diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index fe25178..2b0b670 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -21,7 +21,7 @@ jobs:
 - name: OPA Check
 if: ${{ !cancelled() }}
- run: opa check --strict --max-errors 0 .
+ run: find . -maxdepth 1 -type f -name '*.rego' -print0 | xargs -0L1 opa check --strict --max-errors 0
 - name: Regal Lint
 if: ${{ !cancelled() }}
diff --git a/block_all.rego b/block_all.rego
new file mode 100644
index 0000000..ad0e369
--- /dev/null
+++ b/block_all.rego
@@ -0,0 +1,13 @@
+# METADATA
+# title: Block All Issues
+# description: |
+# Blocks all identified issues
+package policy.v1
+
+import rego.v1
+
+# METADATA
+# title: Policy Violation
+deny contains issue if {
+ some issue in data.issues
+}
diff --git a/confirmed_malicious.rego b/confirmed_malicious.rego
index b61b12a..a72eb52 100644
--- a/confirmed_malicious.rego
+++ b/confirmed_malicious.rego
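Review bot: The new `run:` line checks each `.rego` file in a separate `opa check` invocation, so the policies are never validated as a set, and nothing in the workflow records why; presumably it is because every file declares the same `package policy.v1` with its own package-scoped `# METADATA` block, which would clash if loaded together, so a comment such as `# Each .rego file is a standalone policy; opa check them one at a time` above the step would preserve that reasoning. `xargs -0L1` also runs `opa check` once with no path when `find` matches nothing, which would not catch an accidentally emptied checkout; `xargs -0rL1` (GNU `--no-run-if-empty`) avoids that. `-maxdepth 1` silently skips any policy placed in a subdirectory, which is worth stating in the same comment. The surrounding `steps:` list starts and ends outside the hunk.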
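Review bot: The `deny` rule fires on every element of `data.issues` with no filter, and because every other policy in this change also writes to `deny` in `package policy.v1`, loading this file alongside any of them makes their tag and severity filters irrelevant; the description should say so, e.g. `#   Blocks all identified issues. Superset of every other policy here; do not combine with them.` If `data.issues` is absent or spelled differently by the caller, the rule is simply undefined and nothing is blocked, so a policy described as "block all" is fail-open on an input-shape mismatch; I can't tell from the hunk whether the evaluator guarantees `data.issues` is always present, and a note to that effect next to the rule would help the next reader.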
@@ -1,27 +1,35 @@
-package policy
+# METADATA
+# title: Confirmed Malicious
+# description: |
+# Blocks if the package or author is tied to known malicious behavior
+package policy.v1
 import rego.v1
-# Returns a violation if the author is known malicious
 # METADATA
-# scope: rule
-# schemas:
-# - data.issue: schema.issue
-issue contains "Author has published malicious packages" if {
- data.issue.tag == "CA0001"
+# title: Author is known malicious
+deny contains issue if {
+ some issue in data.issues
+ issue.tag == "CA0001"
 }
-# Returns a violation if the package contains verified malware
-issue contains "This package contains malware" if {
- data.issue.tag == "CM0038"
+# METADATA
+# title: Verified malware
+deny contains issue if {
+ some issue in data.issues
+ issue.tag == "CM0037"
 }
-# Returns a violation if the package contains a known-bad compiled binary
-issue contains "Contains known-bad compiled binary" if {
- data.issue.tag == "CM0037"
+# METADATA
+# title: Known-bad compiled binary
+deny contains issue if {
+ some issue in data.issues
+ issue.tag == "CM0038"
 }
-# Returns a violation if the package depends on a known malicious package
-issue contains "This package depends on malware" if {
- data.issue.tag == "CM0039"
+# METADATA
+# title: Depends on a known malicious package
+deny contains issue if {
+ some issue in data.issues
+ issue.tag == "CM0039"
 }
diff --git a/data_exfiltration.rego b/data_exfiltration.rego
index cd06551..efd6b9b 100644
--- a/data_exfiltration.rego
+++ b/data_exfiltration.rego
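Review bot: The title-to-tag mapping for `CM0037` and `CM0038` is swapped relative to the removed lines: the old rules described `CM0038` as "contains malware" and `CM0037` as "known-bad compiled binary", while the new `# title:` annotations say the opposite. Both tags are still denied, so enforcement is unchanged, but the titles are what a reader or any tooling consuming the annotations will trust, so confirm the two titles against the issue catalog and correct whichever side is wrong. Separately, every rewritten rule in this change drops the `# schemas:` annotation that previously bound `data.issue`; with nothing bound to the new `data.issues`, `opa check --strict` cannot catch a misspelled field such as `issue.tags`, and such a rule just never fires, which is a fail-open failure mode for a blocking policy. If a schema for the new shape is available to `opa check`, re-adding `# schemas:` / `#   - data.issues: schema.issues` (exact name to be confirmed) under each rule's `# METADATA` block would restore that check.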
@@ -1,16 +1,21 @@
-package policy
+# METADATA
+# title: Data Exfiltration
+# description: |
+# Blocks common data exfiltration techniques
+package policy.v1
 import rego.v1
-# Returns a violation if the package contains common data exfiltration techniques
 # METADATA
-# scope: rule
-# schemas:
-# - data.issue: schema.issue
-issue contains "Package contains environment variable enumeration" if {
- data.issue.tag == "HM0025"
+# title: Environment variable enumeration
+deny contains issue if {
+ some issue in data.issues
+ issue.tag == "HM0025"
 }
-issue contains "Package contains webhook exfiltration" if {
- data.issue.tag == "HM0036"
+# METADATA
+# title: Webhook exfiltration
+deny contains issue if {
+ some issue in data.issues
+ issue.tag == "HM0036"
 }
diff --git a/dependency_confusion.rego b/dependency_confusion.rego
index 9395058..afca4bc 100644
--- a/dependency_confusion.rego
+++ b/dependency_confusion.rego
@@ -1,12 +1,14 @@
-package policy
+# METADATA
+# title: Dependency Confusion
+# description: |
+# Blocks dependency confusion
+package policy.v1
 import rego.v1
-# Returns a violation if the package appears to be a dependency confusion
 # METADATA
-# scope: rule
-# schemas:
-# - data.issue: schema.issue
-issue contains "Package appears to be a dependency confusion" if {
- data.issue.tag == "HM0018"
+# title: Dependency confusion
+deny contains issue if {
+ some issue in data.issues
+ issue.tag == "HM0018"
 }
diff --git a/install_code.rego b/install_code.rego
index 7bf766d..0a6ea63 100644
--- a/install_code.rego
+++ b/install_code.rego
@@ -1,12 +1,14 @@
-package policy
+# METADATA
+# title: Install Code Execution
+# description: |
+# Blocks code execution on package install
+package policy.v1
 import rego.v1
-# Returns a violation if there is code execution on package install
 # METADATA
-# scope: rule
-# schemas:
-# - data.issue: schema.issue
-issue contains "Package contains code execution on install" if {
- data.issue.tag in {"IM0042", "IM0043", "IM0044"}
+# title: Code execution on install
+deny contains issue if {
+ some issue in data.issues
+ issue.tag in {"IM0042", "IM0043", "IM0044"}
 }
diff --git a/install_code_suspicious.rego b/install_code_suspicious.rego
index 43b39cf..03f15b6 100644
--- a/install_code_suspicious.rego
+++ b/install_code_suspicious.rego
@@ -1,16 +1,20 @@
-package policy
+# METADATA
+# title: Install Code Execution (Suspicious)
+# description: |
+# Blocks suspicious code execution on pacakge install
+package policy.v1
 import rego.v1
-# Returns a violation if there is suspicious code execution on package install
 # METADATA
-# scope: rule
-# schemas:
-# - data.issue: schema.issue
-issue contains "Package contains suspicious code execution on install" if {
- data.issue.tag == "CM0007"
+# title: Suspicious code execution on install
+deny contains issue if {
+ some issue in data.issues
+ issue.tag == "CM0007"
 }
-issue contains "Package contains suspicious code execution on install" if {
- endswith(data.issue.tag, "M0031")
+# title: Suspicious code execution on install
+deny contains issue if {
+ some issue in data.issues
+ endswith(issue.tag, "M0031")
 }
diff --git a/license_mismatch.rego b/license_mismatch.rego
index 37db533..b303157 100644
--- a/license_mismatch.rego
+++ b/license_mismatch.rego
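Review bot: In install_code_suspicious.rego the second rule's `# title: Suspicious code execution on install` is not preceded by a `# METADATA` line, so OPA treats it as a plain comment rather than an annotation, unlike every other rule in this change; add `# METADATA` directly above it. `endswith(issue.tag, "M0031")` deliberately matches any tag ending in `M0031` rather than one exact tag, which is far looser than the `==` used elsewhere and deserves a why-comment on that line, e.g. `# the tag prefix varies (CM/HM/IM/MM); match every variant of 0031` — I am inferring the meaning of the prefix from the tags used across this repo, so please confirm before committing the wording. The package description also has a typo: `pacakge` should be `package`.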
@@ -1,12 +1,14 @@
-package policy
+# METADATA
+# title: License Mismatch
+# description: |
+# Blocks a license mismatch between metadata and files
+package policy.v1
 import rego.v1
-# Returns a violation if there is a license mismatch between metadata and files
 # METADATA
-# scope: rule
-# schemas:
-# - data.issue: schema.issue
-issue contains "License mismatch" if {
- data.issue.tag == "IL0022"
+# title: License mismatch
+deny contains issue if {
+ some issue in data.issues
+ issue.tag == "IL0022"
 }
diff --git a/minimal_code.rego b/minimal_code.rego
index acb6696..23ed3d8 100644
--- a/minimal_code.rego
+++ b/minimal_code.rego
@@ -1,12 +1,14 @@
-package policy
+# METADATA
+# title: Minimal Code
+# description: |
+# Blocks packages containing minimal code
+package policy.v1
 import rego.v1
-# Returns a violation if the package contains minimal code and is unlikley worth the security risk
 # METADATA
-# scope: rule
-# schemas:
-# - data.issue: schema.issue
-issue contains "Package contains minimal code" if {
- data.issue.tag == "IE0027"
+# title: Minimal code
+deny contains issue if {
+ some issue in data.issues
+ issue.tag == "IE0027"
 }
diff --git a/obfuscated_code.rego b/obfuscated_code.rego
index f663e46..fe66c68 100644
--- a/obfuscated_code.rego
+++ b/obfuscated_code.rego
@@ -1,12 +1,14 @@
-package policy
+# METADATA
+# title: Obfuscated Code
+# description: |
+# Blocks obfuscated code
+package policy.v1
 import rego.v1
-# Returns a violation if the package contains obfuscated code
 # METADATA
-# scope: rule
-# schemas:
-# - data.issue: schema.issue
-issue contains "Package contains obfuscated code" if {
- data.issue.tag in {"HM0029", "HM0099", "HM0023", "IM0040", "IM0041"}
+# title: Obfuscated code
+deny contains issue if {
+ some issue in data.issues
+ issue.tag in {"HM0029", "HM0099", "HM0023", "IM0040", "IM0041"}
 }
diff --git a/runs_remote_code.rego b/runs_remote_code.rego
new file mode 100644
index 0000000..59f7346
--- /dev/null
+++ b/runs_remote_code.rego
@@ -0,0 +1,14 @@
+# METADATA
+# title: Runs Remote Code
+# description: |
+# Blocks packages that run remote code
+package policy.v1
+
+import rego.v1
+
+# METADATA
+# title: Runs remote code
+deny contains issue if {
+ some issue in data.issues
+ issue.tag in {"CM0024", "MM0024", "HM0032"}
+}
diff --git a/secret_non_test.rego b/secret_non_test.rego
index dddd294..dbaa8a8 100644
--- a/secret_non_test.rego
+++ b/secret_non_test.rego
@@ -1,12 +1,14 @@
-package policy
+# METADATA
+# title: Secrets in non-test files
+# description: |
+# Blocks packages containing secrets/tokens in non-test files
+package policy.v1
 import rego.v1
-# Returns a violation if the package contains secrets/tokens excluding test/example files
 # METADATA
-# scope: rule
-# schemas:
-# - data.issue: schema.issue
-issue contains "Secrets in non-test file" if {
- data.issue.tag == "ME0016"
+# title: Secrets in non-test file
+deny contains issue if {
+ some issue in data.issues
+ issue.tag == "ME0016"
 }
diff --git a/show_all.rego b/show_all.rego
deleted file mode 100644
index a1484de..0000000
--- a/show_all.rego
+++ /dev/null
@@ -1,5 +0,0 @@
-package policy
-
-import rego.v1
-
-issue contains "Policy Violation"
diff --git a/suspicious_url.rego b/suspicious_url.rego
new file mode 100644
index 0000000..79cbd11
--- /dev/null
+++ b/suspicious_url.rego
@@ -0,0 +1,14 @@
+# METADATA
+# title: Suspicious URL References
+# description: |
+# Block packages referencing sites uncommon to legitimate software
+package policy.v1
+
+import rego.v1
+
+# METADATA
+# title: Suspicious URL reference
+deny contains issue if {
+ some issue in data.issues
+ issue.tag == "MM0028"
+}
diff --git a/typosquat.rego b/typosquat.rego
index b580e39..bfd4bae 100644
--- a/typosquat.rego
+++ b/typosquat.rego
@@ -1,26 +1,19 @@
-package policy
+# METADATA
+# title: Typosquat
+# description: |
+# Blocks potential typosquat with malicious characteristics
+package policy.v1
 import data.phylum.domain
-
 import rego.v1
-# Returns `true` if the given dependency has a typosquat issue
-has_typosquat if {
- some issue in data.dependency.issues
- issue.tag == "HM0008"
-}
+# METADATA
+# title: Potential typosquat with malicious characteristics
+deny contains typosquat_issue if {
+ some dependency in data.dependencies
-# Returns `true` if the dependency has more than one malware issue
-has_more_than_one_malware_issue if {
- some issue in data.dependency.issues
- count([dom | issue.domain == domain.MALICIOUS; dom := issue.domain]) > 1
-}
+ some typosquat_issue in dependency.issues
+ typosquat_issue.tag == "HM0008"
-# METADATA
-# scope: rule
-# schemas:
-# - data.issue: schema.issue
-issue contains "Potential typosquat with malicious characteristics" if {
- has_typosquat
- has_more_than_one_malware_issue
+ count([d | d := dependency.issues[_].domain; d == domain.MALICIOUS]) > 1
 }
diff --git a/vuln_crit.rego b/vuln_crit.rego
index 56afbb8..99b78f2 100644
--- a/vuln_crit.rego
+++ b/vuln_crit.rego
@@ -1,15 +1,17 @@
-package policy
+# METADATA
+# title: Software Vulnerability - Critical
+# description: |
+# Blocks Critical software vulnerabilities
+package policy.v1
 import data.phylum.domain
 import data.phylum.level
 import rego.v1
-# Returns a violation if the package has a Critical software vulnerability
 # METADATA
-# scope: rule
-# schemas:
-# - data.issue: schema.issue
-issue contains "Critical software vulnerability" if {
- data.issue.domain == domain.VULNERABILITY
- data.issue.severity > level.HIGH
+# title: Critical software vulnerability
+deny contains issue if {
+ some issue in data.issues
+ issue.domain == domain.VULNERABILITY
+ issue.severity == level.CRITICAL
 }
diff --git a/vuln_crit_high.rego b/vuln_crit_high.rego
index fc57dfe..714700c 100644
--- a/vuln_crit_high.rego
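Review bot: In typosquat.rego the `> 1` threshold on the `count(...)` line is the whole substance of the policy and carries no explanation of what is counted: it counts every issue on the dependency whose `domain` is `domain.MALICIOUS`, which presumably includes the `HM0008` typosquat issue itself if that issue carries the malicious domain, so `> 1` would mean "at least one other malicious finding" — I can't confirm HM0008's domain from the hunk. A comment above that line such as `# Require at least one malicious-domain finding beyond the typosquat signal itself (assumes HM0008 is in the MALICIOUS domain; verify)` would make the intent checkable. Note also that this file reads `data.dependencies[...].issues` while every other policy in this change reads `data.issues`; if the evaluator supplies only one of those shapes, this rule is undefined and silently never blocks, so the expected input shape should be stated in the description. Mixing a `dependency.issues[_]` comprehension with the `some ... in` iteration on the two lines above is stylistic only; `count([i | some i in dependency.issues; i.domain == domain.MALICIOUS]) > 1` reads consistently with them.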
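Review bot: In vuln_crit.rego, changing the severity test from `> level.HIGH` to `== level.CRITICAL` narrows what this policy blocks, while the sibling `vuln_crit_high.rego` in the same change keeps the open-ended `> level.MEDIUM` form; if `level` is an ordered numeric scale (which the existing `>` comparisons suggest), `issue.severity >= level.CRITICAL` keeps the two files consistent and still catches any level that might later be added above CRITICAL instead of letting it through. If `level.CRITICAL` is guaranteed to be the top of the scale, say so on that line, e.g. `# CRITICAL is the highest level, so equality is sufficient here`. I can't tell from the hunk how `data.phylum.level` is defined, so one of the two should be confirmed against it.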
+++ b/vuln_crit_high.rego
@@ -1,15 +1,17 @@
-package policy
+# METADATA
+# title: Software Vulnerability - Critical/High
+# description: |
+# Blocks Critical and High software vulnerabilities
+package policy.v1
 import data.phylum.domain
 import data.phylum.level
 import rego.v1
-# Returns a violation if the package has a Critical or High software vulnerability
 # METADATA
-# scope: rule
-# schemas:
-# - data.issue: schema.issue
-issue contains "Critical or High software vulnerability" if {
- data.issue.domain == domain.VULNERABILITY
- data.issue.severity > level.MEDIUM
+# title: Critical or High software vulnerability
+deny contains issue if {
+ some issue in data.issues
+ issue.domain == domain.VULNERABILITY
+ issue.severity > level.MEDIUM
 }