Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add SLSA compliance #78

Merged
merged 3 commits into from
Jul 31, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -9,15 +9,17 @@
"entity": "PackageRegistry",
"description": "Enforce Multi Factor Authentication for user access to the package registry.",
"remediation": "For each package registry in use, enforce Multi-Factor Authentication as the only way to authenticate.",
"scannerType": "Rego"
"scannerType": "Rego",
"slsa_level": [4]
},
"4.2.5": {
"title": "Ensure anonymous access to artifacts is revoked",
"type": "ARTIFACT",
"entity": "PackageRegistry",
"description": "Disable anonymous access to artifacts.",
"remediation": "Disable the anonymous access option on every artifact or package manager in use.",
"scannerType": "Rego"
"scannerType": "Rego",
"slsa_level": [4]
}
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,8 @@
"entity": "PackageRegistry",
"description": "Use secured webhooks of the package registry.",
"remediation": "For each webhook in use, change it to secured (over HTTPS).",
"scannerType": "Rego"
"scannerType": "Rego",
"slsa_level": [4]
}
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -9,31 +9,35 @@
"entity": "Pipeline",
"description": "Use Pipeline as Code for build pipelines and their defined steps.",
"remediation": "Convert pipeline instructions into code-based syntax, and upload them to the organization's version control platform.",
"scannerType": "Rego"
"scannerType": "Rego",
"slsa_level": [1,2,3,4]
},
"2.3.5": {
"title": "Ensure access to the build process's triggering is minimized",
"type": "BUILD",
"entity": "Pipeline",
"description": "Restrict access to the pipelines' triggers.",
"remediation": "For every pipeline in use, grant only the necessary members permission to trigger it.",
"scannerType": "Rego"
"scannerType": "Rego",
"slsa_level": []
},
"2.3.7": {
"title": "Ensure pipelines are automatically scanned for vulnerabilities",
"type": "BUILD",
"entity": "Pipeline",
"description": "Scan pipelines for vulnerabilities. It is recommended to do that automatically.",
"remediation": "For each pipeline, set automated vulnerabilities scanning.",
"scannerType": "Rego"
"scannerType": "Rego",
"slsa_level": [4]
},
"2.3.8": {
"title": "Ensure scanners are in place to identify and prevent sensitive data in pipeline files",
"type": "BUILD",
"entity": "Pipeline",
"description": "Detect and prevent sensitive data, such as confidential ID numbers, passwords, etc. in pipelines.",
"remediation": "For every pipeline that is in use, set scanners that will identify and prevent sensitive data in it.",
"scannerType": "Rego"
"scannerType": "Rego",
"slsa_level": [4]
}
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -9,15 +9,17 @@
"entity": "Pipeline",
"description": "External dependencies might be public packages needed in the pipeline or even the public image used for the build worker. Lock these external dependencies in every build pipeline.",
"remediation": "For every external dependency in use in pipelines, lock it.",
"scannerType": "Rego"
"scannerType": "Rego",
"slsa_level": [4]
},
"2.4.6": {
"title": "Ensure pipeline steps produce an SBOM",
"type": "BUILD",
"entity": "Pipeline",
"description": "SBOM (Software Bill Of Materials) is a file that specifies each component of software or a build process. Generate an SBOM after each run of a pipeline.",
"remediation": "For each pipeline, configure it to produce an SBOM on every run.",
"scannerType": "Rego"
"scannerType": "Rego",
"slsa_level": [1,2,3,4]
}
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,8 @@
"entity": "Dependencies",
"description": "Pin dependencies to a specific version. Avoid using the \"latest\" tag or broad version.",
"remediation": "For every dependency in use, pin to a specific version.",
"scannerType": "Rego"
"scannerType": "Rego",
"slsa_level": [4]
}
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -9,15 +9,17 @@
"entity": "Dependencies",
"description": "Automatically scan every package for vulnerabilities.",
"remediation": "Set automatic scanning of packages for vulnerabilities.",
"scannerType": "Rego"
"scannerType": "Rego",
"slsa_level": [4]
},
"3.2.3": {
"title": "Ensure packages are automatically scanned for license implications",
"type": "DEPENDENCIES",
"entity": "Dependencies",
"description": "A software license is a document that provides legal conditions and guidelines for the use and distribution of software, usually defined by the author. It is recommended to scan for any legal implications automatically.",
"remediation": "Set automatic package scanning for license implications.",
"scannerType": "Rego"
"scannerType": "Rego",
"slsa_level": []
}
}
}
42 changes: 28 additions & 14 deletions internal/checks/source-code/code-changes/rules.metadata.json
Original file line number Diff line number Diff line change
Expand Up @@ -9,111 +9,125 @@
"entity": "Branch",
"description": "Ensure that every code change is reviewed and approved by two authorized contributors who are strongly authenticated.",
