Add osps-qa-02 rule #275
Conversation
This change adds all currently implemented rule types for OSPS Baseline Level 1. Some rules were copy-pasted from rules like e.g. `branch_protection_allow_deletions` in order to (a) be able to change them independently and (b) change the name to something descriptive in the scope of Security Baseline. We generally do not foster this, but in this case we deemed simplicity was preferable to avoiding duplication. Along with the rules themselves, tests were added to new and existing ones, and their copies. Fixes stacklok/minder-stories#198
in_entity: repository | ||
rule_schema: {} | ||
ingest: | ||
type: git |
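Review bot: `type: git` is the wrong ingest for this rule: a git ingest clones the repository contents, but, as the thread points out, the rule does not access the repository itself, and the setting under test (branch protection) is not carried in the checkout. Switch to the REST ingest against the branch protection endpoint so evaluation runs on the API response, and since `branch_protection_allow_force_pushes` already checks the same setting, state in the rule description how this Baseline-scoped copy differs from it.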
why are you using the git ingest if you're not accessing the git repo itself?
We already have a branch protection rule to check that force pushing is not allowed https://github.com/mindersec/minder-rules-and-profiles/blob/main/rule-types/github/branch_protection_allow_force_pushes.yaml
Why are we introducing a new one and why are we doing it differently?
data-sources/ghapi.yaml
@@ -24,3 +24,15 @@ rest: | |||
type: string | |||
repo: | |||
type: string | |||
branch_protection: |
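Review bot: the new `branch_protection` entry in this data source is unnecessary and, as the thread notes, would not work yet: data sources currently have no authentication, so the call to the branch protection endpoint would fail, and the same data is already reachable through the REST ingest in the rule type itself. Drop the entry and ingest the endpoint directly from the rule.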
is this needed? You could just use the REST ingest instead.
- I also forgot that we do not have authentication for data sources and this call would've failed anyway 🙃
Oops, I forgot to submit my changes, which generally agree with Ozz's comments.
in_entity: repository | ||
rule_schema: {} | ||
ingest: | ||
type: git |
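Review bot: same problem as the other copied rule: the git ingest pulls in repository contents, while the check concerns the branch protection endpoint, so a REST ingest of that endpoint is what the rule should evaluate, with a test that runs it against a sample API response. Because an existing branch protection rule type already covers force pushes, the description should also explain why this copy evaluates the setting differently.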
We should probably ingest the branch_protection endpoint here, not the repo contents.
Some rules in the directory were copy-pasted from rules like e.g. branch_protection_allow_deletions in order to We generally do not foster this, but in this case we deemed simplicity was preferable to avoiding duplication. |
note: squashing was removed as per https://openssf.slack.com/archives/C07DC6TT2QY/p1737165055721979?thread_ts=1737159831.490839&cid=C07DC6TT2QY |
Fixes https://github.com/stacklok/minder-stories/issues/200
We haven't received a confirmation on the OpenSSF channel yet, so I made the assumptions based on the official rule definition here https://baseline.openssf.org/#osps-qa-02
They are described in the rule definition's `description` and `guidance` parts.