Using Mindev to develop and debug rule types
Mindev is a tool that helps you develop and debug rule types for Minder. It provides a way to run rule types locally and test them against your codebase.
While it contains more utilities, this guide focuses on using Mindev to develop and debug rule types.
Prerequisites
- Go installed on your machine
- The gh CLI installed on your machine
Build Mindev
make build-mindev
Run Mindev
mindev help
To see the available options for rule types, run:
mindev ruletype help
Linting
ruletype lint
will evaluate the rule, without running it against any
external resources. This will allow you to identify syntax errors
quickly. To lint your rule type, run:
mindev ruletype lint -r path/to/rule-type.yaml
This will give you basic validations on the rule type file.
Running a rule type
ruletype test
will execute a rule against an external resource. This
will allow you to test a single rule. You must provide a rule type to
evaluate, the profile to evaluate it in the context of, and the information
about the entity to evaluate.
The entity type must match the rule's def.in_entity
type; the entity
is defined as a set of YAML properties in the entity file; for example,
if you're testing a rule type that's targetted towards a repository,
the YAML must match the repository schema.
To run a rule type, use the following command:
mindev ruletype test -e mindev ruletype test -e /path/to/entity -p /path/to/profile -r /path/to/rule
Where the flags are:
-e
or--entity
: The path to the entity file-p
or--profile
: The path to the profile file-r
or--rule
: The path to the rule file
The entity could be the repository or the codebase you want to test the rule type against.
The rule is the rule type definition you want to verify
And the profile is needed so we can specify the parameters and definitions for the rule type.
Entity
An entity in minder is the target in the supply chain that minder is evaluating. In some cases, it may be the repository. Minder the minimal information needed to evaluate the rule type.
The values needed must match an entity's protobuf definition. for instance, for a repository entity, the following fields are required:
---
github/repo_name: <name of the repo>
github/repo_owner: <owner of the repo>
github/repo_id: <upstream ID>
github/clone_url: <clone URL>
github/default_branch: <default branch>
is_private: <true/false>
is_fork: <true/false>
Minder is able to use these values to check the current state of the repository and evaluate the rule type.
You can see examples of the schema for each entity in the entity examples folder.
Authentication
If the rule type requires authentication, you can use the following environment variable:
export TEST_AUTH_TOKEN=your_token
You can use gh
(the GitHub CLI) to
produce a GitHub auth token. For example:
TEST_AUTH_TOKEN=$(gh auth token) mindev ruletype test -e /path/to/entity -p /path/to/profile -r /path/to/rule
Example
Let's evaluate if the minder
repository has set up dependabot for golang dependencies correctly.
We can get the necessary rule type from the minder rules and profiles repo.
We'll create a file called entity.yaml
with the following content:
---
github/repo_name: minder
github/repo_owner: stacklok
github/repo_id: 624056558
github/clone_url: https://github.com/mindersec/minder.git
github/default_branch: main
is_private: false
is_fork: false
We'll use the readily available profile for dependabot for golang dependencies:
---
# Simple profile showing off the dependabot_configured rule
version: v1
type: profile
name: dependabot-go-github-profile
display_name: Dependabot for Go projects
context:
provider: github
alert: "on"
remediate: "off"
repository:
- type: dependabot_configured
def:
package_ecosystem: gomod
schedule_interval: daily
apply_if_file: go.mod
This is already available in the minder rules and profiles repo.
Let's set up authentication:
export AUTH_TOKEN=$(gh auth token)
Let's give it a try!
$ mindev ruletype test -e repo.yaml -p profiles/github/dependabot_go.yaml -r rule-types/github/dependabot_configured.yaml
Profile valid according to the JSON schema!
The rule type is valid and the entity conforms to it
The output shows that the rule type is valid and the entity conforms to it. Meaning the minder
repository has set up dependabot for golang dependencies correctly.
Rego print
Mindev also has the necessary pieces set up so you can debug your rego rules. e.g. print
statements
in rego will be printed to the console.
For more information on the rego print statement, the following blog post is a good resource: Introducing the OPA print function
Conclusion
Mindev is a powerful tool that helps you develop and debug rule types for Minder. It provides a way to run rule types locally and test them against your codebase.