-
Notifications
You must be signed in to change notification settings - Fork 13
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
- Loading branch information
Showing
1 changed file
with
135 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,135 @@ | ||
| --- | ||
| version: v1 | ||
| type: rule-type | ||
| name: artifact_signature | ||
| context: | ||
| provider: github | ||
| description: | | ||
| Verifies a provenance attestation with a GitHub build definition matches the | ||
| expected values. | ||
| guidance: | | ||
| Provenance attestation capture the build environment and parameters where a | ||
| software artifact was created. By controlling the build environment, developers | ||
| can make sure no malicious artifacts where injected into the build process. | ||
| def: | ||
| # Defines the section of the pipeline the rule will appear in. | ||
| # This will affect the template used to render multiple parts | ||
| # of the rule. | ||
| in_entity: artifact | ||
| # Defines the schema for parameters that will be passed to the rule | ||
| param_schema: | ||
| type: object | ||
| properties: | ||
| name: | ||
| type: string | ||
| description: "The name of the artifact to check." | ||
| tags: | ||
| "type": array | ||
| "items": { | ||
| "type": "string" | ||
| } | ||
| description: "The tags of the artifact to check. Must be a subset of the tags the artifact has" | ||
| tag_regex: | ||
| type: string | ||
| description: "The regex to match the tags of the artifact to check. Conflicts with tags." | ||
| type: | ||
| "type": string | ||
| "default": "container" | ||
| "enum": ["container"] | ||
| description: "The type of artifact to check. Currently only container is supported." | ||
| sigstore: | ||
| type: string | ||
| description: "URL of the sigstore TUF root to use for verification." | ||
| default: "tuf-repo-cdn.sigstore.dev" | ||
| required: | ||
| - tags | ||
| # Defines the schema for writing a rule with this rule being checked | ||
| rule_schema: | ||
| type: "object" | ||
| properties: | ||
| event: | ||
| type: array | ||
| description: "Events allowed to trigger a build" | ||
| enum: | ||
| - worflow_dispatch | ||
| - push | ||
| default: ["worflow_dispatch", "push"] | ||
| workflow_repository: | ||
| type: string | ||
| description: "Tepository expected to produce the artifact, i.e. https://github.com/stacklok/minder" | ||
| workflow_ref: | ||
| type: string | ||
| description: "The git reference of the executed workflow" | ||
| is_verified: | ||
| type: boolean | ||
| description: "Set to true to enforce artifact signature being verified." | ||
| signer_identity: | ||
| type: string | ||
| description: "Set the signer identity that is expected to produce the artifact, i.e. docker-image-build-push.yml or an email address" | ||
| runner_environment: | ||
| type: string | ||
| description: "Set the runner environment that is expected to produce the artifact, i.e. github-hosted" | ||
| allowed_workflow: | ||
| type: boolean | ||
| description: "Set to true to enforce checking if the workflow that build this artifact is part of the allowed workflows" | ||
| cert_issuer: | ||
| type: string | ||
| description: "Set the certificate issuer that is expected to produce the artifact provenance, i.e. https://token.actions.githubusercontent.com" | ||
| # Defines the configuration for ingesting data relevant for the rule | ||
| ingest: | ||
| type: artifact | ||
| # Currently no configuration | ||
| artifact: {} | ||
| # Defines the configuration for evaluating data ingested against the given profile | ||
| eval: | ||
| type: rego | ||
| rego: | ||
| type: deny-by-default | ||
| def: | | ||
| package minder | ||
| import rego.v1 | ||
| default allow := false | ||
| allow if { | ||
| some artifact in input.ingested | ||
| artifact.Verification.attestation.predicate_type == "https://slsa.dev/provenance/v1" | ||
| # These parameters only apply when the slsa attestation has a | ||
| # buildDefinition.buildType of https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1 | ||
| # Check the external parameters | ||
| artifact.Verification.attestation.predicate.buildDefinition.externalParameters.workflow.path == ".github/workflows/build-image-signed-ghat.yml" | ||
| artifact.Verification.attestation.predicate.buildDefinition.externalParameters.workflow.ref == "refs/heads/main" | ||
| artifact.Verification.attestation.predicate.buildDefinition.externalParameters.workflow.repository == "https://github.com/jakubtestorg/good-repo-go" | ||
| # Internal parameters | ||
| # Event is anm arrau | ||
| artifact.Verification.attestation.predicate.buildDefinition.internalParameters.github.event_name == "workflow_dispatch" | ||
| } | ||
| #every artifactVersion in input.ingested { | ||
| # some x in artifactVersion.Verification.attestation.predicateType | ||
| # x == "https://slsa.dev/provenance/v1" | ||
| ##artifactVersion.Verification.attestation.predicateType == "https://slsa.dev/provenance/v1" { | ||
| # artifactVersion.Verification["is_signed"] | ||
| #} | ||
| #} | ||
| #allow if { | ||
| # every artifactVersion in input.ingested { | ||
| # if artifactVersion.Verification.attestation.predicateType == "https://slsa.dev/provenance/v1" { | ||
| # artifactVersion.Verification["is_signed"] | ||
| # } | ||
| ## #every key, value in input.profile { | ||
| # # # artifactVersion.Verification[key] == value | ||
| # #} | ||
| # } | ||
| #} | ||
| # Defines the configuration for alerting on the rule | ||
| alert: | ||
| type: security_advisory | ||
| security_advisory: | ||
| severity: "medium" |