Setting up a profile for GitHub Security Advisories
Prerequisites
- The
minder
CLI application - A Minder account with
at least
editor
permission - An enrolled Provider (e.g., GitHub) and registered repositories
Create a rule type that you want to be alerted on
The alert
feature is available for all rule types that have the alert
section defined in their <alert-type>.yaml
file. Alerts are a core feature of Minder providing you with notifications about the status of your registered
repositories using GitHub Security Advisories. These Security Advisories automatically open and close based on the evaluation of the rules
defined in your profiles.
When a rule fails, Minder opens an alert to bring your attention to the non-compliance issue. Conversely, when the rule evaluation passes, Minder will automatically close any previously opened alerts related to that rule.
In this example, we will use a rule type that checks if a repository has a LICENSE file present. If there's no file
present, Minder will create an alert notifying the owner of the repository. The rule type is called license.yaml
and
is one of the reference rule types provided by the Minder team. Details, such as the severity of the alert are defined
in the alert
section of the rule type definition.
Fetch all the reference rules by cloning the minder-rules-and-profiles repository.
git clone https://github.com/stacklok/minder-rules-and-profiles.git
In that directory, you can find all the reference rules and profiles.
cd minder-rules-and-profiles
Create the license
rule type in Minder:
minder ruletype create -f rule-types/github/license.yaml
Create a profile
Next, create a profile that applies the rule to all registered repositories.
Create a new file called profile.yaml
using the following profile definition and enable alerting by setting alert
to on
(default). The other available values are off
and dry_run
.
---
version: v1
type: profile
name: license-profile
context:
provider: github
alert: "on"
repository:
- type: license
def:
license_filename: LICENSE
license_type: ""
Create the profile in Minder:
minder profile create -f profile.yaml
Once the profile is created, Minder will monitor all of your registered repositories for the presence of the LICENSE
file.
If a repository does not have a LICENSE
file available, Minder will create an alert of type Security Advisory providing
additional details such as the profile and rule that triggered the alert and guidelines on how to resolve the issue.
Once a LICENSE
file is added to the repository, Minder will automatically close the alert.
Alerts are complementary to the remediation feature. If you have both alert
and remediation
enabled for a profile,
Minder will attempt to remediate it first. If the remediation fails, Minder will create an alert. If the remediation
succeeds, Minder will close any previously opened alerts related to that rule.
Limitations
- Currently, the only supported alert type is GitHub Security Advisory. More alert types will be added in the future.
- Alerts are only available for rules that have the
alert
section defined in their<alert-type>.yaml
file.