
Commit 8682ca5

committed
Add a ruletype that checks if snyk scanning is enabled
Signed-off-by: Radoslav Dimitrov <[email protected]>
1 parent 0b1a76d commit 8682ca5

1 file changed

+233
-0
lines changed

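--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,233 @@
+---
+version: v1
+release_phase: alpha
+type: rule-type
+name: snyk_github_action
+display_name: Enable Snyk scanning via GitHub Actions
+short_failure_message: Snyk scanning is not properly configured via GitHub Actions
+severity:
+value: medium
+context: {}
+description: |
+Verifies that Snyk is properly configured via GitHub Actions for the repository
+based on the project's ecosystem (Node.js, Go, Python, etc). This ensures
+appropriate security scanning is in place for dependencies and code.
+guidance: |
+Ensure that Snyk is configured and enabled for your repository with
+appropriate settings for your project's ecosystem.
+
+Snyk provides different types of security scanning:
+- Dependency vulnerability scanning
+- Code analysis for security issues
+- Container scanning
+- Infrastructure as Code scanning
+
+For each ecosystem, you need appropriate configuration:
+- Node.js: Ensure package.json and package-lock.json are scanned
+- Go: Configure for go.mod and go.sum scanning
+- Python: Set up for requirements.txt or Pipfile scanning
+- Container: Enable for Dockerfile scanning
+
+For more information, see:
+- [Snyk GitHub Actions](https://github.com/snyk/actions)
+- [Snyk CLI documentation](https://docs.snyk.io/snyk-cli)
+def:
+in_entity: repository
+rule_schema:
+type: object
+properties:
+ecosystems:
+type: array
+description: |
+List of ecosystems that should be scanned by Snyk.
+Each ecosystem requires specific Snyk configuration.
+items:
+type: string
+enum:
+- nodejs
+- go
+- python
+- docker
+- iac
+command_args:
+type: object
+description: |
+Optional custom arguments for the Snyk CLI command for each ecosystem.
+If not specified, default arguments will be used.
+properties:
+nodejs:
+type: string
+default: "--all-projects"
+go:
+type: string
+default: "--all-projects"
+python:
+type: string
+default: "--all-projects"
+docker:
+type: string
+default: "--file=Dockerfile"
+iac:
+type: string
+default: "--all-projects"
+required:
+- ecosystems
+ingest:
+type: git
+git: {}
+eval:
+type: rego
+rego:
+type: deny-by-default
+def: |
+package minder
+
+import rego.v1
+
+# List all workflows
+workflows := file.ls("./.github/workflows")
+
+# Get all actions used in workflows
+actions := github_workflow.ls_actions("./.github/workflows")
+
+# Map ecosystem names to their indicator files
+ecosystem_files := {
+"nodejs": ["package.json"],
+"go": ["go.mod"],
+"python": ["requirements.txt", "Pipfile"],
+"docker": ["Dockerfile"],
+"iac": ["terraform", ".tf", ".yaml", ".yml"]
+}
+
+default message := "Snyk GitHub action is not properly configured"
+default allow := false
+
+# Read all workflow files and check for proper Snyk configuration
+allow if {
+# First verify Snyk action is present
+some action in actions
+startswith(action, "snyk/actions")
+
+# Then verify each required ecosystem is properly configured
+ecosystem_check_results := {res |
+ecosystem := input.profile.ecosystems[_]
+res := check_ecosystem(ecosystem)
+}
+
+# All ecosystem checks must pass
+all(ecosystem_check_results)
+}
+
+# Helper function to check ecosystem configuration
+check_ecosystem(ecosystem) if {
+# Check if ecosystem files exist
+some file in ecosystem_files[ecosystem]
+file_exists_check(file)
+
+# Check workflow configuration for this ecosystem
+some workflow_file in workflows
+workflowstr := file.read(workflow_file)
+workflow := yaml.unmarshal(workflowstr)
+
+# Look for a job that uses Snyk with specific args
+some job_name, job in workflow.jobs
+some step in job.steps
+startswith(step.uses, "snyk/actions")
+args := object.get(step, "args", "")
+
+# When no specific command args are required
+not input.profile.command_args[ecosystem]
+}
+
+check_ecosystem(ecosystem) if {
+# Check if ecosystem files exist
+some file in ecosystem_files[ecosystem]
+file_exists_check(file)
+
+# Check workflow configuration for this ecosystem
+some workflow_file in workflows
+workflowstr := file.read(workflow_file)
+workflow := yaml.unmarshal(workflowstr)
+
+# Look for a job that uses Snyk with specific args
+some job_name, job in workflow.jobs
+some step in job.steps
+startswith(step.uses, "snyk/actions")
+args := object.get(step, "args", "")
+args == input.profile.command_args[ecosystem]
+}
+
+# Helper function to check file existence with glob support
+file_exists_check(pattern) if {
+# Direct file check
+file.exists(pattern)
+}
+
+file_exists_check(pattern) if {
+# Glob pattern check
+files := file.glob(sprintf("**/%s*", [pattern]))
+count(files) > 0
+}
+remediate:
+type: pull_request
+pull_request:
+title: "Add Snyk security scanning workflow"
+body: |
+This is a Minder automated pull request.
+
+This pull request adds a GitHub Actions workflow that runs Snyk security scanning
+configured for your project's ecosystems: {{.Profile.ecosystems}}.
+
+This will help identify:
+- Known vulnerabilities in dependencies
+- Security issues in code
+- Container security issues
+- Infrastructure as Code misconfigurations
+contents:
+- path: .github/workflows/snyk.yml
+action: replace
+content: |
+name: Snyk Security Scan
+
+on:
+push:
+branches: [ main ]
+pull_request:
+branches: [ main ]
+
+jobs:
+security:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v4
+
+{{- range .Profile.ecosystems }}
+{{- if eq . "nodejs" }}
+- name: Set up Node.js
+uses: actions/setup-node@v4
+with:
+node-version: 'lts/*'
+{{- else if eq . "go" }}
+- name: Set up Go
+uses: actions/setup-go@v5
+with:
+go-version: '>=1.21.0'
+{{- else if eq . "python" }}
+- name: Set up Python
+uses: actions/setup-python@v5
+with:
+python-version: '3.x'
+{{- end }}
+{{- end }}
+
+{{- range .Profile.ecosystems }}
+- name: Run Snyk to check for vulnerabilities ({{ . }})
+uses: snyk/actions/{{ . }}@master
+env:
+SNYK_TOKEN: ${{ "{{" }} secrets.SNYK_TOKEN {{ "}}" }}
+with:
+args: {{ index $.Profile.command_args . | default "--all-projects" }}
+{{- end }}
+alert:
+type: security_advisory
+security_advisory: {}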
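Review bot: The `allow` rule (rego lines 106-119) does not actually require every ecosystem to pass: `check_ecosystem` is undefined for a failing ecosystem, so that ecosystem is silently dropped from the `ecosystem_check_results` comprehension, and `all()` over the remaining set (even an empty one) is true — meaning a repository with any `snyk/actions` step is allowed regardless of per-ecosystem configuration; `all` is moreover a deprecated builtin that `import rego.v1` is expected to reject, so replace the comprehension with `every ecosystem in input.profile.ecosystems { check_ecosystem(ecosystem) }`. In both `check_ecosystem` rules the local `some file in ecosystem_files[ecosystem]` shadows the `file` builtin namespace before `file.read(workflow_file)` is called a few lines later, which will most likely fail to compile; rename the local (e.g. `indicator`). The step arguments are read as `object.get(step, "args", "")` but the remediation template writes them under `with: args:`, so the workflow this rule generates would never satisfy its own `args == input.profile.command_args[ecosystem]` comparison; use `object.get(step, ["with", "args"], "")`. The glob fallback `sprintf("**/%s*", [pattern])` turns the `iac` indicators `.tf`/`.yaml` into `**/.tf*`, which matches dotfiles rather than `main.tf`, so IaC detection needs `*%s`-style patterns. In the remediation content, `snyk/actions/{{ . }}@master` pins a mutable branch, so a compromised or changed upstream ref flows straight into every remediated repository; pinning to a commit SHA (or at least a release tag) would make the generated workflow reproducible, and the `docker` fallback `default "--all-projects"` disagrees with the schema default `--file=Dockerfile`.
```rego
allow if {
	some action in actions
	startswith(action, "snyk/actions")
	every ecosystem in input.profile.ecosystems {
		check_ecosystem(ecosystem)
	}
}

check_ecosystem(ecosystem) if {
	some indicator in ecosystem_files[ecosystem]
	file_exists_check(indicator)
	# … unchanged: workflow read and job/step iteration …
	args := object.get(step, ["with", "args"], "")
	# … unchanged: command_args comparison (same edit applies to the second check_ecosystem rule) …
}
```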
