Docs updates for Trusty rebrand (#5149)
* Update Trusty references to Stacklok Insight

* Add client redirects plugin

Also adds redirect for integrations/trusty -->
integrations/stacklok-cloud to avoid a 404.

* Pin the plugin-client-redirects version

Co-authored-by: Eleftheria Stein-Kousathana <[email protected]>

---------

Co-authored-by: Eleftheria Stein-Kousathana <[email protected]>
danbarr and eleftherias authored Dec 6, 2024
1 parent d6b346f commit 4077bb5
Showing 13 changed files with 86 additions and 44 deletions.
2 changes: 1 addition & 1 deletion README.md
@@ -26,7 +26,7 @@ allowing users to integrate with their existing tooling and processes.
* **Repo configuration and security:** Simplify configuration and management of security settings and policies across repos.
* **Proactive security enforcement:** Continuously enforce best practice security configurations by setting granular policies to alert only or auto-remediate.
* **Artifact attestation:** Continuously verify that packages are signed to ensure they’re tamper-proof, using the open source project Sigstore.
* **Dependency management:** Manage dependency security posture by helping developers make better choices and enforcing controls. Minder is integrated with [OSV](https://osv.dev/) and [Trusty](https://trustypkg.dev) to enable policy-driven dependency management based on the risk level of dependencies.
* **Dependency management:** Manage dependency security posture by helping developers make better choices and enforcing controls. Minder is integrated with [OSV](https://osv.dev/) and [Stacklok Insight](https://insight.stacklok.com) to enable policy-driven dependency management based on the risk level of dependencies.

## Public Instance

2 changes: 1 addition & 1 deletion deployment/helm/README.md
@@ -114,4 +114,4 @@ installed in the namespace specified by your current Kubernetes context.
| sessionExpirationPurgeJobSettings.restartPolicy | string | `"OnFailure"` | |
| sessionExpirationPurgeJobSettings.schedule | string | `"0 0 * * *"` | |
| sessionExpirationPurgeJobSettings.sidecarContainers | list | `[]` | |
| trusty.endpoint | string | `"https://api.trustypkg.dev"` | Trusty host to use |
| trusty.endpoint | string | `"https://api.trustypkg.dev"` | Stacklok Insight host to use |
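Review bot: the description now reads "Stacklok Insight host to use" but the key is still `trusty.endpoint` and the default is still `"https://api.trustypkg.dev"`, so the row is only half renamed. Either state in the description that the key and hostname are kept for backward compatibility with existing values files, or confirm the rebranded API hostname and change it here and in values.yaml together. The `# -- (string)` comment style in values.yaml suggests this table is generated with helm-docs, so the values.yaml comment is the one to edit and this table should be regenerated from it rather than edited by hand.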
2 changes: 1 addition & 1 deletion deployment/helm/values.yaml
@@ -23,7 +23,7 @@ db:

# trusty settings
trusty:
# -- (string) Trusty host to use
# -- (string) Stacklok Insight host to use
endpoint: "https://api.trustypkg.dev"

# AWS-specific configuration
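Review bot: the `# trusty settings` section comment two lines above the changed line still uses the old name while the `trusty:` key itself is unchanged. If the key is deliberately staying `trusty` so existing deployments keep working, say so in that comment; otherwise the next reader will "fix" the key and break every values file that sets `trusty.endpoint`.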
8 changes: 4 additions & 4 deletions docs/docs/about/roadmap.md
@@ -23,8 +23,8 @@ _Last updated: June 2024_

## Next

* **Report CVEs, Trusty scores, and license info for ingested SBOMs:** Ingest SBOMS and identify dependencies; show CVEs, Trusty scores, and license information including any changes over time.
* **Block PRs based on Trusty scores:** In addition to adding comments to pull requests (as is currently available), add the option to block pull requests as a policy remediation.
* **Report CVEs, Stacklok Insight scores, and license info for ingested SBOMs:** Ingest SBOMS and identify dependencies; show CVEs, Stacklok Insight scores, and license information including any changes over time.
* **Block PRs based on Stacklok Insight scores:** In addition to adding comments to pull requests (as is currently available), add the option to block pull requests as a policy remediation.
* **Policy events:** Provide information about rule evaluation as it changes, and historical rule evaluation.
* **Generate SBOMs:** Enable users to automatically create and sign SBOMs.

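Review bot: the hunk header shows `_Last updated: June 2024_`; the roadmap items are being edited here, so bump that date, otherwise a reader cannot tell which items reflect the December 2024 rename. The first added line also keeps the pre-existing `Ingest SBOMS` next to `SBOMs` in the same bullet; an easy capitalisation fix while the line is being touched.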
@@ -35,7 +35,7 @@ _Last updated: June 2024_
* **Register GitLab and Bitbucket repositories:** In addition to managing GitHub repositories, enable users to manage configuration and policy for other source control providers.
* **Export a Minder 'badge/certification' that shows what practices a project followed:** Create a badge that OSS maintainers and enterprise developers can create and share with others that asserts the Minder practices and policies their projects follow.
* **Temporary permissions to providers vs. long-running:** Policy remediation currently requires long-running permissions to providers such as GitHub; provide the option to enable temporary permissions.
* **Create PRs for dependency updates:** As a policy autoremediation option, enable Minder to automatically create pull requests to update dependencies based on vulnerabilities, Trusty scores, or license changes.
* **Create PRs for dependency updates:** As a policy autoremediation option, enable Minder to automatically create pull requests to update dependencies based on vulnerabilities, Stacklok Insight scores, or license changes.
* **Drive policy through git (config management):** Enable users to dynamically create and maintain policies from other sources, e.g. Git, allowing for easier policy maintenance and the ability to manage policies through GitOps workflows.
* **Integrations with additional OSS and commercial tools:** Integrate with tools that run code and secrets scanning (eg Snyk), and behavior analysis (eg [OSSF Package Analysis tool](https://github.com/ossf/package-analysis)).
* **Help package authors improve Trusty Scores:** Provide guidance and/or policy to improve key Trusty Store metrics (open issues, active contributors).
* **Help package authors improve Stacklok Insight Scores:** Provide guidance and/or policy to improve key Stacklok Insight Store metrics (open issues, active contributors).
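Review bot: the last added line says "key Stacklok Insight Store metrics", which carries over what looks like a pre-existing typo ("Trusty Store" where the sentence is about scores); suggest "key Stacklok Insight score metrics (open issues, active contributors)" so the bullet matches its own heading.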
2 changes: 1 addition & 1 deletion docs/docs/how-to/writing-rules-in-rego.md
@@ -12,7 +12,7 @@ Minder organizes policies into Rule Types, each with specific sections defining

* Ingesting Data: Fetching relevant data, often from external sources like GitHub API.

* Evaluation: Applying policy logic to the ingested data. Minder offers a set of engines to evaluate data: jq and rego being general-purpose engines, while trusty and vulncheck are more use case-specific ones.
* Evaluation: Applying policy logic to the ingested data. Minder offers a set of engines to evaluate data: jq and rego being general-purpose engines, while Stacklok Insight and vulncheck are more use case-specific ones.

* Remediation and Alerting: Taking actions or providing notifications based on evaluation results. E.g. creating a pull request or generating a GitHub security advisory.

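Review bot: in the added line, `Stacklok Insight` now sits in a list of engine names (`jq`, `rego`, `vulncheck`) that are written as the literal identifiers a rule-type author uses, and elsewhere in this commit the rule type is still `pr_trusty_check`. If the evaluator's type is still `trusty`, write it as `trusty (Stacklok Insight)` here so someone reading a rule-type YAML can match the name to this sentence.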
2 changes: 1 addition & 1 deletion docs/docs/index.md
@@ -18,7 +18,7 @@ Minder can be deployed as a Helm chart and provides a CLI tool ‘minder’. Min
* **Repo configuration and security:** Simplify configuration and management of security settings and policies across repos.
* **Proactive security enforcement:** Continuously enforce best practice security configurations by setting granular policies to alert only or auto-remediate.
* **Artifact attestation:** Continuously verify that packages are signed to ensure they’re tamper-proof, using the open source project Sigstore.
* **Dependency management:** Manage dependency security posture by helping developers make better choices and enforcing controls. Minder is integrated with [OSV](https://osv.dev/) and [Trusty](https://trustypkg.dev) to enable policy-driven dependency management based on the risk level of dependencies.
* **Dependency management:** Manage dependency security posture by helping developers make better choices and enforcing controls. Minder is integrated with [OSV](https://osv.dev/) and [Stacklok Insight](https://insight.stacklok.com) to enable policy-driven dependency management based on the risk level of dependencies.

## Minder Public Instance

11 changes: 5 additions & 6 deletions docs/docs/integrations/overview.md
@@ -29,12 +29,11 @@ Examples of integrations include:

For more information, see the [OSS Integrations](community_integrations.md) documentation.

## Trusty
## Stacklok Insight

Trusty is a tool that helps you make better decisions about your dependencies. It provides a set
of heuristics to help you decide if a dependency is trustworthy or not. It's also developed by
your friends at Stacklok!
Stacklok Insight is a tool that helps you make better decisions about your dependencies. It provides a set
of heuristics to help you decide if a dependency is trustworthy or not.

Trusty is integrated into Minder via a dedicated rule type.
Stacklok Insight is integrated into Minder via a dedicated rule type.

For more information, see the [Trusty](trusty.md) documentation.
For more information, see the [Stacklok Insight](stacklok-insight.md) documentation.
@@ -1,21 +1,21 @@
---
title: Trusty
title: Stacklok Insight
sidebar_position: 40
---

# Trusty Integration
# Stacklok Insight Integration

Minder integrates directly with [Trusty by Stacklok](http://trustypkg.dev) to enable policy-driven dependency management based on the risk level of dependencies.
Minder integrates directly with [Stacklok Insight](http://insight.stacklok.com) to enable policy-driven dependency management based on the risk level of dependencies.

Minder provides a [Trusty rule type](../ref/rules/pr_trusty_check.md) which allows you to monitor new pull requests for newly added dependencies with low [Trusty](https://www.trustypkg.dev/) scores.
Minder provides a [Stacklok Insight rule type](../ref/rules/pr_trusty_check.md) which allows you to monitor new pull requests for newly added dependencies with risk indicators from [Stacklok Insight](https://insight.stacklok.com/).

For every pull request submitted to a repository, this rule will check if the pull request adds a new dependency with
a Trusty score below a threshold that you define. If a dependency with a low score is added, Minder will notify you and
risk indicators from Stacklok Insight that exceed thresholds that you define. If a risky dependency is added, Minder will notify you and
suggest an alternative package, if one is available.

Here we see Minder in action, commenting on a pull request that adds a package with a low Trusty score:
Here we see Minder in action, commenting on a pull request that adds a package with risk indicators from Stacklok Insight:

![Minder commenting on PR with low Trusty score](./low-trusty-score-pr.png)
![Minder commenting on PR with Stacklok Insight risk signals](./low-trusty-score-pr.png)

## Create the rule type

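Review bot: the added link `[Stacklok Insight](http://insight.stacklok.com)` uses plain `http` while the same link three lines later uses `https`; use `https` in both so the docs do not send readers through an unencrypted hop. The screenshot is still `./low-trusty-score-pr.png` with alt text that now talks about "risk signals"; keeping the filename is fine, but check that the image itself no longer shows a "Trusty score" comment, or it will contradict the surrounding text.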
@@ -45,15 +45,15 @@ minder ruletype create -f rule-types/github/pr_trusty_check.yaml

Next, create a profile that applies the rule to all registered repositories.

Create a new file called `low-trusty-score-profile.yaml`. In this profile the following options are configured:
- `action` is set to `summary` allowing Minder to comment on pull requests with a low Trusty score, providing an explanation of the issue and possible alternatives.
- `ecosystem_config` is set to check the `pypi` ecosystem for new dependencies whose Trusty score is below the threshold of 5.
Create a new file called `stacklok-insight-risk-profile.yaml`. In this profile the following options are configured:
- `action` is set to `summary` allowing Minder to comment on pull requests with risk indicators from Stacklok Insight, providing an explanation of the issue and possible alternatives.
- `ecosystem_config` is set to check the `pypi` ecosystem for new dependencies whose Stacklok Insight activity score is below the threshold of 5.the threshold of 5.

```yaml
---
version: v1
type: profile
name: low-trusty-score-profile
name: stacklok-insight-risk-profile
context:
provider: github
remediate: "on"
@@ -63,13 +63,13 @@ pull_request:
action: summary
ecosystem_config:
- name: pypi
score: 5
activity: 5
```
Create the profile in Minder:
```bash
minder profile create -f low-trusty-score-profile.yaml
minder profile create -f stacklok-insight-risk-profile.yaml
```

That's it! Any registered repos will now be monitored for new dependencies with low Trusty scores.
That's it! Any registered repos will now be monitored for new dependencies with risk indicators from Stacklok Insight.
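Review bot: the third added bullet contains a duplicated phrase, "below the threshold of 5.the threshold of 5."; drop the repeated "the threshold of 5." so the sentence ends once. The YAML change from `score: 5` to `activity: 5` is consistent with the deprecation of `score` in pr_trusty_check.md in this same commit, and the prose above it now correctly says "activity score", so the example and the reference page agree.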
27 changes: 14 additions & 13 deletions docs/docs/ref/rules/pr_trusty_check.md
@@ -1,18 +1,19 @@
---
title: Trusty Score
title: Stacklok Insight check
sidebar_position: 20
---

# Trusty Score Threshold Rule
# Stacklok Insight Rule

The following rule type is available for [Trusty](https://www.trustypkg.dev/) score threshold.
The following rule type is available to check dependency risk with [Stacklok Insight](https://insight.stacklok.com/).

## `pr_trusty_check` - Verifies that pull requests do not add any dependencies with Trusty scores below a certain threshold
## `pr_trusty_check` - Verifies that pull requests do not add any dependencies with risk indicators from Stacklok Insight

This rule allows you to monitor new pull requests for newly added dependencies with low
[Trusty](https://www.trustypkg.dev/) scores.
For every pull request submitted to a repository, this rule will check if the pull request adds a new dependency with
a Trusty score below a threshold that you define. If a dependency with a low score is added, the PR will be commented on.
This rule allows you to monitor new pull requests for newly added dependencies with risk indicators from
[Stacklok Insight](https://insight.stacklok.com/).
For every pull request submitted to a repository, this rule will check any software
dependencies for the supported ecosystems and flag any problems found with them.
Based on the Stacklok Insight data, Minder can block the PR or mark the policy as failed.

## Entity
- `pull_request`
@@ -25,15 +26,15 @@ a Trusty score below a threshold that you define. If a dependency with a low sco

## Rule Definition Options

The `pr_trusty_check` rule has the following options:
The `pr_trusty_check` rule supports the following options:

- `action` (string): The action to take if a package with a low score is found. Valid values are:
- `summary`: The evaluator engine will add a single summary comment with a table listing the packages with low scores found
- `profile_only`: The evaluator engine will merely pass on an error, marking the profile as failed if a packages with low scores is found
- `action` (string): The action to take if a risky package is found. Valid values are:
- `summary`: The evaluator engine will add a single summary comment with a table listing risky packages found
- `profile_only`: The evaluator engine will merely pass on an error, marking the profile as failed if a risky package is found
- `review`: The trusty evaluator will add a review asking for changes when problematic dependencies are found. Use the review action to block any pull requests introducing dependencies that break the policy established defined by the rule.
- `ecosystem_config`: An array of ecosystem configurations to check. Each ecosystem configuration has the following options:
- `name` (string): The name of the ecosystem to check. Currently `npm` and `pypi` are supported.
- `score` (number): The minimum Trusty score for a dependency to be considered safe.
- `score (integer)`: DEPRECATED - this score is deprecated and only remains for backward compatibility. It always returns a value of `0`. We recommend setting this option to `0` and using the other options to control this rule's behavior.
- `provenance` (number): Minimum provenance score to consider a package's proof of origin satisfactory.
- `activity` (number): Minimum activity score to consider a package as active.
- `allow_malicious` (boolean): Don't raise an error when a PR introduces dependencies known to be malicious (not recommended)
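Review bot: the rewritten `score` line puts the type inside the backticks (`` `score (integer)` ``) while every other option is written as `` `name` (string) ``; match the others. "It always returns a value of `0`" is also unclear for an input option: say that the value is ignored (or that the service no longer returns a score), whichever is the case. Unchanged context in this hunk still reads "The trusty evaluator will add a review" and "break the policy established defined by the rule"; both are worth fixing in the same pass, the second by dropping one of "established"/"defined".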
3 changes: 1 addition & 2 deletions docs/docs/run_minder_server/installing_minder.md
@@ -87,5 +87,4 @@ Deploy Minder on Kubernetes
| service.metricPort | int | `9090` | Metrics port for the service to expose metrics on |
| serviceAccounts.migrate | string | `""` | ServiceAccount to be used for migration. If set, Minder will use this named ServiceAccount. |
| serviceAccounts.server | string | `""` | ServiceAccount to be used by the server. If set, Minder will use this named ServiceAccount. |
| trusty.endpoint | string | `"http://pi.pi:8000"` | Endpoint for the trusty service which Minder communicates with |

| trusty.endpoint | string | `"https://api.trustypkg.dev"` | Endpoint for the Stacklok Insight service which Minder communicates with |
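Review bot: the removed row carried a stale default (`"http://pi.pi:8000"`) that did not match the chart, and the added row now copies the value from deployment/helm/README.md by hand, so the same drift will recur. Consider generating this table from the chart values (or linking to the chart README) instead of maintaining a second copy.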
17 changes: 17 additions & 0 deletions docs/docusaurus.config.js
@@ -61,6 +61,7 @@ const config = {
presets: [
[
'classic',
/** @type {import('@docusaurus/preset-classic').Options} */
{
docs: {
routeBasePath: '/',
@@ -74,6 +75,22 @@ const config = {
],
redocusaurus,
],

plugins: [
[
'@docusaurus/plugin-client-redirects',
{
redirects: [
{
/* Trusty rebrand */
to: '/integrations/stacklok-insight',
from: '/integrations/trusty',
},
],
},
],
],

themeConfig:
/** @type {import('@docusaurus/preset-classic').ThemeConfig} */
(
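Review bot: the redirect target in the added `redirects` entry is `/integrations/stacklok-insight`, which matches the renamed page, but the commit message says the redirect goes to `integrations/stacklok-cloud`; the message should be corrected before merge so the history does not point at a path that never existed. Also note that `@docusaurus/plugin-client-redirects` only generates redirects in a production build, not under `docusaurus start`, so verify the old URL with `npm run build` and a local serve before relying on it.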
25 changes: 25 additions & 0 deletions docs/package-lock.json
1 change: 1 addition & 0 deletions docs/package.json
@@ -15,6 +15,7 @@
},
"dependencies": {
"@docusaurus/core": "3.6.3",
"@docusaurus/plugin-client-redirects": "3.6.3",
"@docusaurus/preset-classic": "3.6.3",
"@docusaurus/theme-mermaid": "3.6.3",
"@mdx-js/react": "3.1.0",