Setting up a profile for GitHub Security Advisories
Prerequisites
- The
minder
CLI application - A Minder account with
at least
editor
permission - An enrolled provider (e.g., GitHub) and registered repositories
Create a rule type for alerting
The alert
feature is available for all rule types that have the alert
section defined in their <alert-type>.yaml
file. Alerts are a core feature of
Minder providing you with notifications about the status of your registered
repositories using GitHub Security Advisories. These Security Advisories
automatically open and close based on the evaluation of the rules defined in
your profiles.
When a rule fails, Minder opens an alert to bring your attention to the non-compliance issue. Conversely, when the rule evaluation passes, Minder will automatically close any previously opened alerts related to that rule.
In this example, we will use a rule type that checks if a repository has a
LICENSE file present. If there's no file present, Minder will create an alert
notifying the owner of the repository. The rule type is called license.yaml
and is one of the reference rule types provided by the Minder team. Details,
such as the severity of the alert are defined in the alert
section of the rule
type definition.
Fetch all the reference rules by cloning the minder-rules-and-profiles repository.
git clone https://github.com/mindersec/minder-rules-and-profiles.git
In that directory, you can find all the reference rules and profiles.
cd minder-rules-and-profiles
Create the license
rule type in Minder:
minder ruletype create -f rule-types/github/license.yaml
Create a profile
Next, create a profile that applies the rule to all registered repositories.
Create a new file called profile.yaml
using the following profile definition
and enable alerting by setting alert
to on
(default). The other available
values are off
and dry_run
.
---
version: v1
type: profile
name: license-profile
context:
provider: github
alert: 'on'
repository:
- type: license
def:
license_filename: LICENSE
license_type: ''
Create the profile in Minder:
minder profile create -f profile.yaml
Once the profile is created, Minder will monitor all of your registered
repositories for the presence of the LICENSE
file.
If a repository does not have a LICENSE
file available, Minder will create an
alert of type Security Advisory providing additional details such as the profile
and rule that triggered the alert and guidelines on how to resolve the issue.
Once a LICENSE
file is added to the repository, Minder will automatically
close the alert.
Alerts are complementary to the remediation feature. If you have both alert
and remediation
enabled for a profile, Minder will attempt to remediate it
first. If the remediation fails, Minder will create an alert. If the remediation
succeeds, Minder will close any previously opened alerts related to that rule.
Limitations
- Currently, the only supported alert type is GitHub Security Advisory. More alert types will be added in the future.
- Alerts are only available for rules that have the
alert
section defined in their<alert-type>.yaml
file.