"remediation": "An organization can protect specific code branches — for example, the \"main\" branch which often is the version deployed to production — by setting protection rules. These rules secure your code repository from unwanted or unauthorized changes. You may set requirements for any code change to that branch, and thus specify a minimum number of reviewers required to approve a change.",
"scannerType": "Rego"
"scannerType": "Rego",
"slsa_level": [4]
},
"1.1.4": {
"title": "Ensure previous approvals are dismissed when updates are introduced to a code change proposal",
"type": "SCM",
"entity": "Branch",
"description": "Ensure updates to a proposed code change require re-approval of reviewers",
"remediation": "For each code repository in use, enforce an organization-wide policy to dismiss given approvals to code change suggestions if those suggestions were updated.",
"scannerType": "Rego"
"scannerType": "Rego",
"slsa_level": []
},
"1.1.5": {
"title": "Ensure that there are restrictions on who can dismiss code change reviews",
"type": "SCM",
"entity": "Branch",
"description": "Only trusted users should be allowed to dismiss code change reviews",
"remediation": "For each code repository in use, carefully select the individual collaborators or groups whom you trust with the ability to dismiss code change reviews.",
"scannerType": "Rego"
"scannerType": "Rego",
"slsa_level": []
},
"1.1.6": {
"title": "Ensure code owners are set for extra sensitive code or configuration",
"type": "SCM",
"entity": "Branch",
"description": "Code owners are trusted users that are responsible for reviewing and managing an important piece of code or configuration. Set code owners for every extremely sensitive code or configuration.",
"remediation": "For every code repository in use, identify particularly sensitive parts of code and configurations and set trusted users to be their code owners.",
"scannerType": "Rego"
"scannerType": "Rego",
"slsa_level": [4]
},
"1.1.8": {
"title": "Ensure inactive branches are reviewed and removed periodically",
"type": "SCM",
"entity": "Repository",
"description": "Keep track of code branches that are inactive for a period of time and remove them periodically.",
"remediation": "For each code repository in use, review existing Git branches and remove those which have not been active for a prescribed period of time.",
"scannerType": "Rego"
"scannerType": "Rego",
"slsa_level": []
},
"1.1.9": {
"title": "Ensure all checks have passed before the merge of new code",
"type": "SCM",
"entity": "Branch",
"description": "Before a code change request can be merged to the codebase, all pre-defined checks must successfully pass.",
"remediation": "Configure each code repository to require all status checks to pass before permitting a merge of new code.",
"scannerType": "Rego"
"scannerType": "Rego",
"slsa_level": [4]
},
"1.1.10": {
"title": "Ensure open git branches are up to date before they can be merged into codebase",
"type": "SCM",
"entity": "Branch",
"description": "Organizations should make sure each suggested code change is in full sync with the existing state of its origin code repository, before allowing to merge it in.",
"remediation": "For each code repository in use, enforce a policy to only allow merging open branches if they are current with the latest change from their origin repository.",
"scannerType": "Rego"
"scannerType": "Rego",
"slsa_level": []
},
"1.1.11": {
"title": "Ensure all open comments are resolved before allowing to merge code changes",
"type": "SCM",
"entity": "Branch",
"description": "Organizations should enforce a \"no open comments\" policy before allowing to merge code changes.",
"remediation": "For each code repository in use, require open comments to be resolved before the relevant code change can be merged.",
"scannerType": "Rego"
"scannerType": "Rego",
"slsa_level": []
},
"1.1.12": {
"title": "Ensure verifying signed commits of new changes before merging",
"type": "SCM",
"entity": "Branch",
"description": "Ensure every commit in pull request is signed and verified before merge",
"remediation": "For each repository in use, enforce the branch protection rule of requiring signed commits, and make sure only signed commits are capable of merging.",
"scannerType": "Rego"
"scannerType": "Rego",
"slsa_level": [4]
},
"1.1.13": {
"title": "Ensure linear history is required",
"type": "SCM",
"entity": "Repository",
"description": "Linear history is the name for Git history where all of the commits come one after another. Such history exists if a pull request is merged either by rebase merge (re-order the commits history) or squash merge (squashes all commits to one). Ensure that linear history is required by enforcing the use of rebase or squash merge when merging a pull request.",
"remediation": "For each repository in use, require linear history and/or allow only rebase merge and squash merge.",
"scannerType": "Rego"
"scannerType": "Rego",
"slsa_level": [3, 4]
},
"1.1.14": {
"title": "Ensure branch protection rules are enforced on administrators",
"type": "SCM",
"entity": "Repository",
"description": "Ensure administrators are subject to branch protection rules.",
"remediation": "For each repository in use, enforce branch protection rules on administrators, as well.",
"scannerType": "Rego"
"scannerType": "Rego",
"slsa_level": [4]
},
"1.1.15": {
"title": "Ensure pushing of new code is restricted to specific individuals or teams",
