Add rule types to check for Anchore's scan-action which calls grype

This ensures that folks do container or repo scanning and uses the Grype tool for the job Signed-off-by: Juan Antonio Osorio <[email protected]>
mindersec · Dec 18, 2024 · 3e88272 · 3e88272
1 parent 1dc6e7e
commit 3e88272
Show file tree

Hide file tree

Showing 2 changed files with 177 additions and 0 deletions.
diff --git a/rule-types/github/grype_github_action_scan_container_image.yaml b/rule-types/github/grype_github_action_scan_container_image.yaml
@@ -0,0 +1,68 @@
+---
+version: v1
+release_phase: beta
+type: rule-type
+name: grype_github_action_scan_container_image
+display_name: Ensure Grype GitHub Action Scans Container Images
+short_failure_message: Grype GitHub Action is not enabled for container image scanning.
+severity:
+  value: medium
+context:
+  provider: github
+description: |
+  This rule checks whether the Grype GitHub Action is enabled to scan container images for vulnerabilities.
+  Grype, a vulnerability scanner from Anchore, provides a robust mechanism to identify issues in container images. 
+  Implementing this action helps maintain secure and compliant workflows for containerized applications.
+
+guidance: |
+  Enable the Grype GitHub Action in your GitHub Actions workflow to scan container images for vulnerabilities. 
+  
+  You can add the Grype action to your workflow using the following configuration:
+
+  ```yaml
+  - name: Scan image
+    uses: anchore/[email protected]
+    with:
+      image: "<image-reference>"
+  ```
+
+  For more details, refer to the [Grype action documentation](https://github.com/anchore/scan-action).
+
+def:
+  in_entity: repository
+  rule_schema: {}
+  ingest:
+    type: git
+    git: {}
+  eval:
+    type: rego
+    rego:
+      type: deny-by-default
+      def: |
+        package minder
+
+        default allow := false
+        default message := "Grype GitHub Action is not enabled for container image scanning."
+
+        allow {
+            # List all workflows
+            workflows := file.ls("./.github/workflows")
+
+            # Read all workflows
+            some w
+            workflowstr := file.read(workflows[w])
+
+            workflow := yaml.unmarshal(workflowstr)
+
+            # Iterate jobs
+            job := workflow.jobs[_]
+
+            # Iterate steps
+            step := job.steps[_]
+
+            # Check if the step is a Grype action
+            startswith(step.uses, "anchore/scan-action@")
+        
+            # Check that the "with.image" field is set
+            step["with"]["image"] != ""
+        }
diff --git a/rule-types/github/grype_github_action_scan_repo.yaml b/rule-types/github/grype_github_action_scan_repo.yaml
@@ -0,0 +1,109 @@
+---
+version: v1
+release_phase: beta
+type: rule-type
+name: grype_github_action_scan_repo
+display_name: Ensure Grype GitHub Action Scans Repository
+short_failure_message: Grype GitHub Action is not enabled for repository scanning.
+severity:
+  value: medium
+context:
+  provider: github
+description: |
+  This rule checks whether the Grype GitHub Action is enabled to scan the repository for vulnerabilities.
+  
+  Grype, a vulnerability scanner from Anchore, provides a robust mechanism to identify vulnerabilities.
+  Implementing this action helps maintain secure and compliant dependencies for applications.
+
+guidance: |
+  Enable the Grype GitHub Action in your GitHub Actions workflow to scan repositories for vulnerabilities. 
+  
+  You can add the Grype action to your workflow using the following configuration:
+
+  ```yaml
+  - name: Scan image
+    uses: anchore/[email protected]
+    with:
+      path: "."
+  ```
+
+  For more details, refer to the [Grype action documentation](https://github.com/anchore/scan-action).
+
+def:
+  in_entity: repository
+  rule_schema: {}
+  ingest:
+    type: git
+    git: {}
+  eval:
+    type: rego
+    rego:
+      type: deny-by-default
+      def: |
+        package minder
+
+        default allow := false
+        default message := "Grype GitHub Action is not enabled for repository scanning."
+
+        allow {
+            # List all workflows
+            workflows := file.ls("./.github/workflows")
+
+            # Read all workflows
+            some w
+            workflowstr := file.read(workflows[w])
+
+            workflow := yaml.unmarshal(workflowstr)
+
+            # Iterate jobs
+            job := workflow.jobs[_]
+
+            # Iterate steps
+            step := job.steps[_]
+
+            # Check if the step is a Grype action
+            startswith(step.uses, "anchore/scan-action@")
+        
+            # Check that the "with.path" field is set
+            step["with"]["image"] != ""
+        }
+  remediate:
+    type: pull_request
+    pull_request:
+      title: "Add Grypo repository scanning configuration"
+      body: |
+        This is a Minder automated pull request.
+        
+        This pull request adds a Grype GitHub Action workflow to the repository.
+        
+        For more information, see https://github.com/anchore/scan-action
+      contents:
+        - path: .github/workflows/grype-repo-scan.yml
+          action: replace
+          content: |
+            name: "Grype Repository Scan"
+
+            on:
+              workflow_dispatch:
+              pull_request:
+              schedule:
+                - cron: '{{ .Profile.schedule_interval }}'
+
+            jobs:
+              repo-scan:
+                name: Scan
+                runs-on: 'ubuntu-latest'
+                permissions:
+                  actions: read
+                  contents: read
+
+                steps:
+                  - name: Checkout repository
+                    uses: actions/checkout@v4
+
+                  - name: Scan current project
+                    uses: anchore/[email protected]
+                    with:
+                      path: "."
+                      fail-build: true
+                      severity-cutoff: "high"