Merge pull request #843 from lukehinds/dependabot
Implements Dependabot Checks
Showing
2 changed files
with
55 additions
and
0 deletions.
@@ -0,0 +1,53 @@ | ||
--- | ||
version: v1 | ||
type: rule-type | ||
name: dependabot_enabled | ||
context: | ||
provider: github | ||
group: Root Group | ||
description: Verifies that Dependabot is enabled for the repository | ||
guidance: | | ||
Dependabot enables Automated dependency updates for repositories. | ||
It is recommended that repositories have some form of automated dependency updates enabled | ||
to ensure that vulnerabilities are not introduced into the codebase. | ||
To configure Dependabot, follow the instructions at https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file | ||
def: | ||
# Defines the section of the pipeline the rule will appear in. | ||
# This will affect the template that is used to render multiple parts | ||
# of the rule. | ||
in_entity: repository | ||
# Defines the schema for writing a rule with this rule being checked | ||
# In this case there is no settings that need to be configured | ||
rule_schema: {} | ||
# Defines the configuration for ingesting data relevant for the rule | ||
ingest: | ||
type: git | ||
git: | ||
branch: main | ||
# Defines the configuration for evaluating data ingested against the given policy | ||
# This example uses the checks for a dependabot configuration in the dependabot.yml file | ||
# configured to run weekly for the gomod (GoLang) package ecosystem | ||
# Another example, for NPM could be: | ||
# update["package-ecosystem"] == "npm" | ||
# update.schedule.interval == "daily" | ||
eval: | ||
type: rego | ||
rego: | ||
type: deny-by-default | ||
def: | | ||
package mediator | ||
default allow := false | ||
allow { | ||
# Read the dependabot configuration | ||
fileStr := file.read("./.github/dependabot.yml") | ||
# Parse the YAML content | ||
config := yaml.unmarshal(fileStr) | ||
# Ensure a configuration contains the npgom daily update schedule | ||
update := config.updates[_] | ||
update["package-ecosystem"] == "gomod" | ||
update.schedule.interval == "weekly" | ||
} |
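Review bot: The rego `allow` rule at the end of the hunk only passes when an update entry with `package-ecosystem == "gomod"` and `schedule.interval == "weekly"` exists, which is much narrower than the rule's name `dependabot_enabled` and its description "Verifies that Dependabot is enabled for the repository", and with `rule_schema: {}` a profile has no way to select another ecosystem or interval even though the comment above `eval` presents npm/daily as an alternative. Either tighten the name and description to state what is actually checked, or expose the ecosystem and interval as settings in `rule_schema` and compare against those in the rego instead of the hard-coded literals. The comment `# Ensure a configuration contains the npgom daily update schedule` also contradicts the two lines beneath it and should read `# Ensure the configuration contains a weekly gomod update schedule`. Two caveats worth adding to `guidance`: the ingest pins `branch: main`, so a repository whose default branch is named differently will be evaluated against the wrong or a non-existent branch, and a committed dependabot.yml appears to enable only version updates — Dependabot security updates are a separate repository setting this rule does not observe.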