Skip to content
Merged

Dev #306

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
198 commits
Select commit Hold shift + click to select a range
58221da
added initiatl initiatives description
cppvik Dec 12, 2024
fdccb25
fix
cppvik Dec 12, 2024
e11b6e2
updated initiative description
cppvik Dec 12, 2024
b603b19
fix
cppvik Dec 12, 2024
35e2619
update initiative docs
cppvik Dec 16, 2024
c36e8c4
added filter-by description to the initiatives
cppvik Dec 18, 2024
8192660
fix
cppvik Dec 18, 2024
4ed95ea
added field descriptions
cppvik Jan 27, 2025
5d16724
tried to fix docosaurus module versions
cppvik Jan 27, 2025
6e291f7
limit toc max level
cppvik Jan 27, 2025
a489288
adjusted markdown levels
cppvik Jan 27, 2025
7c60dfa
limit toc max level
cppvik Jan 27, 2025
53ff7a6
small updates
cppvik Jan 27, 2025
ed0d6be
missing rule fields
cppvik Jan 28, 2025
76e86a1
updated policy catalog ref to v2
cppvik Jan 28, 2025
c7cb80e
initiative guide
cppvik Jan 28, 2025
39d976e
initiative guide
cppvik Jan 28, 2025
d7e2efc
update result logs
cppvik Jan 29, 2025
40ce26f
hide policy results tables
cppvik Jan 29, 2025
a23e9fe
result tables description
cppvik Jan 29, 2025
2e3e809
fix links
cppvik Jan 29, 2025
a2b8a37
small refactoring
cppvik Jan 30, 2025
81c4af4
changes suggested by @dn
cppvik Feb 6, 2025
b42be27
added defaults to rule/initiative configs
cppvik Feb 6, 2025
928e843
small changes following @dn suggestions
cppvik Feb 6, 2025
e9aba98
refactor initiatives guide
cppvik Feb 11, 2025
5308aad
fix
cppvik Feb 11, 2025
2cec32c
multiline valint
cppvik Feb 11, 2025
44d3a32
multiline valint
cppvik Feb 12, 2025
198df95
fixes & improvements
cppvik Mar 3, 2025
8de3f1d
fixes & improvements
cppvik Mar 3, 2025
d4c91e8
grammar fixes
cppvik Mar 3, 2025
ed76126
fixes
cppvik Mar 3, 2025
e35f2db
grammar fixes
cppvik Mar 3, 2025
ad1b318
updates
cppvik Mar 5, 2025
d772046
updates
cppvik Mar 6, 2025
828d96c
* updated policy results page
cppvik Mar 6, 2025
27742d4
SSDF.PS -> SSDF
cppvik Mar 9, 2025
b2acc28
added some clarifications
cppvik Mar 9, 2025
77c29bf
added new Rule filtering section
cppvik Mar 9, 2025
5f6d422
added additional links
cppvik Mar 9, 2025
d0b6531
updated initiative introduction section
cppvik Mar 9, 2025
4df00c3
small text adjustment
cppvik Mar 9, 2025
0682900
updated policy results tables
cppvik Mar 10, 2025
eabf141
update
cppvik Mar 10, 2025
06d9bc8
docusaurus admonision messages for the initiatives
cppvik Mar 12, 2025
39b2e31
updates
houdini91 Jan 2, 2025
5e6507e
updates
houdini91 Jan 2, 2025
63e10fd
valint docs
houdini91 Jan 13, 2025
c474f81
mend wait_all
houdini91 Jan 13, 2025
4cd9e14
update docs
houdini91 Jan 13, 2025
cd1b45b
downgrade
houdini91 Jan 13, 2025
bc8e9f2
downgrade
houdini91 Jan 13, 2025
3977582
mend wait_all
houdini91 Jan 13, 2025
65e3c6d
Gen docs
houdini91 Jan 29, 2025
365742e
TEst
houdini91 Jan 29, 2025
4c3f766
mikey fixs= merge main
houdini91 Jan 29, 2025
46d0051
Retrigger
houdini91 Feb 25, 2025
3bd1ab2
Fix action
houdini91 Mar 2, 2025
6f5af36
upstream
houdini91 Mar 5, 2025
21f19be
Merge remote-tracking branch 'origin/dev' into dev-preview/initiatives
houdini91 Mar 12, 2025
f8856cc
tmp gen docs
houdini91 Mar 12, 2025
62206db
tmp gen docs
houdini91 Mar 12, 2025
9434429
tmp gen docs
houdini91 Mar 12, 2025
e6d6ca0
tmp gen docs
houdini91 Mar 12, 2025
7f85022
tmp gen docs
houdini91 Mar 12, 2025
fc6c200
tmp gen docs
houdini91 Mar 12, 2025
2f611b8
tmp gen docs
houdini91 Mar 12, 2025
7543f6c
tmp gen docs
houdini91 Mar 12, 2025
d5089f0
tmp gen docs
houdini91 Mar 12, 2025
75579cf
tmp gen docs
houdini91 Mar 12, 2025
7c7c3a6
tmp gen docs
houdini91 Mar 12, 2025
ab380a8
tmp gen docs
houdini91 Mar 12, 2025
249cea3
tmp gen docs
houdini91 Mar 12, 2025
5f0d914
tmp gen docs
