
Add an optional violation_format to rego rules #1728

Merged (1 commit) on Nov 27, 2023

Conversation

jhrozek (Contributor) commented Nov 24, 2023


Adds an optional parameter for the rego evaluator that allows specifying
that if the constraints mode is used, then the constraints message
should be a valid JSON object with a key and a value so that it decodes
into `map[string]any`.

This is done by passing an outputFormat into the rule; the usage can be
seen in unit tests.

The default is still "text" to keep backwards compatibility.

If the evaluator asks for JSON, but back comes just a string, we can
assume that the policy doesn't support JSON output, so we marshal the
string ourselves into `{ "msg": $response }`.

The main use-case is rules that print a list of items violating a
policy; those can then be summarized using jq like this:
```
./bin/minder profile_status list --provider=github -i actions-github-profile -d -ojson 2>/dev/null | jq '.ruleEvaluationStatus | map(select(.ruleName == "repo_action_list" and .status == "failure")) | map({repo_name: .entityInfo.repo_name, details: .details | fromjson})'
[
  {
    "repo_name": "testrepo",
    "details": [
      {
        "actions_not_allowed": [
          "docker/build-push-action",
          "docker/login-action",
          "docker/metadata-action",
          "docker/setup-buildx-action"
        ]
      }
    ]
  },
  {
    "repo_name": "bad-go",
    "details": [
      {
        "actions_not_allowed": [
          "docker/build-push-action",
          "docker/login-action",
          "docker/metadata-action",
          "docker/setup-buildx-action"
        ]
      }
    ]
  }
]
```
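The following Go block is an added illustration of the output-format handling the description sketches; it is not Minder's evaluator code, and the names `Violation`, `parseViolations` and `renderDetails`, the assumed `{"msg": ...}` shape of each violation, and the sample engine output are all constructed for the example. It shows the two behaviours a practitioner would want to verify: an object `msg` is passed through unchanged under the JSON format, a bare string is wrapped as `{"msg": ...}` so that `.details | fromjson` still yields an array of objects, and the text format (the default) rejects an object `msg` rather than silently stringifying it.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Violation is one decoded entry of a rego "violations" set. The policy side
// is assumed (not verified against Minder) to emit objects shaped like
// {"msg": <string or object>}, which is what json.Unmarshal yields here.
type Violation map[string]any

// parseViolations decodes the JSON the evaluator is assumed to receive from
// the policy engine for a constraints-mode rule.
func parseViolations(js string) ([]Violation, error) {
	var out []Violation
	if err := json.Unmarshal([]byte(js), &out); err != nil {
		return nil, fmt.Errorf("decoding violations: %w", err)
	}
	return out, nil
}

// renderDetails applies the requested violation_format ("text" is the
// default) and returns the string a status listing would carry in "details".
//
//   json: a msg that is already an object is kept; a plain string is taken to
//         come from a policy without JSON support and is wrapped as
//         {"msg": <string>}. The result is a JSON array of objects.
//   text: every msg must be a string; they are joined with newlines.
func renderDetails(format string, raw []Violation) (string, error) {
	switch format {
	case "json":
		objs := make([]map[string]any, 0, len(raw))
		for i, v := range raw {
			switch m := v["msg"].(type) {
			case map[string]any:
				objs = append(objs, m)
			case string:
				objs = append(objs, map[string]any{"msg": m})
			default:
				return "", fmt.Errorf("violation %d: msg is %T, want object or string", i, v["msg"])
			}
		}
		b, err := json.Marshal(objs)
		if err != nil {
			return "", err
		}
		return string(b), nil
	case "text", "":
		msgs := make([]string, 0, len(raw))
		for i, v := range raw {
			s, ok := v["msg"].(string)
			if !ok {
				return "", fmt.Errorf("violation %d: text format needs a string msg, got %T", i, v["msg"])
			}
			msgs = append(msgs, s)
		}
		return strings.Join(msgs, "\n"), nil
	default:
		return "", fmt.Errorf("unknown violation_format %q", format)
	}
}

func main() {
	// Constructed engine output: one policy that already emits an object and
	// one legacy-style entry that only emits a string.
	const engineOutput = `[
	  {"msg": {"actions_not_allowed": ["docker/login-action", "docker/build-push-action"]}},
	  {"msg": "legacy policy: something is off"}
	]`
	vs, err := parseViolations(engineOutput)
	if err != nil {
		panic(err)
	}
	for _, f := range []string{"json", "text"} {
		d, err := renderDetails(f, vs)
		fmt.Printf("%s: %q (err=%v)\n", f, d, err)
	}
}
```

Rejecting an object under the text format is a deliberate choice in this example: a rule author who switches a policy to emit objects but forgets to set the format gets an error at evaluation time instead of a `map[...]` string leaking into the details.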
jhrozek added a commit to jhrozek/minder-rules-and-profiles that referenced this pull request Nov 24, 2023
…t a set of allowed actions

Adds a new rule_type that allows specifying an allow list of actions
used in repositories. The evaluation uses rego and is able to print a
JSON representation of the actions that are not allowed.

Example profile:
```
version: v1
type: profile
name: actions-github-profile
context:
  provider: github
alert: "off"
remediate: "off"
repository:
  - type: repo_action_list
    def:
      actions:
        - actions/checkout
        - docker/build-push-action
        - docker/login-action
        - docker/metadata-action
        - docker/setup-buildx-action
        - sigstore/cosign-installer
```

Specifying an empty list allows you to list the actions used in the repo:
```
version: v1
type: profile
name: actions-github-profile
context:
  provider: github
alert: "off"
remediate: "off"
repository:
  - type: repo_action_list
    def:
      actions: []
```

Note that this PR depends on mindersec/minder#1728
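As an added illustration of the allow-list semantics the commit message describes (every used action outside the list is reported, and an empty list therefore reports everything the repository uses), the Go block below re-implements that check over workflow text. It is not the rego rule from minder-rules-and-profiles, and `usesRe`, `actionName`, `actionsUsed`, `evaluateAllowList` and the sample workflow are constructed for the example. The one detail worth seeing in code is the normalisation: `uses:` values carry an `@ref` that the profile's list does not, so the comparison has to drop it.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// usesRe picks the value of a step's `uses:` key out of workflow YAML text.
// Constructed for this illustration; it covers the "owner/repo[/path]@ref"
// form and not every YAML spelling (block scalars, flow mappings).
var usesRe = regexp.MustCompile(`(?m)^[ \t]*-?[ \t]*uses:[ \t]*['"]?([^\s'"#]+)`)

// actionName drops the "@ref" suffix so that "actions/checkout@v4" and a
// SHA-pinned "actions/checkout@<sha>" both compare as "actions/checkout",
// matching how the profile lists actions without a version.
func actionName(uses string) string {
	if i := strings.LastIndex(uses, "@"); i >= 0 {
		return uses[:i]
	}
	return uses
}

// actionsUsed returns the sorted, deduplicated action names referenced by
// the given workflow files.
func actionsUsed(workflows []string) []string {
	seen := map[string]bool{}
	for _, wf := range workflows {
		for _, m := range usesRe.FindAllStringSubmatch(wf, -1) {
			seen[actionName(m[1])] = true
		}
	}
	out := make([]string, 0, len(seen))
	for a := range seen {
		out = append(out, a)
	}
	sort.Strings(out)
	return out
}

// evaluateAllowList applies the rule semantics from the commit message: any
// used action absent from the allow list is reported, so an empty allow list
// reports every action the repository uses. The returned slice is the
// "actions_not_allowed" payload; nil means the rule passes.
func evaluateAllowList(allowed []string, workflows []string) []string {
	allow := map[string]bool{}
	for _, a := range allowed {
		allow[a] = true
	}
	var notAllowed []string
	for _, a := range actionsUsed(workflows) {
		if !allow[a] {
			notAllowed = append(notAllowed, a)
		}
	}
	return notAllowed
}

func main() {
	// Constructed workflow, not taken from any real repository.
	wf := `
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - name: Log in
        uses: docker/login-action@v3
      - uses: "docker/build-push-action@v5"
      - uses: actions/checkout@v4
`
	allowed := []string{"actions/checkout", "sigstore/cosign-installer"}
	fmt.Println("actions used:", actionsUsed([]string{wf}))
	fmt.Println("not allowed:", evaluateAllowList(allowed, []string{wf}))
	fmt.Println("empty allow list lists everything:", evaluateAllowList(nil, []string{wf}))
}
```

Stripping `@ref` is what makes the profile usable, but it also means the rule says nothing about pinning; an allow list of names cannot distinguish `@v4` from a commit SHA, so pinning is a separate check.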
jhrozek (Contributor, Author) commented Nov 24, 2023

to test, feel free to use mindersec/minder-rules-and-profiles#20

@jhrozek jhrozek merged commit 7d3b950 into mindersec:main Nov 27, 2023
14 checks passed