From 772a7943a14f1a32f585b5093c30eb67d7fe4668 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adolfo=20Garc=C3=ADa=20Veytia=20=28Puerco=29?=
Date: Thu, 25 Jul 2024 20:53:38 -0600
Subject: [PATCH] Baseline: Add security profile check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Adolfo GarcĂ­a Veytia (Puerco)
---
 .../github/openssf_security_baseline.yaml | 9 +++-
 rule-types/github/security_policy.yaml | 46 +++++++++++++++++++
 2 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 rule-types/github/security_policy.yaml
diff --git a/profiles/github/openssf_security_baseline.yaml b/profiles/github/openssf_security_baseline.yaml
index b669661..b62c5ba 100644
--- a/profiles/github/openssf_security_baseline.yaml
+++ b/profiles/github/openssf_security_baseline.yaml
@@ -67,7 +67,14 @@ repository:
 def:
 required_approving_review_count: 2
- # (TODO) Security policy published
+ # Security policy published
+ # Check for a Security Insights file in the repo
+ - type: security_policy
+ name: security_policy
+ displayName: "Ensure there is a security policy file"
+ def:
+ filename: SECURITY.md
+
 # (TODO) No vulnerabilities
 # (TODO) 60 day SLA on HIGH/MED vulnerabilities
 # (TODO) No checked-in binaries
diff --git a/rule-types/github/security_policy.yaml b/rule-types/github/security_policy.yaml
new file mode 100644
index 0000000..b89d1c2
--- /dev/null
+++ b/rule-types/github/security_policy.yaml
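Review bot: The added comment `# Check for a Security Insights file in the repo` does not describe the rule below it: `filename: SECURITY.md` is GitHub's security policy file, whereas a Security Insights manifest is a different artefact (`SECURITY-INSIGHTS.yml`), so a reader following the comment would look for the wrong file and the wrong spec. Change it to `# Check that the repository publishes a SECURITY.md security policy`, or drop it, since `displayName` already states the intent. The enclosing `repository:` list starts outside the hunk.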
@@ -0,0 +1,46 @@
+version: v1
+type: rule-type
+name: security_policy
+severity:
+ value: medium
+context:
+ provider: github
+description: Raise an alert if a repository is missing a security policy file.
+guidance: |
+ Ensure that a repository has a security policy file
+def:
+ in_entity: repository
+ rule_schema:
+ type: object
+ properties:
+ filename:
+ type: string
+ description: |
+ Path to the security policy file
+ default: SECURITY.md
+ required:
+ - filename
+ # Defines the configuration for ingesting data relevant for the rule
+ ingest:
+ type: git
+ git:
+ branch: master
+ eval:
+ type: rego
+ rego:
+ type: deny-by-default
+ def: |
+ package minder
+ import rego.v1
+
+ default allow := false
+ allow if {
+ file.exists(input.profile.filename)
+ }
+
+ # We don't have a remediation method in place yet.
+
+ # Defines the configuration for alerting on the rule
+ alert:
+ type: security_advisory
+ security_advisory: {}
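Review bot: The ingest block pins `branch: master`, so on a repository whose default branch is `main` (GitHub's default for new repositories since 2020) the rule would evaluate a ref that does not exist, and the verdict then depends on how the git ingester handles a missing branch rather than on whether a policy is present; unless the ingester is known to fall back to the default branch, drop the `branch: master` line (or expose it through `rule_schema`) so the repository's default branch is used. Separately, `file.exists(input.profile.filename)` only looks at the repository root, while GitHub also recognises `.github/SECURITY.md` and `docs/SECURITY.md`, so a compliant repository using either location is reported as missing its policy; adding `allow if { file.exists(sprintf(".github/%s", [input.profile.filename])) }` and the `docs/` equivalent (or stating in `guidance` that only the root path is checked) closes that gap. The `guidance` text could also point at GitHub's "Adding a security policy to your repository" documentation, since the comment notes there is no automated remediation and that is what a maintainer receiving the `security_advisory` alert will need.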