From ad1fa56cff237499aa3cf810135c44e6d0e4e452 Mon Sep 17 00:00:00 2001 From: Eleftheria Stein-Kousathana Date: Tue, 8 Oct 2024 17:16:21 +0200 Subject: [PATCH] Add message to rego rules This displays as the evaluations details message in Minder. Ref https://github.com/stacklok/minder-stories/issues/42 --- rule-types/common/license.yaml | 13 ++++++++++--- .../github/actions_check_default_permissions.yaml | 13 +++++++++++++ rule-types/github/artifact_attestation_slsa.yaml | 1 + rule-types/github/branch_protection_enabled.yaml | 1 + .../branch_protection_require_pull_requests.yaml | 1 + rule-types/github/codeql_enabled.yaml | 1 + rule-types/github/dependabot_configured.yaml | 1 + rule-types/github/scorecard_enabled.yaml | 1 + rule-types/github/secret_push_protection.yaml | 1 + rule-types/github/secret_scanning.yaml | 1 + rule-types/github/security_insights.yaml | 2 ++ rule-types/github/security_insights_dep_policy.yaml | 1 + rule-types/github/security_policy.yaml | 2 ++ rule-types/github/trivy_action_enabled.yaml | 1 + .../gitlab/gitlab_dependency_scanning_enabled.yaml | 1 + rule-types/gitlab/gitlab_protect_branch.yaml | 1 + .../gitlab/gitlab_require_merge_requests.yaml | 1 + 17 files changed, 40 insertions(+), 3 deletions(-) diff --git a/rule-types/common/license.yaml b/rule-types/common/license.yaml index f9e0c02..813d03f 100644 --- a/rule-types/common/license.yaml +++ b/rule-types/common/license.yaml @@ -7,7 +7,7 @@ display_name: Ensure a license file is present short_failure_message: License file does not match the expected license type severity: value: low -context: {} +context: { } description: | Verifies that there's a license file of a given type present in the repository. guidance: | 
@@ -59,17 +59,24 @@ def: import future.keywords.if default allow := false + fileStr := file.read(input.profile.license_filename) allow if { # Read the license file and check if it contains the license type - fileStr := file.read(input.profile.license_filename) contains(fileStr, input.profile.license_type) } else if { # Check if the file exists and the license type is left blank file.exists(input.profile.license_filename) input.profile.license_type == "" } + + message := sprintf("License file %v does not exist", [input.profile.license_filename]) if { + not file.exists(input.profile.license_filename) + } else := sprintf("License file %v does not match the expected license type %v", [input.profile.license_filename, input.profile.license_type]) if { + not contains(fileStr, input.profile.license_type) + } + # Defines the configuration for alerting on the rule alert: type: security_advisory - security_advisory: {} + security_advisory: { } diff --git a/rule-types/github/actions_check_default_permissions.yaml b/rule-types/github/actions_check_default_permissions.yaml index e30f30d..c0eac29 100644 --- a/rule-types/github/actions_check_default_permissions.yaml +++ b/rule-types/github/actions_check_default_permissions.yaml @@ -69,6 +69,19 @@ def: count(job.permissions) >= 0 } } + + # Get the list of workflows that do not have permissions and create the error message + missing_permissions_workflows = [workflow_name | + filename := workflows[_] # Iterate over each workflow filename + workflowstr := file.read(filename) + workflow := yaml.unmarshal(workflowstr) + + not permissions_ok(workflow) + workflow_name = workflow.name + ] + + # Construct the final message + message := sprintf("Workflows %s do not explicitly set their permissions", [concat(",", missing_permissions_workflows)]) # We don't have a remediation method in place yet. # Defines the configuration for alerting on the rule 
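Review bot: The second `message` body, `not contains(fileStr, input.profile.license_type)`, also succeeds when `fileStr` is undefined — in Rego `not` of an undefined expression is true — so a license file that exists but cannot be read by the hoisted package-level `fileStr := file.read(...)` is reported as "does not match the expected license type" rather than as a read failure; whether `file.read` returns undefined or raises on such a file is not visible here, so treat this as a case to confirm. Making the branch explicit, `} else := sprintf(...) if { fileStr; not contains(fileStr, input.profile.license_type) }`, keeps the mismatch message honest and leaves the unreadable case to surface as an evaluation error instead. Separately, the `{}` → `{ }` rewrites of `context` and `alert.security_advisory` in this file are unrelated whitespace churn that belongs in its own commit.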
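Review bot: In the `missing_permissions_workflows` comprehension, `workflow_name = workflow.name` silently drops any workflow whose YAML has no top-level `name:` (the key is optional in GitHub Actions), because the undefined reference makes that iteration fail; such a workflow can still make `allow` false while the message names only some offenders, or none. Use `workflow_name := object.get(workflow, "name", filename)` so the file path is reported as a fallback, and match the `:=` style used elsewhere in the hunk. `message` is also defined unconditionally, so a passing evaluation carries the text `Workflows  do not explicitly set their permissions` with an empty list; guard it with `message := sprintf(...) if { count(missing_permissions_workflows) > 0 }`. `workflows` and `permissions_ok` are defined outside the hunk, so every workflow is now read and parsed a second time for the message; that is acceptable but worth a comment.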
diff --git a/rule-types/github/artifact_attestation_slsa.yaml b/rule-types/github/artifact_attestation_slsa.yaml index 5761c10..bbfb3a3 100644 --- a/rule-types/github/artifact_attestation_slsa.yaml +++ b/rule-types/github/artifact_attestation_slsa.yaml @@ -91,6 +91,7 @@ def: default allow := false default skip := false + default message := "Cannot verify SLSA provenance" default workflow_ref := "refs/heads/main" workflow_ref := input.profile.workflow_ref diff --git a/rule-types/github/branch_protection_enabled.yaml b/rule-types/github/branch_protection_enabled.yaml index 785297b..81359b3 100644 --- a/rule-types/github/branch_protection_enabled.yaml +++ b/rule-types/github/branch_protection_enabled.yaml @@ -60,6 +60,7 @@ def: import future.keywords.if default allow := false + default message := "No branch protection rule is set" allow if { input.ingested.url != "" diff --git a/rule-types/github/branch_protection_require_pull_requests.yaml b/rule-types/github/branch_protection_require_pull_requests.yaml index 7f88820..b53efc1 100644 --- a/rule-types/github/branch_protection_require_pull_requests.yaml +++ b/rule-types/github/branch_protection_require_pull_requests.yaml @@ -70,6 +70,7 @@ def: import future.keywords.if default allow := false + default message := "Pull requests are not required" allow if { input.ingested.required_pull_request_reviews.url != "" diff --git a/rule-types/github/codeql_enabled.yaml b/rule-types/github/codeql_enabled.yaml index b4eef74..82d6fef 100644 --- a/rule-types/github/codeql_enabled.yaml +++ b/rule-types/github/codeql_enabled.yaml @@ -59,6 +59,7 @@ def: package minder default allow := false + default message := "CodeQL is not enabled" allow { # List all workflows diff --git a/rule-types/github/dependabot_configured.yaml b/rule-types/github/dependabot_configured.yaml index 4f9efd0..cadd8ee 100644 --- a/rule-types/github/dependabot_configured.yaml +++ b/rule-types/github/dependabot_configured.yaml 
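Review bot: `default message := "Cannot verify SLSA provenance"` is the single detail for every way this rule can fail, so the operator cannot tell whether the artifact carried no attestation at all or was signed by a workflow other than `workflow_ref` — the distinction that matters when triaging a provenance failure. Since `workflow_ref` is already a rule in this package, the failing branches of `allow` could set a conditional message, e.g. `message := sprintf("Provenance not signed by expected workflow %v", [workflow_ref]) if { ... }`, and keep the default only as a catch-all. The `allow` rule and its failure conditions are outside this hunk, so which cases exist is inferred from the rule's inputs.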
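Review bot: `default message := "No branch protection rule is set"` does not say which branch was evaluated; branch-protection rules in this set appear to be evaluated per branch, and if the profile exposes the branch name (not visible in this hunk) the detail should carry it, e.g. `message := sprintf("No branch protection rule is set for branch %v", [input.profile.branch])`, the way license.yaml interpolates its filename. The same applies to `Pull requests are not required` in branch_protection_require_pull_requests.yaml.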
@@ -65,6 +65,7 @@ def: package minder default allow := false + default message := "Dependabot is not configured" # Set allow if we don't need to skip and the rule evaluation passes allow { diff --git a/rule-types/github/scorecard_enabled.yaml b/rule-types/github/scorecard_enabled.yaml index 49b0a35..0161f6f 100644 --- a/rule-types/github/scorecard_enabled.yaml +++ b/rule-types/github/scorecard_enabled.yaml @@ -69,6 +69,7 @@ def: package minder default allow := false + default message := "Scorecard Action is not configured for any workflow" allow { # List all workflows diff --git a/rule-types/github/secret_push_protection.yaml b/rule-types/github/secret_push_protection.yaml index affc0fa..68bca7c 100644 --- a/rule-types/github/secret_push_protection.yaml +++ b/rule-types/github/secret_push_protection.yaml @@ -61,6 +61,7 @@ def: default allow := false default skip := false + default message := "Secret push protection is disabled" allow if { input.ingested.security_and_analysis.secret_scanning_push_protection.status == "enabled" diff --git a/rule-types/github/secret_scanning.yaml b/rule-types/github/secret_scanning.yaml index a54042c..f7cf56b 100644 --- a/rule-types/github/secret_scanning.yaml +++ b/rule-types/github/secret_scanning.yaml @@ -60,6 +60,7 @@ def: default allow := false default skip := false + default message := "Secret scanning is disabled" allow if { input.ingested.security_and_analysis.secret_scanning.status == "enabled" diff --git a/rule-types/github/security_insights.yaml b/rule-types/github/security_insights.yaml index 435a4c9..9e5cc7c 100644 --- a/rule-types/github/security_insights.yaml +++ b/rule-types/github/security_insights.yaml @@ -55,6 +55,8 @@ def: import rego.v1 default allow := false + default message := "Security Insights file is missing" + allow if { file.exists(input.profile.filename) } diff --git a/rule-types/github/security_insights_dep_policy.yaml b/rule-types/github/security_insights_dep_policy.yaml index e9a6685..8e193bf 100644 
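Review bot: `default message := "Secret push protection is disabled"` is also the reported detail when `input.ingested.security_and_analysis.secret_scanning_push_protection.status` is absent from the ingested data rather than `"disabled"` (a repository where the feature is not available), since anything other than `"enabled"` falls through to the default; and as a `default` it is presumably still set when `skip` is true. Prefer the weaker `"Secret push protection is not enabled"` as the default and add a second body for the missing-status case, `message := "Secret push protection status not reported by the API" if { not input.ingested.security_and_analysis.secret_scanning_push_protection.status }`. The `skip` rule body is outside this hunk.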
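Review bot: `default message := "Secret scanning is disabled"` asserts a state the rule never observes: `allow` only tests `status == "enabled"`, so a missing `secret_scanning` block (feature unavailable, or a scope-limited token that cannot read `security_and_analysis`) produces the same "disabled" detail as an explicit `"disabled"`. A default of `"Secret scanning is not enabled"` plus a dedicated message when `not input.ingested.security_and_analysis.secret_scanning.status` would stop an authorization gap being reported as a disabled control.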
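Review bot: `default message := "Security Insights file is missing"` omits the path the rule actually checked, even though `input.profile.filename` is used right below in `allow`; a user who configured a non-default path cannot tell from the evaluation which file was expected. Replace the default with `message := sprintf("Security Insights file %v is missing", [input.profile.filename]) if { not file.exists(input.profile.filename) }`, matching how license.yaml reports its filename.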
--- a/rule-types/github/security_insights_dep_policy.yaml +++ b/rule-types/github/security_insights_dep_policy.yaml @@ -59,6 +59,7 @@ def: import rego.v1 default allow := false + default message := "Dependency policy is missing from the Security Insights file" allow if { file.exists(input.profile.filename) diff --git a/rule-types/github/security_policy.yaml b/rule-types/github/security_policy.yaml index 75bf068..842dee5 100644 --- a/rule-types/github/security_policy.yaml +++ b/rule-types/github/security_policy.yaml @@ -40,6 +40,8 @@ def: import rego.v1 default allow := false + default message := "Security policy file is missing" + allow if { file.exists(input.profile.filename) } diff --git a/rule-types/github/trivy_action_enabled.yaml b/rule-types/github/trivy_action_enabled.yaml index 77fbe0b..a6a2b22 100644 --- a/rule-types/github/trivy_action_enabled.yaml +++ b/rule-types/github/trivy_action_enabled.yaml @@ -54,6 +54,7 @@ def: package minder default allow := false + default message := "Trivy action is not enabled" allow { # List all workflows diff --git a/rule-types/gitlab/gitlab_dependency_scanning_enabled.yaml b/rule-types/gitlab/gitlab_dependency_scanning_enabled.yaml index 80327f2..bb5fc7a 100644 --- a/rule-types/gitlab/gitlab_dependency_scanning_enabled.yaml +++ b/rule-types/gitlab/gitlab_dependency_scanning_enabled.yaml @@ -40,6 +40,7 @@ def: package minder default allow := false + default message := "GitLab Dependency Scanning is not enabled" allow { # Read the .gitlab-ci.yml file diff --git a/rule-types/gitlab/gitlab_protect_branch.yaml b/rule-types/gitlab/gitlab_protect_branch.yaml index 1bd2410..2321861 100644 --- a/rule-types/gitlab/gitlab_protect_branch.yaml +++ b/rule-types/gitlab/gitlab_protect_branch.yaml @@ -37,6 +37,7 @@ def: package minder default allow := false + default message := "Branch is not set as protected" allow { # Check that there is at least one protected branch 
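Review bot: `default message := "Dependency policy is missing from the Security Insights file"` is also what the user sees when the file itself does not exist, because `allow` starts with `file.exists(input.profile.filename)` and every failing branch falls back to the same default; that sends them looking for a missing key in a file that is not there. Add a first body `message := sprintf("Security Insights file %v is missing", [input.profile.filename]) if { not file.exists(input.profile.filename) }` and keep the dependency-policy text for the parsed-file case, as license.yaml already does with its two-branch `message`. The remainder of `allow` is outside this hunk.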
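Review bot: `default message := "Security policy file is missing"` should name the path checked by `file.exists(input.profile.filename)`; `message := sprintf("Security policy file %v is missing", [input.profile.filename]) if { not file.exists(input.profile.filename) }` makes the detail actionable when the profile uses a non-default location.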
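Review bot: `default message := "Branch is not set as protected"` describes a single branch, but the `allow` body directly below it (`# Check that there is at least one protected branch`) tests whether any protected branch exists in the project; the accurate detail is `default message := "No protected branches are configured"`. If the rule narrows to a specific branch further down, outside the hunk, name that branch with `sprintf` rather than the bare string.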
diff --git a/rule-types/gitlab/gitlab_require_merge_requests.yaml b/rule-types/gitlab/gitlab_require_merge_requests.yaml index b484e7c..7620d56 100644 --- a/rule-types/gitlab/gitlab_require_merge_requests.yaml +++ b/rule-types/gitlab/gitlab_require_merge_requests.yaml @@ -39,6 +39,7 @@ def: package minder default allow := false + default message := "Merge requests are not required" allow { # Check that there is at least one protected branch
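Review bot: `default message := "Merge requests are not required"` is misleading when the failure comes from the first check in `allow`, `# Check that there is at least one protected branch`: a project with no protected branches at all is reported as if it had protection that merely lacks the merge-request requirement. A conditional first message such as `message := "No protected branches are configured" if { count(input.ingested) == 0 }` — adapting the condition to the ingested shape, which is outside this hunk — would separate the two cases, with the current text kept for the case where protected branches exist but do not require merge requests.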