Merge branch 'main' into enforce_file

mindersec · Jan 8, 2025 · e4e4086 · e4e4086
2 parents 512d01b + cbcd86c
commit e4e4086
Show file tree

Hide file tree

Showing 22 changed files with 1,586 additions and 499 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -5,3 +5,8 @@ updates:
     schedule:
       interval: "weekly"
     open-pull-requests-limit: 10
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -17,6 +17,7 @@ jobs:
           scanners: vuln,secret
           exit-code: 1
           ignore-unfixed: true
+          severity: 'CRITICAL'
         env:
           TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
           TRIVY_USERNAME: ${{ github.actor }}

diff --git a/go.mod b/go.mod
diff --git a/go.sum b/go.sum
diff --git a/rule-types/common/require_pre_commit_to_be_configured.test.yaml b/rule-types/common/require_pre_commit_to_be_configured.test.yaml
@@ -0,0 +1,19 @@
+tests:
+  - name: "Should have at least one pre-commit hook configured"
+    def: {}
+    params: {}
+    expect: "pass"
+    git:
+      repo_base: correct
+  - name: "Should fail pre-commit is not configured with at least one hook"
+    def: {}
+    params: {}
+    expect: "fail"
+    git:
+      repo_base: misconfigured
+  - name: "Should fail is pre-commit is not configured at all"
+    def: {}
+    params: {}
+    expect: "fail"
+    git:
+      repo_base: empty
diff --git a/...types/common/require_pre_commit_to_be_configured.testdata/correct/.pre-commit-config.yaml b/...types/common/require_pre_commit_to_be_configured.testdata/correct/.pre-commit-config.yaml
@@ -0,0 +1,13 @@
+repos:
+-   repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v3.2.0
+    hooks:
+    -   id: trailing-whitespace
+    -   id: end-of-file-fixer
+    -   id: check-yaml
+    -   id: check-added-large-files
+
+-   repo: https://github.com/tenable/terrascan
+    rev: 'v1.28.0'
+    hooks:
+      - id: terraform-pre-commit
diff --git a/...common/require_pre_commit_to_be_configured.testdata/misconfigured/.pre-commit-config.yaml b/...common/require_pre_commit_to_be_configured.testdata/misconfigured/.pre-commit-config.yaml
@@ -0,0 +1,4 @@
+repos:
+-   repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v3.2.0
+    hooks: []
diff --git a/rule-types/common/require_pre_commit_to_be_configured.yaml b/rule-types/common/require_pre_commit_to_be_configured.yaml
@@ -0,0 +1,53 @@
+---
+version: v1
+release_phase: alpha
+type: rule-type
+name: require_pre_commit_to_be_configured
+display_name: Require pre-commit to be installed
+short_failure_message: pre-commit configuration file missing
+severity:
+  value: medium
+context: {}
+description: |
+  Verifies that `pre-commit` is installed in the repository
+guidance: |
+  Ensure that (pre-commit)[https://pre-commit.com/] is configured in a repository.
+
+def:
+  in_entity: repository
+  rule_schema:
+    type: object
+    properties: {}
+  ingest:
+    type: git
+    git: {}
+  eval:
+    type: rego
+    rego:
+      type: deny-by-default
+      def: |
+        package minder
+        import future.keywords.if
+        import future.keywords.every
+
+        default message := "pre-commit configuration file missing"
+        default allow := false
+
+        
+        # pre-commit hook
+        precommit := file.read(".pre-commit-config.yaml")
+        
+        parsed_data := parse_yaml(precommit)
+
+        allow if {
+          some repo_id, hook_id
+          repo_data := parsed_data.repos[repo_id]
+          hooks = repo_data["hooks"]
+
+          hooks[hook_id]
+        }
+
+        message := "" if allow
+  alert:
+    type: security_advisory
+    security_advisory: {}
diff --git a/rule-types/github/repo_visibility.test.yaml b/rule-types/github/repo_visibility.test.yaml
@@ -0,0 +1,47 @@
+tests:
+  - name: "Should be public"
+    def:
+      visibility: "public"
+    params: {}
+    expect: "pass"
+    entity: &test-repo
+      type: repository
+      entity:
+        owner: "coolhead"
+        name: "haze-wave"    
+    http:
+      body_file: public.json
+  - name: "Should be private"
+    def:
+      visibility: "private"
+    params: {}
+    expect: "pass"
+    entity: *test-repo    
+    http:
+      body_file: private.json
+  - name: "Should be public"
+    def:
+      visibility: "public"
+    params: {}
+    expect: "fail"
+    entity: *test-repo    
+    http:
+      body_file: private.json      
+  - name: "Not found should fail"
+    def: 
+      visibility: "public"
+    params: {}
+    expect: "fail"
+    entity: *test-repo    
+    http:
+      status: 404
+      body_file: notfound.json
+  - name: "Internal server error should fail"
+    def: {}
+    params: {}
+    expect: "fail"
+    entity: *test-repo    
+    http:
+      status: 500
+      body: |
+        { "message": "Internal server error" }
diff --git a/rule-types/github/repo_visibility.testdata/notfound.json b/rule-types/github/repo_visibility.testdata/notfound.json
@@ -0,0 +1,5 @@
+{
+  "message": "Not Found",
+  "documentation_url": "https://docs.github.com/rest/repos/repos#get-a-repository",
+  "status": "404"
+}