diff --git a/docs/configuration/initiatives/index.md b/docs/configuration/initiatives/index.md index 30035d07a..1cd377120 100644 --- a/docs/configuration/initiatives/index.md +++ b/docs/configuration/initiatives/index.md @@ -22,6 +22,7 @@ |-----------|-------------| | [Apply Scribe Template Policy](/docs/configuration/initiatives/rules/api/scribe-api.md) | Verify XX using the Scribe API template rule. | | [Scribe Published Policy](/docs/configuration/initiatives/rules/api/scribe-api-published.md) | Verify image Scribe Publish flag is set for container image. | +| [Verify No Critical or High Vulnerabilities](/docs/configuration/initiatives/rules/api/scribe-api-cve.md) | Verify via Scribe API that there are no critical or high severity vulnerabilities in the target artifact (container image, folder, etc.). | | [NTIA SBOM Compliance Check](/docs/configuration/initiatives/rules/sbom/NTIA-compliance.md) | Validates that SBOM metadata meets basic NTIA requirements for authors and supplier. | | [Enforce SBOM Freshness](/docs/configuration/initiatives/rules/sbom/fresh-sbom.md) | Verify the SBOM is not older than the specified duration. | | [Require SBOM Existence](/docs/configuration/initiatives/rules/sbom/evidence-exists.md) | Verify the SBOM exists as evidence. | @@ -41,13 +42,13 @@ | [Disallow Specific Users in SBOM](/docs/configuration/initiatives/rules/images/banned-users.md) | Verify specific users are not allowed in an SBOM. | | [Restrict Build Scripts](/docs/configuration/initiatives/rules/images/blocklist-build-scripts.md) | Verify no build scripts commands appear in block list. | | [Registry Connection HTTPS](/docs/configuration/initiatives/rules/images/enforce-https-registry.md) | Checks if the container's registry scheme is HTTPS | +| [Verify NPM Packages Origin](/docs/configuration/initiatives/rules/images/allowed-npm-registries.md) | Verify that the artifact contains only components from allowed NPM registries. | | [Require Image Labels](/docs/configuration/initiatives/rules/images/verify-labels-exist.md) | Verify the image has the specified labels. | | [Require Healthcheck](/docs/configuration/initiatives/rules/images/require-healthcheck.md) | Checks that the container image includes at least one healthcheck property. | | [Allowed Base Image](/docs/configuration/initiatives/rules/images/allowed-base-image.md) | Verifies that every base image is from an approved source. The rule returns a summary including the component names and versions of valid base images, or lists the invalid ones. This rule requires Dockerfile context; for example, run it with: `valint my_image --base-image Dockerfile`. | | [Fresh Image](/docs/configuration/initiatives/rules/images/fresh-image.md) | Verify the image is not older than the specified threshold. | | [Allowed Main Image Source](/docs/configuration/initiatives/rules/images/allowed-image-source.md) | Ensures the main container image referenced in the SBOM is from an approved source. | | [Require Signed Container Image](/docs/configuration/initiatives/rules/images/image-signed.md) | Enforces that container images (target_type=container) are cryptographically signed. | -| [Verify No Critical or High Vulnerabilities](/docs/configuration/initiatives/rules/api/scribe-api-cve.md) | Verify via Scribe API that there are no critical or high severity vulnerabilities in the target artifact (container image, folder, etc.). | | [Disallow Specific Users in SBOM](/docs/configuration/initiatives/rules/sbom/banned-users.md) | Verify specific users are not allowed in an SBOM. | | [Enforce SBOM Dependencies](/docs/configuration/initiatives/rules/sbom/required-packages.md) | Verify the artifact includes all required dependencies. | | [Enforce SBOM License Completeness](/docs/configuration/initiatives/rules/sbom/complete-licenses.md) | Verify all dependencies in the artifact have a license. | @@ -109,6 +110,7 @@ | [Verify `secret_scanning` Setting in `security_and_analysis`](/docs/configuration/initiatives/rules/github/org/secret-scanning-sa.md) | Verify secret scanning is configured in the GitHub repository. | | [Limit Admin Number in GitHub Organization](/docs/configuration/initiatives/rules/github/org/max-admins.md) | Verify the maximum number of GitHub organization admins is restricted. | | [Verify `advanced_security_enabled_for_new_repositories` setting](/docs/configuration/initiatives/rules/github/org/advanced-security.md) | Verify Advanced Security is