Merge remote-tracking branch 'origin/main' into matt/action

phylum-dev · Jul 12, 2024 · b7e9b52 · b7e9b52
2 parents 96e9ff5 + 7cdce5e
commit b7e9b52
Show file tree

Hide file tree

Showing 17 changed files with 179 additions and 117 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -21,7 +21,7 @@ jobs:
 
       - name: OPA Check
         if: ${{ !cancelled() }}
-        run: opa check --strict --max-errors 0 .
+        run: find . -maxdepth 1 -type f -name '*.rego' -print0 | xargs -0L1 opa check --strict --max-errors 0
 
       - name: Regal Lint
         if: ${{ !cancelled() }}

diff --git a/block_all.rego b/block_all.rego
@@ -0,0 +1,13 @@
+# METADATA
+# title: Block All Issues
+# description: |
+#    Blocks all identified issues
+package policy.v1
+
+import rego.v1
+
+# METADATA
+# title: Policy Violation
+deny contains issue if {
+	some issue in data.issues
+}
diff --git a/confirmed_malicious.rego b/confirmed_malicious.rego
@@ -1,27 +1,35 @@
-package policy
+# METADATA
+# title: Confirmed Malicious
+# description: |
+#   Blocks if the package or author is tied to known malicious behavior
+package policy.v1
 
 import rego.v1
 
-# Returns a violation if the author is known malicious
 # METADATA
-# scope: rule
-# schemas:
-#   - data.issue: schema.issue
-issue contains "Author has published malicious packages" if {
-	data.issue.tag == "CA0001"
+# title: Author is known malicious
+deny contains issue if {
+	some issue in data.issues
+	issue.tag == "CA0001"
 }
 
-# Returns a violation if the package contains verified malware
-issue contains "This package contains malware" if {
-	data.issue.tag == "CM0038"
+# METADATA
+# title: Verified malware
+deny contains issue if {
+	some issue in data.issues
+	issue.tag == "CM0037"
 }
 
-# Returns a violation if the package contains a known-bad compiled binary
-issue contains "Contains known-bad compiled binary" if {
-	data.issue.tag == "CM0037"
+# METADATA
+# title: Known-bad compiled binary
+deny contains issue if {
+	some issue in data.issues
+	issue.tag == "CM0038"
 }
 
-# Returns a violation if the package depends on a known malicious package
-issue contains "This package depends on malware" if {
-	data.issue.tag == "CM0039"
+# METADATA
+# title: Depends on a known malicious package
+deny contains issue if {
+	some issue in data.issues
+	issue.tag == "CM0039"
 }
diff --git a/data_exfiltration.rego b/data_exfiltration.rego
@@ -1,16 +1,21 @@
-package policy
+# METADATA
+# title: Data Exfiltration
+# description: |
+#    Blocks common data exfiltration techniques
+package policy.v1
 
 import rego.v1
 
-# Returns a violation if the package contains common data exfiltration techniques
 # METADATA
-# scope: rule
-# schemas:
-#   - data.issue: schema.issue
-issue contains "Package contains environment variable enumeration" if {
-	data.issue.tag == "HM0025"
+# title: Environment variable enumeration
+deny contains issue if {
+	some issue in data.issues
+	issue.tag == "HM0025"
 }
 
-issue contains "Package contains webhook exfiltration" if {
-	data.issue.tag == "HM0036"
+# METADATA
+# title: Webhook exfiltration
+deny contains issue if {
+	some issue in data.issues
+	issue.tag == "HM0036"
 }
diff --git a/dependency_confusion.rego b/dependency_confusion.rego
@@ -1,12 +1,14 @@
-package policy
+# METADATA
+# title: Dependency Confusion
+# description: |
+#    Blocks dependency confusion
+package policy.v1
 
 import rego.v1
 
-# Returns a violation if the package appears to be a dependency confusion
 # METADATA
-# scope: rule
-# schemas:
-#   - data.issue: schema.issue
-issue contains "Package appears to be a dependency confusion" if {
-	data.issue.tag == "HM0018"
+# title: Dependency confusion
+deny contains issue if {
+	some issue in data.issues
+	issue.tag == "HM0018"
 }
diff --git a/install_code.rego b/install_code.rego
@@ -1,12 +1,14 @@
-package policy
+# METADATA
+# title: Install Code Execution
+# description: |
+#    Blocks code execution on package install
+package policy.v1
 
