Add how-to for pull request remediations #1470

Merged
merged 2 commits into from
Nov 5, 2023
103 changes: 103 additions & 0 deletions docs/docs/how-to/remediate-pullrequest.md
@@ -0,0 +1,103 @@
---
title: Auto-remediation via pull request
sidebar_position: 30
---
import Tabs from '@theme/Tabs';
import TabItem from '@theme/TabItem';

## Prerequisites

* The `minder` CLI application
* A Minder account
* An enrolled Provider (e.g., GitHub) and registered repositories

## Create a rule type that has support for pull request auto remediation

The pull request auto remediation feature provides the functionality to fix a failed rule type by creating a pull request.
This feature is only available for rule types that support it.

In this example, we will use a rule type that checks if a repository has Dependabot enabled. If it's not enabled, Minder
will create a pull request that enables Dependabot. The rule type is called `dependabot_configured.yaml` and is one of
the reference rule types provided by the Minder team.

Fetch all the reference rules by cloning the [minder-rules-and-profiles repository](https://github.com/stacklok/minder-rules-and-profiles).

```bash
git clone https://github.com/stacklok/minder-rules-and-profiles.git
```

In that directory you can find all the reference rules and profiles.
```bash
cd minder-rules-and-profiles
```

Create the `dependabot_configured` rule type in Minder:
```bash
minder rule_type create -f rule-types/github/dependabot_configured.yaml
```

## Create a profile
Next, create a profile that applies the rule to all registered repositories.

Create a new file called `profile.yaml`.
Based on your source code language, paste the following profile definition into the newly created file.

<Tabs>
<TabItem value="go" label="Go" default>

```yaml
---
version: v1
type: profile
name: dependabot-profile
context:
provider: github
alert: "on"
remediate: "on"
repository:
- type: dependabot_configured
def:
package_ecosystem: gomod
schedule_interval: weekly
apply_if_file: go.mod
```

</TabItem>
<TabItem value="npm" label="NPM">

```yaml
---
version: v1
type: profile
name: dependabot-profile
context:
provider: github
alert: "on"
remediate: "on"
repository:
- type: dependabot_configured
def:
package_ecosystem: npm
schedule_interval: weekly
apply_if_file: package.json
```
</TabItem>
</Tabs>

Create the profile in Minder:
```bash
minder profile create -f profile.yaml
```

Once the profile is created, Minder will monitor all of your registered repositories matching the expected ecosystem,
i.e., Go, NPM, etc.

If a repository does not have Dependabot enabled, Minder will create a pull request with the necessary configuration
to enable it. Alongside the PR, Minder will also create a Security Advisory alert that will be present until the issue
is resolved.
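Review bot: the closing paragraph of this region says Minder monitors repositories "matching the expected ecosystem, i.e., Go, NPM, etc.", but nothing in the how-to explains how that match is made; the only thing in the profile that ties it to an ecosystem is `apply_if_file` (`go.mod` in the Go tab, `package.json` in the NPM tab), so the three `def` parameters (`package_ecosystem`, `schedule_interval`, `apply_if_file`) deserve a sentence each after the tabs, and "i.e." should be "e.g." since the two tabs are examples rather than the full list. Two smaller points: the lead-in "Based on your source code language" does not match the tabs, which are keyed by package ecosystem (a repository can have more than one), so "package ecosystem" is the more accurate wording; and both tabs define a profile with the same `name: dependabot-profile`, so a user with both Go and npm repositories cannot create both as written without changing one of the names, which is worth calling out.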
Contributor
I think we should say two things, in a section on limitations:

  1. currently the PR remediations can only set file contents, not merge
  2. if the failing rule is resolved by other means mediator won't close the PR at the moment

Member Author
Thanks, I'll add them later today


## Limitations

* The pull request auto remediation feature is only available for rule types that support it.
* There's no support for creating pull requests that modify the content of existing files yet.
* The created pull request should be closed manually if the issue is resolved through other means. The profile status and any related alerts will be updated/closed automatically though.
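Review bot: the first bullet repeats a sentence that already appears verbatim in the "Create a rule type" section ("This feature is only available for rule types that support it"), so it adds nothing here and can be dropped. The second bullet is less precise than the review comment it responds to: "can only set file contents, not merge" means an existing file is replaced wholesale rather than merged with, whereas "no support for creating pull requests that modify the content of existing files" reads as though existing files are left alone; the bullet should state which of the two happens when a repository already has a Dependabot configuration for a different ecosystem. The third bullet mixes what the user must do and what Minder does automatically in one sentence; splitting it (the PR must be closed manually; the profile status and the alert are updated and closed by Minder) would make the limitation easier to scan.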