-
Notifications
You must be signed in to change notification settings - Fork 13
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add a ruletype for enforcing a file being present in a repo #227
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A few nits, but seems good overall.
Ensures that the repository contains a specific file and its content. | ||
|
||
This rule is useful for enforcing the presence of various files in the repository, such as LICENSE, README, CONTRIBUTING, | ||
CODE_OF_CONDUCT, Dependabot configuration files and many more. It can also be used to enforce the presence of specific |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I suspect that Dependabot is trickier, because you probably want it to be adjusted based on the languages present. The others seem fairly likely to be consistent.
rule-types/common/enforce_file.yaml
Outdated
file: | ||
type: string | ||
description: | | ||
The file to enforce in the repository. | ||
For example, LICENSE, README, CONTRIBUTING, .github/dependabot.yml, etc. | ||
default: LICENSE | ||
content: | ||
type: string | ||
description: | | ||
The content to enforce in the file. | ||
For example, the content of the LICENSE file. | ||
|
||
Leave "" to only check for the presence of the license file. | ||
required: | ||
- file | ||
- content |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Question: right now, it looks like you'd end up needing to specify N copies of the rule for N different files.
What would you think of having a schema like the following?
file: | |
type: string | |
description: | | |
The file to enforce in the repository. | |
For example, LICENSE, README, CONTRIBUTING, .github/dependabot.yml, etc. | |
default: LICENSE | |
content: | |
type: string | |
description: | | |
The content to enforce in the file. | |
For example, the content of the LICENSE file. | |
Leave "" to only check for the presence of the license file. | |
required: | |
- file | |
- content | |
files: | |
type: object | |
additionalProperties: | |
type: string | |
description: | | |
A mapping from file path to expected contents in the repository | |
Set expected contents to "" (empty string) to check for file existence without | |
checking file contents. | |
default: | |
required: | |
- files |
type: pull_request | ||
pull_request: | ||
title: "Ensure {{.Profile.file }} exists with the expected content" | ||
body: | | ||
This is a Minder automated pull request. | ||
|
||
This pull request ensures that this repository contains the file {{.Profile.file}} with the expected content set by your organization. | ||
contents: | ||
- path: "{{.Profile.file}}" | ||
action: replace | ||
content: | | ||
{{.Profile.content}} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah! This is a (current) reason not to use the object
formulation -- we don't have a way to iterate over all the keys in the Profile.files
map, correct?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Exactly 👍 Of course, we can try to do that if we want. I was also thinking if I should try and make the path field optional for the pull request remediation type, but at the same time I like explicitly scoping it so you don't accidentally push another change. My concern for not looking at these is both will be considered breaking changes so I think it'll be out of scope for this one.
aa474b3
to
c247f61
Compare
|
||
default allow := false | ||
default skip := false | ||
fileStr := trim_space(file.read(input.profile.file)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
concern: I'm afraid this can't be used to implement OSPS-DO-02
since it requires checking the existence of CONTRIBUTING/
folder as well.
How complex would it be to support folders as well?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let me see what I can do 👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess the main difficulty is that input.profile.file
is also used for the remediation, and in the case of a folder it's harder to figure out what's the right thing to do (i.e. one can't always default to creating a file).
On the other hand, OSSF is not currently interested in remediation.
I'd prefer to write an explicit rule for checking OSPS-DO-02 (with no
configuration needed) over making this rule more complex.
|
Signed-off-by: Radoslav Dimitrov <[email protected]>
Signed-off-by: Radoslav Dimitrov <[email protected]>
Co-authored-by: Evan Anderson <[email protected]>
Signed-off-by: Radoslav Dimitrov <[email protected]>
Signed-off-by: Radoslav Dimitrov <[email protected]>
Signed-off-by: Radoslav Dimitrov <[email protected]>
…s missing Signed-off-by: Radoslav Dimitrov <[email protected]>
e4e4086
to
5adfbf7
Compare
The following PR creates a ruletype that lets you ensure you have a certain file in your repository, but also allows you to specify its expected content.
Depends on mindersec/minder#5216
This ruletype also implements OSPS-DO-02