Initial OpenSSF baseline profile #131
Conversation
This commit checks in the skeleton of a profile to comply with the OpenSSF's Security Baseline with comments to track completeness. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
| --- | ||
| version: v1 | ||
| type: rule-type | ||
| name: security_insights |
There was a problem hiding this comment.
This is a new rule and our CI will keep failing if we don't have either a test or an explicit skip placeholder. I recently added the placeholders for new rules in https://github.com/stacklok/minder-smoke-tests/commit/b69aadacb35dfd34221ae9d38cb71504cb8236a6 and https://github.com/stacklok/minder-smoke-tests/commit/4d89d22575a19575bf781ca27a9b7ab6539e38b4
There was a problem hiding this comment.
OK, I opened this but ill write the tests as well
https://github.com/stacklok/minder-smoke-tests/pull/189
| params: | ||
| branch: "main" | ||
| def: | ||
| required_approving_review_count: 2 |
There was a problem hiding this comment.
Yes , there is an exception clause when projects have few maintainers ;/
| # (TODO) Pinned dependencies | ||
|
|
||
| # Pinned dependencies | ||
| # This rule tells Minder to run Grizbee (https://github.com/stacklok/frizbee/) |
There was a problem hiding this comment.
Grizbee sounds like some energy drink with so much caffeine it's only sold on the black market :-)
There was a problem hiding this comment.
Fixed, but you have to admit it sounded cool :)
|
thanks for the work @puerco ! I left some comment inline - it's mostly that we developed some conventions over the months and they are not really visible for someone who's not been following the development. But overall this looks great! |
This commit adds a rule type to check for a security insights file and adds it to the baseline profile. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
This commit adds a check to verify that the security insights file has a dependency policy entry. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
|
Comments are addressed here, I'm closing this PR and reopening in #136 which is not from my fork |
This commit introduces the first draft of the security baseline profile. It introduces three simple ruletypes: Check for a security policy file, check for a security insights file and check for a dependency policy in the Si file.