houdini91 Mar 12, 2025
0ee3aa3
tmp gen docs
houdini91 Mar 12, 2025
af8e9df
tmp gen docs
houdini91 Mar 12, 2025
3af3cc9
tmp gen docs
houdini91 Mar 12, 2025
f664f22
tmp gen docs
houdini91 Mar 12, 2025
6e9f687
tmp gen docs
houdini91 Mar 12, 2025
0f0bcb9
tmp gen docs
houdini91 Mar 12, 2025
82d7d03
tmp gen docsush
houdini91 Mar 12, 2025
00d08c8
tmp gen docsush
houdini91 Mar 12, 2025
24adb9e
tmp gen docsush
houdini91 Mar 12, 2025
4e07826
tmp gen docsush
houdini91 Mar 12, 2025
2327077
tmp gen docsush
houdini91 Mar 12, 2025
9c67092
tmp gen docsush
houdini91 Mar 12, 2025
dd6e3bd
tmp gen docsush
houdini91 Mar 12, 2025
92be1c9
tmp gen docsush
houdini91 Mar 12, 2025
3ed1750
tmp gen docsush
houdini91 Mar 12, 2025
4c45f17
tmp gen docsush
houdini91 Mar 12, 2025
3f94670
tmp gen docsush
houdini91 Mar 12, 2025
b3c02c2
tmp gen docsush
houdini91 Mar 12, 2025
f76c089
tmp gen docsush
houdini91 Mar 12, 2025
6220690
tmp gen docsush
houdini91 Mar 12, 2025
a0fb069
tmp gen docsush
houdini91 Mar 12, 2025
dac4986
tmp gen docsush
houdini91 Mar 12, 2025
1bcd4bd
tmp gen docsush
houdini91 Mar 12, 2025
adfe090
tmp gen docsush
houdini91 Mar 12, 2025
ab74160
tmp gen docsush
houdini91 Mar 12, 2025
a5ff2ea
tmp gen docsush
houdini91 Mar 12, 2025
cf3f4c8
tmp gen docsush
houdini91 Mar 12, 2025
698bfac
tmp gen docsush
houdini91 Mar 12, 2025
cde656e
tmp gen docsush
houdini91 Mar 12, 2025
1117cd7
tmp gen docsush
houdini91 Mar 12, 2025
f1601ea
small adjustments
cppvik Mar 12, 2025
94bd8b8
test gen docs
houdini91 Mar 13, 2025
9210376
test gen docs
houdini91 Mar 13, 2025
90c754c
test gen docs
houdini91 Mar 13, 2025
2c279a6
test gen docs
houdini91 Mar 13, 2025
d4799c9
test gen docs
houdini91 Mar 13, 2025
9b4c8a9
test gen docs
houdini91 Mar 13, 2025
d0c608d
test gen docs
houdini91 Mar 13, 2025
071ed76
test gen docs
houdini91 Mar 13, 2025
798da84
test usage examples
cppvik Mar 13, 2025
f255557
Revert "test usage examples"
cppvik Mar 13, 2025
80c85f7
Revert "test gen docs"
cppvik Mar 13, 2025
d2fd86d
test usage examples
cppvik Mar 13, 2025
0850a08
Revert "test gen docs"
cppvik Mar 13, 2025
26d0bf3
test usage examples
cppvik Mar 13, 2025
d98ce43
test usage examples
cppvik Mar 13, 2025
224837e
test gen docs
houdini91 Mar 13, 2025
4446468
test gen docs
houdini91 Mar 13, 2025
e7361e0
test gen docs
houdini91 Mar 13, 2025
223cfe7
test gen docs
houdini91 Mar 13, 2025
db6ed40
test gen docs
houdini91 Mar 13, 2025
bda7327
test gen docs
houdini91 Mar 13, 2025
cc539b1
test gen docs
houdini91 Mar 13, 2025
ba0ce67
test gen docs
houdini91 Mar 13, 2025
a68903e
test gen docs
houdini91 Mar 13, 2025
a4f50a9
test gen docs
houdini91 Mar 13, 2025
052ac5d
test gen docs
houdini91 Mar 13, 2025
7e0426e
test gen docs
houdini91 Mar 13, 2025
ce5bcfa
test gen docs
houdini91 Mar 13, 2025
2e3b9ee
test gen docs
houdini91 Mar 13, 2025
91a4a3e
test gen docs
houdini91 Mar 13, 2025
42bfeb1
test gen docs
houdini91 Mar 13, 2025
35f4860
test gen docs
houdini91 Mar 16, 2025
7bb270e
test gen docs
houdini91 Mar 16, 2025
cd50511
test gen docs
houdini91 Mar 16, 2025
b395fe4
update index location
houdini91 Mar 16, 2025
7ddf02e
update index location
houdini91 Mar 16, 2025
74d9c82
update index location
houdini91 Mar 16, 2025
fcedb85
update index location
houdini91 Mar 16, 2025
b3b8c8e
update index location
houdini91 Mar 16, 2025
17b2e1b
update index location
houdini91 Mar 16, 2025
e5dd129
update index location
houdini91 Mar 16, 2025
a63f97b
update index location
houdini91 Mar 16, 2025
5641f82
update index location
houdini91 Mar 16, 2025
0a5d1a8
update index location
houdini91 Mar 16, 2025
1f2d369
update
houdini91 Mar 16, 2025
c07235c
update
cppvik Mar 16, 2025
440199d
update
houdini91 Mar 16, 2025
699113b
update
houdini91 Mar 16, 2025
2d6ef9f