 import rego.v1
 
-# Returns a violation if there is code execution on package install
 # METADATA
-# scope: rule
-# schemas:
-#   - data.issue: schema.issue
-issue contains "Package contains code execution on install" if {
-	data.issue.tag in {"IM0042", "IM0043", "IM0044"}
+# title: Code execution on install
+deny contains issue if {
+	some issue in data.issues
+	issue.tag in {"IM0042", "IM0043", "IM0044"}
 }
diff --git a/install_code_suspicious.rego b/install_code_suspicious.rego
@@ -1,16 +1,20 @@
-package policy
+# METADATA
+# title: Install Code Execution (Suspicious)
+# description: |
+#    Blocks suspicious code execution on pacakge install
+package policy.v1
 
 import rego.v1
 
-# Returns a violation if there is suspicious code execution on package install
 # METADATA
-# scope: rule
-# schemas:
-#   - data.issue: schema.issue
-issue contains "Package contains suspicious code execution on install" if {
-	data.issue.tag == "CM0007"
+# title: Suspicious code execution on install
+deny contains issue if {
+	some issue in data.issues
+	issue.tag == "CM0007"
 }
 
-issue contains "Package contains suspicious code execution on install" if {
-	endswith(data.issue.tag, "M0031")
+# title: Suspicious code execution on install
+deny contains issue if {
+	some issue in data.issues
+	endswith(issue.tag, "M0031")
 }
diff --git a/license_mismatch.rego b/license_mismatch.rego
@@ -1,12 +1,14 @@
-package policy
+# METADATA
+# title: License Mismatch
+# description: |
+#    Blocks a license mismatch between metadata and files
+package policy.v1
 
 import rego.v1
 
-# Returns a violation if there is a license mismatch between metadata and files
 # METADATA
-# scope: rule
-# schemas:
-#   - data.issue: schema.issue
-issue contains "License mismatch" if {
-	data.issue.tag == "IL0022"
+# title: License mismatch
+deny contains issue if {
+	some issue in data.issues
+	issue.tag == "IL0022"
 }
diff --git a/minimal_code.rego b/minimal_code.rego
@@ -1,12 +1,14 @@
-package policy
+# METADATA
+# title: Minimal Code
+# description: |
+#    Blocks packages containing minimal code
+package policy.v1
 
 import rego.v1
 
-# Returns a violation if the package contains minimal code and is unlikley worth the security risk
 # METADATA
-# scope: rule
-# schemas:
-#   - data.issue: schema.issue
-issue contains "Package contains minimal code" if {
-	data.issue.tag == "IE0027"
+# title: Minimal code
+deny contains issue if {
+	some issue in data.issues
+	issue.tag == "IE0027"
 }
diff --git a/obfuscated_code.rego b/obfuscated_code.rego
@@ -1,12 +1,14 @@
-package policy
+# METADATA
+# title: Obfuscated Code
+# description: |
+#    Blocks obfuscated code
+package policy.v1
 
 import rego.v1
 
-# Returns a violation if the package contains obfuscated code
 # METADATA
-# scope: rule
-# schemas:
-#   - data.issue: schema.issue
-issue contains "Package contains obfuscated code" if {
-	data.issue.tag in {"HM0029", "HM0099", "HM0023", "IM0040", "IM0041"}
+# title: Obfuscated code
+deny contains issue if {
+	some issue in data.issues
+	issue.tag in {"HM0029", "HM0099", "HM0023", "IM0040", "IM0041"}
 }
diff --git a/runs_remote_code.rego b/runs_remote_code.rego
@@ -0,0 +1,14 @@
+# METADATA
+# title: Runs Remote Code
+# description: |
+#    Blocks packages that run remote code
+package policy.v1
+
+import rego.v1
+
+# METADATA
+# title: Runs remote code
+deny contains issue if {
+	some issue in data.issues
+	issue.tag in {"CM0024", "MM0024", "HM0032"}
+}
diff --git a/secret_non_test.rego b/secret_non_test.rego
@@ -1,12 +1,14 @@
-package policy
+# METADATA
+# title: Secrets in non-test files
+# description: |
+#    Blocks packages containing secrets/tokens in non-test files
+package policy.v1
 
