"pull_request\")) or (type == \"array\" and any(.[]; . == \"pull_request\"))"
+
+            jq.is_true(parsed, jq_query)
+        }
+  # Defines the configuration for alerting on the rule
+  alert:
+    type: security_advisory
+    security_advisory: {}