Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

new rule: Add rule that verifies that the trivy action is used in a github workflow #900

Merged
merged 1 commit into from
Sep 8, 2023
Merged

new rule: Add rule that verifies that the trivy action is used in a github workflow #900

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions examples/github/policies/policy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,8 @@ repository:
def: {}
- type: dockerfile_no_latest_tag
def: {}
- type: trivy_action_enabled
def: {}
artifact:
- context: github
rules:
Expand Down
57 changes: 57 additions & 0 deletions examples/github/rule-types/trivy_action_enabled.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,57 @@
---
version: v1
type: rule-type
name: trivy_action_enabled
context:
provider: github
group: Root Group
description: Verifies that the Trivy action is enabled for the repository and scanning
guidance: |
Trivy is an open source vulnerability scanner for repositories, containers and other
artifacts provided by Aqua Security. It is used to scan for vulnerabilities in the
codebase and dependencies. This rule ensures that the Trivy action is enabled for
the repository and scanning is performed.

For more information on the Trivy action, see https://github.com/marketplace/actions/aqua-security-trivy
def:
# Defines the section of the pipeline the rule will appear in.
# This will affect the template that is used to render multiple parts
# of the rule.
in_entity: repository
# Defines the schema for writing a rule with this rule being checked
# In this case there is no settings that need to be configured
rule_schema: {}
# Defines the configuration for ingesting data relevant for the rule
ingest:
type: git
git:
branch: main
# Defines the configuration for evaluating data ingested against the given policy
eval:
type: rego
rego:
type: deny-by-default
def: |
package mediator

default allow := false

allow {
# List all workflows
workflows := file.ls("./.github/workflows")

# Read all workflows
some w
workflowstr := file.read(workflows[w])

workflow := yaml.unmarshal(workflowstr)

# Iterate jobs
job := workflow.jobs[_]

# Iterate steps
step := job.steps[_]

# Check if the step is a trivy action
startswith(step.uses, "aquasecurity/trivy-action@")
}