update
houdini91 Mar 16, 2025
f7fb5f7
update
houdini91 Mar 16, 2025
a5e4bbf
update
houdini91 Mar 16, 2025
4b02074
update
houdini91 Mar 16, 2025
235bdca
update
houdini91 Mar 16, 2025
c2edbfe
remove client id
houdini91 Mar 17, 2025
ab6f7b4
update
cppvik Mar 23, 2025
f222b28
update
cppvik Mar 23, 2025
59f4f3b
update
cppvik Mar 24, 2025
785f501
update
cppvik Mar 24, 2025
242d421
update
cppvik Mar 24, 2025
6a76d74
update
cppvik Mar 24, 2025
1867ceb
Merge pull request #299 from scribe-security/dev-preview/initiatives_…
cppvik Mar 25, 2025
aec8a56
migration guide
cppvik Mar 25, 2025
ab98e3a
- separated advanced features and technical details of the feature core
cppvik Apr 2, 2025
86c0f91
update gendocs
cppvik Apr 3, 2025
4303d39
update (removed the DOC_SITE_URL prefix)
cppvik Apr 3, 2025
c4a00c0
ssdf fix
cppvik Apr 3, 2025
a7eb9e8
updated list of supported fields in the Match Context
cppvik Apr 9, 2025
973286a
updated the beautify flag description
cppvik Apr 9, 2025
e8dfff3
cosign update
houdini91 Apr 9, 2025
10361b1
Merge pull request #302 from scribe-security/initiatives_cosign_compl…
houdini91 Apr 9, 2025
2ad085a
Update docs/configuration/initiatives/rules/api/scribe-api-cve.md
houdini91 Apr 9, 2025
7b05242
Update docs/configuration/initiatives/rules/api/scribe-api-cve-produc…
houdini91 Apr 9, 2025
f9cfe55
Update docs/configuration/initiatives/rules/api/scribe-api.md
houdini91 Apr 9, 2025
ac9489e
updated list of supported fields in the Match Context
cppvik Apr 9, 2025
c85c9e9
added migration example
cppvik Apr 14, 2025
fce3543
updated generated docs
cppvik Apr 14, 2025
5e679e2
added descriptions for new SLSA rules
cppvik Apr 14, 2025
de9e7f0
fixed new SLSA rules descriptions
cppvik Apr 14, 2025
6f67c88
updated results example
cppvik Apr 15, 2025
41ceca8
fix: updated default list of filter-by groups
cppvik Apr 15, 2025
476e069
fixed SARIF paths for kyverno
cppvik Apr 15, 2025
53befde
update rule descriptions
cppvik Apr 16, 2025
42a0b7f
updated filter-by description
cppvik Apr 20, 2025
7d238fd
updated generated rule docs
cppvik May 18, 2025
c27b685
Merge remote-tracking branch 'origin/dev' into dev-preview/initiatives
cppvik May 18, 2025
1d52e59
Partially Revert "upstream valint v1.5.19"
cppvik May 18, 2025
3bf4911
Merge pull request #286 from scribe-security/dev-preview/initiatives
houdini91 May 22, 2025
6c95286
Update export.yaml
cppvik May 23, 2025
3004f64
update
houdini91 May 27, 2025
601ffd3
add initiative example
houdini91 May 27, 2025
e48d2f7
Merge branch 'dev' into prep_v2_0_0
houdini91 May 27, 2025
554bd83
Merge pull request #305 from scribe-security/prep_v2_0_0
houdini91 May 27, 2025
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions .github/workflows/export.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ jobs:
strategy:
fail-fast: false
matrix:
os: [ubuntu-20.04] # TODO: only build
os: [ubuntu-24.04] # TODO: only build
repo: ["valint", "action-bom", "action-verify", "action-slsa", "orbs", "azure-tasks", "helm-charts", "valint-pipe"]
runs-on: ${{ matrix.os }}
defaults:
Expand Down Expand Up @@ -52,4 +52,4 @@ jobs:
branch: docs_import_${{ steps.extract_branch.outputs.branch }}
path: sub/${{ matrix.repo }}
token: ${{ secrets.PR_PAT }}
title: autogen - docs export
title: autogen - docs export
4 changes: 4 additions & 0 deletions docs/configuration/_category_.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
{
"label": "Configuration",
"position": 999
}
4 changes: 4 additions & 0 deletions docs/configuration/initiatives/_category_.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
{
"label": "Reference: Policies and Configuration Guide",
"position": 999
}
311 changes: 311 additions & 0 deletions docs/configuration/initiatives/index.md

