From 5b81d16bd4de73d6dcd5bfdea07660fc7499cd6e Mon Sep 17 00:00:00 2001
From: Edward Thomson
Date: Mon, 8 Apr 2024 16:54:30 +0200
Subject: [PATCH 1/2] Update the names in the health check profile

Update the names in the health check profile to be more descriptive.
---
 profiles/github/stacklok-health-check.yaml | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/profiles/github/stacklok-health-check.yaml b/profiles/github/stacklok-health-check.yaml
index c245399..d5374a3 100644
--- a/profiles/github/stacklok-health-check.yaml
+++ b/profiles/github/stacklok-health-check.yaml
@@ -10,6 +10,7 @@ alert: "off"
 remediate: "off"
 repository:
   - type: actions_check_pinned_tags
+    name: "Actions workflows reference pinned tags"
     def:
       exclude:
         # generator_generic_slsa3 does not support pinning and will fail to retrieve the
@@ -17,51 +18,59 @@ repository:
         # See https://github.com/slsa-framework/slsa-github-generator/issues/2993
         - slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
   - type: branch_protection_allow_force_pushes
+    name: "Branch protection disallows force pushes"
     def:
       allow_force_pushes: false
     params:
       branch: ""
   - type: branch_protection_require_pull_request_dismiss_stale_reviews
+    name: "Branch protection dismisses stale reviews on PR"
     def:
       dismiss_stale_reviews: true
     params:
       branch: ""
   - type: default_workflow_permissions
+    name: "GitHub Actions workflows have limit permissions"
     def:
       default_workflow_permissions: read
       can_approve_pull_request_reviews: false
   - type: dependabot_configured
-    name: go_dependabot
+    name: "Dependabot configured for Go projects"
     def:
       package_ecosystem: gomod
       schedule_interval: ""
       apply_if_file: go.mod
   - type: dependabot_configured
-    name: npm_dependabot
+    name: "Dependabot configured for JavaScript projects"
     def:
       package_ecosystem: npm
       schedule_interval: ""
       apply_if_file: package.json
   - type: dependabot_configured
-    name: pypi_dependabot
+    name: "Dependabot configured for Python projects"
     def:
       package_ecosystem: pypi
       schedule_interval: ""
       apply_if_file: requirements.txt
   - type: dockerfile_no_latest_tag
+    name: "Dockerfile references a specific tags"
     def: {}
   - type: secret_push_protection
+    name: "Secret push protection is enabled"
     def:
       enabled: true
       skip_private_repos: true
-  - type: "secret_scanning"
+  - type: secret_scanning
+    name: "Secret scanning is enabled"
     def:
       enabled: true
       skip_private_repos: true
 pull_request:
   - type: invisible_characters_check
+    name: "Pull requests do not introduce invisible characters"
     def: {}
     params: {}
   - type: mixed_scripts_check
+    name: "Pull requests do not introduce mixed scripts"
     def: {}
     params: {}

From c57183d79fad08e5a3e71f38ab7bd366e6763885 Mon Sep 17 00:00:00 2001
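Review bot: Two of the new display names in this hunk read wrong: `name: "GitHub Actions workflows have limit permissions"` should be `name: "GitHub Actions workflows have limited permissions"` (the def below it sets `default_workflow_permissions: read` and `can_approve_pull_request_reviews: false`, i.e. a restricted token), and `name: "Dockerfile references a specific tags"` should be `name: "Dockerfile references a specific tag"` or, closer to what `dockerfile_no_latest_tag` checks, `name: "Dockerfile does not use the latest tag"`. The three `dependabot_configured` entries share one type and were previously told apart only by the short identifiers `go_dependabot`/`npm_dependabot`/`pypi_dependabot`; if the consumer keys per-rule evaluation or remediation state on this `name`, replacing them with prose strings containing spaces is effectively a rename of those rule instances, so confirm that existing status records are migrated or are acceptable to lose. A one-line comment above the first rule stating that `name` is a human-readable label, and whether it must be unique per rule type, would make the intent clear to the next person editing this profile.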
From: Edward Thomson
Date: Tue, 9 Apr 2024 09:14:34 +0200
Subject: [PATCH 2/2] Remove

---
 profiles/github/stacklok-health-check.yaml | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/profiles/github/stacklok-health-check.yaml b/profiles/github/stacklok-health-check.yaml
index d5374a3..e99f780 100644
--- a/profiles/github/stacklok-health-check.yaml
+++ b/profiles/github/stacklok-health-check.yaml
@@ -65,12 +65,3 @@ repository:
     def:
       enabled: true
       skip_private_repos: true
-pull_request:
-  - type: invisible_characters_check
-    name: "Pull requests do not introduce invisible characters"
-    def: {}
-    params: {}
-  - type: mixed_scripts_check
-    name: "Pull requests do not introduce mixed scripts"
-    def: {}
-    params: {}