BST-13841 BST-13663 Promotion to Prod (#165)

BST-13481: add new baseline scanner BST-13663 Move the rules from baseline to scanner
boostsecurityio · Dec 5, 2024 · 99e20fc · 99e20fc
2 parents e80b224 + 36c3f51
commit 99e20fc
Show file tree

Hide file tree

Showing 5 changed files with 95 additions and 62 deletions.
diff --git a/.github/workflows/registry-scanner.yaml b/.github/workflows/registry-scanner.yaml
@@ -29,7 +29,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
       - name: Scan Registry
-        uses: boostsecurityio/scanner-registry-action@91ede50ad22990f74865613c94fa51569b144f71 # v1.5.5
+        uses: boostsecurityio/scanner-registry-action@9acd6b00ece9d419b5896a9e18b129dc1cf68afc # v1.5.6
         with:
           api_endpoint: ${{ vars.BOOST_API_ENDPOINT }}
           api_token: ${{ secrets.BOOST_SYSTEM_API_KEY_REGISTRY }}
diff --git a/scanners/boostsecurityio/baseline/module.yaml b/scanners/boostsecurityio/baseline/module.yaml
@@ -0,0 +1,24 @@
+api_version: 1.0
+
+
+id: boostsecurityio/baseline
+name: BoostSecurity Scanner
+namespace: boostsecurityio/baseline
+scan_types:
+  - sast
+  - cicd
+
+
+config:
+  support_diff_scan: true
+
+
+steps:
+    - scan:
+        command:
+          docker:
+            image: public.ecr.aws/boostsecurityio/boost-scanner-native:44a65bf@sha256:cefdba826edb2138b6d219d7ff398181158caac3755e6542171ba6d8c06e594f
+            command: scanner scan
+            workdir: /src
+          name: scanner
+        format: sarif
diff --git a/scanners/boostsecurityio/baseline/rules.yaml b/scanners/boostsecurityio/baseline/rules.yaml
@@ -0,0 +1 @@
+rules: {}  # Rules are in boost-scanner, this scanner is not meant to be used alone
diff --git a/scanners/boostsecurityio/scanner/module.yaml b/scanners/boostsecurityio/scanner/module.yaml
@@ -1,24 +1,23 @@
 api_version: 1.0
 
 
+group: boostsecurityio/scanner
 id: boostsecurityio/scanner
 name: BoostSecurity Scanner
 namespace: boostsecurityio/scanner
-scan_types:
-  - sast
-  - cicd
-
 