enabled for new repositories in the GitHub organization. | +| [Require GitHub Organization Discovery Evidence](/docs/configuration/initiatives/rules/github/org/evidence-exists.md) | Verify the GitHub Organization exists as evidence. | | [Verify dependency_graph_enabled_for_new_repositories setting](/docs/configuration/initiatives/rules/github/org/dependency-graph.md) | Verify dependency graph is enabled for new repositories in the GitHub organization. | | [Verify GitHub Organization Requires Signoff on Web Commits](/docs/configuration/initiatives/rules/github/org/web-commit-signoff.md) | Verify contributors sign commits through the GitHub web interface. | | [Verify Two-Factor Authentication (2FA) Requirement Enabled](/docs/configuration/initiatives/rules/github/org/2fa.md) | Verify Two-factor Authentication is required in the GitHub organization. | @@ -133,6 +135,7 @@ | [Verify secret scanning.](/docs/configuration/initiatives/rules/github/repository/validity-checks.md) | Verify both `secret_scanning_validity_checks` and `security_and_analysis` are set in GitHub organization and all the repositories. | | [Verify Dependabot security updates setting](/docs/configuration/initiatives/rules/github/repository/dependabot.md) | Verify Dependabot security updates are configured in the GitHub repository. | | [Verify Repository Is Private](/docs/configuration/initiatives/rules/github/repository/repo-private.md) | Verify the GitHub repository is private. | +| [Require GitHub Repository Discovery Evidence](/docs/configuration/initiatives/rules/github/repository/evidence-exists.md) | Verify the GitHub Repository exists as evidence. | | [Verify Repository Requires Commit Signoff](/docs/configuration/initiatives/rules/github/repository/web-commit-signoff.md) | Verify contributors sign off on commits to the GitHub repository through the GitHub web interface. | | [Verify Default Branch Protection](/docs/configuration/initiatives/rules/github/repository/default-branch-protection.md) | Verify the default branch protection is configured in the GitHub repository. | | [Verify No Old Secrets Exist in Repository](/docs/configuration/initiatives/rules/github/repository/old-secrets.md) | Verify secrets in the GitHub repository are not older than the specified threshold. | @@ -215,6 +218,7 @@ |-----------|-------------| | [Allowed Container Images](/docs/configuration/initiatives/rules/k8s/namespace/allowed-images.md) | Verify only container images specified in the Allowed List run within the Kubernetes namespace. | | [Verify Namespace Termination](/docs/configuration/initiatives/rules/k8s/namespace/verify-namespace-termination.md) | Verify Kubernetes namespaces are properly terminated to prevent lingering resources and maintain cluster hygiene. | +| [Require K8s Namespace Discovery Evidence](/docs/configuration/initiatives/rules/k8s/namespace/evidence-exists.md) | Verify the K8s Namespace exists as evidence. | | [Allowed Namespaces](/docs/configuration/initiatives/rules/k8s/namespace/white-listed-namespaces.md) | Verify only namespaces specified in the Allowed List are allowed within the cluster. | | [Verify Namespace Runtime Duration](/docs/configuration/initiatives/rules/k8s/namespace/verify-namespace-duration.md) | Verify Kubernetes namespaces adhere to a specified runtime duration to enforce lifecycle limits. | | [Allowed Namespace Registries](/docs/configuration/initiatives/rules/k8s/namespace/allowed-registries.md) | Verify container images in Kubernetes namespaces originate from registries in the Allowed List. | @@ -226,6 +230,7 @@ | Rule Name | Description | |-----------|-------------| | [Verify Pod Runtime Duration](/docs/configuration/initiatives/rules/k8s/pods/verify-pod-duration.md) | Verify Kubernetes pods adhere to a specified runtime duration to enforce lifecycle limits. | +| [Require K8s Pod Discovery Evidence](/docs/configuration/initiatives/rules/k8s/pods/evidence-exists.md) | Verify the K8s Pod exists as evidence. | | [Verify Pod Termination](/docs/configuration/initiatives/rules/k8s/pods/verify-pod-termination.md) | Verify Kubernetes pods are properly terminated to prevent lingering resources and maintain cluster hygiene. | | [Allowed Pods](/docs/configuration/initiatives/rules/k8s/pods/white-listed-pod.md) | Verify only pods explicitly listed in the Allowed List are allowed to run. | @@ -235,6 +240,7 @@ | Rule Name | Description | |-----------|-------------| | [Prevent Long-Lived