|
| 1 | +--- |
| 2 | +version: v1 |
| 3 | +type: rule-type |
| 4 | +name: pr_vulnerability_check |
| 5 | +severity: |
| 6 | + value: medium |
| 7 | +context: |
| 8 | + provider: github |
| 9 | +description: | |
| 10 | + Verifies that pull requests do not add any vulnerable dependencies |
| 11 | +
|
| 12 | + For every pull request submitted to a repository, this rule will check if the pull request |
| 13 | + adds a new dependency with known vulnerabilities. If it does, the rule will fail and the |
| 14 | + pull request will be rejected or commented on. |
| 15 | +guidance: | |
| 16 | + Ensure that the pull request does not add any vulnerable dependencies. Vulnerable dependencies can introduce security risks to the repository and its users. It is important to ensure that the dependencies are secure and do not contain any known vulnerabilities. |
| 17 | +def: |
| 18 | + in_entity: pull_request |
| 19 | + rule_schema: |
| 20 | + type: object |
| 21 | + properties: |
| 22 | + action: |
| 23 | + type: string |
| 24 | + description: "The action to take if a vulnerability is found." |
| 25 | + enum: |
| 26 | + # minder will review the PR, suggest changes and mark the PR as changes requested if a vulnerability is found |
| 27 | + - review |
| 28 | + # minder will comment and suggest changes on the PR if a vulnerability is found. Additionally, minder |
| 29 | + # will set the commit_status of the PR HEAD to failed to prevent the commit from being merged |
| 30 | + - commit_status |
| 31 | + # minder will comment and suggest changes on the PR if a vulnerability is found, but not request changes |
| 32 | + - comment |
| 33 | + # the evaluator engine will merely pass on an error, marking the profile as failed if a vulnerability is found |
| 34 | + - profile_only |
| 35 | + # the evaluator engine will add a single summary comment with a table listing the vulnerabilities found |
| 36 | + - summary |
| 37 | + default: review |
| 38 | + ecosystem_config: |
| 39 | + type: array |
| 40 | + description: "The configuration for the ecosystems to check. Optional. If not explicitly set, Minder's default configuration will be used." |
| 41 | + items: |
| 42 | + type: object |
| 43 | + properties: |
| 44 | + name: |
| 45 | + type: string |
| 46 | + description: "The name of the ecosystem to check. Currently `npm`, `go` and `pypi` are supported." |
| 47 | + vulnerability_database_type: |
| 48 | + type: string |
| 49 | + "description": "The kind of vulnerability database to use. Currently only `osv` is supported." |
| 50 | + vulnerability_database_endpoint: |
| 51 | + type: string |
| 52 | + "description": "The endpoint of the vulnerability database to use." |
| 53 | + package_repository: |
| 54 | + type: object |
| 55 | + properties: |
| 56 | + url: |
| 57 | + type: string |
| 58 | + description: "The URL of the package repository to use." |
| 59 | + "description": "The package repository to use." |
| 60 | + sum_repository: |
| 61 | + type: object |
| 62 | + properties: |
| 63 | + url: |
| 64 | + type: string |
| 65 | + description: "The URL of the Go sum repository to use. Only used if the ecosystem is `go`." |
| 66 | + "description": "The Go sum repository to use." |
| 67 | + ingest: |
| 68 | + type: diff |
| 69 | + diff: |
| 70 | + type: new-dep |
| 71 | + ecosystems: |
| 72 | + - name: npm |
| 73 | + depfile: package-lock.json |
| 74 | + - name: go |
| 75 | + depfile: go.mod |
| 76 | + - name: pypi |
| 77 | + depfile: requirements.txt |
| 78 | + # Defines the configuration for evaluating data ingested against the given profile |
| 79 | + eval: |
| 80 | + type: rego |
| 81 | + rego: |
| 82 | + type: deny-by-default |
| 83 | + def: | |
| 84 | + package minder |
| 85 | + import rego.v1 |
| 86 | + default allow := false |
| 87 | + allow if { |
| 88 | + print("Input:", input) |
| 89 | + dep := input.ingested.deps[_] |
| 90 | + dep.dep.name == "dompurify" |
| 91 | + } |
| 92 | + # Defines the configuration for alerting on the rule |
| 93 | + alert: |
| 94 | + type: security_advisory |
| 95 | + security_advisory: {} |
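Review bot: The rego policy at lines 86–91 does not implement what the description at lines 10–14 promises: `allow` is true only when a newly added dependency is literally named `dompurify`, so under `deny-by-default` a PR that adds no dependency or any other package fails, while one that adds `dompurify` passes regardless of known vulnerabilities, and no vulnerability database is ever consulted. The `print("Input:", input)` on line 88 dumps the full ingested payload into evaluator output on every evaluation and should be removed before this ships. The `action` and `ecosystem_config` options at lines 22–66 (OSV endpoint, package repository, sum repository) are presumably meant for Minder's built-in vulnerability evaluator rather than this rego stub, so either point `eval.type` at that evaluator or make the rego rule actually check `input.ingested.deps` against vulnerability data; as written, the `security_advisory` alert at lines 93–95 would be raised for essentially every PR. If the rego is intentionally a placeholder, mark it as one, e.g. `# TODO: placeholder policy — does not query OSV; replace before enabling in a profile`.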