Large diffs are not rendered by default.

4 changes: 4 additions & 0 deletions docs/configuration/initiatives/rules/_category_.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
{
"label": "Rule Configuration",
"position": 999
}
4 changes: 4 additions & 0 deletions docs/configuration/initiatives/rules/api/_category_.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
{
"label": "Scribe API",
"position": 1
}
38 changes: 38 additions & 0 deletions docs/configuration/initiatives/rules/api/scribe-api-cve-product.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
---
sidebar_label: Verify No Critical or High Vulnerabilities in Product
title: Verify No Critical or High Vulnerabilities in Product
---
# Verify No Critical or High Vulnerabilities in Product
**Type:** Rule
**ID:** `scribe-cve-product`
**Source:** [v2/rules/api/scribe-api-cve-product.yaml](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/api/scribe-api-cve-product.yaml)
**Rego Source:** [scribe-api.rego](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/api/scribe-api.rego)
**Labels:** SCA, Blueprint, Scribe

Verify via Scribe API that there are no critical or high severity vulnerabilities in any deliverable component of the product.

:::tip
Evidence **IS NOT** required for this rule.
:::
:::tip
Rule requires the Scribe API to be enabled. Ensure that you provide the Scribe Token to the `valint` utility.
:::

## Usage example

```yaml
uses: api/scribe-api-cve-product@v2
```

## Mitigation
Ensure that all critical or high severity vulnerabilities are addressed before delivering the product.


## Description
This rule ensures that there are no critical or high severity vulnerabilities in any deliverable component of the product by verifying via the Scribe API.

