From 4077bb5d3d35ab162364cf3b66b9d5659455a0b6 Mon Sep 17 00:00:00 2001
From: Dan Barr
Date: Fri, 6 Dec 2024 03:27:10 -0500
Subject: [PATCH] Docs updates for Trusty rebrand (#5149)
* Update Trusty references to Stacklok Insight
* Add client redirects plugin
Also adds redirect for integrations/trusty --> integrations/stacklok-cloud to avoid a 404.
* Pin the plugin-client-redirects version
Co-authored-by: Eleftheria Stein-Kousathana
--------
Co-authored-by: Eleftheria Stein-Kousathana
---
 README.md | 2 +-
 deployment/helm/README.md | 2 +-
 deployment/helm/values.yaml | 2 +-
 docs/docs/about/roadmap.md | 8 +++---
 docs/docs/how-to/writing-rules-in-rego.md | 2 +-
 docs/docs/index.md | 2 +-
 docs/docs/integrations/overview.md | 11 ++++----
 .../{trusty.md => stacklok-insight.md} | 28 +++++++++----------
 docs/docs/ref/rules/pr_trusty_check.md | 27 +++++++++---------
 .../run_minder_server/installing_minder.md | 3 +-
 docs/docusaurus.config.js | 17 +++++++++++
 docs/package-lock.json | 25 +++++++++++++++++
 docs/package.json | 1 +
 13 files changed, 86 insertions(+), 44 deletions(-)
 rename docs/docs/integrations/{trusty.md => stacklok-insight.md} (55%)
diff --git a/README.md b/README.md
index 2c16ca2d49..83fb3e6c76 100644
--- a/README.md
+++ b/README.md
@@ -26,7 +26,7 @@ allowing users to integrate with their existing tooling and processes.
 * **Repo configuration and security:** Simplify configuration and management of security settings and policies across repos.
 * **Proactive security enforcement:** Continuously enforce best practice security configurations by setting granular policies to alert only or auto-remediate.
 * **Artifact attestation:** Continuously verify that packages are signed to ensure they’re tamper-proof, using the open source project Sigstore.
-* **Dependency management:** Manage dependency security posture by helping developers make better choices and enforcing controls. Minder is integrated with [OSV](https://osv.dev/) and [Trusty](https://trustypkg.dev) to enable policy-driven dependency management based on the risk level of dependencies.
+* **Dependency management:** Manage dependency security posture by helping developers make better choices and enforcing controls. Minder is integrated with [OSV](https://osv.dev/) and [Stacklok Insight](https://insight.stacklok.com) to enable policy-driven dependency management based on the risk level of dependencies.
 ## Public Instance
diff --git a/deployment/helm/README.md b/deployment/helm/README.md
index f2d6da49d4..8432b2361a 100644
--- a/deployment/helm/README.md
+++ b/deployment/helm/README.md
@@ -114,4 +114,4 @@ installed in the namespace specified by your current Kubernetes context.
 | sessionExpirationPurgeJobSettings.restartPolicy | string | `"OnFailure"` | |
 | sessionExpirationPurgeJobSettings.schedule | string | `"0 0 * * *"` | |
 | sessionExpirationPurgeJobSettings.sidecarContainers | list | `[]` | |
-| trusty.endpoint | string | `"https://api.trustypkg.dev"` | Trusty host to use |
\ No newline at end of file
+| trusty.endpoint | string | `"https://api.trustypkg.dev"` | Stacklok Insight host to use |
\ No newline at end of file
diff --git a/deployment/helm/values.yaml b/deployment/helm/values.yaml
index 6cd6e38a04..944a9da234 100644
--- a/deployment/helm/values.yaml
+++ b/deployment/helm/values.yaml
@@ -23,7 +23,7 @@ db:
 # trusty settings
 trusty:
- # -- (string) Trusty host to use
+ # -- (string) Stacklok Insight host to use
 endpoint: "https://api.trustypkg.dev"
 # AWS-specific configuration
diff --git a/docs/docs/about/roadmap.md b/docs/docs/about/roadmap.md
index 918306f4cd..4ab326cdd5 100644
--- a/docs/docs/about/roadmap.md
+++ b/docs/docs/about/roadmap.md
@@ -23,8 +23,8 @@ _Last updated: June 2024_
 ## Next
-* **Report CVEs, Trusty scores, and license info for ingested SBOMs:** Ingest SBOMS and identify dependencies; show CVEs, Trusty scores, and license information including any changes over time.
-* **Block PRs based on Trusty scores:** In addition to adding comments to pull requests (as is currently available), add the option to block pull requests as a policy remediation.
+* **Report CVEs, Stacklok Insight scores, and license info for ingested SBOMs:** Ingest SBOMS and identify dependencies; show CVEs, Stacklok Insight scores, and license information including any changes over time.
+* **Block PRs based on Stacklok Insight scores:** In addition to adding comments to pull requests (as is currently available), add the option to block pull requests as a policy remediation.
 * **Policy events:** Provide information about rule evaluation as it changes, and historical rule evaluation.
 * **Generate SBOMs:** Enable users to automatically create and sign SBOMs.
@@ -35,7 +35,7 @@ _Last updated: June 2024_
 * **Register GitLab and Bitbucket repositories:** In addition to managing GitHub repositories, enable users to manage configuration and policy for other source control providers.
 * **Export a Minder 'badge/certification' that shows what practices a project followed:** Create a badge that OSS maintainers and enterprise developers can create and share with others that asserts the Minder practices and policies their projects follow.
 * **Temporary permissions to providers vs. long-running:** Policy remediation currently requires long-running permissions to providers such as GitHub; provide the option to enable temporary permissions.
-* **Create PRs for dependency updates:** As a policy autoremediation option, enable Minder to automatically create pull requests to update dependencies based on vulnerabilities, Trusty scores, or license changes.
+* **Create PRs for dependency updates:** As a policy autoremediation option, enable Minder to automatically create pull requests to update dependencies based on vulnerabilities, Stacklok Insight scores, or license changes.
 * **Drive policy through git (config management):** Enable users to dynamically create and maintain policies from other sources, e.g. Git, allowing for easier policy maintenance and the ability to manage policies through GitOps workflows.
 * **Integrations with additional OSS and commercial tools:** Integrate with tools that run code and secrets scanning (eg Snyk), and behavior analysis (eg [OSSF Package Analysis tool](https://github.com/ossf/package-analysis)).
-* **Help package authors improve Trusty Scores:** Provide guidance and/or policy to improve key Trusty Store metrics (open issues, active contributors).
+* **Help package authors improve Stacklok Insight Scores:** Provide guidance and/or policy to improve key Stacklok Insight Store metrics (open issues, active contributors).
diff --git a/docs/docs/how-to/writing-rules-in-rego.md b/docs/docs/how-to/writing-rules-in-rego.md
index fabdd8c8b3..adc91eb07e 100644
--- a/docs/docs/how-to/writing-rules-in-rego.md
+++ b/docs/docs/how-to/writing-rules-in-rego.md
@@ -12,7 +12,7 @@ Minder organizes policies into Rule Types, each with specific sections defining
 * Ingesting Data: Fetching relevant data, often from external sources like GitHub API.
-* Evaluation: Applying policy logic to the ingested data. Minder offers a set of engines to evaluate data: jq and rego being general-purpose engines, while trusty and vulncheck are more use case-specific ones.
+* Evaluation: Applying policy logic to the ingested data. Minder offers a set of engines to evaluate data: jq and rego being general-purpose engines, while Stacklok Insight and vulncheck are more use case-specific ones.
 * Remediation and Alerting: Taking actions or providing notifications based on evaluation results. E.g. creating a pull request or generating a GitHub security advisory.
diff --git a/docs/docs/index.md b/docs/docs/index.md
index b62a9600fc..5bfc5426d8 100644
--- a/docs/docs/index.md
+++ b/docs/docs/index.md
@@ -18,7 +18,7 @@ Minder can be deployed as a Helm chart and provides a CLI tool ‘minder’. Min
 * **Repo configuration and security:** Simplify configuration and management of security settings and policies across repos.
 * **Proactive security enforcement:** Continuously enforce best practice security configurations by setting granular policies to alert only or auto-remediate.
 * **Artifact attestation:** Continuously verify that packages are signed to ensure they’re tamper-proof, using the open source project Sigstore.
-* **Dependency management:** Manage dependency security posture by helping developers make better choices and enforcing controls. Minder is integrated with [OSV](https://osv.dev/) and [Trusty](https://trustypkg.dev) to enable policy-driven dependency management based on the risk level of dependencies.
+* **Dependency management:** Manage dependency security posture by helping developers make better choices and enforcing controls. Minder is integrated with [OSV](https://osv.dev/) and [Stacklok Insight](https://insight.stacklok.com) to enable policy-driven dependency management based on the risk level of dependencies.
 ## Minder Public Instance
diff --git a/docs/docs/integrations/overview.md b/docs/docs/integrations/overview.md
index c5837a18ca..de93c35735 100644
--- a/docs/docs/integrations/overview.md
+++ b/docs/docs/integrations/overview.md
@@ -29,12 +29,11 @@ Examples of integrations include:
 For more information, see the [OSS Integrations](community_integrations.md) documentation.
-## Trusty
+## Stacklok Insight
-Trusty is a tool that helps you make better decisions about your dependencies. It provides a set
-of heuristics to help you decide if a dependency is trustworthy or not. It's also developed by
-your friends at Stacklok!
+Stacklok Insight is a tool that helps you make better decisions about your dependencies. It provides a set
+of heuristics to help you decide if a dependency is trustworthy or not.
-Trusty is integrated into Minder via a dedicated rule type.
+Stacklok Insight is integrated into Minder via a dedicated rule type.
-For more information, see the [Trusty](trusty.md) documentation.
+For more information, see the [Stacklok Insight](stacklok-insight.md) documentation.
diff --git a/docs/docs/integrations/trusty.md b/docs/docs/integrations/stacklok-insight.md
similarity index 55%
rename from docs/docs/integrations/trusty.md
rename to docs/docs/integrations/stacklok-insight.md
index 0fa9034743..4c6b95ae39 100644
--- a/docs/docs/integrations/trusty.md
+++ b/docs/docs/integrations/stacklok-insight.md
@@ -1,21 +1,21 @@
 ---
-title: Trusty
+title: Stacklok Insight
 sidebar_position: 40
 ---
-# Trusty Integration
+# Stacklok Insight Integration
-Minder integrates directly with [Trusty by Stacklok](http://trustypkg.dev) to enable policy-driven dependency management based on the risk level of dependencies.
+Minder integrates directly with [Stacklok Insight](http://insight.stacklok.com) to enable policy-driven dependency management based on the risk level of dependencies.
-Minder provides a [Trusty rule type](../ref/rules/pr_trusty_check.md) which allows you to monitor new pull requests for newly added dependencies with low [Trusty](https://www.trustypkg.dev/) scores.
+Minder provides a [Stacklok Insight rule type](../ref/rules/pr_trusty_check.md) which allows you to monitor new pull requests for newly added dependencies with risk indicators from [Stacklok Insight](https://insight.stacklok.com/).
 For every pull request submitted to a repository, this rule will check if the pull request adds a new dependency with
-a Trusty score below a threshold that you define. If a dependency with a low score is added, Minder will notify you and
+risk indicators from Stacklok Insight that exceed thresholds that you define. If a risky dependency is added, Minder will notify you and
 suggest an alternative package, if one is available.
-Here we see Minder in action, commenting on a pull request that adds a package with a low Trusty score:
+Here we see Minder in action, commenting on a pull request that adds a package with risk indicators from Stacklok Insight:
-![Minder commenting on PR with low Trusty score](./low-trusty-score-pr.png)
+![Minder commenting on PR with Stacklok Insight risk signals](./low-trusty-score-pr.png)
 ## Create the rule type
@@ -45,15 +45,15 @@ minder ruletype create -f rule-types/github/pr_trusty_check.yaml
 Next, create a profile that applies the rule to all registered repositories.
-Create a new file called `low-trusty-score-profile.yaml`. In this profile the following options are configured:
-- `action` is set to `summary` allowing Minder to comment on pull requests with a low Trusty score, providing an explanation of the issue and possible alternatives.
-- `ecosystem_config` is set to check the `pypi` ecosystem for new dependencies whose Trusty score is below the threshold of 5.
+Create a new file called `stacklok-insight-risk-profile.yaml`. In this profile the following options are configured:
+- `action` is set to `summary` allowing Minder to comment on pull requests with risk indicators from Stacklok Insight, providing an explanation of the issue and possible alternatives.
+- `ecosystem_config` is set to check the `pypi` ecosystem for new dependencies whose Stacklok Insight activity score is below the threshold of 5.the threshold of 5.
 ```yaml
 ---
 version: v1
 type: profile
-name: low-trusty-score-profile
+name: stacklok-insight-risk-profile
 context:
 provider: github
 remediate: "on"
@@ -63,13 +63,13 @@ pull_request:
 action: summary
 ecosystem_config:
 - name: pypi
- score: 5
+ activity: 5
 ```
 Create the profile in Minder:
 ```bash
-minder profile create -f low-trusty-score-profile.yaml
+minder profile create -f stacklok-insight-risk-profile.yaml
 ```
-That's it! Any registered repos will now be monitored for new dependencies with low Trusty scores.
+That's it! Any registered repos will now be monitored for new dependencies with risk indicators from Stacklok Insight.
diff --git a/docs/docs/ref/rules/pr_trusty_check.md b/docs/docs/ref/rules/pr_trusty_check.md
index 7b28c4196d..e09afe05f1 100644
--- a/docs/docs/ref/rules/pr_trusty_check.md
+++ b/docs/docs/ref/rules/pr_trusty_check.md
@@ -1,18 +1,19 @@
 ---
-title: Trusty Score
+title: Stacklok Insight check
 sidebar_position: 20
 ---
-# Trusty Score Threshold Rule
+# Stacklok Insight Rule
-The following rule type is available for [Trusty](https://www.trustypkg.dev/) score threshold.
+The following rule type is available to check dependency risk with [Stacklok Insight](https://insight.stacklok.com/).
-## `pr_trusty_check` - Verifies that pull requests do not add any dependencies with Trusty scores below a certain threshold
+## `pr_trusty_check` - Verifies that pull requests do not add any dependencies with risk indicators from Stacklok Insight
-This rule allows you to monitor new pull requests for newly added dependencies with low
-[Trusty](https://www.trustypkg.dev/) scores.
-For every pull request submitted to a repository, this rule will check if the pull request adds a new dependency with
-a Trusty score below a threshold that you define. If a dependency with a low score is added, the PR will be commented on.
+This rule allows you to monitor new pull requests for newly added dependencies with risk indicators from
+[Stacklok Insight](https://insight.stacklok.com/).
+For every pull request submitted to a repository, this rule will check any software
+dependencies for the supported ecosystems and flag any problems found with them.
+Based on the Stacklok Insight data, Minder can block the PR or mark the policy as failed.
 ## Entity - `pull_request`
@@ -25,15 +26,15 @@ a Trusty score below a threshold that you define. If a dependency with a low sco
 ## Rule Definition Options
-The `pr_trusty_check` rule has the following options:
+The `pr_trusty_check` rule supports the following options:
-- `action` (string): The action to take if a package with a low score is found. Valid values are:
- - `summary`: The evaluator engine will add a single summary comment with a table listing the packages with low scores found
- - `profile_only`: The evaluator engine will merely pass on an error, marking the profile as failed if a packages with low scores is found
+- `action` (string): The action to take if a risky package is found. Valid values are:
+ - `summary`: The evaluator engine will add a single summary comment with a table listing risky packages found
+ - `profile_only`: The evaluator engine will merely pass on an error, marking the profile as failed if a risky package is found
 - `review`: The trusty evaluator will add a review asking for changes when problematic dependencies are found. Use the review action to block any pull requests introducing dependencies that break the policy established defined by the rule.
 - `ecosystem_config`: An array of ecosystem configurations to check. Each ecosystem configuration has the following options:
 - `name` (string): The name of the ecosystem to check. Currently `npm` and `pypi` are supported.
- - `score` (number): The minimum Trusty score for a dependency to be considered safe.
+ - `score (integer)`: DEPRECATED - this score is deprecated and only remains for backward compatibility. It always returns a value of `0`. We recommend setting this option to `0` and using the other options to control this rule's behavior.
 - `provenance` (number): Minimum provenance score to consider a package's proof of origin satisfactory.
 - `activity` (number): Minimum activity score to consider a package as active.
- `allow_malicious` (boolean): Don't raise an error when a PR introduces dependencies known to be malicious (not recommended)
diff --git a/docs/docs/run_minder_server/installing_minder.md b/docs/docs/run_minder_server/installing_minder.md
index 8a4edf414c..a30b312cf7 100644
--- a/docs/docs/run_minder_server/installing_minder.md
+++ b/docs/docs/run_minder_server/installing_minder.md
@@ -87,5 +87,4 @@ Deploy Minder on Kubernetes
 | service.metricPort | int | `9090` | Metrics port for the service to expose metrics on |
 | serviceAccounts.migrate | string | `""` | ServiceAccount to be used for migration. If set, Minder will use this named ServiceAccount. |
 | serviceAccounts.server | string | `""` | ServiceAccount to be used by the server. If set, Minder will use this named ServiceAccount. |
-| trusty.endpoint | string | `"http://pi.pi:8000"` | Endpoint for the trusty service which Minder communicates with |
-
+| trusty.endpoint | string | `"https://api.trustypkg.dev"` | Endpoint for the Stacklok Insight service which Minder communicates with |
diff --git a/docs/docusaurus.config.js b/docs/docusaurus.config.js
index a60dd7e797..a472557d09 100644
--- a/docs/docusaurus.config.js
+++ b/docs/docusaurus.config.js
@@ -61,6 +61,7 @@ const config = {
 presets: [
 [
 'classic',
+ /** @type {import('@docusaurus/preset-classic').Options} */
 {
 docs: {
 routeBasePath: '/',
@@ -74,6 +75,22 @@ const config = {
 ],
 redocusaurus,
 ],
+
+ plugins: [
+ [
+ '@docusaurus/plugin-client-redirects',
+ {
+ redirects: [
+ {
+ /* Trusty rebrand */
+ to: '/integrations/stacklok-insight',
+ from: '/integrations/trusty',
+ },
+ ],
+ },
+ ],
+ ],
+
 themeConfig:
 /** @type {import('@docusaurus/preset-classic').ThemeConfig} */ (
diff --git a/docs/package-lock.json b/docs/package-lock.json
index e679cece83..717f6b29fc 100644
--- a/docs/package-lock.json
+++ b/docs/package-lock.json
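Review bot: The `/* Trusty rebrand */` comment on the new redirect entry in the second docusaurus.config.js hunk does not record when the redirect actually exists: as far as I know `@docusaurus/plugin-client-redirects` emits the old path as a static HTML page in the build output, so it is only active for `docusaurus build` (not the dev server), and it is a client-side redirect rather than an HTTP 301, so non-browser clients fetching `/integrations/trusty` still receive a 200 with the redirect page rather than a redirect status. I would replace the comment with `// Trusty -> Stacklok Insight rebrand: keeps the old docs URL reachable via a generated client-side redirect page (production build only)`. Note also that the commit description says the redirect goes to `integrations/stacklok-cloud`, while the `to` field here is `/integrations/stacklok-insight`; the code matches the renamed page, so it is the description that needs correcting.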
@@ -9,6 +9,7 @@ "version": "0.0.0", "dependencies": { "@docusaurus/core": "3.6.3", + "@docusaurus/plugin-client-redirects": "^3.6.3", "@docusaurus/preset-classic": "3.6.3", "@docusaurus/theme-mermaid": "3.6.3", "@mdx-js/react": "3.1.0", @@ -3511,6 +3512,30 @@ "react-dom": "*" } }, + "node_modules/@docusaurus/plugin-client-redirects": { + "version": "3.6.3", + "resolved": "https://registry.npmjs.org/@docusaurus/plugin-client-redirects/-/plugin-client-redirects-3.6.3.tgz", + "integrity": "sha512-fQDCxoJCO1jXNQGQmhgYoX3Yx+Z2xSbrLf3PBET6pHnsRk6gGW/VuCHcfQuZlJzbTxN0giQ5u3XcQQ/LzXftJA==", + "license": "MIT", + "dependencies": { + "@docusaurus/core": "3.6.3", + "@docusaurus/logger": "3.6.3", + "@docusaurus/utils": "3.6.3", + "@docusaurus/utils-common": "3.6.3", + "@docusaurus/utils-validation": "3.6.3", + "eta": "^2.2.0", + "fs-extra": "^11.1.1", + "lodash": "^4.17.21", + "tslib": "^2.6.0" + }, + "engines": { + "node": ">=18.0" + }, + "peerDependencies": { + "react": "^18.0.0", + "react-dom": "^18.0.0" + } + }, "node_modules/@docusaurus/plugin-content-blog": { "version": "3.6.3", "resolved": "https://registry.npmjs.org/@docusaurus/plugin-content-blog/-/plugin-content-blog-3.6.3.tgz", diff --git a/docs/package.json b/docs/package.json index 158bee9fe0..d462d73555 100644 --- a/docs/package.json +++ b/docs/package.json @@ -15,6 +15,7 @@ }, "dependencies": { "@docusaurus/core": "3.6.3", + "@docusaurus/plugin-client-redirects": "3.6.3", "@docusaurus/preset-classic": "3.6.3", "@docusaurus/theme-mermaid": "3.6.3", "@mdx-js/react": "3.1.0",
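Review bot: The new dependency is declared as `"3.6.3"` in the package.json hunk, but the root `packages[""].dependencies` entry in the package-lock.json hunk just above records it as `"^3.6.3"`, so the two files disagree on the declared spec even though the resolved version is the same; this looks like the lockfile was not regenerated after the "Pin the plugin-client-redirects version" fixup. `npm ci` checks that package.json and package-lock.json are in sync and, as far as I can tell, refuses to install on a spec mismatch like this, so a clean docs build would fail. Re-run `npm install` in `docs/` after the pin and commit the updated lockfile so its root entry reads `"@docusaurus/plugin-client-redirects": "3.6.3",`.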