-
Notifications
You must be signed in to change notification settings - Fork 13
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Baseline: Add dependency policy check
This commit adds a check to verify that the security insights file has a dependency policy entry. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
- Loading branch information
Showing
2 changed files
with
70 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,68 @@ | ||
| --- | ||
| version: v1 | ||
| type: rule-type | ||
| name: security_insights_dep_policy | ||
| severity: | ||
| value: low | ||
| context: | ||
| provider: github | ||
| description: | | ||
| Parses the repository's `SECURITY_INSIGHTS.yaml` file and looks for a | ||
| pointer to a dependency policy. | ||
| [Security Insights](https://github.com/ossf/security-insights-spec/) is a | ||
| specification that lets projects publish data and pointers to resources about | ||
| the repository, maintainers, releases and other security aspects in a | ||
| machine-readable format to make it easy for automated tools to locate them. | ||
| This ruletype parses the security insights yaml and checks for a pointer to | ||
| the dependencies policy (`policy-url`). No attempt to retrieve it is done. | ||
| guidance: | | ||
| If you have a security insights file (defaults to `SECURITY-INSIGHTS.yml`), | ||
| ensure that the dependency policy field is defined | ||
| (`dependencies.env-dependencies-policy.policy-url`). | ||
| For more information on how to create one, refer to the SI specification at | ||
| https://github.com/ossf/security-insights-spec/ | ||
| def: | ||
| # Defines the section of the pipeline the rule will appear in. | ||
| # This will affect the template used to render multiple parts | ||
| # of the rule. | ||
| in_entity: repository | ||
| # Defines the schema for writing a rule with this rule being checked | ||
| # In this case there are no settings that need to be configured | ||
| rule_schema: | ||
| type: object | ||
| properties: | ||
| filename: | ||
| type: string | ||
| description: | | ||
| The path to the Security Insights file | ||
| default: SECURITY-INSIGHTS.yml | ||
| required: | ||
| - filename | ||
| # Defines the configuration for ingesting data relevant for the rule | ||
| ingest: | ||
| type: git | ||
| git: {} | ||
| eval: | ||
| type: rego | ||
| rego: | ||
| type: deny-by-default | ||
| def: | | ||
| package minder | ||
| import rego.v1 | ||
| default allow := false | ||
| allow if { | ||
| file.exists(input.profile.filename) | ||
| sifile := file.read(input.profile.filename) | ||
| si := yaml.unmarshal(sifile) | ||
| si.dependencies["env-dependencies-policy"]["policy-url"] != "" | ||
| } | ||
| # Defines the configuration for alerting on the rule | ||
| alert: | ||
| type: security_advisory | ||
| security_advisory: {} |