mindersec · teodor-yanev · Dec 18, 2024 · Dec 18, 2024 · Dec 18, 2024 · Dec 19, 2024
@@ -0,0 +1,46 @@
+---
+version: v1
+tests:
+  - name: should pass when all requirements are met
+    def: {}
+    params: {}
+    entity:
+      type: repository
+      entity:
+        name: test-repo
+    git:
+      repo_base: valid-config
+    expect: pass
+
+  - name: should fail when baseline file is missing
+    def: {}
+    params: {}
+    entity:
+      type: repository
+      entity:
+        name: test-repo
+    git:
+      repo_base: missing-baseline
+    expect: fail
+
+  - name: should fail when exclusion patterns are missing
+    def: {}
+    params: {}
+    entity:
+      type: repository
+      entity:
+        name: test-repo
+    git:
+      repo_base: missing-patterns
+    expect: fail
+
+  - name: should fail when workflow is missing secret scanner
+    def: {}
+    params: {}
+    entity:
+      type: repository
+      entity:
+        name: test-repo
+    git:
+      repo_base: missing-scanner
+    expect: fail 
@@ -0,0 +1,8 @@
+name: Other Workflow
+on: [push]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
@@ -0,0 +1,13 @@
+name: Secret Scanner
+on: [push]
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Secret Scanner
+        uses: secret-scanner/[email protected]
+        with:
+          baseline_file: ../.secrets.baseline
+          python_version: "3.10.4" 
@@ -0,0 +1,10 @@
+{
+  "version": "1.2.0",
+  "plugins_used": [
+    {
+      "name": "ArtifactoryDetector"
+    }
+  ],
+  "filters": [],
+  "results": {}
+} 
@@ -0,0 +1,112 @@
+---
+version: v1
+release_phase: alpha
+type: rule-type
+name: yelp_secret_scanner
+display_name: Ensure Secret Scanner is enabled for secret detection
+short_failure_message: Secret Scanner action is not enabled
+severity:
+  value: high
+context: {}
+description: |
+  Verifies that the Secret Scanner action is enabled for the repository. This action
+  uses Yelp/detect-secrets to scan for newly committed secrets and provides enterprise-friendly
+  secret detection capabilities.
+
+  For more information, see the [Secret Scanner Action documentation](https://github.com/secret-scanner/action).
+guidance: |
+  Ensure that Secret Scanner action is enabled for your repository to detect
+  hardcoded secrets and credentials in your codebase.
+
+  First, create a baseline file:
+  ```bash:rule-types/github/gitleaks_action_action.yaml
+  pip install detect-secrets[gibberish]==1.2.0
+  detect-secrets scan > .secrets.baseline
+  detect-secrets audit .secrets.baseline
+  ```
+
+  Then set up the action in your workflow:
+  ```yaml
+  - name: Secret Scanner
+    uses: secret-scanner/[email protected]
+    with:
+      baseline_file: .secrets.baseline
+      python_version: "3.10.4"
+  ```
+def:
+  in_entity: repository
+  rule_schema: {}
+  ingest:
+    type: git
+    git: {}
+  eval:
+    type: rego
+    rego:
+      type: deny-by-default
+      def: |
+        package minder
+
+        import rego.v1
+
+        default allow := false
+        default message := "Secret Scanner action is not enabled or not properly configured"
+
+        has_baseline_file if {
+            file.exists(".secrets.baseline")
+        }
+
+        has_exclusion_patterns if {
+            file.exists(".github/actions/secret-scanner/excluded_files.patterns")
+            file.exists(".github/actions/secret-scanner/excluded_secrets.patterns")
+            file.exists(".github/actions/secret-scanner/excluded_lines.patterns")
+        }
+
+        has_secret_scanner(workflow) if {
+            some jobname
+            job := workflow.jobs[jobname]
+
+            some i
+            step := job.steps[i]
+            startswith(step.uses, "secret-scanner/action@")
+        }
+
+        allow if {
+            has_baseline_file
+
+            has_exclusion_patterns
+
+            workflows := file.ls("./.github/workflows")
+            count(workflows) > 0
+
+            some w
+            workflowstr := file.read(workflows[w])
+            workflow := yaml.unmarshal(workflowstr)
+            has_secret_scanner(workflow)
+        }
+
+        message = msg if {
+            not has_baseline_file
+            msg := "Missing .secrets.baseline file. Run 'detect-secrets scan > .secrets.baseline' to create one"
+        }
+
+        message = msg if {
+            not has_exclusion_patterns
+            msg := "Missing exclusion pattern files in .github/actions/secret-scanner/. These are recommended for proper configuration."
+        }
+
+        message = msg if {
+            workflows := file.ls("./.github/workflows")
+            count(workflows) == 0
+            msg := "No workflow files found"
+        }
+
+        message = msg if {
+            workflows := file.ls("./.github/workflows")
+            count(workflows) > 0
+
+            count([w | w := workflows[_]; has_secret_scanner(yaml.unmarshal(file.read(w)))]) == 0
+            msg := "No workflows contain the secret-scanner action"
+        }
+  alert:
+    type: security_advisory
+    security_advisory: {}