From bbcd0025c69ff9331d63b150992e4963380ae689 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio
Date: Tue, 27 Feb 2024 12:01:56 +0200
Subject: [PATCH 1/6] Add profile for Stacklok health check
This is a profile meant to verify the general overall health of an organization in an easy way. It does not alert nor remediate by default.
Co-Authored-By: Radoslav Dimitrov
Co-Authored-By: Teodor Yanev
Co-Authored-By: Don Browne
Signed-off-by: Juan Antonio Osorio
---
profiles/github/stacklok-health-check.yaml | 47 ++++++++++++++++++++++
1 file changed, 47 insertions(+)
create mode 100644 profiles/github/stacklok-health-check.yaml
diff --git a/profiles/github/stacklok-health-check.yaml b/profiles/github/stacklok-health-check.yaml
new file mode 100644
index 0000000..39a4a55
--- /dev/null
+++ b/profiles/github/stacklok-health-check.yaml
@@ -0,0 +1,47 @@
+---
+# Stacklok health check profile.
+version: v1
+type: profile
+name: stacklok-health-check
+context:
+ provider: github
+alert: "off"
+remediate: "off"
+repository:
+ - type: actions_check_pinned_tags
+ def:
+ exclude:
+ - slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
+ - type: branch_protection_allow_force_pushes
+ def:
+ allow_force_pushes: false
+ params:
+ branch: main # TODO: make this dynamic
+# TODO: Should we add this?
+# - type: branch_protection_require_pull_request_approving_review_count
+# def:
+# required_approving_review_count: 1
+# params:
+# branch: main # TODO: make this dynamic
+ - type: branch_protection_require_pull_request_dismiss_stale_reviews
+ def:
+ dismiss_stale_reviews: true
+ params:
+ branch: main # TODO: make this dynamic
+ - type: branch_protection_require_pull_requests
+ def:
+ required_pull_request_reviews: true
+ params:
+ branch: main # TODO: make this dynamic
+ - type: default_workflow_permissions
+ def:
+ default_workflow_permissions: read
+ can_approve_pull_request_reviews: false
+# TODO: Should we enable this?
+# artifact:
+# - type: artifact_signature
+# params:
+# sigstore: tuf-repo-cdn.sigstore.dev
+# def:
+# is_signed: true
+# is_verified: true
\ No newline at end of file
From f311ffd36f135abe2b6dbf9eed0fad5873368294 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio
Date: Wed, 28 Feb 2024 17:18:54 +0200
Subject: [PATCH 2/6] Add extra rules from Americas session
Co-Authored-by: Adolfo Garcia Veytia (puerco)
Co-Authored-by: Evan Anderson
Co-Authored-by: Brian Dussault
Signed-off-by: Juan Antonio Osorio
---
profiles/github/stacklok-health-check.yaml | 31 +++++++++++++++++++++++++------
1 file changed, 25 insertions(+), 6 deletions(-)
diff --git a/profiles/github/stacklok-health-check.yaml b/profiles/github/stacklok-health-check.yaml
index 39a4a55..8054bd9 100644
--- a/profiles/github/stacklok-health-check.yaml
+++ b/profiles/github/stacklok-health-check.yaml
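Review bot: The header comment `# Stacklok health check profile.` does not record the design decision the commit message states, namely that this profile only reports and neither alerts nor remediates, so a reader of the file alone sees `alert: "off"` and `remediate: "off"` without knowing the silence is intentional. Suggest `# Stacklok health check profile: reports findings only; alert and remediate are intentionally off by default.` in place of the current header line. The quoted `"off"` values are a good call and worth keeping, since an unquoted `off` would be read as a boolean by YAML 1.1 loaders.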
@@ -8,6 +8,9 @@ context:
 alert: "off"
 remediate: "off"
 repository:
+ # IMPORTANT: This needs to be paired with a rule
+ # that checks that dependabot or renovate (or any other update tool)
+ # is enabled.
 - type: actions_check_pinned_tags
 def:
 exclude:
@@ -17,17 +20,18 @@ repository:
 allow_force_pushes: false
 params:
 branch: main # TODO: make this dynamic
-# TODO: Should we add this?
-# - type: branch_protection_require_pull_request_approving_review_count
-# def:
-# required_approving_review_count: 1
-# params:
-# branch: main # TODO: make this dynamic
 - type: branch_protection_require_pull_request_dismiss_stale_reviews
 def:
 dismiss_stale_reviews: true
 params:
 branch: main # TODO: make this dynamic
+ # TODO: Let's add this to a multi-contributor health check profile
+ - type: branch_protection_require_pull_request_approving_review_count
+ def:
+ required_approving_review_count: 1
+ params:
+ branch: main # TODO: make this dynamic
+ # TODO: Let's add this to a multi-contributor health check profile
 - type: branch_protection_require_pull_requests
 def:
 required_pull_request_reviews: true
@@ -37,6 +41,21 @@ repository:
 def:
 default_workflow_permissions: read
 can_approve_pull_request_reviews: false
+ # TODO: Add rule to check for dependabot or renovate being enabled
+ - type: dockerfile_no_latest_tag
+ def: {}
+ - type: invisible_characters_check
+ def: {}
+ - type: mixed_scripts_check
+ def: {}
+ - type: secret_push_protection
+ def:
+ enabled: true
+ skip_private_repos: true
+ - type: "secret_scanning"
+ def:
+ enabled: true
+ skip_private_repos: true
 # TODO: Should we enable this?
 # artifact:
 # - type: artifact_signature
From 163e8b963a565992fba363945adc259b18e711dd Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio
Date: Tue, 5 Mar 2024 11:55:53 +0200
Subject: [PATCH 3/6] Add final changes
Signed-off-by: Juan Antonio Osorio
---
profiles/github/stacklok-health-check.yaml | 48 +++++++++++++++------------
1 file changed, 20 insertions(+), 28 deletions(-)
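Review bot: In the third hunk, `- type: "secret_scanning"` is the only quoted `type` value in the file; every sibling (`secret_push_protection`, `dockerfile_no_latest_tag`, the branch protection rules) is a plain scalar, so drop the quotes for consistency: `- type: secret_scanning`. Separately, `skip_private_repos: true` on both the `secret_push_protection` and `secret_scanning` rules means private repositories are silently exempt from the only two secret-handling checks in this health profile, which a consumer of the results could misread as coverage. A one-line comment above the two rules giving the reason for the exemption would make that gap explicit, e.g. `# Private repos are skipped: these GitHub features presumably need an extra plan there - confirm and revisit.`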
diff --git a/profiles/github/stacklok-health-check.yaml b/profiles/github/stacklok-health-check.yaml
index 8054bd9..eb1936d 100644
--- a/profiles/github/stacklok-health-check.yaml
+++ b/profiles/github/stacklok-health-check.yaml
@@ -8,9 +8,6 @@ context:
 alert: "off"
 remediate: "off"
 repository:
- # IMPORTANT: This needs to be paired with a rule
- # that checks that dependabot or renovate (or any other update tool)
- # is enabled.
 - type: actions_check_pinned_tags
 def:
 exclude:
@@ -25,29 +22,27 @@ repository:
 dismiss_stale_reviews: true
 params:
 branch: main # TODO: make this dynamic
- # TODO: Let's add this to a multi-contributor health check profile
- - type: branch_protection_require_pull_request_approving_review_count
- def:
- required_approving_review_count: 1
- params:
- branch: main # TODO: make this dynamic
- # TODO: Let's add this to a multi-contributor health check profile
- - type: branch_protection_require_pull_requests
- def:
- required_pull_request_reviews: true
- params:
- branch: main # TODO: make this dynamic
 - type: default_workflow_permissions
 def:
 default_workflow_permissions: read
 can_approve_pull_request_reviews: false
- # TODO: Add rule to check for dependabot or renovate being enabled
+ - type: dependabot_configured
+ name: go_dependabot
+ def:
+ package_ecosystem: gomod
+ apply_if_file: go.mod
+ - type: dependabot_configured
+ name: npm_dependabot
+ def:
+ package_ecosystem: npm
+ apply_if_file: package.json
+ - type: dependabot_configured
+ name: pypi_dependabot
+ def:
+ package_ecosystem: pypi
+ apply_if_file: requirements.txt
 - type: dockerfile_no_latest_tag
 def: {}
- - type: invisible_characters_check
- def: {}
- - type: mixed_scripts_check
- def: {}
 - type: secret_push_protection
 def:
 enabled: true
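Review bot: The new `dependabot_configured` rules in the second hunk cover `gomod`, `npm` and `pypi`, but none covers Dependabot's `github-actions` ecosystem, which is the pairing the comment removed in the first hunk asked for: `actions_check_pinned_tags` drives repositories toward pinning actions by commit SHA, and without an updater for those pins they quietly go stale. Adding a fourth rule for that ecosystem would close the gap, provided the rule type accepts that `package_ecosystem` value (confirm against its schema) and provided `apply_if_file` can express a workflows directory rather than a single file, which the three siblings do not show. Also, `apply_if_file: requirements.txt` on `pypi_dependabot` means a Python project that declares dependencies only in `pyproject.toml` is never checked; a second pypi rule keyed on that file, or a comment noting the limitation, would help. The `repository` list this hunk belongs to starts before the hunk.
```yaml
  # … unchanged: go_dependabot, npm_dependabot, pypi_dependabot rules …
  - type: dependabot_configured
    name: actions_dependabot
    def:
      package_ecosystem: github-actions  # Dependabot's ecosystem name; confirm the rule type accepts it
      apply_if_file: .github/workflows  # confirm: siblings pass a file path, not a directory
```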
@@ -56,11 +51,8 @@ repository:
 def:
 enabled: true
 skip_private_repos: true
-# TODO: Should we enable this?
-# artifact:
-# - type: artifact_signature
-# params:
-# sigstore: tuf-repo-cdn.sigstore.dev
-# def:
-# is_signed: true
-# is_verified: true
\ No newline at end of file
+pull_request:
+ - type: invisible_characters_check
+ def: {}
+ - type: mixed_scripts_check
+ def: {}
From 43312fce257daa313fd3900c414be77f937bce46 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio
Date: Thu, 7 Mar 2024 12:49:05 +0200
Subject: [PATCH 4/6] Remove `main` hardcoding
Signed-off-by: Juan Antonio Osorio
---
profiles/github/stacklok-health-check.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/profiles/github/stacklok-health-check.yaml b/profiles/github/stacklok-health-check.yaml
index eb1936d..29e40ff 100644
--- a/profiles/github/stacklok-health-check.yaml
+++ b/profiles/github/stacklok-health-check.yaml
@@ -16,12 +16,12 @@ repository:
 def:
 allow_force_pushes: false
 params:
- branch: main # TODO: make this dynamic
+ branch: ""
 - type: branch_protection_require_pull_request_dismiss_stale_reviews
 def:
 dismiss_stale_reviews: true
 params:
- branch: main # TODO: make this dynamic
+ branch: ""
 - type: default_workflow_permissions
 def:
 default_workflow_permissions: read
From 01bf827efff0ea494775626cc722da8334e96306 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio
Date: Thu, 7 Mar 2024 12:53:49 +0200
Subject: [PATCH 5/6] Fix issues in profile
Signed-off-by: Juan Antonio Osorio
---
profiles/github/stacklok-health-check.yaml | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/profiles/github/stacklok-health-check.yaml b/profiles/github/stacklok-health-check.yaml
index 29e40ff..17f5803 100644
--- a/profiles/github/stacklok-health-check.yaml
+++ b/profiles/github/stacklok-health-check.yaml
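Review bot: In the PATCH 4/6 hunk, `branch: ""` replaces the hard-coded `main` with an empty string whose meaning is stated nowhere in the file, so a reader cannot tell whether it selects the repository's default branch or switches the branch parameter off, and the `# TODO: make this dynamic` comment that carried the intent is dropped at the same time. Add an inline comment on both occurrences, e.g. `branch: ""  # empty selects the repository's default branch - confirm against the rule type`. The same applies to the three `schedule_interval: ""` values added in PATCH 5/6 of this series, which also carry no explanation of what an empty interval means.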
@@ -30,16 +30,19 @@ repository:
 name: go_dependabot
 def:
 package_ecosystem: gomod
+ schedule_interval: ""
 apply_if_file: go.mod
 - type: dependabot_configured
 name: npm_dependabot
 def:
 package_ecosystem: npm
+ schedule_interval: ""
 apply_if_file: package.json
 - type: dependabot_configured
 name: pypi_dependabot
 def:
 package_ecosystem: pypi
+ schedule_interval: ""
 apply_if_file: requirements.txt
 - type: dockerfile_no_latest_tag
 def: {}
@@ -54,5 +57,7 @@ repository:
 pull_request:
 - type: invisible_characters_check
 def: {}
+ params: {}
 - type: mixed_scripts_check
 def: {}
+ params: {}
From 770989dc38ce83b52c6099ddf5f3dd710e0b742b Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio
Date: Thu, 7 Mar 2024 13:04:09 +0200
Subject: [PATCH 6/6] Add comment about exclusion
Signed-off-by: Juan Antonio Osorio
---
profiles/github/stacklok-health-check.yaml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/profiles/github/stacklok-health-check.yaml b/profiles/github/stacklok-health-check.yaml
index 17f5803..0831337 100644
--- a/profiles/github/stacklok-health-check.yaml
+++ b/profiles/github/stacklok-health-check.yaml
@@ -11,6 +11,9 @@ repository:
 - type: actions_check_pinned_tags
 def:
 exclude:
+ # generator_generic_slsa3 does not support pinning and will fail to retrieve the
+ # generator binary. We need to exclude it from pinning because of this.
+ # See https://github.com/slsa-framework/slsa-github-generator/issues/2993
 - slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
 - type: branch_protection_allow_force_pushes
 def:
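Review bot: In the PATCH 6/6 hunk, the new comment explains why `generator_generic_slsa3.yml` is excluded but not that the exclusion is keyed to the exact ref `@v1.9.0`, so if `exclude` matches entries literally (which the hunk suggests but does not prove) a bump of the generator version makes `actions_check_pinned_tags` fire again until this entry is updated. Saying so keeps the next maintainer from "fixing" that by widening the entry to an unversioned pattern, which would permanently exempt a workflow that pulls a release binary at run time. Suggest appending `# The exclusion is deliberately version-specific: update the ref (and re-check the linked issue) whenever the generator is upgraded.` to the comment block. The `exclude` list is the only place in the profile where the pin check is relaxed, so the rationale is worth keeping complete.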