Minder is an open source platform that helps development teams and open source communities build more secure software, and prove to others that what they’ve built is secure. Minder helps project owners proactively manage their security posture by providing a set of checks and policies to minimize risk along the software supply chain, and attest their security practices to downstream consumers.
Minder allows users to enroll repositories and define policy to ensure repositories and artifacts are configured consistently and securely. Policies can be set to alert only or auto-remediate. Minder provides a predefined set of rules and can also be configured to apply custom rules.
Minder can be deployed as a Helm chart and provides a CLI tool minder
. Stacklok, a company supporting Minder, also
provides a free-to-use hosted version of Minder (for public repositories only). Minder is designed to be extensible,
allowing users to integrate with their existing tooling and processes.
- Repo configuration and security: Simplify configuration and management of security settings and policies across repos.
- Proactive security enforcement: Continuously enforce best practice security configurations by setting granular policies to alert only or auto-remediate.
- Artifact attestation: Continuously verify that packages are signed to ensure they’re tamper-proof, using the open source project Sigstore.
- Dependency management: Manage dependency security posture by helping developers make better choices and enforcing controls. Minder is integrated with OSV and Trusty to enable policy-driven dependency management based on the risk level of dependencies.
Stacklok, a company supporting Minder, provides a free-to-use public instance of Minder. This is the default instance used when you use the minder
CLI. This instance is available for public repositories only.
Getting up and running with Minder takes under a minute and is as easy as:
- Installing Minder
- Logging in to Minder
- and running
minder quickstart
to create your first profile.
In just a few seconds, you will register your repositories and enable secret scanning protection for all of them! 🤯
Choose your preferred method to install minder
:
Make sure you have Homebrew installed.
brew install minder
Make sure you have Winget installed.
winget install stacklok.minder
Download the latest release from minder/releases.
Build minder
and minder-server
from source by following the build from source guide.
To use minder
with the public instance of Minder (api.stacklok.com
), log in by running:
minder auth login
Upon completion, you should see that the Minder Server is set to api.stacklok.com
.
The quickstart
command guides you through creating your first profile in Minder, register your repositories, and enabling secret scanning protection for your repositories in seconds.
To do so, run:
minder quickstart
This will prompt you to enroll your provider, select the repositories you'd like, create the secret_scanning
rule type and create a profile which enables secret scanning for the selected repositories.
To see the status of your profile, run:
minder profile status list --profile quickstart-profile --detailed
You should see the overall profile status and a detailed view of the rule evaluation statuses for each of your registered repositories.
Minder will continue to keep track of your repositories and will ensure to fix any drifts from the desired state by
using the remediate
feature or alert you, if needed, using the alert
feature.
Congratulations! 🎉 You've now successfully created your first profile!
You can now continue to explore Minder's features by adding or removing more repositories, create more profiles with various rules, and much more. There's a lot more to Minder than just secret scanning.
The secret_scanning
rule is just one of the many rule types that Minder supports.
You can see the full list of ready-to-use rules and profiles maintained by Minder's team here - mindersec/minder-rules-and-profiles.
In case there's something you don't find there yet, Minder is designed to be extensible. This allows for users to create their own custom rule types and profiles and ensure the specifics of their security posture are attested to.
Now that you have everything set up, you can continue to run minder
commands against the public instance of Minder
where you can manage your registered repositories, create profiles, rules and much more, so you can ensure your repositories are
configured consistently and securely.
For more information about minder
, see:
minder
CLI commands - Docs.minder
REST API Documentation - Docs.minder
rules and profiles maintained by Minder's team - GitHub.- Minder documentation - Docs.
The Minder community are actively working on new features and improvements for Minder.
You can find our roadmap here.
Should you wish to request or contribute a feature or improvement, please use the following issue template
This section describes how to build and run Minder from source.
You'd need the following tools available - Go, Docker and Docker Compose.
To build and run minder-server
, you will also need ko.
To run the test suite via make test
, you will need gotestfmt and helm.
To invoke the run-docker
make target, you will need yq.
git clone git@github.com:mindersec/minder.git
Run the following to build minder
and minder-server
(binaries will be present at ./bin/
)
make build
To use minder
with the public instance of Minder (api.stacklok.com
), run:
minder auth login
Upon completion, you should see that the Minder Server is set to api.stacklok.com
.
If you want to run minder
against a local minder-server
instance, proceed with the steps below.
Create the initial configuration file for minder
. You may do so by doing.
cp config/config.yaml.example config.yaml
Create the initial configuration file for minder-server
. You may do so by doing.
cp config/server-config.yaml.example server-config.yaml
You'd also have to set up an OAuth2 application for minder-server
to use.
Once completed, update the configuration file with the appropriate values.
See the documentation on how to do that - Docs.
Start minder-server
along with its dependant services (keycloak
and postgres
) by running:
make run-docker
minder-server
uses Keycloak as an IAM. To log in, you'll need to set up a GitHub OAuth2 application and configure
Keycloak to use it.
Create an OAuth2 application for GitHub here. Select
New OAuth App
and fill in the details. The callback URL should be http://localhost:8081/realms/stacklok/broker/github/endpoint
.
Create a new client secret for your OAuth2 client.
Using the client_id
and client_secret
you created above, enable GitHub login on Keycloak by running the following command:
make KC_GITHUB_CLIENT_ID=<client_id> KC_GITHUB_CLIENT_SECRET=<client_secret> github-login
Ensure the config.yaml
file is present in the current directory so minder
can use it.
Run minder
against your local instance of Minder (localhost:8090
):
minder auth login
Upon completion, you should see that the Minder Server is set to localhost:8090
.
By default, the minder
CLI will point to the production Stacklok environment if a config file is not present, but creating the config.yaml
for running the server will point the CLI at your local development environment. If you explicitly want to use a different instance, you can set the MINDER_CONFIG
environment variable to point to a particular configuration. We have configurations for local development, the Stacklok production environment, and Stacklok staging environment (updated frequently) checked in to the config
directory.
You can find more detailed information about the development process in the Developer Guide.
-
REST API documentation - Link.
-
Proto API documentation - Link.
-
Protobuf - Link.
-
OpenAPI/swagger spec (JSON) - Link.
We welcome contributions to Minder. Please see our Contributing guide for more information.
The Minder project follows the best practices for software supply chain security and transparency.
All released assets:
- Have a generated and verifiable SLSA Build Level 3 provenance. For more information, see the SLSA website.
- Have been signed and verified during release using the Sigstore project. This ensures that they are tamper-proof and can be verified by anyone.
- Have an SBOM archive generated and published along with the release. This allows users to understand the dependencies of the project and their security posture.
Minder is licensed under the Apache 2.0 License.