Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
70 changes: 35 additions & 35 deletions cmd/cli/app/profile/status/testdata/status_get.yaml.golden
Original file line number Diff line number Diff line change
@@ -1,39 +1,39 @@
profileStatus:
lastUpdated: "2024-01-01T00:00:00Z"
profileId: 11111111-1111-1111-1111-111111111111
profileName: mock-profile
profileStatus: success
ruleEvaluationStatus:
- details: Mock rule evaluation succeeded.
entity: repository
entityInfo:
entity_type: repository
name: acme-corp/mock-repo
provider: github-app-mock-provider
repo_name: mock-repo
repo_owner: acme-corp
repository_id: 22222222-2222-2222-2222-222222222222
lastUpdated: "2024-01-01T00:00:00Z"
profileId: 11111111-1111-1111-1111-111111111111
ruleDisplayName: Enable secret scanning to detect hardcoded secrets
ruleId: mock-rule-123
ruleName: secret_scanning
ruleTypeName: secret_scanning
status: success
- details: Mock rule evaluation failed.
entity: repository
entityInfo:
entity_type: repository
name: acme-corp/mock-repo
provider: github-app-mock-provider
repo_name: mock-repo
repo_owner: acme-corp
repository_id: 22222222-2222-2222-2222-222222222222
lastUpdated: "2024-01-01T00:00:00Z"
profileId: 11111111-1111-1111-1111-111111111111
ruleDisplayName: Enable CodeQL for vulnerability scanning
ruleId: mock-rule-456
ruleName: codeql_enabled
ruleTypeName: codeql_enabled
status: failure
profileName: mock-profile
profileStatus: success
ruleEvaluationStatus:
- details: Mock rule evaluation succeeded.
entity: repository
entityInfo:
entity_type: repository
name: acme-corp/mock-repo
provider: github-app-mock-provider
repo_name: mock-repo
repo_owner: acme-corp
repository_id: 22222222-2222-2222-2222-222222222222
lastUpdated: "2024-01-01T00:00:00Z"
profileId: 11111111-1111-1111-1111-111111111111
ruleDisplayName: Enable secret scanning to detect hardcoded secrets
ruleId: mock-rule-123
ruleName: secret_scanning
ruleTypeName: secret_scanning
status: success
- details: Mock rule evaluation failed.
entity: repository
entityInfo:
entity_type: repository
name: acme-corp/mock-repo
provider: github-app-mock-provider
repo_name: mock-repo
repo_owner: acme-corp
repository_id: 22222222-2222-2222-2222-222222222222
lastUpdated: "2024-01-01T00:00:00Z"
profileId: 11111111-1111-1111-1111-111111111111
ruleDisplayName: Enable CodeQL for vulnerability scanning
ruleId: mock-rule-456
ruleName: codeql_enabled
ruleTypeName: codeql_enabled
status: failure

70 changes: 35 additions & 35 deletions cmd/cli/app/profile/status/testdata/status_list.yaml.golden
Original file line number Diff line number Diff line change
@@ -1,39 +1,39 @@
profileStatus:
lastUpdated: "2024-01-01T00:00:00Z"
profileId: 11111111-1111-1111-1111-111111111111
profileName: mock-profile
profileStatus: success
ruleEvaluationStatus:
- details: Mock rule evaluation succeeded.
entity: repository
entityInfo:
entity_type: repository
name: acme-corp/mock-repo
provider: github-app-mock-provider
repo_name: mock-repo
repo_owner: acme-corp
repository_id: 22222222-2222-2222-2222-222222222222
lastUpdated: "2024-01-01T00:00:00Z"
profileId: 11111111-1111-1111-1111-111111111111
ruleDisplayName: Enable secret scanning to detect hardcoded secrets
ruleId: mock-rule-123
ruleName: secret_scanning
ruleTypeName: secret_scanning
status: success
- details: Mock rule evaluation failed.
entity: repository
entityInfo:
entity_type: repository
name: acme-corp/mock-repo
provider: github-app-mock-provider
repo_name: mock-repo
repo_owner: acme-corp
repository_id: 22222222-2222-2222-2222-222222222222
lastUpdated: "2024-01-01T00:00:00Z"
profileId: 11111111-1111-1111-1111-111111111111
ruleDisplayName: Enable CodeQL for vulnerability scanning
ruleId: mock-rule-456
ruleName: codeql_enabled
ruleTypeName: codeql_enabled
status: failure
profileName: mock-profile
profileStatus: success
ruleEvaluationStatus:
- details: Mock rule evaluation succeeded.
entity: repository
entityInfo:
entity_type: repository
name: acme-corp/mock-repo
provider: github-app-mock-provider
repo_name: mock-repo
repo_owner: acme-corp
repository_id: 22222222-2222-2222-2222-222222222222
lastUpdated: "2024-01-01T00:00:00Z"
profileId: 11111111-1111-1111-1111-111111111111
ruleDisplayName: Enable secret scanning to detect hardcoded secrets
ruleId: mock-rule-123
ruleName: secret_scanning
ruleTypeName: secret_scanning
status: success
- details: Mock rule evaluation failed.
entity: repository
entityInfo:
entity_type: repository
name: acme-corp/mock-repo
provider: github-app-mock-provider
repo_name: mock-repo
repo_owner: acme-corp
repository_id: 22222222-2222-2222-2222-222222222222
lastUpdated: "2024-01-01T00:00:00Z"
profileId: 11111111-1111-1111-1111-111111111111
ruleDisplayName: Enable CodeQL for vulnerability scanning
ruleId: mock-rule-456
ruleName: codeql_enabled
ruleTypeName: codeql_enabled
status: failure

58 changes: 29 additions & 29 deletions cmd/cli/app/profile/testdata/list_profiles.yaml.golden
Original file line number Diff line number Diff line change
@@ -1,40 +1,40 @@
---
alert: "on"
artifact:
- def:
is_signed: true
is_verified: true
name: Mock ensure artifacts are signed
params:
name: mock-artifact
tags:
- latest
type: artifact_signature
name: mock-artifact-profile
context:
project: 00000000-0000-0000-0000-000000000000
displayName: Mock Artifact Signature Profile
project: 00000000-0000-0000-0000-000000000000
id: 11111111-1111-1111-1111-111111111111
name: mock-artifact-profile
displayName: Mock Artifact Signature Profile
remediate: "off"
alert: "on"
artifact:
- def:
is_signed: true
is_verified: true
name: Mock ensure artifacts are signed
params:
name: mock-artifact
tags:
- latest
type: artifact_signature

---
alert: "off"
name: mock-branch-protection
context:
project: 00000000-0000-0000-0000-000000000000
displayName: Mock Branch Protection Profile
project: 00000000-0000-0000-0000-000000000000
id: 22222222-2222-2222-2222-222222222222
name: mock-branch-protection
displayName: Mock Branch Protection Profile
remediate: "on"
alert: "off"
repository:
- def: {}
name: Mock enable branch protection
params:
branch: main
type: branch_protection_enabled
- def:
required_approving_review_count: 2
name: Mock require 2 reviews
params:
branch: main
type: branch_protection_require_pull_request_approving_review_count
- def: {}
name: Mock enable branch protection
params:
branch: main
type: branch_protection_enabled
- def:
required_approving_review_count: 2
name: Mock require 2 reviews
params:
branch: main
type: branch_protection_require_pull_request_approving_review_count

128 changes: 64 additions & 64 deletions cmd/cli/app/ruletype/testdata/get_by_name.yaml.golden
Original file line number Diff line number Diff line change
@@ -1,72 +1,72 @@
name: secret_push_protection
context:
project: 00000000-0000-0000-0000-000000000000
provider: ""
def:
alert:
securityAdvisory: {}
type: security_advisory
eval:
rego:
def: |
package minder
project: 00000000-0000-0000-0000-000000000000
provider: ""
id: 00000000-0000-0000-0000-000000000001
displayName: Enable secret push protection to avoid pushing hardcoded secrets
shortFailureMessage: Secret push protection is not enabled
description: |
Verifies that secret push protection is enabled for a given repository.
Note that this will will not work as expected for private repositories
unless you have GitHub Advanced Security enabled. If you still want to use
this rule because you have a mixture of private and public repositories,
enable the `skip_private_repos` flag.
guidance: |
Ensure that secret scanning push protection is enabled for the
repository.

import future.keywords.if
You can use secret scanning to prevent supported secrets from being
pushed into your repository by enabling secret scanning push
protection.

default allow := false
default skip := false
default message := "Secret push protection is disabled"
For more information, see [GitHub's
documentation](https://docs.github.com/en/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-secret-scanning-as-a-push-protection-for-a-repository).
severity:
value: VALUE_HIGH
releasePhase: RULE_TYPE_RELEASE_PHASE_BETA
def:
alert:
securityAdvisory: {}
type: security_advisory
eval:
rego:
def: |
package minder

allow if {
input.ingested.security_and_analysis.secret_scanning_push_protection.status == "enabled"
}
import future.keywords.if

skip if {
input.profile.skip_private_repos == true
input.ingested.private == true
}
type: deny-by-default
type: rego
inEntity: repository
ingest:
rest:
endpoint: /repos/{{.Entity.Owner}}/{{.Entity.Name}}
parse: json
type: rest
remediate:
rest:
body: |
{ "security_and_analysis": {"secret_scanning_push_protection": { "status": "enabled" } } }
endpoint: /repos/{{.Entity.Owner}}/{{.Entity.Name}}
method: PATCH
type: rest
ruleSchema:
properties:
skip_private_repos:
default: true
description: |
If true, this rule will be marked as skipped for private repositories
type: boolean
description: |
Verifies that secret push protection is enabled for a given repository.
Note that this will will not work as expected for private repositories
unless you have GitHub Advanced Security enabled. If you still want to use
this rule because you have a mixture of private and public repositories,
enable the `skip_private_repos` flag.
displayName: Enable secret push protection to avoid pushing hardcoded secrets
guidance: |
Ensure that secret scanning push protection is enabled for the
repository.
default allow := false
default skip := false
default message := "Secret push protection is disabled"

You can use secret scanning to prevent supported secrets from being
pushed into your repository by enabling secret scanning push
protection.
allow if {
input.ingested.security_and_analysis.secret_scanning_push_protection.status == "enabled"
}

For more information, see [GitHub's
documentation](https://docs.github.com/en/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-secret-scanning-as-a-push-protection-for-a-repository).
id: 00000000-0000-0000-0000-000000000001
name: secret_push_protection
releasePhase: RULE_TYPE_RELEASE_PHASE_BETA
severity:
value: VALUE_HIGH
shortFailureMessage: Secret push protection is not enabled
skip if {
input.profile.skip_private_repos == true
input.ingested.private == true
}
type: deny-by-default
type: rego
inEntity: repository
ingest:
rest:
endpoint: /repos/{{.Entity.Owner}}/{{.Entity.Name}}
parse: json
type: rest
remediate:
rest:
body: |
{ "security_and_analysis": {"secret_scanning_push_protection": { "status": "enabled" } } }
endpoint: /repos/{{.Entity.Owner}}/{{.Entity.Name}}
method: PATCH
type: rest
ruleSchema:
properties:
skip_private_repos:
default: true
description: |
If true, this rule will be marked as skipped for private repositories
type: boolean

Loading
Loading