From 17fc9d7bd610183242a8aa5ee0fc6d064bdfb7c1 Mon Sep 17 00:00:00 2001
From: abhisek
Date: Thu, 21 Nov 2024 20:56:02 +0530
Subject: [PATCH] ci: Integrate vet for scanning OSS components during PR
---
 .github/vet/policy.yml | 25 +++++++++++++++++++++++++
 .github/workflows/vet-ci.yml | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 61 insertions(+)
 create mode 100644 .github/vet/policy.yml
 create mode 100644 .github/workflows/vet-ci.yml
diff --git a/.github/vet/policy.yml b/.github/vet/policy.yml
new file mode 100644
index 00000000..19e8c2ec
--- /dev/null
+++ b/.github/vet/policy.yml
@@ -0,0 +1,25 @@
+name: Minimal OSS Security Policy
+description: |
+ This filter suite contains rules for implementing minimum
+ security guardrails against risky OSS components.
+tags:
+ - general
+ - vet
+ - oss-maintainers
+filters:
+ - name: critical-or-high-vulns
+ check_type: CheckTypeVulnerability
+ summary: Critical or high risk vulnerabilities were found
+ value: |
+ vulns.critical.exists(p, true) || vulns.high.exists(p, true)
+ - name: low-popularity
+ check_type: CheckTypePopularity
+ summary: Component popularity is low by Github stars count
+ value: |
+ projects.exists(p, (p.type == "GITHUB") && (p.stars < 10))
+ - name: osv-malware
+ check_type: CheckTypeMalware
+ summary: Malicious (malware) component detected
+ value: |
+ vulns.all.exists(v, v.id.startsWith("MAL-"))
+
diff --git a/.github/workflows/vet-ci.yml b/.github/workflows/vet-ci.yml
new file mode 100644
index 00000000..dc9042ac
--- /dev/null
+++ b/.github/workflows/vet-ci.yml
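Review bot: The `low-popularity` filter in `.github/vet/policy.yml` only fires when a linked project has `p.type == "GITHUB"` and fewer than 10 stars, so a component with no resolvable project, or one hosted outside GitHub, is never flagged by that rule; if that gap is intended, record it in the rule, e.g. `summary: Component popularity is low by Github stars count (only components with a linked GitHub project are evaluated)`. The same threshold will also match brand-new or internal packages, so expect some noise on PRs until the number is tuned. The `critical-or-high-vulns` rule deliberately ignores medium and low findings and `osv-malware` depends on advisory IDs carrying the `MAL-` prefix; a one-line note on each of those limits in the `description` block would tell maintainers what this "minimal" policy does and does not catch.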
@@ -0,0 +1,36 @@
+name: vet OSS Components
+
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+ - master
+
+permissions:
+ # Required for actions/checkout@v4
+ contents: read
+
+ # Required for writing pull request comment
+ issues: write
+ pull-requests: write
+
+jobs:
+ vet:
+ name: vet
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout
+ id: checkout
+ uses: actions/checkout@v4
+
+ - name: Run vet
+ id: vet
+ uses: safedep/vet-action@v1
+ with:
+ policy: .github/vet/policy.yml
+ env:
+ # Required for writing pull request comment
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
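Review bot: Both `uses:` lines in `.github/workflows/vet-ci.yml` reference mutable major tags (`actions/checkout@v4`, `safedep/vet-action@v1`), so the workflow meant to guard against risky third-party components is itself resolved to whatever those tags point at on each run; pin each to a full-length commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4` and `uses: safedep/vet-action@<full-commit-sha> # v1` (the SHAs are placeholders to fill from the upstream releases). The `issues: write` and `pull-requests: write` grants sit at the workflow level and therefore apply to every job; moving the `permissions` block under `jobs.vet` keeps the write scopes with the single job that needs them, and the `push` trigger on `main`/`master` has no pull request to comment on, so those scopes only do work on `pull_request` runs. For `pull_request` events from forks, `GITHUB_TOKEN` is read-only by default, so the comment step presumably cannot post there; a short note next to the `env` block saying that is expected would save the next maintainer a debugging round.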