 import rego.v1
 
-# Returns a violation if the package contains secrets/tokens excluding test/example files
 # METADATA
-# scope: rule
-# schemas:
-#   - data.issue: schema.issue
-issue contains "Secrets in non-test file" if {
-	data.issue.tag == "ME0016"
+# title: Secrets in non-test file
+deny contains issue if {
+	some issue in data.issues
+	issue.tag == "ME0016"
 }
diff --git a/show_all.rego b/show_all.rego
diff --git a/suspicious_url.rego b/suspicious_url.rego
@@ -0,0 +1,14 @@
+# METADATA
+# title: Suspicious URL References
+# description: |
+#    Block packages referencing sites uncommon to legitimate software
+package policy.v1
+
+import rego.v1
+
+# METADATA
+# title: Suspicious URL reference
+deny contains issue if {
+	some issue in data.issues
+	issue.tag == "MM0028"
+}
diff --git a/typosquat.rego b/typosquat.rego
@@ -1,26 +1,19 @@
-package policy
+# METADATA
+# title: Typosquat
+# description: |
+#    Blocks potential typosquat with malicious characteristics
+package policy.v1
 
 import data.phylum.domain
-
 import rego.v1
 
-# Returns `true` if the given dependency has a typosquat issue
-has_typosquat if {
-	some issue in data.dependency.issues
-	issue.tag == "HM0008"
-}
+# METADATA
+# title: Potential typosquat with malicious characteristics
+deny contains typosquat_issue if {
+	some dependency in data.dependencies
 
-# Returns `true` if the dependency has more than one malware issue
-has_more_than_one_malware_issue if {
-	some issue in data.dependency.issues
-	count([dom | issue.domain == domain.MALICIOUS; dom := issue.domain]) > 1
-}
+	some typosquat_issue in dependency.issues
+	typosquat_issue.tag == "HM0008"
 
-# METADATA
-# scope: rule
-# schemas:
-#   - data.issue: schema.issue
-issue contains "Potential typosquat with malicious characteristics" if {
-	has_typosquat
-	has_more_than_one_malware_issue
+	count([d | d := dependency.issues[_].domain; d == domain.MALICIOUS]) > 1
 }
diff --git a/vuln_crit.rego b/vuln_crit.rego
@@ -1,15 +1,17 @@
-package policy
+# METADATA
+# title: Software Vulnerability - Critical
+# description: |
+#    Blocks Critical software vulnerabilities
+package policy.v1
 
 import data.phylum.domain
 import data.phylum.level
 import rego.v1
 
-# Returns a violation if the package has a Critical software vulnerability
 # METADATA
-# scope: rule
-# schemas:
-#   - data.issue: schema.issue
-issue contains "Critical software vulnerability" if {
-	data.issue.domain == domain.VULNERABILITY
-	data.issue.severity > level.HIGH
+# title: Critical software vulnerability
+deny contains issue if {
+	some issue in data.issues
+	issue.domain == domain.VULNERABILITY
+	issue.severity == level.CRITICAL
 }
diff --git a/vuln_crit_high.rego b/vuln_crit_high.rego
@@ -1,15 +1,17 @@
-package policy
+# METADATA
+# title: Software Vulnerability - Critical/High
+# description: |
+#    Blocks Critical and High software vulnerabilities
+package policy.v1
 
 import data.phylum.domain
 import data.phylum.level
 import rego.v1
 
-# Returns a violation if the package has a Critical or High software vulnerability
 # METADATA
-# scope: rule
-# schemas:
-#   - data.issue: schema.issue
-issue contains "Critical or High software vulnerability" if {
-	data.issue.domain == domain.VULNERABILITY
-	data.issue.severity > level.MEDIUM
+# title: Critical or High software vulnerability
+deny contains issue if {
+	some issue in data.issues
+	issue.domain == domain.VULNERABILITY
+	issue.severity > level.MEDIUM
 }