Add minder OSPS minder profiles and first rules #107

Closed
wants to merge 12 commits into from
85 changes: 85 additions & 0 deletions resources/minder/README.md
@@ -0,0 +1,85 @@
# OSPS Minder Profiles

[Minder](https://github.com/mindersec/minder) is an Open Source Supply Chain
Security plaform part of the OpenSSF ecosystem. A Minder profile is a security
policy that groups together rules that are constantly evaluating against entities
in your software project.

This directory contains three [Minder](https://github.com/mindersec/minder)
profiles that any project can use to monitor its compliance with the
Contributor suggested change:
profiles that any project can use to monitor its compliance with the
profiles that any project can use to experimentally monitor its compliance with the

Open Source Project Security Baseline.
Contributor suggested change:
Open Source Project Security Baseline.
Open Source Project Security Baseline.
Note that the baseline is still in development, as are these profiles.


Each file is designed to be applied incrementally: Projects at Level 1
(sandbox or similar) should only apply the Level 1 file, projects on Level 2
(incubating or similar) should apply Level 1 and Level 2 and at Level 3
you should apply all files.

## Installing

To install the profiles and monitor a project using the public Minder instance,
follow these steps:

1. Install the Minder CLI
1. Login using your GitHub account
1. Enroll the GitHub provider in your project
1. Apply the profile and all the OSPS rule types.

### Detailed instructions

These are installation steps in full detail. If you run into a problem, see
the section on getting help below. The following commands need to be run
in a computer with a web browser installed.

#### 1. Install the Minder CLI

Follow the
[instructions on the Minder README](https://github.com/mindersec/minder#installation)
to install the `minder` CLI in your computer.

#### 2. Log In With Your GitHub Account

Run the following commands to authenticate:

```
minder auth login
```

Follow the authentication flow to log in. This will create your first (empty)
project.

#### 3. Enroll the GitHub Provider in your Project.

```bash
minder provider enroll
```

Follow the GitHub authentication flow to connect minder to your GitHub organization

#### 4. Apply the OSPS Profile(s) and Rule Types

Finally, apply the appropiate profiles according to you project's maturity level
and the OSPS rule types.

Clone the OSPS Baseline repository and apply the minder resource files:

```bash
git clone [email protected]:ossf/security-baseline.git

cd security-baseline

minder ruletype apply -f resources/minder/rules/

minder profile apply -f resources/minder/osps-baseline-level1.yaml
```

Remember to install the profile for your level and all the previous ones.
For example, if your project is on maturity level 3 (graduated or similar),
apply the Level 3 profile, but also 1 & 2.

## Help and Support

If you have questions or need help, please talk to the Minder maintainers in
[#minder in OpenSSF Slack](https://openssf.slack.com/archives/C07SP9RSM2L)
([get an invite here](https://openssf.org/getinvolved/) if you are not on it
yet). We would love to hear your experience as the project evolves to help you
monitor and remediate the OSPS Baseline checks.
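Review bot: step 4 of the install instructions never applies the three data sources this PR adds under `resources/minder/data-sources/` (`ghapi`, `securityinsights`, `spdx-license-list`), so any rule type that reads from them will fail to apply or evaluate; add a `minder datasource apply -f resources/minder/data-sources/` step ahead of `minder ruletype apply -f resources/minder/rules/`. Two smaller points in the same section: the clone command reads `git clone [email protected]:ossf/security-baseline.git`, which is not a valid remote as printed (it should be the `git@github.com:` SSH form or, friendlier for readers without SSH keys configured, `https://github.com/ossf/security-baseline.git`); and the text tells Level 2 and Level 3 projects to apply the lower-level files as well, yet the only profile visible in this diff is `osps-baseline-level1.yaml` and no files under `resources/minder/rules/` appear, so either show the Level 2/3 apply commands or state plainly which profiles and rule types ship in this PR. Minor typos while you are in there: "plaform", "appropiate", "in a computer" (on a computer).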
16 changes: 16 additions & 0 deletions resources/minder/data-sources/ghapi.yaml
@@ -0,0 +1,16 @@
version: v1
type: data-source
name: ghapi
context: {}
rest:
def:
license:
endpoint: https://api.github.com/repos/{owner}/{repo}/license
parse: json
input_schema:
type: object
properties:
owner:
type: string
repo:
type: string
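Review bot: `input_schema` declares `owner` and `repo` but does not mark them `required`, so a rule can call `license` with either one missing and the templated endpoint collapses to something like `https://api.github.com/repos//license`; add `required: [owner, repo]` under `input_schema` so the data source rejects the call instead of issuing a malformed request. Worth a comment in the file too: `GET /repos/{owner}/{repo}/license` answers 404 when GitHub detects no license, so the consuming rule has to treat 404 as "no license found" rather than as a data-source failure, and unauthenticated calls to api.github.com are rate-limited, which matters once a profile is evaluated across many repositories.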
23 changes: 23 additions & 0 deletions resources/minder/data-sources/security-insights.yaml
@@ -0,0 +1,23 @@
---
# NOTICE: THIS DATA SOURCE IS EXPERIMENTAL
#
# This is an experimental data source that loads the contents of
# a repo's Security Insights file (https://github.com/ossf/security-insights-spec)
# and exposes it to the rule evaluation engine.
version: v1
type: data-source
name: securityinsights
context: {
project_id: "29e9eb67-b8dd-49aa-966a-8d691d36799b"
}
structured:
def:
"parse":
path:
file_name: SECURITY-INSIGHTS.yaml
alternatives:
- "SECURITY-INSIGHTS.yml"
- "security-insights.yaml"
- "security-insights.yml"
- "SECURITY_INSIGHTS.yaml"
- "SECURITY_INSIGHTS.yml"
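Review bot: `context` hardcodes `project_id: "29e9eb67-b8dd-49aa-966a-8d691d36799b"`, while the other two data sources in this PR use `context: {}`; anyone applying this file by following the README will either be rejected because they are not a member of that project or, if they are, create the data source in somebody else's project rather than their own. Drop the `project_id` so the data source lands in the caller's current project exactly like `ghapi` and `spdx-license-list` do. Style nit: `"parse":` is a quoted key where the sibling files leave keys bare; harmless YAML, but inconsistent.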
10 changes: 10 additions & 0 deletions resources/minder/data-sources/spdx-license-list.yaml
@@ -0,0 +1,10 @@
version: v1
type: data-source
name: spdx-license-list
context: {}
rest:
def:
licenses:
endpoint: https://raw.githubusercontent.com/spdx/license-list-data/refs/heads/main/json/licenses.json
parse: json
input_schema: {}
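Review bot: the endpoint fetches `refs/heads/main` of spdx/license-list-data, so every evaluation of a rule that reads this list depends on whatever is on that branch at that moment, with no pinning; pin to a tagged release of the license list (or a commit SHA) and bump it deliberately, so an upstream change to a license entry, or a branch rename, cannot silently flip a project's compliance result or break the rule. A one-line comment saying which OSPS check consumes this list (the profile's `OSPS-LE-02` comment points at OSI/FSF approval) would also help, since the file name alone does not say what the rule reads from it.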
139 changes: 139 additions & 0 deletions resources/minder/osps-baseline-level1.yaml
@@ -0,0 +1,139 @@
# SPDX-FileCopyrightText: Copyright 2024 The OSPS Baseline Authors
# SPDX-License-Identifier: Apache-2.0
---
# This file is part of a set of Minder security profiles to check a project's
# compliance with the OSPS Baseline controls.
#
# This profiles, as the Baseline itself, are under active development
# feel free to try them out but expect constant changes as the baseline
# an support in Minder evolves.
#
# For more information about Minder to use this profie, check out the
# project's documentation at https://github.com/mindersec/minder


version: v1
type: profile
name: osps_baseline_l1
display_name: OSPS Baseline - Level 1
context:
provider: github
alert: "on"
remediate: "off"


# Checks that require data from the repo
repository:
# - name: OSPS-AC-01
# The project’s version control system MUST require multi-factor authentication
#
# [] Check th github organization setting to esure 2fa is enabled
#
# type: # TODO
# def: # TODO

# - name: OSPS-AC-02
# Version control system MUST restrict collaborator permissions to the lowest
#
# TBD
#
# available privileges by default.
# type: # TODO
# def: # TODO

- name: OSPS-AC-03
# Branch protecton (push)
#
# [x] Check GitHub's branch protection setting to require pull requests
#
type: OSPS-AC-03
displayName: "(OSPS-AC-03) Prevent commits to main without a pull request"
def:
- required_pull_request_reviews: true

- name: OSPS-AC-04
# Branch Prevent deletion of main branch
#
# [x] Check GitHub's branch protection config blocks deletin main branch
#
type: OSPS-AC-04
displayName: "(OSPS-AC-04) Prevent deletion of main branch"
def: {}

# - name: OSPS-BR-01
# Build and release pipelines MUST NOT execute arbitrary code
#
# TBD
#
# type: # TODO
# def: # TODO

# - name: OSPS-BR-02
# All releases MUST be assigned a unique version identifier
#
# [] Check the release entity for an associtated version label
#
# type: # TODO
# def: # TODO

# - name: OSPS-BR-03
# Any services involved in the project development and release
# MUST be delivered using encrypted channels.
#
# TBD
#
# type: # TODO
# def: # TODO

# - name: OSPS-DO-01
# Project MUST have one or more mechanisms for public discussions about proposed changes
#
# TBD
#
# type: # TODO
# def: # TODO

- name: OSPS-DO-02
# Project documentation MUST include an explanation of the contribution process.
#
# [x] Check SI for contribution-policy block
# [] Check repo for CONTRIBUTING.md
#
type: OSPS-DO-02
def: {}

- name: OSPS-LE-02
# The license for the source code MUST meet the OSI Open Source
# Definition or the FSF Free Software Definition.
#
# [X] Check repo detected license against OSI and FSF approved ones
#
type: OSPS-LE-02
def: {}

- name: OSPS-LE-03
# The license for the source code MUST be maintained in a standard
# location within the project’s repository.
#
# [X] Check repo for LICENSE file
# [X] Check repo for COPYING file
# [X] Check repo for LICENSE/ folder
#
type: OSPS-LE-03
def: {}

# - name: OSPS-QA-01
# Source code MUST be publicly readable and have a static URL
#
# [] Check GitHub repository is public
#
# type: # TODO
# def: # TODO

# - name: OSPS-QA-02
# VCS MUST contain a public record of all changes (commits)
#
# [] Check code lives in a git repository
#
# type: # TODO
# def: # TODO
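Review bot: in `OSPS-AC-03` the `def` is written as a YAML list (`- required_pull_request_reviews: true`), whereas every other rule in this file, and the profile format itself, gives `def` as a map (`def: {}`); change it to `def:` with `required_pull_request_reviews: true` as a key beneath it, not a list item, or the profile will be rejected on apply. Related consistency points: `displayName` appears only on `OSPS-AC-03` and `OSPS-AC-04`, in camelCase, while the rest of the file uses snake_case (`display_name` at profile level), so either give every rule one or drop it; and the commented-out `OSPS-AC-01` (organization-wide MFA) and `OSPS-BR-02` (release version identifier) sit under the `repository:` entity section even though, by their own descriptions, they concern the organization and release entities, so when they are filled in they will need their own entity sections rather than a `# TODO` here. Finally, the header and inline comments carry several typos that will ship in the published profile: "This profiles" (These profiles), "an support" (and support), "profie", "protecton", "deletin", "associtated", "esure".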