## Input Definitions
| Parameter | Type | Required | Description |
|-----------|------|----------|-------------|
| cve | array | True | List of CVEs to check against the product components. |

57 changes: 57 additions & 0 deletions docs/configuration/initiatives/rules/api/scribe-api-cve.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,57 @@
---
sidebar_label: Verify No Critical or High Vulnerabilities
title: Verify No Critical or High Vulnerabilities
---
# Verify No Critical or High Vulnerabilities
**Type:** Rule
**ID:** `scribe-cve`
**Source:** [v2/rules/api/scribe-api-cve.yaml](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/api/scribe-api-cve.yaml)
**Rego Source:** [scribe-api-cve.rego](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/api/scribe-api-cve.rego)
**Labels:** SCA, Blueprint, Scribe

Verify via Scribe API that there are no critical or high severity vulnerabilities in the target artifact (container image, folder, etc.).

:::tip
Rule requires the Scribe API to be enabled. Ensure that you provide the Scribe Token to the `valint` utility.
:::
:::tip
Signed Evidence for this rule **IS NOT** required by default but is recommended.
:::
:::warning
Rule requires evaluation with a target. Without one, it will be **disabled** unless the `--all-evidence` flag is provided.
:::
:::info
Rule is scoped by product and target.
:::

## Usage example

```yaml
uses: api/scribe-api-cve@v2
with:
superset:
cve:
max: 0
severity: 6
```

## Mitigation
Ensure that all critical or high severity vulnerabilities are addressed before delivering the product.


## Description
This rule ensures that there are no critical or high severity vulnerabilities in any deliverable component of the product by verifying via the Scribe API.

## Evidence Requirements
| Field | Value |
|-------|-------|
| filter-by | ['product', 'target'] |
| signed | False |
| content_body_type | cyclonedx-json |
| target_type | container |

## Input Definitions
| Parameter | Type | Required | Description |
|-----------|------|----------|-------------|
| superset | object | False | The superset of CVEs to check for, including the following format [cve: [max: int, severity: int]] |

60 changes: 60 additions & 0 deletions docs/configuration/initiatives/rules/api/scribe-api-findings.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
---
sidebar_label: Verify No 3rd Party Findings via Scribe API
title: Verify No 3rd Party Findings via Scribe API
---
# Verify No 3rd Party Findings via Scribe API
**Type:** Rule
**ID:** `scribe-findings`
**Source:** [v2/rules/api/scribe-api-findings.yaml](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/api/scribe-api-findings.yaml)
**Rego Source:** [scribe-api-findings.rego](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/api/scribe-api-findings.rego)
**Labels:** SCA, Blueprint, Scribe

Verify via Scribe API that there are no findings reported by 3rd party tools in the target product.

:::tip
Evidence **IS NOT** required for this rule.
:::
:::tip
Rule requires the Scribe API to be enabled. Ensure that you provide the Scribe Token to the `valint` utility.
:::

## Usage example

```yaml
uses: api/scribe-api-findings@v2
with:
superset:
findings:
severities:
- Critical
- High
tools:
- Trivy
- Snyk
titles:
- "CVE-2023-1234"
- "CVE-2023-5678"
- "CVE-2025"
cwes:
- "CWE-123"
- "CWE-456"
descriptions:
- "Vulnerability in component X"
- "Misconfiguration in component Y"
descriptions_to_ignore:
- "False positive in component Z"
- "Known issue in component A"
```

## Mitigation
Ensure that all findings reported by 3rd party tools are addressed before delivering the product.


## Description
This rule ensures that there are no findings, such as vulnerabilities, misconfigurations, or other issues reported by 3rd party tools, in any component of the product by verifying via the Scribe API.

## Input Definitions
| Parameter | Type | Required | Description |
|-----------|------|----------|-------------|
| superset | object | False | Filters for the findings. See usage example. |

47 changes: 47 additions & 0 deletions docs/configuration/initiatives/rules/api/scribe-api-published.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
---
sidebar_label: Scribe Published Policy
title: Scribe Published Policy
---
# Scribe Published Policy
**Type:** Rule
**ID:** `scribe-published-policy`
**Source:** [v2/rules/api/scribe-api-published.yaml](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/api/scribe-api-published.yaml)
**Rego Source:** [scribe-api-published.rego](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/api/scribe-api-published.rego)
**Labels:** Scribe

Verify image Scribe Publish flag is set for container image.

:::tip
Rule requires the Scribe API to be enabled. Ensure that you provide the Scribe Token to the `valint` utility.
:::
:::tip
Signed Evidence for this rule **IS NOT** required by default but is recommended.
:::
:::warning
Rule requires evaluation with a target. Without one, it will be **disabled** unless the `--all-evidence` flag is provided.
:::

## Usage example

```yaml
uses: api/scribe-api-published@v2
```

## Mitigation
Ensure that all critical or high severity vulnerabilities are addressed before delivering the product.


## Description
This rule ensures that the product is published only after all critical or high severity vulnerabilities are addressed.

## Evidence Requirements
| Field | Value |
|-------|-------|
| signed | False |
| content_body_type | cyclonedx-json |

## Rule Parameters (`with`)
| Parameter | Default |
|-----------|---------|
| superset | `{'published': None}` |

44 changes: 44 additions & 0 deletions docs/configuration/initiatives/rules/api/scribe-api.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
---
sidebar_label: Apply Scribe Template Policy
title: Apply Scribe Template Policy
---
# Apply Scribe Template Policy
**Type:** Rule
**ID:** `scribe-template`
**Source:** [v2/rules/api/scribe-api.yaml](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/api/scribe-api.yaml)
**Rego Source:** [scribe-api.rego](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/api/scribe-api.rego)
**Labels:** Scribe

Verify XX using the Scribe API template rule.

:::tip
Rule requires the Scribe API to be enabled. Ensure that you provide the Scribe Token to the `valint` utility.
:::
:::tip
Signed Evidence for this rule **IS NOT** required by default but is recommended.
:::
:::warning
Rule requires evaluation with a target. Without one, it will be **disabled** unless the `--all-evidence` flag is provided.
:::
:::info
Rule is scoped by product and target.
:::

## Usage example

```yaml
uses: api/scribe-api@v2
```

## Evidence Requirements
| Field | Value |
|-------|-------|
| filter-by | ['product', 'target'] |
| signed | False |
| content_body_type | cyclonedx-json |

## Rule Parameters (`with`)
| Parameter | Default |
|-----------|---------|
| superset | `{'cve': {'max': 0, 'severity': 6}, 'licences': {'max': 500}, 'unmaintained': {'max': 2000}, 'images': {'max': 20}}` |

Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
{
"label": "Bitbucket",
"position": 1
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
{
"label": "Project",
"position": 1
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
---
sidebar_label: Allowed Project Admins
title: Allowed Project Admins
---
# Allowed Project Admins
**Type:** Rule
**ID:** `bb-project-allowed-project-admins`
**Source:** [v2/rules/bitbucket/project/allow-admins.yaml](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/bitbucket/project/allow-admins.yaml)
**Rego Source:** [allow-admins.rego](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/bitbucket/project/allow-admins.rego)

Verify only users specified in the Allowed List have admin privileges in the Bitbucket project.

:::note
This rule requires Bitbucket Project Discovery Evidence. See [here](/docs/platforms/discover#bitbucket-discovery) for more details.
:::
:::tip
Signed Evidence for this rule **IS NOT** required by default but is recommended.
:::
:::warning
Rule requires evaluation with a target. Without one, it will be **disabled** unless the `--all-evidence` flag is provided.
:::

## Usage example

```yaml
uses: bitbucket/project/allow-admins@v2
with:
allowed_admins:
- "user1"
- "user2"
- "user3"
```

## Mitigation
Ensure that only users in the Allowed List have admin privileges in the Bitbucket project to reduce the risk of unauthorized changes.


## Description
This rule ensures that only users in the Allowed List have admin privileges in the Bitbucket project.
It performs the following steps:

1. Checks the settings of the Bitbucket project.
2. Verifies that only users in the Allowed List have admin privileges.

**Evidence Requirements:**
- Evidence must be provided by the Scribe Platform's CLI tool through scanning Bitbucket project resources.

## Evidence Requirements
| Field | Value |
|-------|-------|
| signed | False |
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
| labels | - platform=bitbucket<br/>- asset_type=project |

## Input Definitions
| Parameter | Type | Required | Description |
|-----------|------|----------|-------------|
| allowed_admins | array | False | List of users allowed to have admin privileges in the Bitbucket project. |

Loading