Rule to invoke Bandit from webservice running on Cloud Run #225

Draft: wants to merge 1 commit into base: main
68 changes: 68 additions & 0 deletions rule-types/github/pr_bandit.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,68 @@
# NOTE: This rule leverages the `http.send` function and a Cloud Run service
# https://banditize-562949304223.us-central1.run.app, which is built from
# https://github.com/evankanderson/banditize

# This also requires https://github.com/mindersec/minder/pull/5181 to be merged,
# and the `pr_comment_alert` feature flag enabled.
---
version: v1
type: rule-type
name: pr_bandit
severity:
value: medium
context:
provider: github
release_phase: alpha
description: |
Detects new python static analysis findings in a pull request.

This rule uses https://github.com/PyCQA/bandit as a code scanner,
running it against the base and head branches of a pull request to
detect new security issues.
guidance: |
This pull request introduces new issues detected by the Bandit static
code scanner. Generally, these indicate risky software patterns which
should be addressed before merging the pull request.
def:
in_entity: pull_request
rule_schema:
type: object
properties: {}
ingest:
type: git
git: {}
# Defines the configuration for evaluating data ingested against the given profile
eval:
type: rego
rego:
type: constraints
def: |
package minder
import rego.v1

base_tar := base_file.archive(["."])
head_tar := file.archive(["."])

resp := http.send({
"method": "POST",
"url": "https://banditize-562949304223.us-central1.run.app/pull",
"headers": {
"Content-Type": "application/json",
},
"body": {
"base": base64.encode(base_tar),
"head": base64.encode(head_tar),
},
})

violations contains {"msg": resp.body.simpleFindings} if resp.body.simpleFindings != ""
# violations contains {"msg": "Always fail"}

# violations contains {"msg": json.marshal(resp)}
alert:
type: pull_request_comment
pull_request_comment:
review_message: |
[Bandit](https://bandit.readthedocs.io/) found new issues in this pull request. Please review and address them before merging.

You'll need to run `minder profile status list -n Test-Bandit --detailed -o json | jq -r '.ruleEvaluationStatus[0].details'` to get the actual errors.
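Review bot: the `http.send` call in the `rego.def` block reads `resp.body.simpleFindings` without first checking `resp.status_code`, so a non-2xx reply, an outage of the Cloud Run service, or a non-JSON body will either raise an evaluation error or silently produce no violation rather than a clear failure; guard the rule with a check on `resp.status_code == 200` (and consider `raise_error: false` plus an explicit violation for a failed call, so scan failures do not pass as "no findings"). The same request also ships `base64.encode(base_tar)` and `base64.encode(head_tar)`, i.e. the full base and head archives of the repository, to an external, personally-hosted endpoint (`https://banditize-562949304223.us-central1.run.app/pull`) with no authentication header; for anything beyond a draft, the endpoint, its trust boundary and the fact that the whole tree leaves the evaluation environment belong in `description`/`guidance`, and an authenticated, organization-controlled service should be used. Smaller points: the prerequisites in the top comment (mindersec/minder PR 5181 and the `pr_comment_alert` feature flag) are not surfaced anywhere a profile author would see them; the leftover debug lines `# violations contains {"msg": "Always fail"}` and `# violations contains {"msg": json.marshal(resp)}` should be dropped before this leaves draft; and `review_message` hard-codes the profile name `Test-Bandit` in the suggested `minder profile status list -n Test-Bandit ...` command, which will be wrong for any profile not named that.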