Baseline: Add dependency policy check
This commit adds a check to verify that the security insights file
has a dependency policy entry.

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
puerco committed Jul 26, 2024
1 parent f245d18 commit 404b749
Showing 2 changed files with 77 additions and 2 deletions.
11 changes: 9 additions & 2 deletions profiles/github/openssf_security_baseline.yaml
Expand Up @@ -30,6 +30,7 @@ repository:
def: {}

# (TODO) Credentials with minimal permissions
# TBD: https://github.com/stacklok/minder-rules-and-profiles/pull/126

# Check for a Security Insights file in the repo
- type: security_insights
Expand All @@ -38,7 +39,13 @@ repository:
def:
filename: SECURITY-INSIGHTS.yml

# (TODO) Dependency Policy published
# Dependency Policy published
# Check for an dependency policy entry in the security insights file.
- type: security_insights_dep_policy
name: security_insights_dep_policy
displayName: "Check for a dependency polcicy in the Security Insights file."
def:
filename: SECURITY-INSIGHTS.yml

# Pinned dependencies
# This rule tells Minder to run Frizbee (https://github.com/stacklok/frizbee/)
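Review bot: the new `security_insights_dep_policy` entry has a typo in its user-facing `displayName` ("polcicy") and a grammar slip in the comment above it ("an dependency policy"). Since `displayName` is rendered to users, suggest fixing both before merge: `# Check for a dependency policy entry in the security insights file.` and `displayName: "Check for a dependency policy in the Security Insights file."`.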
Expand All @@ -53,7 +60,7 @@ repository:
- slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml

# (TODO) Hardened Workflows

# Static code analysis: CodeQL
- type: codeql_enabled
def:
68 changes: 68 additions & 0 deletions rule-types/github/security_insights_dep_policy.yaml
@@ -0,0 +1,68 @@
---
version: v1
type: rule-type
name: security_insights_dep_policy
severity:
value: low
context:
provider: github
description: |
Parses the repository's `SECURITY_INSIGHTS.yaml` file and looks for a
pointer to a dependency policy.
[Security Insights](https://github.com/ossf/security-insights-spec/) is a
specification that lets projects publish data and pointers to resources about
the repository, maintainers, releases and other security aspects in a
machine-readable format to make it easy for automated tools to locate them.
This ruletype parses the security insights yaml and checks for a pointer to
the dependencies policy (`policy-url`). No attempt to retrieve it is done.
guidance: |
If you have a security insights file (defaults to `SECURITY-INSIGHTS.yml`),
ensure that the dependency policy field is defined
(`dependencies.env-dependencies-policy.policy-url`).
For more information on how to create one, refer to the SI specification at
https://github.com/ossf/security-insights-spec/
def:
# Defines the section of the pipeline the rule will appear in.
# This will affect the template used to render multiple parts
# of the rule.
in_entity: repository
# Defines the schema for writing a rule with this rule being checked
# In this case there are no settings that need to be configured
rule_schema:
type: object
properties:
filename:
type: string
description: |
The path to the Security Insights file
default: SECURITY-INSIGHTS.yml
required:
- filename
# Defines the configuration for ingesting data relevant for the rule
ingest:
type: git
git: {}
eval:
type: rego
rego:
type: deny-by-default
def: |
package minder
import rego.v1
default allow := false
allow if {
file.exists(input.profile.filename)
sifile := file.read(input.profile.filename)
si := yaml.unmarshal(sifile)
si.dependencies["env-dependencies-policy"]["policy-url"] != ""
}
# Defines the configuration for alerting on the rule
alert:
type: security_advisory
security_advisory: {}
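Review bot: the `description` text names the file `SECURITY_INSIGHTS.yaml` (underscore, `.yaml`) while `rule_schema.properties.filename.default`, the `guidance` text and the profile all use `SECURITY-INSIGHTS.yml`; suggest aligning the description with the default so readers do not create a file the rule never reads. In the Rego body, the only predicate on the value is `si.dependencies["env-dependencies-policy"]["policy-url"] != ""`: when the file or any of the nested keys is absent the reference is undefined and the rule denies, which is the intended deny-by-default behaviour, but a `policy-url` of `null`, a number, or whitespace also satisfies `!= ""` and would pass. Suggest binding the value and tightening the check, e.g. `url := si.dependencies["env-dependencies-policy"]["policy-url"]`, `is_string(url)`, `trim_space(url) != ""`, so the rule only passes on a non-empty string as the description promises.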

0 comments on commit 404b749