From b719cb7f46aef9e6147782cb878e40c451317c82 Mon Sep 17 00:00:00 2001
From: Brian Dussault
Date: Thu, 19 Dec 2024 12:30:31 -0500
Subject: [PATCH 1/6] Gitleaks action rule Checks to make sure Gitleaks GitHub action is enabled to prevent the leakage of passwords or keys.
--- .../github/gitleaks_github_action.test.yaml | 0 .../github_action_with_gitleaks/gitleaks.yaml | 14 ++++++ .../not-gitleaks.yaml | 12 ++++++ rule-types/github/gitleaks_github_action.yaml | 43 +++++++++++++++++++ 4 files changed, 69 insertions(+) create mode 100644 rule-types/github/gitleaks_github_action.test.yaml create mode 100644 rule-types/github/gitleaks_github_action.testdata/github_action_with_gitleaks/gitleaks.yaml create mode 100644 rule-types/github/gitleaks_github_action.testdata/github_action_without_gitleaks/not-gitleaks.yaml create mode 100644 rule-types/github/gitleaks_github_action.yaml
diff --git a/rule-types/github/gitleaks_github_action.test.yaml b/rule-types/github/gitleaks_github_action.test.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/rule-types/github/gitleaks_github_action.testdata/github_action_with_gitleaks/gitleaks.yaml b/rule-types/github/gitleaks_github_action.testdata/github_action_with_gitleaks/gitleaks.yaml
new file mode 100644
index 0000000..188793c
--- /dev/null
+++ b/rule-types/github/gitleaks_github_action.testdata/github_action_with_gitleaks/gitleaks.yaml
@@ -0,0 +1,14 @@
+name: Renovate
+on:
+ workflow_dispatch:
+ schedule:
+ # Run every 15 minutes
+ - cron: '0/15 * * * *'
+jobs:
+ gitleaks:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4.2.2
+ - name: Self-hosted Gitleaks
+ uses: gitleaks/gitleaks-action@v2
\ No newline at end of file
diff --git a/rule-types/github/gitleaks_github_action.testdata/github_action_without_gitleaks/not-gitleaks.yaml b/rule-types/github/gitleaks_github_action.testdata/github_action_without_gitleaks/not-gitleaks.yaml
new file mode 100644
index 0000000..1e929a7
--- /dev/null
+++ b/rule-types/github/gitleaks_github_action.testdata/github_action_without_gitleaks/not-gitleaks.yaml
@@ -0,0 +1,12 @@
+name: Just Checkout
+on:
+ workflow_dispatch:
+ schedule:
+ # Run every 15 minutes
+ - cron: '0/15 * * * *'
+jobs:
+ gitleaks:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4.2.2
\ No newline at end of file
diff --git a/rule-types/github/gitleaks_github_action.yaml b/rule-types/github/gitleaks_github_action.yaml
new file mode 100644
index 0000000..3eab88e
--- /dev/null
+++ b/rule-types/github/gitleaks_github_action.yaml
@@ -0,0 +1,43 @@
+---
+version: v1
+release_phase: alpha
+type: rule-type
+name: gitleaks_github_action
+display_name: Enable Gitleak to prevent leakage of passwords or keys
+short_failure_message: Gitleak is not configured via a GitHub action
+severity:
+ value: medium
+context: {}
+description: |
+ Verifies that Gitleak is configured via a GitHub action for the repository.
+guidance: |
+ Ensure that Gitleak is configured and enabled for the repository.
+ Gitleaks is an open-source secret scanner for git repositories, files, and directories.
+ For more information, see the [GitHub Action Gitleaks](https://github.com/gitleaks/gitleaks) documentation.
+def:
+ in_entity: repository
+ rule_schema:
+ type: object
+ properties: {}
+ ingest:
+ type: git
+ git: {}
+ eval:
+ type: rego
+ rego:
+ type: deny-by-default
+ def: |
+ package minder
+
+ import rego.v1
+
+ actions := github_workflow.ls_actions("./.github/workflows")
+
+ default message := "Gitleaks GitHub action is not configured"
+ default allow := false
+ allow if {"gitleaks/gitleaks-action" in actions
+ }
+ # Defines the configuration for alerting on the rule
+ alert:
+ type: security_advisory
+ security_advisory: {}
\ No newline at end of file
From 27810eeeac88ed51ed0cd17fd6c599a0b0e3b300 Mon Sep 17 00:00:00 2001
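Review bot: The `description` and `guidance` text in this hunk promise more than the rego `def` checks: `allow` is true as soon as any workflow file under `./.github/workflows` references `gitleaks/gitleaks-action`, regardless of the workflow's triggers or of any `if:` on the step, so the `github_action_with_gitleaks` fixture added in this same patch — whose only triggers are `workflow_dispatch` and a `schedule` — counts as configured even though nothing runs on `push` or `pull_request`. That scope should be stated so a passing rule is not read as proof that secrets are scanned before merge; a one-liner in `description` would do: `The check confirms that a workflow under .github/workflows references gitleaks/gitleaks-action; it does not validate the workflow's triggers, step conditions, or the action's configuration.` If the rule is later tightened to inspect triggers, the `not-gitleaks.yaml` fixture would need a trigger-only counterpart. The return shape of `github_workflow.ls_actions` is not visible here, so whether `actions` holds bare `owner/repo` names or the full `uses:` string with its `@ref` is worth confirming against the Minder rego library and noting in a comment above the `actions :=` line.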
From: Brian Dussault
Date: Thu, 19 Dec 2024 12:35:48 -0500
Subject: [PATCH 2/6] Update gitleaks_github_action.test.yaml
--- rule-types/github/gitleaks_github_action.test.yaml | 13 +++++++++++++ 1 file changed, 13 insertions(+)
diff --git a/rule-types/github/gitleaks_github_action.test.yaml b/rule-types/github/gitleaks_github_action.test.yaml
index e69de29..e061cc8 100644
--- a/rule-types/github/gitleaks_github_action.test.yaml
+++ b/rule-types/github/gitleaks_github_action.test.yaml
@@ -0,0 +1,13 @@
+tests:
+ - name: "Should have Gitleaks enabled"
+ def: {}
+ params: {}
+ expect: "pass"
+ git:
+ repo_base: github_action_with_gitleaks
+ - name: "Should not have Gitleaks enabled"
+ def: {}
+ params: {}
+ expect: "fail"
+ git:
+ repo_base: github_action_without_gitleaks
From 5626ef20075adc2d203905bd971995e85be96021 Mon Sep 17 00:00:00 2001
From: Brian Dussault
Date: Thu, 19 Dec 2024 12:36:24 -0500
Subject: [PATCH 3/6] Update gitleaks.yaml
--- .../github_action_with_gitleaks/gitleaks.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rule-types/github/gitleaks_github_action.testdata/github_action_with_gitleaks/gitleaks.yaml b/rule-types/github/gitleaks_github_action.testdata/github_action_with_gitleaks/gitleaks.yaml
index 188793c..cea4081 100644
--- a/rule-types/github/gitleaks_github_action.testdata/github_action_with_gitleaks/gitleaks.yaml
+++ b/rule-types/github/gitleaks_github_action.testdata/github_action_with_gitleaks/gitleaks.yaml
@@ -1,4 +1,4 @@
-name: Renovate
+name: gitleaks
 on: workflow_dispatch: schedule:
@@ -11,4 +11,4 @@ jobs: - name: Checkout uses: actions/checkout@v4.2.2 - name: Self-hosted Gitleaks
- uses: gitleaks/gitleaks-action@v2
\ No newline at end of file
+ uses: gitleaks/gitleaks-action@v2
From a432c20f5817b4b6cbaf8e92bb0abbd359f088b8 Mon Sep 17 00:00:00 2001
From: Brian Dussault
Date: Thu, 19 Dec 2024 14:46:04 -0500
Subject: [PATCH 4/6] Update gitleaks_github_action.yaml
--- rule-types/github/gitleaks_github_action.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rule-types/github/gitleaks_github_action.yaml b/rule-types/github/gitleaks_github_action.yaml
index 3eab88e..e53777e 100644
--- a/rule-types/github/gitleaks_github_action.yaml
+++ b/rule-types/github/gitleaks_github_action.yaml
@@ -13,7 +13,7 @@ description: | guidance: | Ensure that Gitleak is configured and enabled for the repository. Gitleaks is an open-source secret scanner for git repositories, files, and directories.
- For more information, see the [GitHub Action Gitleaks](https://github.com/gitleaks/gitleaks) documentation.
+ For more information, see the [GitHub Action Gitleaks](https://github.com/gitleaks/gitleaks-action) documentation.
 def: in_entity: repository rule_schema:
@@ -40,4 +40,4 @@ def: # Defines the configuration for alerting on the rule alert: type: security_advisory
- security_advisory: {}
\ No newline at end of file
+ security_advisory: {}
From 9fc3bd8a103dea2499ab4f2fdf0d266079270020 Mon Sep 17 00:00:00 2001
From: Brian Dussault
Date: Thu, 19 Dec 2024 15:08:18 -0500
Subject: [PATCH 5/6] Update gitleaks_github_action.yaml
--- rule-types/github/gitleaks_github_action.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rule-types/github/gitleaks_github_action.yaml b/rule-types/github/gitleaks_github_action.yaml
index e53777e..8b7fbb5 100644
--- a/rule-types/github/gitleaks_github_action.yaml
+++ b/rule-types/github/gitleaks_github_action.yaml
@@ -35,8 +35,8 @@ def: default message := "Gitleaks GitHub action is not configured" default allow := false
- allow if {"gitleaks/gitleaks-action" in actions
- }
+ allow if contains(actions[_], "gitleaks/gitleaks-action")
+ # Defines the configuration for alerting on the rule alert: type: security_advisory
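Review bot: `contains(actions[_], "gitleaks/gitleaks-action")` is a substring test, so any `uses:` reference that merely embeds that text — for instance an action published under a different owner whose name ends in `gitleaks` — satisfies the rule even though it is not the upstream action, which defeats the point of a secret-scanning guardrail. If `github_workflow.ls_actions` returns the full `uses:` string including its `@ref` (which the move away from the exact `in` match suggests, but is not visible here), anchoring at the start keeps the version-agnostic intent while rejecting look-alikes: `allow if startswith(actions[_], "gitleaks/gitleaks-action@")`. A third case in `gitleaks_github_action.test.yaml` whose fixture references a same-named action under another owner and expects `"fail"` would lock this in. The second added line appears to be whitespace-only inside the `def: |` block scalar; harmless to rego, but worth trimming so yamllint's trailing-spaces check stays clean.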
From a35be44d256f2995b67224c1a09957891479cbca Mon Sep 17 00:00:00 2001
From: Brian Dussault
Date: Thu, 19 Dec 2024 15:18:47 -0500
Subject: [PATCH 6/6] Update gitleaks_github_action.yaml
--- rule-types/github/gitleaks_github_action.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/rule-types/github/gitleaks_github_action.yaml b/rule-types/github/gitleaks_github_action.yaml
index 8b7fbb5..1fd6f24 100644
--- a/rule-types/github/gitleaks_github_action.yaml
+++ b/rule-types/github/gitleaks_github_action.yaml
@@ -3,15 +3,15 @@ version: v1 release_phase: alpha type: rule-type name: gitleaks_github_action
-display_name: Enable Gitleak to prevent leakage of passwords or keys
-short_failure_message: Gitleak is not configured via a GitHub action
+display_name: Enable Gitleaks to prevent leakage of passwords or keys
+short_failure_message: Gitleaks is not configured via a GitHub action
 severity: value: medium context: {} description: |
- Verifies that Gitleak is configured via a GitHub action for the repository.
+ Verifies that Gitleaks is configured via a GitHub action for the repository.
 guidance: |
- Ensure that Gitleak is configured and enabled for the repository.
+ Ensure that Gitleaks is configured and enabled for the repository.
 Gitleaks is an open-source secret scanner for git repositories, files, and directories. For more information, see the [GitHub Action Gitleaks](https://github.com/gitleaks/gitleaks-action) documentation. def: