diff --git a/rule-types/github/talisman_secrets_scanning.test.yaml b/rule-types/github/talisman_secrets_scanning.test.yaml
new file mode 100644
index 0000000..8e1025d
--- /dev/null
+++ b/rule-types/github/talisman_secrets_scanning.test.yaml
@@ -0,0 +1,13 @@
+tests:
+  - name: "Should have Talisman pre-commit hook configured"
+    def: {}
+    params: {}
+    expect: "pass"
+    git:
+      repo_base: correct
+  - name: "Should fail Talisman pre-commit hook is not configured"
+    def: {}
+    params: {}
+    expect: "fail"
+    git:
+      repo_base: misconfigured
diff --git a/rule-types/github/talisman_secrets_scanning.testdata/correct/.pre-commit-config.yaml b/rule-types/github/talisman_secrets_scanning.testdata/correct/.pre-commit-config.yaml
new file mode 100644
index 0000000..cbfca36
--- /dev/null
+++ b/rule-types/github/talisman_secrets_scanning.testdata/correct/.pre-commit-config.yaml
@@ -0,0 +1,16 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v3.2.0
+  hooks:
+  - id: trailing-whitespace
+  - id: end-of-file-fixer
+  - id: check-yaml
+  - id: check-added-large-files
+    args: ['--maxkb=600']
+- repo: https://github.com/thoughtworks/talisman
+  rev: 'v1.28.0' # Update me!
+  hooks:
+  # both pre-commit and pre-push supported
+  # - id: talisman-push
+  - id: talisman-commit
+    entry: cmd --githook pre-commit
diff --git a/rule-types/github/talisman_secrets_scanning.testdata/misconfigured/.pre-commit-config.yaml b/rule-types/github/talisman_secrets_scanning.testdata/misconfigured/.pre-commit-config.yaml
new file mode 100644
index 0000000..98d3157
--- /dev/null
+++ b/rule-types/github/talisman_secrets_scanning.testdata/misconfigured/.pre-commit-config.yaml
@@ -0,0 +1,9 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v3.2.0
+  hooks:
+  - id: trailing-whitespace
+  - id: end-of-file-fixer
+  - id: check-yaml
+  - id: check-added-large-files
+    args: ['--maxkb=600']
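Review bot: The two cases in talisman_secrets_scanning.test.yaml only cover a `.pre-commit-config.yaml` with and without the Talisman repo entry; there is no case where the file is absent altogether, which is the usual state of a repository that does not use pre-commit, and what `file.read` does on a missing file (evaluation error versus a clean "fail") is the first thing a user of this rule will hit. A third case with a `repo_base` fixture that contains no `.pre-commit-config.yaml` and `expect: "fail"` would pin that behaviour. A fourth fixture with the Talisman repo present but only `- id: talisman-push` configured would document that the pre-push hook is deliberately not accepted by this rule, since the rule's `message` and `display_name` only mention pre-commit.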
diff --git a/rule-types/github/talisman_secrets_scanning.yaml b/rule-types/github/talisman_secrets_scanning.yaml
new file mode 100644
index 0000000..d99755f
--- /dev/null
+++ b/rule-types/github/talisman_secrets_scanning.yaml
@@ -0,0 +1,55 @@
+---
+version: v1
+release_phase: alpha
+type: rule-type
+name: talisman_secrets_scanning
+display_name: Enable Talisman Pre-commit hooks for detecting secrets
+short_failure_message: Talisman Pre-commit hook is not configured for the repository
+severity:
+  value: medium
+context: {}
+description: |
+  Verifies that Talisman Pre-commit hook is configured via a GitHub action for the repository
+guidance: |
+  Ensure that Talisman is configured pre-commit hook for the repository.
+  Talisman validates the outgoing changeset for things that look suspicious — such as tokens, passwords, and private keys.
+  For more information, see the [GitHub Talisman Pre-commit](https://github.com/thoughtworks/talisman?tab=readme-ov-file#pre-commit) documentation.
+def:
+  in_entity: repository
+  rule_schema:
+    type: object
+    properties: {}
+  ingest:
+    type: git
+    git: {}
+  eval:
+    type: rego
+    rego:
+      type: deny-by-default
+      def: |
+        package minder
+        import future.keywords.if
+        import future.keywords.every
+
+        default message := "Talisman pre-commit hook is not configured for the repository"
+        default allow := false
+
+
+        # pre-commit hook
+        precommit := file.read(".pre-commit-config.yaml")
+
+        parsed_data := parse_yaml(precommit)
+
+        allow if {
+          some repo_id, hook_id
+          repo_data := parsed_data.repos[repo_id]
+          endswith(repo_data["repo"], "https://github.com/thoughtworks/talisman")
+          talisman_hooks = repo_data["hooks"]
+          talisman_hooks[hook_id].id == "talisman-commit"
+          talisman_hooks[hook_id].entry == "cmd --githook pre-commit"
+        }
+
+        message := "" if allow
+  alert:
+    type: security_advisory
+    security_advisory: {}
\ No newline at end of file
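Review bot: The `allow` rule requires `talisman_hooks[hook_id].entry == "cmd --githook pre-commit"`, but that value appears to be the entry Talisman already ships for its `talisman-commit` hook, so a config that lists only `- id: talisman-commit` without overriding `entry` would be reported as misconfigured even though the hook is active; presumably `talisman_hooks[hook_id].id == "talisman-commit"` alone is the intended check, and a fixture without `entry` in the test data would confirm which way this should go. The repo match on the line above is a suffix test on a full URL: `https://github.com/thoughtworks/talisman.git` or a trailing slash is rejected, while any string that merely ends in that URL is accepted, so an equality comparison after trimming `.git` and `/` (for example `trim_suffix(trim_suffix(repo_data["repo"], "/"), ".git") == "https://github.com/thoughtworks/talisman"`) would be more precise. `talisman_hooks = repo_data["hooks"]` mixes `=` with the `:=` used everywhere else in this rule, and `import future.keywords.every` is unused. The `description` says the hook is "configured via a GitHub action" while the rule reads `.pre-commit-config.yaml`, and the guidance sentence "Ensure that Talisman is configured pre-commit hook" is missing a word; both should describe what is actually evaluated.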