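---
# Stacklok example remediation profile for Minder.
#
# With `remediate: "on"` Minder does not just report drift from these rules,
# it actively changes repository settings (branch protection, workflow
# permissions, secret scanning, ...) to match them. Review every value below
# before applying this profile to an organisation.
version: v1
type: profile
name: stacklok-remediate-profile
display_name: Stacklok example remediation profile
context:
  provider: github
# Keep these two values quoted: to a YAML 1.1 loader an unquoted `on`/`off`
# is a boolean, not the string the profile expects.
alert: "off"
remediate: "on"

repository:
  # Require third-party GitHub Actions to be pinned to a commit SHA rather than
  # a mutable tag. Every entry under `exclude` is a dependency that can change
  # underneath you, so keep the list short and justify each item.
  - type: actions_check_pinned_tags
    def:
      exclude:
        # NOTE(review): the SLSA generator reusable workflow is referenced by
        # release tag here; its project documentation asks for a tag reference
        # rather than a SHA pin — confirm that still holds for the version in use.
        - slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0

  - type: automatic_branch_deletion
    def:
      enabled: true

  # Secret scanning and push protection are enforced on public repositories
  # only. With `skip_private_repos: true` private repositories are NOT covered
  # by these two rules; presumably because GitHub offers them on private
  # repositories only with Advanced Security enabled — confirm for your plan,
  # and drop the skip where Advanced Security is licensed.
  - type: secret_scanning
    def:
      enabled: true
      skip_private_repos: true
  - type: secret_push_protection
    def:
      enabled: true
      skip_private_repos: true

  # Default GITHUB_TOKEN permissions for Actions: read-only unless a workflow
  # explicitly requests more via `permissions:`. `can_approve_pull_request_reviews`
  # is false so a workflow's token cannot approve pull requests and thereby
  # satisfy the approving-review requirement enforced on `main` below.
  - type: default_workflow_permissions
    def:
      default_workflow_permissions: read
      can_approve_pull_request_reviews: false

  - type: dockerfile_no_latest_tag
    def: {}

  # Branch protection for `main`. `enforce_admins: true` applies every rule
  # below to administrators as well.
  - type: branch_protection_enabled
    params:
      branch: main
    def: {}
  - type: branch_protection_allow_deletions
    params:
      branch: main
    def:
      allow_deletions: false
  - type: branch_protection_allow_force_pushes
    params:
      branch: main
    def:
      allow_force_pushes: false
  - type: branch_protection_enforce_admins
    params:
      branch: main
    def:
      enforce_admins: true
  # Locking would make `main` read-only; left off so the branch stays writable.
  - type: branch_protection_lock_branch
    params:
      branch: main
    def:
      lock_branch: false
  # Relaxed in this example: review threads need not be resolved before merge.
  - type: branch_protection_require_conversation_resolution
    params:
      branch: main
    def:
      required_conversation_resolution: false
  # One approving review is required; a single approver is the minimum that
  # gives any second-person control. `require_last_push_approval` ensures the
  # person who pushed the most recent commit cannot be the one who approves it,
  # and `dismiss_stale_reviews` drops approvals once new commits land.
  - type: branch_protection_require_pull_request_approving_review_count
    params:
      branch: main
    def:
      required_approving_review_count: 1
  # Relaxed in this example: CODEOWNERS review is not required.
  - type: branch_protection_require_pull_request_code_owners_review
    params:
      branch: main
    def:
      require_code_owner_reviews: false
  - type: branch_protection_require_pull_request_dismiss_stale_reviews
    params:
      branch: main
    def:
      dismiss_stale_reviews: true
  - type: branch_protection_require_pull_request_last_push_approval
    params:
      branch: main
    def:
      require_last_push_approval: true
  - type: branch_protection_require_pull_requests
    params:
      branch: main
    def:
      required_pull_request_reviews: true
  # Relaxed in this example: commits to `main` do not have to be signed.
  # Consider enabling this where contributors have signing set up.
  - type: branch_protection_require_signatures
    params:
      branch: main
    def:
      required_signatures: false

artifact:
  # The `minder/server` image tagged `latest` must carry a signature whose
  # certificate was issued by the GitHub Actions OIDC issuer for the
  # `chart-publish.yml` workflow of stacklok/minder on `main`, run on a
  # GitHub-hosted runner. Note that `latest` is a mutable tag: the rule
  # evaluates whatever that tag points at when the check runs.
  - type: artifact_signature
    params:
      tags: [latest]
      name: minder/server
    def:
      is_signed: true
      is_verified: true
      repository: https://github.com/stacklok/minder
      branch: main
      runner_environment: github-hosted
      signer_identity: chart-publish.yml
      cert_issuer: https://token.actions.githubusercontent.com

pull_request:
  # Check dependency changes in pull requests against OSV and respond with a
  # review (`action: review`) rather than blocking the merge outright.
  - type: pr_vulnerability_check
    def:
      action: review
      ecosystem_config:
        - name: npm
          vulnerability_database_type: osv
          vulnerability_database_endpoint: https://api.osv.dev/v1/query
          package_repository:
            url: https://registry.npmjs.org
        - name: go
          vulnerability_database_type: osv
          vulnerability_database_endpoint: https://api.osv.dev/v1/query
          package_repository:
            url: https://proxy.golang.org
          sum_repository:
            url: https://sum.golang.org
        - name: pypi
          vulnerability_database_type: osv
          vulnerability_database_endpoint: https://api.osv.dev/v1/query
          package_repository:
            url: https://pypi.org/pypi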