"type": "SCM",
"entity": "Repository",
"description": "Enforce that only trusted users can push to protected branches.",
"remediation": "For each repository in use, allow only trusted and responsible users to push or merge new code.",
"scannerType": "Rego"
"scannerType": "Rego",
"slsa_level": [4]
},
"1.1.16": {
"title": "Ensure force pushes code to branches is denied",
"type": "SCM",
"entity": "Repository",
"description": "The 'force push' option allows users with 'push' permissions to force their changes directly to the branch without PR and it should be disabled.",
"remediation": "For each repository in use, block the option to \"Force Push\" code.",
"scannerType": "Rego"
"scannerType": "Rego",
"slsa_level": [4]
},
"1.1.17": {
"title": "Ensure branch deletions are denied",
"type": "SCM",
"entity": "Repository",
"description": "Ensure that users with push access only can't delete a protected branch.",
"remediation": "For each repository that is being used, block the option to delete protected branches via branch protection rules.",
"scannerType": "Rego"
"scannerType": "Rego",
"slsa_level": [3, 4]
}
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -9,47 +9,53 @@
"entity": "Repository",
"description": "Track inactive user accounts and periodically remove them.",
"remediation": "For each repository in use, review inactive user accounts (members that left the organization, etc.) and remove them.",
"scannerType": "Rego"
"scannerType": "Rego",
"slsa_level": [4]
},
"1.3.3": {
"title": "Ensure minimum admins are set for the organization",
"type": "SCM",
"entity": "Organization",
"description": "Ensure the organization has a minimum number of admins.",
"remediation": "Set the minimum number of administrators in your organization.",
"scannerType": "Rego"
"scannerType": "Rego",
"slsa_level": [4]
},
"1.3.5": {
"title": "Ensure the organization is requiring members to use MFA",
"type": "SCM",
"entity": "Organization",
"description": "Require members of the organization to use Multi-Factor Authentication, in addition to using a standard user name and password, when authenticating to the source code management platform.",
"remediation": "Use the built-in setting to set the enforcement of Multi-Factor Authentication for each member of the organization.",
"scannerType": "Rego"
"scannerType": "Rego",
"slsa_level": [3, 4]
},
"1.3.7": {
"title": "Ensure 2 admins are set for each repository",
"type": "SCM",
"entity": "Repository",
"description": "Ensure every repository has 2 users with admin permissions to it.",
"remediation": "For every repository in use, set two administrators.",
"scannerType": "Rego"
"scannerType": "Rego",
"slsa_level": [4]
},
"1.3.8": {
"title": "Ensure strict base permissions are set for repositories",
"type": "SCM",
"entity": "Organization",
"description": "Base permissions define the permission level granted to all the organization members automatically. Define strict base access permissions for all of the repositories in the organization, which should apply to new ones as well.",
"remediation": "Set strict base permissions for the organization repositories — either \"None\" or \"Read.\"",
"scannerType": "Rego"
"scannerType": "Rego",
"slsa_level": [4]
},
"1.3.9": {
"title": "Ensure an organization's identity is confirmed with a Verified badge",
"type": "SCM",
"entity": "Organization",
"description": "Verify the domains that the organization owns",
"remediation": "Verify the organization's domains and secure a \"Verified\" badge next to its name.",
"scannerType": "Rego"
"scannerType": "Rego",
"slsa_level": []
}
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -9,31 +9,35 @@
"entity": "Repository",
"description": "SECURITY.md file is a security policy file, which gives people instructions when they are reporting security vulnerabilities in a project. When someone creates an issue in that project, a link to the SECURITY.md file will be shown.",
"remediation": "For each repository in use, create a SECURITY.md file and save it in the documents or root directory of the repository.",
"scannerType": "Rego"
"scannerType": "Rego",
"slsa_level": []
},
"1.2.2": {
"title": "Ensure repository creation is limited to specific members",
"type": "SCM",
"entity": "Organization",
"description": "Limit the ability to create repositories to trusted users and teams.",
"remediation": "Restrict repository creation to trusted users and teams only.",
"scannerType": "Rego"
"scannerType": "Rego",
"slsa_level": []
},
"1.2.3": {
"title": "Ensure repository deletion is limited to specific members",
"type": "SCM",
"entity": "Organization",
"description": "Ensure only a limited number of trusted members can delete repositories.",
"remediation": "Enforce repository deletion by a few trusted and responsible users only.",
"scannerType": "Rego"
"scannerType": "Rego",
"slsa_level": [3, 4]
},
"1.2.4": {
"title": "Ensure issue deletion is limited to specific members",
"type": "SCM",
"entity": "Organization",
"description": "Ensure only trusted an responsible members can delete issues.",
"remediation": "Restrict issue deletion to a few trusted and responsible users only.",
"scannerType": "Rego"
"scannerType": "Rego",
"slsa_level": [3, 4]
}
}
}