-
Notifications
You must be signed in to change notification settings - Fork 8
/
pr_trusty_check.yaml
77 lines (75 loc) · 2.87 KB
/
pr_trusty_check.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
---
version: v1
type: rule-type
name: pr_trusty_check
severity:
value: medium
context:
provider: github
description: |
Verifies that pull requests do not add any dependencies with low Trusty scores
For every pull request submitted to a repository, this rule will check if the pull request
adds a new dependency with a low Trusty score. If a dependency with a low
score is added, the PR will be commented on.
guidance: |
Ensure that the pull request does not add any dependencies with low Trusty scores.
def:
in_entity: pull_request
rule_schema:
type: object
properties:
action:
type: string
description: "The action to take if a package with a low score is found."
enum:
# the evaluator engine will merely pass on an error, marking the profile as failed if packages with low scores are found
- profile_only
# minder will post a review to any offending PR when malicious deps are
# found. If blocking is disabled with block[malicious]=true or with
# block[deprecated]=true, minder will still post its review but merely
# commenting instead of reuqesting changes.
- review
# the evaluator engine will add a single summary comment with a table listing the packages with low scores found
- summary
default: review
ecosystem_config:
type: array
description: "The configuration for the ecosystems to check. Leave empty to use the default configuration."
items:
type: object
properties:
name:
type: string
description: "The name of the ecosystem to check. Currently only `go`, `npm` and `pypi` are supported."
score:
type: number
description: "The minimum Trusty score for a dependency to be considered safe."
default: 5
provenance:
type: number
description: "Minimum provenance score to consider. Values are 0-10 where 10 represents the highest confidence in the computed origin of the package."
default: 0
activity:
type: number
description: "Minimum level of activity to consider as healthy. Values are 0-10 where 10 represents the most active."
default: 0
allow_malicious:
type: boolean
description: "Don't block PRs when malicious packages are found (not recommended)"
default: false
ingest:
type: diff
diff:
ecosystems:
- name: npm
depfile: package-lock.json
- name: pypi
depfile: requirements.txt
- name: go
depfile: go.mod
# Defines the configuration for evaluating data ingested against the given profile
eval:
type: trusty
alert:
type: security_advisory
security_advisory: {}