diff --git a/docs/docs/tutorials/register_repo_create_profile.md b/docs/docs/tutorials/register_repo_create_profile.md index 4f3e31a625..8ad173e8af 100644 --- a/docs/docs/tutorials/register_repo_create_profile.md +++ b/docs/docs/tutorials/register_repo_create_profile.md @@ -93,14 +93,14 @@ minder profile create -f profile.yaml Check the status of the profile: ``` -./bin/minder profile_status list --profile github-profile +minder profile_status list --profile github-profile ``` If all registered repositories have secret scanning enabled, you will see the `OVERALL STATUS` is `Success`, otherwise the overall status is `Failure`. See a detailed view of which repositories satisfy the secret scanning rule: ``` -./bin/minder profile_status list --profile github-profile --detailed +minder profile_status list --profile github-profile --detailed ``` ## Viewing alerts diff --git a/docs/docs/tutorials/remediations.md b/docs/docs/tutorials/remediations.md new file mode 100644 index 0000000000..7005a678f1 --- /dev/null +++ b/docs/docs/tutorials/remediations.md @@ -0,0 +1,79 @@ +--- +title: Automatic Remediations +sidebar_position: 20 +--- + +## Goal + +The goal of this tutorial is to show how Minder can ensure +that enrolled repos have secret scanning enabled. Secret scanning is +one of several settings which can be managed by Minder. When you +apply a Minder profile to enrolled repositories, it will remediate (fix) +the setting if it is changed to violate the profile. + +## Prerequisites + +In order to follow the tutorial, ensure that you have completed the tutorial on +[registering repositories](register_repo_create_profile.md) first. + +## Creating a profile with `remediate: on` + +At the moment, Minder doesn't support editing profiles. In order to create the +same profile with `remediate: on`, you need to delete the existing profile and create +a new one. + +Get the currently installed profiles: +```shell +minder profile list --provider=github +``` + +Find the ID of the profile you want to remove and delete it: +```shell +minder profile delete -i $ID +``` + +Edit the YAML file of the profile you want to use and set the `remediate` attribute to +to `on`: +```yaml +--- +version: v1 +type: profile +name: github-profile +context: + provider: github +alert: "on" +remediate: "on" +repository: + - type: secret_scanning + def: + enabled: true +``` + +Create the profile in Minder: +``` +minder profile create -f profile.yaml +``` + +Check the status of the profile: +``` +minder profile_status list --profile github-profile +``` + +With remediation on, the profile status should be "Success" when the repository has been updated to match the profile. +If you navigate to your repository settings with your browser, you should see that secret scanning +feature is enabled. Toggling the feature off should trigger a new profile status check and the +secret scanning feature should be enabled again in github. + +## Current limitations +At the time of writing, not all `rule_type` objects support remediation. To find out which +do, you can run: +```shell +minder rule_type get -i $ID -oyaml +``` +and look for the `remediate` attribute. If it's not present, the rule type doesn't support +remediation. Alternatively, browse the [rule types directory](https://github.com/stacklok/minder-rules-and-profiles/tree/main/rule-types/github) +of the minder-rules-and-profiles repository. + +Furthermore, remediations that open a pull request such as the `dependabot` rule type only attempt +to replace the target file, overwriting its contents. This means that if you want to keep the current +changes, you need to merge the contents manually.