diff --git a/rule-types/github/actions_check_default_permissions.yaml b/rule-types/github/actions_check_default_permissions.yaml
index 18f1d06..bff72fd 100644
--- a/rule-types/github/actions_check_default_permissions.yaml
+++ b/rule-types/github/actions_check_default_permissions.yaml
@@ -1,6 +1,7 @@
 version: v1
 type: rule-type
 name: actions_check_default_permissions
+display_name: Ensure GitHub Actions workflows set their permissions
 severity:
   value: medium
 context:
diff --git a/rule-types/github/actions_check_pinned_tags.yaml b/rule-types/github/actions_check_pinned_tags.yaml
index 4a57d06..d70d239 100644
--- a/rule-types/github/actions_check_pinned_tags.yaml
+++ b/rule-types/github/actions_check_pinned_tags.yaml
@@ -2,6 +2,7 @@
 version: v1
 type: rule-type
 name: actions_check_pinned_tags
+display_name: Ensure immutable version of GitHub action
 severity:
   value: medium
 context:
diff --git a/rule-types/github/allowed_selected_actions.yaml b/rule-types/github/allowed_selected_actions.yaml
index a637048..9e166ad 100644
--- a/rule-types/github/allowed_selected_actions.yaml
+++ b/rule-types/github/allowed_selected_actions.yaml
@@ -2,6 +2,7 @@
 version: v1
 type: rule-type
 name: allowed_selected_actions
+display_name: Limit the permitted GitHub actions by creator
 severity:
   value: medium
 context:
diff --git a/rule-types/github/artifact_attestation_slsa.yaml b/rule-types/github/artifact_attestation_slsa.yaml
index ba9807a..4af938d 100644
--- a/rule-types/github/artifact_attestation_slsa.yaml
+++ b/rule-types/github/artifact_attestation_slsa.yaml
@@ -2,6 +2,7 @@
 version: v1
 type: rule-type
 name: artifact_attestation_slsa
+display_name: Verify the integrity of an artifact
 context:
   provider: github
 description: |
diff --git a/rule-types/github/artifact_signature.yaml b/rule-types/github/artifact_signature.yaml
index af3621d..2efa292 100644
--- a/rule-types/github/artifact_signature.yaml
+++ b/rule-types/github/artifact_signature.yaml
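Review bot: The display name added in actions_check_pinned_tags.yaml, `display_name: Ensure immutable version of GitHub action`, is grammatically incomplete for a user-facing title and does not say what is being ensured about which actions. Something like `display_name: Ensure GitHub actions are pinned to an immutable version` states the check the rule name implies; the rule's description, which would confirm the intended wording, is outside the hunk. The neighbouring display names on this line read as full imperative sentences, so the pinned-tags one stands out.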
@@ -2,6 +2,7 @@
 version: v1
 type: rule-type
 name: artifact_signature
+display_name: Ensure artifacts are signed and verified
 severity:
   value: high
 context:
diff --git a/rule-types/github/automatic_branch_deletion.yaml b/rule-types/github/automatic_branch_deletion.yaml
index e2a0cfa..2b8e060 100644
--- a/rule-types/github/automatic_branch_deletion.yaml
+++ b/rule-types/github/automatic_branch_deletion.yaml
@@ -2,6 +2,7 @@
 version: v1
 type: rule-type
 name: automatic_branch_deletion
+display_name: Automatically delete branch after merge
 severity:
   value: info
 context:
diff --git a/rule-types/github/branch_protection_allow_deletions.yaml b/rule-types/github/branch_protection_allow_deletions.yaml
index f46d475..3a2da4a 100644
--- a/rule-types/github/branch_protection_allow_deletions.yaml
+++ b/rule-types/github/branch_protection_allow_deletions.yaml
@@ -2,6 +2,7 @@
 version: v1
 type: rule-type
 name: branch_protection_allow_deletions
+display_name: Prevent permanent branch deletion
 severity:
   value: medium
 context:
diff --git a/rule-types/github/branch_protection_allow_force_pushes.yaml b/rule-types/github/branch_protection_allow_force_pushes.yaml
index c5cc9aa..e1eb06e 100644
--- a/rule-types/github/branch_protection_allow_force_pushes.yaml
+++ b/rule-types/github/branch_protection_allow_force_pushes.yaml
@@ -2,6 +2,7 @@
 version: v1
 type: rule-type
 name: branch_protection_allow_force_pushes
+display_name: Prevent overwriting git history
 severity:
   value: medium
 context:
diff --git a/rule-types/github/branch_protection_allow_fork_syncing.yaml b/rule-types/github/branch_protection_allow_fork_syncing.yaml
index 04a5357..6f7bc62 100644
--- a/rule-types/github/branch_protection_allow_fork_syncing.yaml
+++ b/rule-types/github/branch_protection_allow_fork_syncing.yaml
@@ -2,6 +2,7 @@
 version: v1
 type: rule-type
 name: branch_protection_allow_fork_syncing
+display_name: Allow forks to pull changes from locked branches
 severity:
   value: low
 context:
diff --git a/rule-types/github/branch_protection_enabled.yaml b/rule-types/github/branch_protection_enabled.yaml
index 53f3181..7f3e589 100644
--- a/rule-types/github/branch_protection_enabled.yaml
+++ b/rule-types/github/branch_protection_enabled.yaml
@@ -2,6 +2,7 @@
 version: v1
 type: rule-type
 name: branch_protection_enabled
+display_name: Ensure a branch protection rule is set up
 severity:
   value: high
 context:
diff --git a/rule-types/github/branch_protection_enforce_admins.yaml b/rule-types/github/branch_protection_enforce_admins.yaml
index 71c1928..1fe12bc 100644
--- a/rule-types/github/branch_protection_enforce_admins.yaml
+++ b/rule-types/github/branch_protection_enforce_admins.yaml
@@ -2,6 +2,7 @@
 version: v1
 type: rule-type
 name: branch_protection_enforce_admins
+display_name: Enforce branch protection rules for admins
 severity:
   value: medium
 context:
diff --git a/rule-types/github/branch_protection_lock_branch.yaml b/rule-types/github/branch_protection_lock_branch.yaml
index b2d0375..1286194 100644
--- a/rule-types/github/branch_protection_lock_branch.yaml
+++ b/rule-types/github/branch_protection_lock_branch.yaml
@@ -2,6 +2,7 @@
 version: v1
 type: rule-type
 name: branch_protection_lock_branch
+display_name: Set a branch as read-only
 severity:
   value: medium
 context:
diff --git a/rule-types/github/branch_protection_require_conversation_resolution.yaml b/rule-types/github/branch_protection_require_conversation_resolution.yaml
index 9fdaf15..69fc196 100644
--- a/rule-types/github/branch_protection_require_conversation_resolution.yaml
+++ b/rule-types/github/branch_protection_require_conversation_resolution.yaml
@@ -2,6 +2,7 @@
 version: v1
 type: rule-type
 name: branch_protection_require_conversation_resolution
+display_name: Prevent merging PRs with unresolved conversations
 severity:
   value: info
 context:
diff --git a/rule-types/github/branch_protection_require_linear_history.yaml b/rule-types/github/branch_protection_require_linear_history.yaml
index bde32e4..6f8087c 100644
--- a/rule-types/github/branch_protection_require_linear_history.yaml
+++ b/rule-types/github/branch_protection_require_linear_history.yaml
@@ -2,6 +2,7 @@
 version: v1
 type: rule-type
 name: branch_protection_require_linear_history
+display_name: Forbid merge commits
 severity:
   value: info
 context:
diff --git a/rule-types/github/branch_protection_require_pull_request_approving_review_count.yaml b/rule-types/github/branch_protection_require_pull_request_approving_review_count.yaml
index 126df2f..d2b4f56 100644
--- a/rule-types/github/branch_protection_require_pull_request_approving_review_count.yaml
+++ b/rule-types/github/branch_protection_require_pull_request_approving_review_count.yaml
@@ -2,6 +2,7 @@
 version: v1
 type: rule-type
 name: branch_protection_require_pull_request_approving_review_count
+display_name: Require a number of reviews before merging a PR
 severity:
   value: medium
 context:
diff --git a/rule-types/github/branch_protection_require_pull_request_code_owners_review.yaml b/rule-types/github/branch_protection_require_pull_request_code_owners_review.yaml
index d6beb51..8e4186d 100644
--- a/rule-types/github/branch_protection_require_pull_request_code_owners_review.yaml
+++ b/rule-types/github/branch_protection_require_pull_request_code_owners_review.yaml
@@ -2,6 +2,7 @@
 version: v1
 type: rule-type
 name: branch_protection_require_pull_request_code_owners_review
+display_name: Require a code owner review before merging a PR
 severity:
   value: low
 context:
diff --git a/rule-types/github/branch_protection_require_pull_request_dismiss_stale_reviews.yaml b/rule-types/github/branch_protection_require_pull_request_dismiss_stale_reviews.yaml
index 0a8afb2..02dbcf4 100644
--- a/rule-types/github/branch_protection_require_pull_request_dismiss_stale_reviews.yaml
+++ b/rule-types/github/branch_protection_require_pull_request_dismiss_stale_reviews.yaml
@@ -2,6 +2,7 @@
 version: v1
 type: rule-type
 name: branch_protection_require_pull_request_dismiss_stale_reviews
+display_name: Forbid merging PRs with un-approved commits
 severity:
   value: info
 context:
diff --git a/rule-types/github/branch_protection_require_pull_request_last_push_approval.yaml b/rule-types/github/branch_protection_require_pull_request_last_push_approval.yaml
index 5e9acbb..53af6f8 100644
--- a/rule-types/github/branch_protection_require_pull_request_last_push_approval.yaml
+++ b/rule-types/github/branch_protection_require_pull_request_last_push_approval.yaml
@@ -2,6 +2,7 @@
 version: v1
 type: rule-type
 name: branch_protection_require_pull_request_last_push_approval
+display_name: Disregard self-approvals on PRs
 severity:
   value: low
 context:
diff --git a/rule-types/github/branch_protection_require_pull_requests.yaml b/rule-types/github/branch_protection_require_pull_requests.yaml
index 143d1eb..0a031e5 100644
--- a/rule-types/github/branch_protection_require_pull_requests.yaml
+++ b/rule-types/github/branch_protection_require_pull_requests.yaml
@@ -2,6 +2,7 @@
 version: v1
 type: rule-type
 name: branch_protection_require_pull_requests
+display_name: Only merge code from pull requests
 severity:
   value: medium
 context:
diff --git a/rule-types/github/branch_protection_require_signatures.yaml b/rule-types/github/branch_protection_require_signatures.yaml
index 1d44ad7..7c393d8 100644
--- a/rule-types/github/branch_protection_require_signatures.yaml
+++ b/rule-types/github/branch_protection_require_signatures.yaml
@@ -2,6 +2,7 @@
 version: v1
 type: rule-type
 name: branch_protection_require_signatures
+display_name: Require commits to be signed
 severity:
   value: medium
 context:
diff --git a/rule-types/github/codeql_enabled.yaml b/rule-types/github/codeql_enabled.yaml
index 9bc356f..bfc7621 100644
--- a/rule-types/github/codeql_enabled.yaml
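Review bot: The display name added in branch_protection_require_pull_request_dismiss_stale_reviews.yaml hyphenates "un-approved", which is non-standard and inconsistent with "unresolved" used in the conversation-resolution title elsewhere in this diff; `display_name: Forbid merging PRs with unapproved commits` reads as one word. Since these titles are user-facing, it is worth a spelling pass across the whole set before they land. The rule description that would show the intended meaning is outside the hunk.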
+++ b/rule-types/github/codeql_enabled.yaml
@@ -2,6 +2,7 @@
 version: v1
 type: rule-type
 name: codeql_enabled
+display_name: Enable CodeQL for vulnerability scanning
 severity:
   value: medium
 context:
diff --git a/rule-types/github/default_workflow_permissions.yaml b/rule-types/github/default_workflow_permissions.yaml
index b52a2e4..e87b0c7 100644
--- a/rule-types/github/default_workflow_permissions.yaml
+++ b/rule-types/github/default_workflow_permissions.yaml
@@ -2,6 +2,7 @@
 version: v1
 type: rule-type
 name: default_workflow_permissions
+display_name: Customize the default GitHub workflow permissions
 severity:
   value: high
 context:
diff --git a/rule-types/github/dependabot_configured.yaml b/rule-types/github/dependabot_configured.yaml
index ae02d49..aa7b71e 100644
--- a/rule-types/github/dependabot_configured.yaml
+++ b/rule-types/github/dependabot_configured.yaml
@@ -2,6 +2,7 @@
 version: v1
 type: rule-type
 name: dependabot_configured
+display_name: Enable Dependabot for automated dependency updates
 severity:
   value: medium
 context:
diff --git a/rule-types/github/dockerfile_no_latest_tag.yaml b/rule-types/github/dockerfile_no_latest_tag.yaml
index e9f2f5a..9f70caf 100644
--- a/rule-types/github/dockerfile_no_latest_tag.yaml
+++ b/rule-types/github/dockerfile_no_latest_tag.yaml
@@ -2,6 +2,7 @@
 version: v1
 type: rule-type
 name: dockerfile_no_latest_tag
+display_name: Prevent Dockerfile from using volatile 'latest' tag
 severity:
   value: medium
 context:
diff --git a/rule-types/github/github_actions_allowed.yaml b/rule-types/github/github_actions_allowed.yaml
index 11e0e61..a0bdfbc 100644
--- a/rule-types/github/github_actions_allowed.yaml
+++ b/rule-types/github/github_actions_allowed.yaml
@@ -2,6 +2,7 @@
 version: v1
 type: rule-type
 name: github_actions_allowed
+display_name: Limit the permitted GitHub actions by type
 severity:
   value: medium
 context:
diff --git a/rule-types/github/invisible_characters_check.yaml b/rule-types/github/invisible_characters_check.yaml
index 1262cb5..f42ff95 100644
--- a/rule-types/github/invisible_characters_check.yaml
+++ b/rule-types/github/invisible_characters_check.yaml
@@ -1,6 +1,7 @@
 version: v1
 type: rule-type
 name: invisible_characters_check
+display_name: Check for invisible characters in pull requests
 severity:
   value: high
 context:
diff --git a/rule-types/github/license.yaml b/rule-types/github/license.yaml
index 731911a..d54120c 100644
--- a/rule-types/github/license.yaml
+++ b/rule-types/github/license.yaml
@@ -2,6 +2,7 @@
 version: v1
 type: rule-type
 name: license
+display_name: Ensure a license file is present
 severity:
   value: low
 context:
diff --git a/rule-types/github/mixed_scripts_check.yaml b/rule-types/github/mixed_scripts_check.yaml
index 6719293..b1e089d 100644
--- a/rule-types/github/mixed_scripts_check.yaml
+++ b/rule-types/github/mixed_scripts_check.yaml
@@ -1,6 +1,7 @@
 version: v1
 type: rule-type
 name: mixed_scripts_check
+display_name: Check for mixed scripts in pull requests
 severity:
   value: high
 context:
diff --git a/rule-types/github/no_binaries_in_repo.yaml b/rule-types/github/no_binaries_in_repo.yaml
index 92c2d54..cb48184 100644
--- a/rule-types/github/no_binaries_in_repo.yaml
+++ b/rule-types/github/no_binaries_in_repo.yaml
@@ -2,6 +2,7 @@
 version: v1
 type: rule-type
 name: no_binaries_in_repo
+display_name: Ensure no binary artifacts are committed
 severity:
   value: medium
 context:
diff --git a/rule-types/github/no_open_security_advisories.yaml b/rule-types/github/no_open_security_advisories.yaml
index e862106..6e6bcbd 100644
--- a/rule-types/github/no_open_security_advisories.yaml
+++ b/rule-types/github/no_open_security_advisories.yaml
@@ -2,6 +2,7 @@
 version: v1
 type: rule-type
 name: no_open_security_advisories
+display_name: Verify there are no open security advisories
 severity:
   value: low
 context:
diff --git a/rule-types/github/pr_trusty_check.yaml b/rule-types/github/pr_trusty_check.yaml
index 6b14309..958148e 100644
--- a/rule-types/github/pr_trusty_check.yaml
+++ b/rule-types/github/pr_trusty_check.yaml
@@ -2,6 +2,7 @@
 version: v1
 type: rule-type
 name: pr_trusty_check
+display_name: Ensure pull requests do not add dependencies with a low Trusty
 severity:
   value: medium
 context:
diff --git a/rule-types/github/pr_vulnerability_check.yaml b/rule-types/github/pr_vulnerability_check.yaml
index 7e527a5..eb70872 100644
--- a/rule-types/github/pr_vulnerability_check.yaml
+++ b/rule-types/github/pr_vulnerability_check.yaml
@@ -2,6 +2,7 @@
 version: v1
 type: rule-type
 name: pr_vulnerability_check
+display_name: Ensure pull requests do not add vulnerable dependencies
 severity:
   value: medium
 context:
diff --git a/rule-types/github/repo_action_allow_list.yaml b/rule-types/github/repo_action_allow_list.yaml
index 079b6d6..87f112d 100644
--- a/rule-types/github/repo_action_allow_list.yaml
+++ b/rule-types/github/repo_action_allow_list.yaml
@@ -2,6 +2,7 @@
 version: v1
 type: rule-type
 name: repo_action_allow_list
+display_name: Ensure that only allowed GitHub actions run in a repository
 severity:
   value: info
 context:
diff --git a/rule-types/github/repo_workflow_access_level.yaml b/rule-types/github/repo_workflow_access_level.yaml
index 5b06136..4371958 100644
--- a/rule-types/github/repo_workflow_access_level.yaml
+++ b/rule-types/github/repo_workflow_access_level.yaml
@@ -2,6 +2,7 @@
 version: v1
 type: rule-type
 name: repo_workflow_access_level
+display_name: Limit the external access of private repositories
 severity:
   value: medium
 context:
diff --git a/rule-types/github/scorecard_enabled.yaml b/rule-types/github/scorecard_enabled.yaml
index 6e21bef..999518f 100644
--- a/rule-types/github/scorecard_enabled.yaml
+++ b/rule-types/github/scorecard_enabled.yaml
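Review bot: The display name added in pr_trusty_check.yaml, `display_name: Ensure pull requests do not add dependencies with a low Trusty`, reads as cut off: "a low Trusty" is missing the noun it qualifies, so the title is meaningless to a user who does not already know the rule. If the rule flags dependencies below a Trusty score threshold, `display_name: Ensure pull requests do not add dependencies with a low Trusty score` would complete the sentence; confirm against the rule's description and its parameters, which are outside the hunk. Every other display name in this diff is a complete sentence, so this one is likely an editing slip rather than intentional.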
@@ -2,6 +2,7 @@
 version: v1
 type: rule-type
 name: scorecard_enabled
+display_name: Enable the Scorecard GitHub Action
 severity:
   value: medium
 context:
diff --git a/rule-types/github/secret_push_protection.yaml b/rule-types/github/secret_push_protection.yaml
index 09614a9..d5511ed 100644
--- a/rule-types/github/secret_push_protection.yaml
+++ b/rule-types/github/secret_push_protection.yaml
@@ -2,6 +2,7 @@
 version: v1
 type: rule-type
 name: secret_push_protection
+display_name: Prevent hardcoded secrets from being added
 severity:
   value: high
 context:
diff --git a/rule-types/github/secret_scanning.yaml b/rule-types/github/secret_scanning.yaml
index 0fe50cf..c8319f0 100644
--- a/rule-types/github/secret_scanning.yaml
+++ b/rule-types/github/secret_scanning.yaml
@@ -2,6 +2,7 @@
 version: v1
 type: rule-type
 name: secret_scanning
+display_name: Detect hardcoded secrets
 severity:
   value: high
 context:
diff --git a/rule-types/github/security_insights.yaml b/rule-types/github/security_insights.yaml
index 35511ab..8bd6e4d 100644
--- a/rule-types/github/security_insights.yaml
+++ b/rule-types/github/security_insights.yaml
@@ -2,6 +2,7 @@
 version: v1
 type: rule-type
 name: security_insights
+display_name: Verify the presence of a Security Insights file
 severity:
   value: low
 context:
diff --git a/rule-types/github/security_insights_dep_policy.yaml b/rule-types/github/security_insights_dep_policy.yaml
index 8a684f8..336018f 100644
--- a/rule-types/github/security_insights_dep_policy.yaml
+++ b/rule-types/github/security_insights_dep_policy.yaml
@@ -2,6 +2,7 @@
 version: v1
 type: rule-type
 name: security_insights_dep_policy
+display_name: Verify a dependency policy exists in the Security Insights file
 severity:
   value: low
 context:
diff --git a/rule-types/github/security_policy.yaml b/rule-types/github/security_policy.yaml
index ef15b61..a96e999 100644
--- a/rule-types/github/security_policy.yaml
+++ b/rule-types/github/security_policy.yaml
@@ -1,6 +1,7 @@
 version: v1
 type: rule-type
 name: security_policy
+display_name: Ensure a security policy file exists
 severity:
   value: medium
 context:
diff --git a/rule-types/github/trivy_action_enabled.yaml b/rule-types/github/trivy_action_enabled.yaml
index 4ddc3af..c69bd6f 100644
--- a/rule-types/github/trivy_action_enabled.yaml
+++ b/rule-types/github/trivy_action_enabled.yaml
@@ -2,6 +2,7 @@
 version: v1
 type: rule-type
 name: trivy_action_enabled
+display_name: Ensure Trivy is enabled for vulnerability scanning
 severity:
   value: medium
 context: