Merge branch 'main' into add-metrics-to-reminder

.github/dependabot.yml

@@ -25,6 +25,10 @@ updates:
     directory: "docs"
     schedule:
       interval: "daily"
+    groups:
+      docusaurus:
+        patterns:
+          - "*docusaurus*"
     ignore:
       # facebook/docusaurus#4029 suggests MDX v2 will only be in the v3 release.
       # facebook/docusaurus#9053 has some more details on the migration.

.github/workflows/build.yml

@@ -11,7 +11,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Extract version of Go to use
         run: echo "GOVERSION=$(sed -n 's/^go \([0-9.]*\)/\1/p' go.mod)" >> $GITHUB_ENV
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
       - name: build

.github/workflows/chart-publish.yml

@@ -29,7 +29,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Setup Go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
       - uses: ko-build/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7

.github/workflows/codeql.yml

@@ -46,12 +46,12 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Setup Go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: ./go.mod
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3
+        uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3
         with:
           languages: ${{ matrix.language }}
           build-mode: manual
@@ -69,6 +69,6 @@ jobs:
       #     echo "Run, Build Application using script"
       #     ./location_of_script_within_repo/buildscript.sh
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3
+        uses: github/codeql-action/analyze@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/compose-migrate.yml

@@ -14,7 +14,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Setup Go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
       - name: Install ko

.github/workflows/generation.yml

@@ -58,7 +58,7 @@ jobs:
       - name: Check out code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Set up Go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: "go.mod"
       - name: Make bootstrap

.github/workflows/image-build.yml

@@ -11,7 +11,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Setup Go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
       - uses: ko-build/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7
@@ -33,7 +33,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Setup Go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
       - uses: ko-build/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7
@@ -54,10 +54,10 @@ jobs:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
       - name: Test build on x86
         id: docker_build
-        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
         with:
           context: .
           file: ./docker/minder/Dockerfile

.github/workflows/license-check.yml

@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: "go.mod"
       - name: Install addlicense

.github/workflows/lint.yml

@@ -21,7 +21,7 @@ jobs:
       checks: write
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
           cache: false
@@ -33,7 +33,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
           cache: false

.github/workflows/pr-check.yml

@@ -4,7 +4,7 @@
 name: Pull Request Validation
 on:
   pull_request:
-    types: [opened, edited, reopened]
+    types: [opened, edited, reopened, synchronize]
 jobs:
   check-pr-content:
     runs-on: ubuntu-latest

.github/workflows/releaser.yml

@@ -50,17 +50,17 @@ jobs:
         with:
           fetch-depth: 0
       - name: Setup Go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
           cache: true
       - name: Install Syft
-        uses: anchore/sbom-action/download-syft@1ca97d9028b51809cf6d3c934c3e160716e1b605 # v0.17.5
+        uses: anchore/sbom-action/download-syft@df80a981bc6edbc4e220a492d3cbe9f5547a6e75 # v0.17.9
       - name: Install Cosign
         uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
       - name: Run GoReleaser
         id: run-goreleaser
-        uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
+        uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
         with:
           distribution: goreleaser
           version: "~> v2"

.github/workflows/security.yml

@@ -12,7 +12,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Code Security Scan
-        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
         with:
           scan-type: 'fs'
           scanners: vuln,secret
@@ -25,7 +25,7 @@ jobs:
           TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Helm Security Scan
-        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
         if: always()
         with:
           scan-type: 'config'

.github/workflows/test.yml

@@ -14,7 +14,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       # Install Go on the VM running the action.
       - name: Set up Go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
       - name: Set up helm (test dependency)
@@ -53,7 +53,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       # Install Go on the VM running the action.
       - name: Set up Go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: 'go.mod'
       - name: Run `make bootstrap`

.github/workflows/update-docs-cli.yml

@@ -16,7 +16,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Set up Go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: "go.mod"
       - name: Update documentation
@@ -34,7 +34,7 @@ jobs:
           echo "commit_date=$COMMIT_DATE" >> $GITHUB_OUTPUT
           echo "commit_author=$COMMIT_AUTHOR" >> $GITHUB_OUTPUT
       - name: Commit and push changes
-        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
+        uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6
         with:
           commit-message: Update documentation
           committer: GitHub <[email protected]>

.github/workflows/update-docs-dbschema.yml

@@ -30,7 +30,7 @@ jobs:
           echo "commit_date=$COMMIT_DATE" >> $GITHUB_OUTPUT
           echo "commit_author=$COMMIT_AUTHOR" >> $GITHUB_OUTPUT
       - name: Commit and push changes
-        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
+        uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6
         with:
           commit-message: Update DB schema
           committer: GitHub <[email protected]>

.github/workflows/update-docs-helm.yml

@@ -20,7 +20,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Set up Go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: "go.mod"
       - name: install helm-docs
@@ -42,7 +42,7 @@ jobs:
           echo "commit_date=$COMMIT_DATE" >> $GITHUB_OUTPUT
           echo "commit_author=$COMMIT_AUTHOR" >> $GITHUB_OUTPUT
       - name: Commit and push changes
-        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
+        uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6
         with:
           commit-message: Update helm documentation
           committer: GitHub <[email protected]>

.gitignore

@@ -44,7 +44,6 @@ Thumbs.db
 .tool-versions
 
 # Minder-specific files
-.ssh/
 cmd/server/__debug_bin
 .resolved-compose.yaml
 .github_client_id/

.goreleaser.yaml

@@ -47,14 +47,14 @@ archives:
 # This section defines how to release to winget.
 winget:
   - name: minder
-    publisher: stacklok
+    publisher: mindersec
     license: Apache-2.0
     license_url: "https://github.com/mindersec/minder/blob/main/LICENSE"
-    copyright: Stacklok, Inc.
-    homepage: https://stacklok.com
-    short_description: 'minder is the client CLI for interacting with Minder by Stacklok.'
+    copyright: Minder
+    homepage: https://mindersec.github.io/
+    short_description: 'minder is the client CLI for interacting with Minder'
     publisher_support_url: "https://github.com/mindersec/minder/issues/new/choose"
-    package_identifier: "stacklok.minder"
+    package_identifier: "mindersec.minder"
     url_template: "https://github.com/mindersec/minder/releases/download/{{ .Tag }}/{{ .ArtifactName }}"
     skip_upload: auto
     release_notes: "{{.Changelog}}"
@@ -66,7 +66,7 @@ winget:
       email: [email protected]
     goamd64: v1
     repository:
-      owner: stacklok
+      owner: mindersec
       name: winget-pkgs
       branch: "minder-{{.Version}}"
       token: "{{ .Env.WINGET_GITHUB_TOKEN }}"

.mk/develop.mk

@@ -21,8 +21,8 @@ run-server: ## run the app
 .PHONY: run-docker-teardown
 run-docker-teardown: ## teardown the docker compose environment
 ifeq ($(RUN_DOCKER_NO_TEARDOWN),false)
-	@echo "Running docker compose down"
-	@$(COMPOSE) down
+	@echo "Running docker compose down $(services)..."
+	@$(COMPOSE) down $(services)
 else
 	@echo "Skipping docker compose down"
 endif
@@ -42,7 +42,7 @@ run-docker: run-docker-teardown ## run the app under docker compose
 .PHONY: stop-docker
 stop-docker: ## stop the app under docker compose
 	@echo "Running docker compose down $(services)..."
-	@$(COMPOSE) down
+	@$(COMPOSE) down $(services)
 
 .PHONY: pre-commit
 pre-commit:	## run pre-commit hooks

.mk/test.mk

@@ -4,8 +4,8 @@
 # exclude auto-generated DB code as well as mocks
 # in future, we may want to parse these from a file instead of hardcoding them
 # in the Makefile
-COVERAGE_EXCLUSIONS="internal/db\|/mock/\|internal/auth/keycloak/client\|internal/proto"
-COVERAGE_PACKAGES=./internal/...
+COVERAGE_EXCLUSIONS="internal/db\|/mock/\|internal/auth/keycloak/client\|internal/proto\|pkg/api\|pkg/testkit"
+COVERAGE_PACKAGES=./internal/...,./pkg/...
 
 .PHONY: clean
 clean:: ## clean up environment

.trivy.yml

@@ -13,3 +13,5 @@ scan:
   # Default is empty
   skip-dirs:
     - docs/
+    - ".cache/trivy/"
+    - internal/engine/ingester/deps/testdata/

.trivyignore.yaml

@@ -0,0 +1,5 @@
+vulnerabilities:
+  - id: CVE-2024-42473
+  # We actually use go-tuf v2. v0.7.0 (which is vulnerable) is merely
+  # a transitive dependency and we're not affected by the CVE.
+  - id: CVE-2024-47534

README.md

@@ -3,7 +3,7 @@
 [![Continuous integration](https://github.com/mindersec/minder/actions/workflows/main.yml/badge.svg)](https://github.com/mindersec/minder/actions/workflows/main.yml) | [![Coverage Status](https://coveralls.io/repos/github/mindersec/minder/badge.svg?branch=main)](https://coveralls.io/github/mindersec/minder?branch=main) | [![License: Apache 2.0](https://img.shields.io/badge/License-Apache2.0-brightgreen.svg)](https://opensource.org/licenses/Apache-2.0) | [![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev) | [![](https://dcbadge.vercel.app/api/server/RkzVuTp3WK?logo=discord&label=Discord&color=5865&style=flat)](https://discord.gg/RkzVuTp3WK)
 ---
 
-[Installation](https://minder-docs.stacklok.dev/getting_started/install_cli) | [Documentation](https://minder-docs.stacklok.dev) | [Releases](https://github.com/mindersec/minder/releases)
+[Installation](https://minder-docs.stacklok.dev/getting_started/install_cli) | [Documentation](https://mindersec.github.io/) | [Releases](https://github.com/mindersec/minder/releases)
 ---
 
 # What is Minder?
@@ -26,7 +26,7 @@ allowing users to integrate with their existing tooling and processes.
 * **Repo configuration and security:** Simplify configuration and management of security settings and policies across repos.
 * **Proactive security enforcement:** Continuously enforce best practice security configurations by setting granular policies to alert only or auto-remediate.
 * **Artifact attestation:** Continuously verify that packages are signed to ensure they’re tamper-proof, using the open source project Sigstore.
-* **Dependency management:** Manage dependency security posture by helping developers make better choices and enforcing controls. Minder is integrated with [OSV](https://osv.dev/) and [Trusty](https://trustypkg.dev) to enable policy-driven dependency management based on the risk level of dependencies.
+* **Dependency management:** Manage dependency security posture by helping developers make better choices and enforcing controls. Minder is integrated with [OSV](https://osv.dev/) and [Stacklok Insight](https://insight.stacklok.com) to enable policy-driven dependency management based on the risk level of dependencies.
 
 ## Public Instance
 
@@ -62,7 +62,7 @@ brew install minder
 Make sure you have [Winget](https://learn.microsoft.com/en-us/windows/package-manager/winget/) installed.
 
 ```bash
-winget install stacklok.minder
+winget install mindersec.minder
 ```
 
 ### Download a release
@@ -129,16 +129,16 @@ where you can manage your registered repositories, create profiles, rules and mu
 configured consistently and securely.
 
 For more information about `minder`, see:
-* `minder` CLI commands - [Docs](https://minder-docs.stacklok.dev/ref/cli/minder).
-* `minder` REST API Documentation - [Docs](https://minder-docs.stacklok.dev/ref/api).
+* `minder` CLI commands - [Docs](https://mindersec.github.io/ref/cli/minder).
+* `minder` REST API Documentation - [Docs](https://mindersec.github.io/ref/api).
 * `minder` rules and profiles maintained by Minder's team - [GitHub](https://github.com/mindersec/minder-rules-and-profiles).
-* Minder documentation - [Docs](https://minder-docs.stacklok.dev).
+* Minder documentation - [Docs](https://mindersec.github.io/).
 
 # Roadmap
 
 The Minder community are actively working on new features and improvements for Minder.
 
-You can find our roadmap [here](https://minder-docs.stacklok.dev/about/roadmap).
+You can find our roadmap [here](https://mindersec.github.io/about/roadmap).
 
 Should you wish to request or contribute a feature or improvement, please use the following
 [issue template](https://github.com/mindersec/minder/issues/new?template=enhancement.yml)
@@ -199,7 +199,7 @@ cp config/server-config.yaml.example server-config.yaml
 
 You'd also have to set up an OAuth2 application for `minder-server` to use.
 Once completed, update the configuration file with the appropriate values.
-See the documentation on how to do that - [Docs](https://minder-docs.stacklok.dev/run_minder_server/config_oauth).
+See the documentation on how to do that - [Docs](https://mindersec.github.io/run_minder_server/config_oauth).
 
 #### Run `minder-server`
 
@@ -240,13 +240,13 @@ By default, the `minder` CLI will point to the production Stacklok environment i
 
 ### Development guidelines
 
-You can find more detailed information about the development process in the [Developer Guide](https://minder-docs.stacklok.dev/developer_guide/get-hacking).
+You can find more detailed information about the development process in the [Developer Guide](https://mindersec.github.io/developer_guide/get-hacking).
 
 ## Minder API
 
-* REST API documentation - [Link](https://minder-docs.stacklok.dev/ref/api).
+* REST API documentation - [Link](https://mindersec.github.io/ref/api).
 
-* Proto API documentation - [Link](https://minder-docs.stacklok.dev/ref/proto).
+* Proto API documentation - [Link](https://mindersec.github.io/ref/proto).
 
 * Protobuf - [Link](https://github.com/mindersec/minder/blob/main/proto/minder/v1/minder.proto).