diff --git a/.github/workflows/registry-scanner.yaml b/.github/workflows/registry-scanner.yaml
index 37b6116..222550d 100644
--- a/.github/workflows/registry-scanner.yaml
+++ b/.github/workflows/registry-scanner.yaml
@@ -29,7 +29,7 @@ jobs: - name: Checkout uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Scan Registry - uses: boostsecurityio/scanner-registry-action@91ede50ad22990f74865613c94fa51569b144f71 # v1.5.5 + uses: boostsecurityio/scanner-registry-action@9acd6b00ece9d419b5896a9e18b129dc1cf68afc # v1.5.6 with: api_endpoint: ${{ vars.BOOST_API_ENDPOINT }} api_token: ${{ secrets.BOOST_SYSTEM_API_KEY_REGISTRY }}
diff --git a/scanners/boostsecurityio/baseline/module.yaml b/scanners/boostsecurityio/baseline/module.yaml
new file mode 100644
index 0000000..18a60fa
--- /dev/null
+++ b/scanners/boostsecurityio/baseline/module.yaml
@@ -0,0 +1,24 @@
+api_version: 1.0
+
+
+id: boostsecurityio/baseline
+name: BoostSecurity Scanner
+namespace: boostsecurityio/baseline
+scan_types:
+ - sast
+ - cicd
+
+
+config:
+ support_diff_scan: true
+
+
+steps:
+ - scan:
+ command:
+ docker:
+ image: public.ecr.aws/boostsecurityio/boost-scanner-native:44a65bf@sha256:cefdba826edb2138b6d219d7ff398181158caac3755e6542171ba6d8c06e594f
+ command: scanner scan
+ workdir: /src
+ name: scanner
+ format: sarif
diff --git a/scanners/boostsecurityio/baseline/rules.yaml b/scanners/boostsecurityio/baseline/rules.yaml
new file mode 100644
index 0000000..acd2a42
--- /dev/null
+++ b/scanners/boostsecurityio/baseline/rules.yaml
@@ -0,0 +1 @@
+rules: {} # Rules are in boost-scanner, this scanner is not meant to be used alone
diff --git a/scanners/boostsecurityio/scanner/module.yaml b/scanners/boostsecurityio/scanner/module.yaml
index 7d6961f..f029d3a 100644
--- a/scanners/boostsecurityio/scanner/module.yaml
+++ b/scanners/boostsecurityio/scanner/module.yaml
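Review bot: scanners/boostsecurityio/baseline/module.yaml gives no indication that it is an include-only module; only the companion rules.yaml comment says it is not meant to be used alone, and a reader who opens module.yaml first (or tooling that lists modules by id) will see `name: BoostSecurity Scanner` with `sast`/`cicd` scan types and treat it as a standalone scanner. A header comment above `api_version:` would make the intent visible where the docker step is actually defined, e.g. `# Include-only module: this step is composed into boostsecurityio/scanner via its includes list; run that module, not this one.`. The image reference is pinned by digest, which is the right form for a step that runs `scanner scan` against /src; future bumps should keep the `tag@sha256:` form rather than reverting to a tag-only reference. `api_version: 1.0` is a plain scalar and parses as a float, which presumably matches what the existing scanner/module.yaml already relies on, so quoting it is only worth doing if the repository does so everywhere.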
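Review bot: The trailing comment on the only line of scanners/boostsecurityio/baseline/rules.yaml says the rules are in `boost-scanner`, which could mean either the boost-scanner-native image or the composing module `boostsecurityio/scanner`, whose rules.yaml in this same commit is where the rule definitions visibly live. Naming that file removes the ambiguity and records that the empty mapping is deliberate, e.g. `rules: {}  # Intentionally empty: rule definitions live in scanners/boostsecurityio/scanner/rules.yaml; this module is not meant to be used alone`. The inline comment should also be separated from the value by two spaces per yamllint's comments rule.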
@@ -1,24 +1,23 @@ api_version: 1.0 +group: boostsecurityio/scanner id: boostsecurityio/scanner name: BoostSecurity Scanner namespace: boostsecurityio/scanner -scan_types: - - sast - - cicd - config: support_diff_scan: true +scan_types: + - sast + - cicd + - metadata + - sca + - sci + - license -steps: - - scan: - command: - docker: - image: public.ecr.aws/boostsecurityio/boost-scanner-native:44a65bf@sha256:cefdba826edb2138b6d219d7ff398181158caac3755e6542171ba6d8c06e594f - command: scanner scan - workdir: /src - name: scanner - format: sarif +includes: + - boostsecurityio/baseline + - boostsecurityio/composition + - boostsecurityio/supply-chain-inventory
diff --git a/scanners/boostsecurityio/scanner/rules.yaml b/scanners/boostsecurityio/scanner/rules.yaml
index a11c0ee..afb193c 100644
--- a/scanners/boostsecurityio/scanner/rules.yaml
+++ b/scanners/boostsecurityio/scanner/rules.yaml
@@ -1,8 +1,17 @@ +import: + - boostsecurityio/cicd + - boostsecurityio/composition + - boostsecurityio/oss-license + - boostsecurityio/sbom-sca + - boostsecurityio/sci + - boostsecurityio/sci-sca + - boostsecurityio/supply-chain-inventory + rules: cert-expired: categories: - - ALL - - cloud-weak-configuration + - ALL + - cloud-weak-configuration description: Checks for expired X509 certificates. group: cloud-weak-configuration name: cert-expired
@@ -10,8 +19,8 @@ rules: ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-expired.html' cert-expires-soon: categories: - - ALL - - cloud-weak-configuration + - ALL + - cloud-weak-configuration description: Checks for X509 certificates that will expire in a configured number of days. group: cloud-weak-configuration
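Review bot: The `includes:` list added to scanners/boostsecurityio/scanner/module.yaml (baseline, composition, supply-chain-inventory) and the `import:` list added to scanners/boostsecurityio/scanner/rules.yaml in the next hunk (cicd, composition, oss-license, sbom-sca, sci, sci-sca, supply-chain-inventory) overlap on only two ids, and nothing in the diff says which of them is expected to provide the newly declared `metadata`, `sca`, `sci` and `license` scan types or why `boostsecurityio/cicd`, `oss-license`, `sbom-sca`, `sci` and `sci-sca` are rule imports without a matching module include. If the asymmetry is intended (rule packs versus runnable modules), a one-line comment above each list would stop the next maintainer from "fixing" it, e.g. above `includes:`: `# Runnable modules composed into this scanner; rule packs are imported in rules.yaml`. The included ids carry no version or digest, so whether they resolve to the modules in this repository at the same commit or to a published registry is not visible here and is worth stating in the same comment, given that the digest-pinned docker image removed from this file now lives only in boostsecurityio/baseline.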
@@ -20,10 +29,10 @@ rules: ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-expires-soon.html' cert-insecure-signing-algorithm: categories: - - ALL - - cloud-weak-configuration - - boost-baseline - - boost-hardened + - ALL + - cloud-weak-configuration + - boost-baseline + - boost-hardened description: Checks for X509 certificates with insecure signing algorithms. group: cloud-weak-configuration name: cert-insecure-signing-algorithm
@@ -32,10 +41,10 @@ rules: recommended: true cert-insufficient-key-length: categories: - - ALL - - cloud-weak-configuration - - boost-baseline - - boost-hardened + - ALL + - cloud-weak-configuration + - boost-baseline + - boost-hardened description: Checks for X509 certificates with insecure key lengths. group: cloud-weak-configuration name: cert-insufficient-key-length
@@ -44,11 +53,11 @@ rules: recommended: true cicd-binary-artifacts-stored-in-scm: categories: - - ALL - - supply-chain - - supply-chain-missing-artifact-integrity-verification - - boost-baseline - - boost-hardened + - ALL + - supply-chain + - supply-chain-missing-artifact-integrity-verification + - boost-baseline + - boost-hardened description: Checks for binary / executable artifacts (ex. *.jar, *.class, *.so, etc.) stored in the Git repository.Generally, such binary artifacts should not be committed to Git and should be built with reproducible build system from
@@ -60,11 +69,11 @@ rules: recommended: true cicd-circleci-unversioned-orb: categories: - - ALL - - supply-chain - - supply-chain-cicd-weak-configuration - - boost-baseline - - boost-hardened + - ALL + - supply-chain + - supply-chain-cicd-weak-configuration + - boost-baseline + - boost-hardened description: Checks for CircleCI workflows using unversioned Orbs. group: supply-chain-cicd-weak-configuration name: cicd-circleci-unversioned-orb
@@ -73,11 +82,11 @@ rules: recommended: true cicd-circleci-shell-injection: categories: - - ALL - - supply-chain - - supply-chain-cicd-vulnerable-pipeline - - boost-baseline - - boost-hardened + - ALL + - supply-chain + - supply-chain-cicd-vulnerable-pipeline + - boost-baseline + - boost-hardened description: Checks for CircleCI workflows where pipeline variables are used in shell commands. group: supply-chain-cicd-vulnerable-pipeline name: cicd-circleci-shell-injection
@@ -86,12 +95,12 @@ rules: recommended: true cicd-gha-unsecure-commands: categories: - - ALL - - supply-chain - - supply-chain-cicd-weak-configuration - - supply-chain-cicd-severe-issues - - boost-baseline - - boost-hardened + - ALL + - supply-chain + - supply-chain-cicd-weak-configuration + - supply-chain-cicd-severe-issues + - boost-baseline + - boost-hardened description: Checks for GitHub Acton workflows that enables deprecated unsecure commands. group: supply-chain-cicd-weak-configuration name: cicd-gha-unsecure-commands
@@ -100,16 +109,16 @@ rules: recommended: true cicd-unpinned-dependencies: categories: - - ALL - - supply-chain - - supply-chain-missing-artifact-integrity-verification - - boost-baseline - - boost-hardened - description: Verifies the presence of dependency management manifests (e.g., - package.json, Gemfile, pyproject.toml, Pipfile, go.mod, etc.) without an - accompanying lockfile that cryptographically pins dependencies (e.g., - package-lock.json, Gemfile.lock, poetry.lock, Pipfile.lock, go.sum). - The absence of a lockfile increases the risk of dependency drift, + - ALL + - supply-chain + - supply-chain-missing-artifact-integrity-verification + - boost-baseline + - boost-hardened + description: Verifies the presence of dependency management manifests (e.g., + package.json, Gemfile, pyproject.toml, Pipfile, go.mod, etc.) without an + accompanying lockfile that cryptographically pins dependencies (e.g., + package-lock.json, Gemfile.lock, poetry.lock, Pipfile.lock, go.sum). + The absence of a lockfile increases the risk of dependency drift, potentially introducing security vulnerabilities or compatibility issues into the project. group: supply-chain-missing-artifact-integrity-verification name: cicd-unpinned-dependencies
@@ -118,11 +127,11 @@ rules: recommended: true cicd-gha-workflow-dispatch-inputs: categories: - - ALL - - supply-chain - - supply-chain-cicd-weak-configuration - - boost-baseline - - boost-hardened + - ALL + - supply-chain + - supply-chain-cicd-weak-configuration + - boost-baseline + - boost-hardened description: Checks for GitHub Action workflows defines workflow_dispatch inputs. group: supply-chain-cicd-weak-configuration name: cicd-gha-workflow-dispatch-inputs