pr_bandit.yaml
# NOTE: This rule leverages the `http.send` function and a Cloud Run service
# https://banditize-562949304223.us-central1.run.app, which is built from
# https://github.com/evankanderson/banditize
# This also requires https://github.com/mindersec/minder/pull/5181 to be merged,
# and the `pr_comment_alert` feature flag enabled.
#
# Be aware that the rule uploads a full archive of both the base and head
# checkouts to that external service on every evaluation; do not enable it
# on repositories whose source must not leave your environment.
---
version: v1
type: rule-type
name: pr_bandit
severity:
  value: medium
context:
  provider: github
release_phase: alpha
description: |
  Detects new Python static analysis findings in a pull request.
  This rule uses https://github.com/PyCQA/bandit as a code scanner,
  running it against the base and head branches of a pull request to
  detect new security issues.
guidance: |
  This pull request introduces new issues detected by the Bandit static
  code scanner. Generally, these indicate risky software patterns which
  should be addressed before merging the pull request.
def:
  in_entity: pull_request
  rule_schema:
    type: object
    properties: {}
  ingest:
    type: git
    git: {}
  # Defines the configuration for evaluating data ingested against the given profile
  eval:
    type: rego
    rego:
      type: constraints
      def: |
        package minder

        import rego.v1

        # Archive the base and head checkouts; the banditize service runs
        # bandit on each and returns only the findings that are new in head.
        base_tar := base_file.archive(["."])
        head_tar := file.archive(["."])

        resp := http.send({
          "method": "POST",
          "url": "https://banditize-562949304223.us-central1.run.app/pull",
          "headers": {
            "Content-Type": "application/json",
          },
          "body": {
            "base": base64.encode(base_tar),
            "head": base64.encode(head_tar),
          },
        })

        # Fail closed: on a non-200 response `resp.body.simpleFindings` is
        # undefined, which would otherwise be indistinguishable from
        # "no new findings" and let the pull request pass.
        violations contains {"msg": sprintf("banditize request failed with HTTP status %d", [resp.status_code])} if resp.status_code != 200

        violations contains {"msg": resp.body.simpleFindings} if resp.body.simpleFindings != ""

        # Debugging aids, left disabled:
        # violations contains {"msg": "Always fail"}
        # violations contains {"msg": json.marshal(resp)}
  alert:
    type: pull_request_comment
    pull_request_comment:
      review_message: |
        [Bandit](https://bandit.readthedocs.io/) found new issues in this pull request. Please review and address them before merging.
        You'll need to run `minder profile status list -n Test-Bandit --detailed -o json | jq -r '.ruleEvaluationStatus[0].details'` to get the actual errors.
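The rule delegates the real work, diffing Bandit's results for the base and head checkouts, to the banditize service and only inspects the `simpleFindings` string it returns. The following is an added example, not code from this rule or from banditize, of what that diff has to do to report only the issues a pull request introduced: it keys findings on test id, file and the flagged code rather than on line number, so a pre-existing finding that merely shifted down because lines were inserted above it is not reported as new. The `simple_findings` output format and the fingerprint scheme are this example's own choices, and the two reports are constructed inline in the shape of `bandit -f json` output.

```python
"""Diff two Bandit JSON reports and keep only findings the head branch added.

Added example, not code from the pr_bandit rule or the banditize service.
It assumes the service's /pull endpoint does something like this to produce
the `simpleFindings` string the Rego rule checks; the fingerprint scheme and
the output format are this example's own choices. Sample reports below are
constructed inline in the shape of `bandit -f json` output.
"""
import json
import re

# Bandit prefixes every line of the `code` context with its line number.
_LINE_PREFIX = re.compile(r"^\s*\d+\s?")


def _fingerprint(result):
    """Identify a finding independently of where it sits in the file.

    Stripping the line-number prefixes means a finding that only moved
    because lines were inserted above it is still recognised as the same
    pre-existing finding instead of being reported as new.
    """
    code = "\n".join(_LINE_PREFIX.sub("", ln) for ln in result["code"].splitlines())
    return (result["test_id"], result["filename"], code.strip())


def new_findings(base_json, head_json):
    """Return head-branch results whose fingerprint is absent from base."""
    base = {_fingerprint(r) for r in json.loads(base_json)["results"]}
    head = json.loads(head_json)["results"]
    added = [r for r in head if _fingerprint(r) not in base]
    return sorted(added, key=lambda r: (r["filename"], r["line_number"]))


def simple_findings(base_json, head_json):
    """One line per new finding; empty string when the PR adds none.

    The empty-string contract is what the Rego check
    `resp.body.simpleFindings != ""` relies on.
    """
    return "\n".join(
        f"{r['filename']}:{r['line_number']} {r['test_id']} "
        f"({r['issue_severity']}): {r['issue_text']}"
        for r in new_findings(base_json, head_json)
    )


def _result(test_id, filename, line, severity, text, code):
    """Build one result record in Bandit's JSON shape (subset of fields)."""
    return {"test_id": test_id, "filename": filename, "line_number": line,
            "issue_severity": severity, "issue_confidence": "HIGH",
            "issue_text": text, "code": code}


# Constructed sample: base branch report with one pre-existing finding.
BASE_REPORT = json.dumps({"results": [
    _result("B602", "app/run.py", 10, "HIGH",
            "subprocess call with shell=True identified, security issue.",
            "9 cmd = build_cmd(args)\n10 subprocess.call(cmd, shell=True)\n11 return 0\n"),
]})

# Constructed sample: head branch. The B602 finding moved down four lines
# because imports were added above it; B105 and B301 are genuinely new.
HEAD_REPORT = json.dumps({"results": [
    _result("B602", "app/run.py", 14, "HIGH",
            "subprocess call with shell=True identified, security issue.",
            "13 cmd = build_cmd(args)\n14 subprocess.call(cmd, shell=True)\n15 return 0\n"),
    _result("B105", "app/settings.py", 3, "LOW",
            "Possible hardcoded password: 'hunter2'",
            "2 DEBUG = False\n3 PASSWORD = \"hunter2\"\n4 \n"),
    _result("B301", "app/load.py", 22, "MEDIUM",
            "Pickle and modules that wrap it can be unsafe when used to "
            "deserialize untrusted data, possible security issue.",
            "21 data = request.body\n22 obj = pickle.loads(data)\n23 return obj\n"),
]})


if __name__ == "__main__":
    print(simple_findings(BASE_REPORT, HEAD_REPORT) or "no new findings")
```

Run as a script it prints the two new findings (B301 in app/load.py and B105 in app/settings.py) and nothing for the moved B602. Note that findings removed in head are deliberately ignored: the rule's purpose is to block regressions, not to reward cleanups.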