Tokens](/docs/configuration/initiatives/rules/bitbucket/project/long-live-tokens.md) | Verify Bitbucket API tokens expire before the maximum time to live. | +| [Require Bitbucket Project Discovery Evidence](/docs/configuration/initiatives/rules/bitbucket/project/evidence-exists.md) | Verify the Bitbucket Project exists as evidence. | | [Allowed Project Admins](/docs/configuration/initiatives/rules/bitbucket/project/allow-admins.md) | Verify only users specified in the Allowed List have admin privileges in the Bitbucket project. | | [Allowed Project Users](/docs/configuration/initiatives/rules/bitbucket/project/allow-users.md) | Verify only users specified in the Allowed List have user access to the Bitbucket project. | | [Prevent Credential Exposure](/docs/configuration/initiatives/rules/bitbucket/project/exposed-credentials.md) | Verify access to the Bitbucket project is blocked if exposed credentials are detected. | @@ -244,6 +250,7 @@ | Rule Name | Description | |-----------|-------------| +| [Require Bitbucket Repository Discovery Evidence](/docs/configuration/initiatives/rules/bitbucket/repository/evidence-exists.md) | Verify the Bitbucket Repository exists as evidence. | | [Allowed Repository Admins](/docs/configuration/initiatives/rules/bitbucket/repository/allow-admins.md) | Verify only users specified in the Allowed List have admin privileges in the Bitbucket repository. | | [Verify Default Branch Protection Setting Is Configured](/docs/configuration/initiatives/rules/bitbucket/repository/branch-protection.md) | Verify the default branch protection is enabled in the Bitbucket repository. | | [Allowed Repository Users](/docs/configuration/initiatives/rules/bitbucket/repository/allow-users.md) | Verify only users specified in the Allowed List have user access to the Bitbucket repository. | @@ -253,18 +260,10 @@ | Rule Name | Description | |-----------|-------------| +| [Require Bitbucket Workspace Discovery Evidence](/docs/configuration/initiatives/rules/bitbucket/workspace/evidence-exists.md) | Verify the Bitbucket Workspace exists as evidence. | | [Allowed Workspace Admins](/docs/configuration/initiatives/rules/bitbucket/workspace/allow-admins.md) | Verify only users specified in the Allowed List have admin privileges in the Bitbucket workspace. | | [Allowed Workspace Users](/docs/configuration/initiatives/rules/bitbucket/workspace/allow-users.md) | Verify only users specified in the Allowed List have user access to the Bitbucket workspace. | -### Discovery Evidence -**Evidence Type:** [Discovery Evidence](/docs/platforms/discover) - -| Rule Name | Description | -|-----------|-------------| -| [Verify GitLab Pipeline Labels](/docs/configuration/initiatives/rules/gitlab/pipeline/verify-labels.md) | Verify the pipeline includes all required label keys and values. | -| [GitLab pipeline verify labels exist](/docs/configuration/initiatives/rules/gitlab/pipeline/verify-labels-exist.md) | Verify the pipeline has all required label keys and values. | -| [Verify Exposed Credentials](/docs/configuration/initiatives/rules/jenkins/folder/exposed-credentials.md) | Verify there are no exposed credentials. | - ### Dockerhub Project Discovery Evidence **Evidence Type:** [Dockerhub Project Discovery Evidence](/docs/platforms/discover#dockerhub-discovery) @@ -273,11 +272,20 @@ | [Verify DockerHub Tokens are Active](/docs/configuration/initiatives/rules/dockerhub/token-expiration.md) | Verify that all discovered Dockerhub tokens are set to Active in Dockerhub. | | [Verify no unused Dockerhub](/docs/configuration/initiatives/rules/dockerhub/token-not-used.md) | Verify that there are no unused Dockerhub. | +### Jenkins Folder Discovery Evidence +**Evidence Type:** [Jenkins Folder Discovery Evidence](/docs/platforms/discover#jenkins-discovery) + +| Rule Name | Description | +|-----------|-------------| +| [Require Jenkins Folder Discovery Evidence](/docs/configuration/initiatives/rules/jenkins/folder/evidence-exists.md) | Verify the Jenkins Folder exists as evidence. | +| [Verify Exposed Credentials](/docs/configuration/initiatives/rules/jenkins/folder/exposed-credentials.md) | Verify there are no exposed credentials. | + ### Jenkins Instance Discovery Evidence **Evidence Type:** [Jenkins Instance Discovery Evidence](/docs/platforms/discover#jenkins-discovery) | Rule Name | Description | |-----------|-------------| +| [Require Jenkins Instance Discovery