Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add osps-qa-02 rule #275

Merged
merged 4 commits into from
Jan 21, 2025
Merged

Add osps-qa-02 rule #275

merged 4 commits into from
Jan 21, 2025

Conversation

teodor-yanev
Copy link
Contributor

Fixes https://github.com/stacklok/minder-stories/issues/200

We haven't received a confirmation on the OpenSSF channel yet so I made the assumptions based on the official rule definition here https://baseline.openssf.org/#osps-qa-02

They are described in the rule definition's description and guidance parts.

blkt and others added 2 commits January 14, 2025 10:33
@blkt
Add OSPS Baseline Level 1 rules.
ef919c5 
This change adds all currently implemented rule types for OSPS
Baseline Level 1.

Some rules were copy-pasted from rules like
e.g. `branch_protection_allow_deletions` in order to (a) be able to
change them independently and (b) change the name to something
descriptive in the scope of Security Baseline. We generally do not
foster this, but in this case we deemed simplicity was preferable to
avoiding duplication.

Along the rules themselves, tests were added to new, existing ones,
and their copies.

Fixes stacklok/minder-stories#198
@teodor-yanev
add: osps-qa-02 rule
88ebbaf
@teodor-yanev teodor-yanev self-assigned this Jan 17, 2025
@teodor-yanev teodor-yanev requested a review from a team as a code owner January 17, 2025 13:55
JAORMX
JAORMX reviewed Jan 17, 2025
View reviewed changes
security-baseline/rule-types/github/osps-qa-02.yaml Outdated
in_entity: repository
rule_schema: {}
ingest:
type: git
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why are you using the git ingest if you're not accessing the git repo itself?

JAORMX
JAORMX requested changes Jan 17, 2025
View reviewed changes
Copy link
Contributor

@JAORMX JAORMX left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We arleady have a branch protection rule to check that force pushing is not allowed https://github.com/mindersec/minder-rules-and-profiles/blob/main/rule-types/github/branch_protection_allow_force_pushes.yaml

Why are we introducing a new one and why are we doing it differently?

data-sources/ghapi.yaml Outdated
@@ -24,3 +24,15 @@ rest:
type: string
repo:
type: string
branch_protection:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this needed? You could just use the REST ingest instead.

Copy link
Contributor Author

@teodor-yanev teodor-yanev Jan 20, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • I also forgot that we do not have authentication for data sources and this call would've failed anyway 🙃

evankanderson
evankanderson reviewed Jan 17, 2025
View reviewed changes
Copy link
Member

@evankanderson evankanderson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oops, I forgot to submit my changes, which generally agree with Ozz's comments.

security-baseline/rule-types/github/osps-qa-02.yaml Outdated
in_entity: repository
rule_schema: {}
ingest:
type: git
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should probably ingest the branch_protection endpoint here, not the repo contents.

Base automatically changed from feat/add-baseline-profile-and-rules to main January 20, 2025 10:07
@teodor-yanev
Copy link
Contributor Author

We arleady have a branch protection rule to check that force pushing is not allowed https://github.com/mindersec/minder-rules-and-profiles/blob/main/rule-types/github/branch_protection_allow_force_pushes.yaml

Why are we introducing a new one and why are we doing it differently?

Some rules in the directory were copy-pasted from rules like e.g. branch_protection_allow_deletions in order to
(a) be able to change them independently and
(b) change the name to something descriptive in the scope of Security Baseline.

We generally do not foster this, but in this case we deemed simplicity was preferable to avoiding duplication.

@teodor-yanev
Copy link
Contributor Author

note: squashing was removed as per https://openssf.slack.com/archives/C07DC6TT2QY/p1737165055721979?thread_ts=1737159831.490839&cid=C07DC6TT2QY

@teodor-yanev teodor-yanev merged commit 98d1363 into main Jan 21, 2025
6 checks passed
@teodor-yanev teodor-yanev deleted the add-OSPS-QA-02-rule branch January 21, 2025 12:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@evankanderson evankanderson evankanderson left review comments

@JAORMX JAORMX JAORMX approved these changes

Assignees

@teodor-yanev teodor-yanev

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@teodor-yanev @JAORMX @evankanderson @blkt