diff --git a/profiles/github/stacklok-health-check.yaml b/profiles/github/stacklok-health-check.yaml new file mode 100644 index 0000000..0831337 --- /dev/null +++ b/profiles/github/stacklok-health-check.yaml @@ -0,0 +1,66 @@ +--- +# Stacklok health check profile. +version: v1 +type: profile +name: stacklok-health-check +context: + provider: github +alert: "off" +remediate: "off" +repository: + - type: actions_check_pinned_tags + def: + exclude: + # generator_generic_slsa3 does not support pinning and will fail to retrieve the + # generator binary. We need to exclude it from pinning because of this. + # See https://github.com/slsa-framework/slsa-github-generator/issues/2993 + - slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 + - type: branch_protection_allow_force_pushes + def: + allow_force_pushes: false + params: + branch: "" + - type: branch_protection_require_pull_request_dismiss_stale_reviews + def: + dismiss_stale_reviews: true + params: + branch: "" + - type: default_workflow_permissions + def: + default_workflow_permissions: read + can_approve_pull_request_reviews: false + - type: dependabot_configured + name: go_dependabot + def: + package_ecosystem: gomod + schedule_interval: "" + apply_if_file: go.mod + - type: dependabot_configured + name: npm_dependabot + def: + package_ecosystem: npm + schedule_interval: "" + apply_if_file: package.json + - type: dependabot_configured + name: pypi_dependabot + def: + package_ecosystem: pypi + schedule_interval: "" + apply_if_file: requirements.txt + - type: dockerfile_no_latest_tag + def: {} + - type: secret_push_protection + def: + enabled: true + skip_private_repos: true + - type: "secret_scanning" + def: + enabled: true + skip_private_repos: true +pull_request: + - type: invisible_characters_check + def: {} + params: {} + - type: mixed_scripts_check + def: {} + params: {}