 config:
   support_diff_scan: true
 
+scan_types:
+  - sast
+  - cicd
+  - metadata
+  - sca
+  - sci
+  - license
 
-steps:
-    - scan:
-        command:
-          docker:
-            image: public.ecr.aws/boostsecurityio/boost-scanner-native:44a65bf@sha256:cefdba826edb2138b6d219d7ff398181158caac3755e6542171ba6d8c06e594f
-            command: scanner scan
-            workdir: /src
-          name: scanner
-        format: sarif
+includes:
+  - boostsecurityio/baseline
+  - boostsecurityio/composition
+  - boostsecurityio/supply-chain-inventory
diff --git a/scanners/boostsecurityio/scanner/rules.yaml b/scanners/boostsecurityio/scanner/rules.yaml
@@ -1,17 +1,26 @@
+import:
+  - boostsecurityio/cicd
+  - boostsecurityio/composition
+  - boostsecurityio/oss-license
+  - boostsecurityio/sbom-sca
+  - boostsecurityio/sci
+  - boostsecurityio/sci-sca
+  - boostsecurityio/supply-chain-inventory
+
 rules:
   cert-expired:
     categories:
-    - ALL
-    - cloud-weak-configuration
+      - ALL
+      - cloud-weak-configuration
     description: Checks for expired X509 certificates.
     group: cloud-weak-configuration
     name: cert-expired
     pretty_name: Cert Expired
     ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-expired.html'
   cert-expires-soon:
     categories:
-    - ALL
-    - cloud-weak-configuration
+      - ALL
+      - cloud-weak-configuration
     description: Checks for X509 certificates that will expire in a configured number
       of days.
     group: cloud-weak-configuration
@@ -20,10 +29,10 @@ rules:
     ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-expires-soon.html'
   cert-insecure-signing-algorithm:
     categories:
-    - ALL
-    - cloud-weak-configuration
-    - boost-baseline
-    - boost-hardened
+      - ALL
+      - cloud-weak-configuration
+      - boost-baseline
+      - boost-hardened
     description: Checks for X509 certificates with insecure signing algorithms.
     group: cloud-weak-configuration
     name: cert-insecure-signing-algorithm
@@ -32,10 +41,10 @@ rules:
     recommended: true
   cert-insufficient-key-length:
     categories:
-    - ALL
-    - cloud-weak-configuration
-    - boost-baseline
-    - boost-hardened
+      - ALL
+      - cloud-weak-configuration
+      - boost-baseline
+      - boost-hardened
     description: Checks for X509 certificates with insecure key lengths.
     group: cloud-weak-configuration
     name: cert-insufficient-key-length
@@ -44,11 +53,11 @@ rules:
     recommended: true
   cicd-binary-artifacts-stored-in-scm:
     categories:
-    - ALL
-    - supply-chain
-    - supply-chain-missing-artifact-integrity-verification
-    - boost-baseline
-    - boost-hardened
+      - ALL
+      - supply-chain
+      - supply-chain-missing-artifact-integrity-verification
+      - boost-baseline
+      - boost-hardened
     description: Checks for binary / executable artifacts (ex. *.jar, *.class, *.so,
       etc.) stored in the Git repository.Generally, such binary artifacts should not
       be committed to Git and should be built with reproducible build system from
@@ -60,11 +69,11 @@ rules:
     recommended: true
   cicd-circleci-unversioned-orb:
     categories:
-    - ALL
-    - supply-chain
-    - supply-chain-cicd-weak-configuration
-    - boost-baseline
-    - boost-hardened
+      - ALL
+      - supply-chain
+      - supply-chain-cicd-weak-configuration
+      - boost-baseline
+      - boost-hardened
     description: Checks for CircleCI workflows using unversioned Orbs.
     group: supply-chain-cicd-weak-configuration
     name: cicd-circleci-unversioned-orb
@@ -73,11 +82,11 @@ rules:
     recommended: true
   cicd-circleci-shell-injection:
     categories:
-    - ALL
-    - supply-chain
-    - supply-chain-cicd-vulnerable-pipeline
-    - boost-baseline
-    - boost-hardened
+      - ALL
+      - supply-chain
+      - supply-chain-cicd-vulnerable-pipeline
+      - boost-baseline
+      - boost-hardened
     description: Checks for CircleCI workflows where pipeline variables are used in shell commands.
     group: supply-chain-cicd-vulnerable-pipeline
     name: cicd-circleci-shell-injection
@@ -86,12 +95,12 @@ rules:
     recommended: true
   cicd-gha-unsecure-commands:
     categories:
-    - ALL
-    - supply-chain
-    - supply-chain-cicd-weak-configuration
-    - supply-chain-cicd-severe-issues
-    - boost-baseline
-    - boost-hardened
+      - ALL
+      - supply-chain
+      - supply-chain-cicd-weak-configuration
+      - supply-chain-cicd-severe-issues
+      - boost-baseline
+      - boost-hardened
     description: Checks for GitHub Acton workflows that enables deprecated unsecure commands.
     group: supply-chain-cicd-weak-configuration
     name: cicd-gha-unsecure-commands
@@ -100,16 +109,16 @@ rules:
     recommended: true
   cicd-unpinned-dependencies:
     categories:
-    - ALL
-    - supply-chain
-    - supply-chain-missing-artifact-integrity-verification
-    - boost-baseline
-    - boost-hardened
-    description: Verifies the presence of dependency management manifests (e.g., 
-      package.json, Gemfile, pyproject.toml, Pipfile, go.mod, etc.) without an 
-      accompanying lockfile that cryptographically pins dependencies (e.g., 
-      package-lock.json, Gemfile.lock, poetry.lock, Pipfile.lock, go.sum). 
-      The absence of a lockfile increases the risk of dependency drift, 
+      - ALL
+      - supply-chain
+      - supply-chain-missing-artifact-integrity-verification
+      - boost-baseline
+      - boost-hardened
+    description: Verifies the presence of dependency management manifests (e.g.,
+      package.json, Gemfile, pyproject.toml, Pipfile, go.mod, etc.) without an
+      accompanying lockfile that cryptographically pins dependencies (e.g.,
+      package-lock.json, Gemfile.lock, poetry.lock, Pipfile.lock, go.sum).
+      The absence of a lockfile increases the risk of dependency drift,
       potentially introducing security vulnerabilities or compatibility issues into the project.
     group: supply-chain-missing-artifact-integrity-verification
     name: cicd-unpinned-dependencies
@@ -118,11 +127,11 @@ rules:
     recommended: true
   cicd-gha-workflow-dispatch-inputs:
     categories:
-    - ALL
-    - supply-chain
-    - supply-chain-cicd-weak-configuration
-    - boost-baseline
-    - boost-hardened
+      - ALL
+      - supply-chain
+      - supply-chain-cicd-weak-configuration
+      - boost-baseline
+      - boost-hardened
     description: Checks for GitHub Action workflows defines workflow_dispatch inputs.
     group: supply-chain-cicd-weak-configuration
     name: cicd-gha-workflow-dispatch-inputs
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		rules: {} # Rules are in boost-scanner, this scanner is not meant to be used alone