diff --git a/.github/workflows/conftest-unittests.yaml b/.github/workflows/conftest-unittests.yaml index fea6c0be..459fb377 100644 --- a/.github/workflows/conftest-unittests.yaml +++ b/.github/workflows/conftest-unittests.yaml @@ -2,6 +2,9 @@ name: Run conftest-unittests.sh on: [push, pull_request] +# Declare default permissions as read only. +permissions: read-all + jobs: conftest: runs-on: ubuntu-latest @@ -14,3 +17,52 @@ jobs: with: tests: _test/conftest-unittests.sh policies: '[]' # An empty array is provided as the policies are already cloned via source. + + - name: Tar and Generate hashes + shell: bash + id: hash + run: | + tar cvf policy.tar policy/ + + echo "hashes=$(sha256sum policy.tar | base64 -w0)" >> "$GITHUB_OUTPUT" + + - name: Upload policy.tar + uses: actions/upload-artifact@v3 + with: + name: policy.tar + path: policy.tar + if-no-files-found: error + retention-days: 5 + + outputs: + hashes: ${{ steps.hash.outputs.hashes }} + + provenance: + needs: [validate] + if: startsWith(github.ref, 'refs/tags/') + permissions: + actions: read + id-token: write + contents: write + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 + with: + base64-subjects: "${{ needs.validate.outputs.hashes }}" + upload-assets: true + + release: + needs: [validate, provenance] + runs-on: ubuntu-latest + if: startsWith(github.ref, 'refs/tags/') + permissions: + contents: write + steps: + - name: Download policy.tar + uses: actions/download-artifact@v3 + with: + name: policy.tar + + - name: Upload assets to release + uses: softprops/action-gh-release@v0.1.15 + with: + files: | + policy.tar \ No newline at end of file diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index debd7659..9f761930 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml 
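Review bot: `provenance` and `release` declare `needs: [validate]` / `needs: [validate, provenance]` and read `needs.validate.outputs.hashes`, but the only job visible in this workflow is `conftest` (the new `outputs: hashes:` block is attached to it), so GitHub will reject the workflow for depending on an unknown job and no provenance or release will ever run. Either rename the job or change these to `needs: [conftest]`, `base64-subjects: "${{ needs.conftest.outputs.hashes }}"` and `needs: [conftest, provenance]`. Separately, `actions/upload-artifact@v3`, `actions/download-artifact@v3` and `softprops/action-gh-release@v0.1.15` are referenced by mutable tags while the other workflows in this change pin to a commit SHA with a `# vX.Y.Z` comment; a tag can be moved to different code (and this job holds `contents: write`), so pin these the same way. The `slsa-github-generator@v1.9.0` reference is the one expected exception, since that reusable workflow is meant to be referenced by tag — presumably the reason for the `pinDigest` exclusion added to renovate.json in this same commit.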
@@ -2,6 +2,9 @@ name: Check POLICIES.md is up-to-date on: [push, pull_request] +# Declare default permissions as read only. +permissions: read-all + jobs: konstraint_doc: runs-on: ubuntu-latest diff --git a/.github/workflows/gatekeeper-k8s-integrationtests.yaml b/.github/workflows/gatekeeper-k8s-integrationtests.yaml index f11ecc2a..3f40141f 100644 --- a/.github/workflows/gatekeeper-k8s-integrationtests.yaml +++ b/.github/workflows/gatekeeper-k8s-integrationtests.yaml @@ -2,6 +2,9 @@ name: Run gatekeeper-k8s-integrationtests.sh on: [push, pull_request] +# Declare default permissions as read only. +permissions: read-all + jobs: kind: runs-on: ubuntu-latest diff --git a/.github/workflows/opa-profile.yaml b/.github/workflows/opa-profile.yaml index 4ba082e3..d1f3209c 100644 --- a/.github/workflows/opa-profile.yaml +++ b/.github/workflows/opa-profile.yaml @@ -2,6 +2,9 @@ name: Run opa-profile.sh on: [push, pull_request] +# Declare default permissions as read only. +permissions: read-all + jobs: opa: runs-on: ubuntu-latest diff --git a/.github/workflows/regal-lint.yaml b/.github/workflows/regal-lint.yaml index 956275bf..9b61aa25 100644 --- a/.github/workflows/regal-lint.yaml +++ b/.github/workflows/regal-lint.yaml @@ -2,9 +2,15 @@ name: Lint policies with Regal on: [push, pull_request] +# Declare default permissions as read only. +permissions: read-all + jobs: lint-policy: runs-on: ubuntu-latest + env: + # renovate: datasource=github-releases depName=StyraInc/regal + REGAL_VERSION: v0.13.0 steps: - name: Check out code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 @@ -12,7 +18,7 @@ jobs: - name: Setup Regal uses: StyraInc/setup-regal@94ad2891f53efdb7ebe7c6836bc25ecc9504aec1 # v0.2.0 with: - version: v0.10.1 + version: ${{ env.REGAL_VERSION }} - name: Run Regal lint run: regal lint --format github policy diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 00000000..cf7de46d --- /dev/null 
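Review bot: `permissions: read-all` in the regal-lint hunk grants the job's `GITHUB_TOKEN` read access to every scope — `security-events`, `packages`, `actions`, `pull-requests` and so on — while, as far as this hunk shows, the job only checks out the repository and runs Regal, so `permissions:` / `  contents: read` is the least-privilege form; the identical `read-all` lines added to docs.yaml, gatekeeper-k8s-integrationtests.yaml and opa-profile.yaml on this line have the same property. `read-all` does satisfy Scorecard's Token-Permissions check, so this is a tightening rather than a defect. The `REGAL_VERSION` env plus `# renovate: datasource=github-releases depName=StyraInc/regal` marker is a good pattern; it appears to be consumed by the `regexManagers:githubActionsVersions` preset added to renovate.json in this commit, and a short comment saying so would keep the two from drifting apart.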
+++ b/.github/workflows/scorecard.yml 
@@ -0,0 +1,72 @@ +# This workflow uses actions that are not certified by GitHub. They are provided +# by a third-party and are governed by separate terms of service, privacy +# policy, and support documentation. + +name: Scorecard supply-chain security +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '36 19 * * 3' + push: + branches: [ "main" ] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + # Uncomment the permissions below if installing in a private repository. + # contents: read + # actions: read + + steps: + - name: "Checkout code" + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 + with: + results_file: results.sarif + results_format: sarif + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecard on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. + # repo_token: ${{ secrets.SCORECARD_TOKEN }} + + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. 
+ # - See https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8 + with: + sarif_file: results.sarif diff --git a/.regal/config.yaml b/.regal/config.yaml index 8d09d7c3..4f90e0b6 100644 --- a/.regal/config.yaml +++ b/.regal/config.yaml @@ -1,7 +1,14 @@ rules: + bugs: + inconsistent-args: + level: ignore idiomatic: no-defined-entrypoint: level: ignore + use-contains: + level: ignore + use-if: + level: ignore style: avoid-get-and-list-prefix: level: ignore @@ -20,3 +27,5 @@ rules: level: ignore todo-comment: level: ignore + unconditional-assignment: + level: ignore \ No newline at end of file diff --git a/CODEOWNERS b/CODEOWNERS new file mode 100644 index 00000000..5f448566 --- /dev/null +++ b/CODEOWNERS @@ -0,0 +1,2 @@ +# https://github.com/orgs/redhat-cop/teams/rego-policies-mergers +* @redhat-cop/rego-policies-mergers \ No newline at end of file diff --git a/OWNERS b/OWNERS deleted file mode 100644 index f267c0a7..00000000 --- a/OWNERS +++ /dev/null @@ -1,18 +0,0 @@ -# See the OWNERS docs at https://go.k8s.io/owners - -reviewers: - - etsauer - - garethahealy - - oybed - - pabrahamsson - - sabre1041 - - springdo - - ckavili -approvers: - - etsauer - - garethahealy - - oybed - - pabrahamsson - - sabre1041 - - springdo - - ckavili diff --git a/README.md b/README.md index 71ad974a..3699d388 100644 
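Review bot: The job-level `permissions:` block on `analysis` replaces the workflow-level `permissions: read-all` rather than adding to it — once a job lists any scope, every unlisted scope becomes `none` — so this job runs with only `security-events: write` and `id-token: write`, and the checkout presumably succeeds only because the repository is public (which is what the template's "private repository" comment implies). The commented `contents: read` / `actions: read` lines hint at this but do not say it; a comment such as `# NOTE: listing scopes here overrides the workflow-level read-all; unlisted scopes are none` above the block would stop the next reader from assuming read access is still granted. Minor: the file is named `scorecard.yml` while every other workflow in this change uses `.yaml`, and the checkout SHA is annotated `# v4.1.1` here but `# v4` in regal-lint.yaml for the same commit; aligning these keeps Renovate's version comments consistent.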
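Review bot: `inconsistent-args` sits in Regal's `bugs` category, and this change (first hunk of .regal/config.yaml) silences it repo-wide with `level: ignore`, so a real argument-order mismatch between rule definitions would go unreported; `level: warning` keeps it visible in the `regal lint --format github` output without failing the job, or the exemption can be scoped to the offending files with Regal's per-rule `ignore: files:` list. `use-contains` and `use-if` are presumably disabled because the policies must still parse on OPA/Gatekeeper versions without the `contains`/`if` keywords — if so, a one-line comment recording that reason above them, e.g. `# kept off: policies must load on OPA/Gatekeeper builds without the if/contains keywords`, would stop someone re-enabling them. The second hunk also leaves the file without a trailing newline (`\ No newline at end of file`).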
--- a/README.md +++ b/README.md @@ -1,4 +1,8 @@ -![Run conftest-unittests.sh](https://github.com/redhat-cop/rego-policies/workflows/Run%20conftest-unittests.sh/badge.svg) +[![Run conftest-unittests.sh](https://github.com/redhat-cop/rego-policies/actions/workflows/conftest-unittests.yaml/badge.svg)](https://github.com/redhat-cop/rego-policies/actions/workflows/conftest-unittests.yaml) +[![Check POLICIES.md is up-to-date](https://github.com/redhat-cop/rego-policies/actions/workflows/docs.yaml/badge.svg)](https://github.com/redhat-cop/rego-policies/actions/workflows/docs.yaml) +[![Lint policies with Regal](https://github.com/redhat-cop/rego-policies/actions/workflows/regal-lint.yaml/badge.svg)](https://github.com/redhat-cop/rego-policies/actions/workflows/regal-lint.yaml) +[![Run gatekeeper-k8s-integrationtests.sh](https://github.com/redhat-cop/rego-policies/actions/workflows/gatekeeper-k8s-integrationtests.yaml/badge.svg)](https://github.com/redhat-cop/rego-policies/actions/workflows/gatekeeper-k8s-integrationtests.yaml) +[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/redhat-cop/rego-policies/badge)](https://securityscorecards.dev/viewer/?uri=github.com/redhat-cop/rego-policies) # rego-policies [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/) policies collection. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..cd856d7f --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,9 @@ +# Security Policy + +## Supported Versions + +Only the latest version is supported. + +## Reporting a Vulnerability + +For any issues or concerns, please contact: [@container-cop-core](https://github.com/orgs/redhat-cop/teams/container-cop-core) \ No newline at end of file diff --git a/renovate.json b/renovate.json index 01ae43ad..5ee1e64d 100644 --- a/renovate.json +++ b/renovate.json 
@@ -2,6 +2,21 @@ "$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": [ "config:best-practices", + "regexManagers:githubActionsVersions", "schedule:earlyMondays" + ], + "packageRules": [ + { + "matchDepTypes": [ + "action" + ], + "matchPackageNames": [ + "slsa-framework/slsa-github-generator" + ], + "matchUpdateTypes": [ + "pinDigest" + ], + "enabled": false + } ] }
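Review bot: The new packageRule disables `pinDigest` for `slsa-framework/slsa-github-generator` without recording why; since JSON has no comments, add Renovate's `"description"` field to the rule, e.g. `"description": "slsa-github-generator reusable workflow must be referenced by tag, not digest (see its README)"`, so the exemption is not later "fixed" in response to a Scorecard Pinned-Dependencies finding — the tag requirement is presumably the reason, given the generator's documentation. With `config:best-practices` in place (which, as far as I recall, bundles GitHub Action digest pinning), Renovate will also open digest-pinning PRs for the tag-referenced `actions/upload-artifact@v3`, `actions/download-artifact@v3` and `softprops/action-gh-release@v0.1.15` added to conftest-unittests.yaml in this commit; that is the desired outcome, but worth knowing when those PRs appear.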