Evidence](/docs/configuration/initiatives/rules/jenkins/instance/evidence-exists.md) | Verify the Jenkins Instance exists as evidence. | | [Disallow Unused Users](/docs/configuration/initiatives/rules/jenkins/instance/unused-users.md) | Verify there are no users with zero activity. | | [Verify Inactive Users](/docs/configuration/initiatives/rules/jenkins/instance/inactive-users.md) | Verify there are no inactive users. | diff --git a/docs/configuration/initiatives/rules/api/scribe-api-cve.md b/docs/configuration/initiatives/rules/api/scribe-api-cve.md index 420ce34c5..84a5e0040 100644 --- a/docs/configuration/initiatives/rules/api/scribe-api-cve.md +++ b/docs/configuration/initiatives/rules/api/scribe-api-cve.md @@ -33,6 +33,8 @@ with: cve: max: 0 severity: 6 + has_kev: true + has_fix: false ``` ## Mitigation @@ -48,10 +50,9 @@ This rule ensures that there are no critical or high severity vulnerabilities in | filter-by | ['product', 'target'] | | signed | False | | content_body_type | cyclonedx-json | -| target_type | container | ## Input Definitions | Parameter | Type | Required | Description | |-----------|------|----------|-------------| -| superset | object | False | The superset of CVEs to check for, including the following format [cve: [max: int, severity: int]] | +| superset | object | False | The superset of CVEs to check for, including the following format [cve: [max: int, severity: int], has_kev: bool, has_fix: bool]]. | diff --git a/docs/configuration/initiatives/rules/bitbucket/project/allow-admins.md b/docs/configuration/initiatives/rules/bitbucket/project/allow-admins.md index de262da4c..cbf578cdc 100644 --- a/docs/configuration/initiatives/rules/bitbucket/project/allow-admins.md +++ b/docs/configuration/initiatives/rules/bitbucket/project/allow-admins.md @@ -52,7 +52,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=bitbucket
- asset_type=project | +| asset_platform | bitbucket | +| asset_type | project | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/bitbucket/project/allow-users.md b/docs/configuration/initiatives/rules/bitbucket/project/allow-users.md index 013c0209c..83826bea0 100644 --- a/docs/configuration/initiatives/rules/bitbucket/project/allow-users.md +++ b/docs/configuration/initiatives/rules/bitbucket/project/allow-users.md @@ -52,7 +52,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=bitbucket
- asset_type=project | +| asset_platform | bitbucket | +| asset_type | project | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/bitbucket/project/evidence-exists.md b/docs/configuration/initiatives/rules/bitbucket/project/evidence-exists.md new file mode 100644 index 000000000..6c9e275f5 --- /dev/null +++ b/docs/configuration/initiatives/rules/bitbucket/project/evidence-exists.md @@ -0,0 +1,53 @@ +--- +sidebar_label: Require Bitbucket Project Discovery Evidence +title: Require Bitbucket Project Discovery Evidence +--- +# Require Bitbucket Project Discovery Evidence +**Type:** Rule +**ID:** `bb-project-exists` +**Source:** [v2/rules/bitbucket/project/evidence-exists.yaml](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/bitbucket/project/evidence-exists.yaml) +**Rego Source:** [evidence-exists.rego](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/bitbucket/project/evidence-exists.rego) +**Labels:** Bitbucket, Project + +Verify the Bitbucket Project exists as evidence. + +:::note +This rule requires Bitbucket Project Discovery Evidence. See [here](/docs/platforms/discover#bitbucket-discovery) for more details. +::: +:::tip +> Evidence **IS** required for this rule and will fail if missing. +::: +:::tip +Signed Evidence for this rule **IS NOT** required by default but is recommended. +::: +:::warning +Rule requires evaluation with a target. Without one, it will be **disabled** unless the `--all-evidence` flag is provided. +::: + +## Usage example + +```yaml +uses: bitbucket/project/evidence-exists@v2 +``` + +## Evidence Requirements +| Field | Value | +|-------|-------| +| signed | False | +| content_body_type | generic | +| target_type | data | +| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | +| asset_platform | bitbucket | +| asset_type | project | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` + diff --git a/docs/configuration/initiatives/rules/bitbucket/project/exposed-credentials.md b/docs/configuration/initiatives/rules/bitbucket/project/exposed-credentials.md index 82a465060..4ff8b5b2f 100644 --- a/docs/configuration/initiatives/rules/bitbucket/project/exposed-credentials.md +++ b/docs/configuration/initiatives/rules/bitbucket/project/exposed-credentials.md @@ -48,5 +48,17 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=bitbucket
- asset_type=project | +| asset_platform | bitbucket | +| asset_type | project | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` diff --git a/docs/configuration/initiatives/rules/bitbucket/project/long-live-tokens.md b/docs/configuration/initiatives/rules/bitbucket/project/long-live-tokens.md index 828f6e046..ddc631e83 100644 --- a/docs/configuration/initiatives/rules/bitbucket/project/long-live-tokens.md +++ b/docs/configuration/initiatives/rules/bitbucket/project/long-live-tokens.md @@ -49,7 +49,20 @@ It performs the following steps: | signed | False | | content_body_type | generic | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - asset_type=project
- platform=bitbucket
- platform_instance=bitbucket_dc | +| asset_platform | bitbucket | +| asset_type | project | +| asset_name | Template value (see below) | +| labels | - platform_instance=bitbucket_dc | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/bitbucket/repository/allow-admins.md b/docs/configuration/initiatives/rules/bitbucket/repository/allow-admins.md index bdcb29925..b45507813 100644 --- a/docs/configuration/initiatives/rules/bitbucket/repository/allow-admins.md +++ b/docs/configuration/initiatives/rules/bitbucket/repository/allow-admins.md @@ -53,7 +53,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=bitbucket
- asset_type=repository | +| asset_platform | bitbucket | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/bitbucket/repository/allow-users.md b/docs/configuration/initiatives/rules/bitbucket/repository/allow-users.md index 7f9d70f65..d63e86351 100644 --- a/docs/configuration/initiatives/rules/bitbucket/repository/allow-users.md +++ b/docs/configuration/initiatives/rules/bitbucket/repository/allow-users.md @@ -53,7 +53,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=bitbucket
- asset_type=repository | +| asset_platform | bitbucket | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/bitbucket/repository/branch-protection.md b/docs/configuration/initiatives/rules/bitbucket/repository/branch-protection.md index 347cd4b4d..fb763fafc 100644 --- a/docs/configuration/initiatives/rules/bitbucket/repository/branch-protection.md +++ b/docs/configuration/initiatives/rules/bitbucket/repository/branch-protection.md @@ -51,7 +51,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=bitbucket
- asset_type=repository | +| asset_platform | bitbucket | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/bitbucket/repository/evidence-exists.md b/docs/configuration/initiatives/rules/bitbucket/repository/evidence-exists.md new file mode 100644 index 000000000..43f7c2242 --- /dev/null +++ b/docs/configuration/initiatives/rules/bitbucket/repository/evidence-exists.md @@ -0,0 +1,53 @@ +--- +sidebar_label: Require Bitbucket Repository Discovery Evidence +title: Require Bitbucket Repository Discovery Evidence +--- +# Require Bitbucket Repository Discovery Evidence +**Type:** Rule +**ID:** `bb-repo-exists` +**Source:** [v2/rules/bitbucket/repository/evidence-exists.yaml](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/bitbucket/repository/evidence-exists.yaml) +**Rego Source:** [evidence-exists.rego](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/bitbucket/repository/evidence-exists.rego) +**Labels:** Bitbucket, Repository + +Verify the Bitbucket Repository exists as evidence. + +:::note +This rule requires Bitbucket Repository Discovery Evidence. See [here](/docs/platforms/discover#bitbucket-discovery) for more details. +::: +:::tip +> Evidence **IS** required for this rule and will fail if missing. +::: +:::tip +Signed Evidence for this rule **IS NOT** required by default but is recommended. +::: +:::warning +Rule requires evaluation with a target. Without one, it will be **disabled** unless the `--all-evidence` flag is provided. +::: + +## Usage example + +```yaml +uses: bitbucket/repository/evidence-exists@v2 +``` + +## Evidence Requirements +| Field | Value | +|-------|-------| +| signed | False | +| content_body_type | generic | +| target_type | data | +| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | +| asset_platform | bitbucket | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` + diff --git a/docs/configuration/initiatives/rules/bitbucket/workspace/allow-admins.md b/docs/configuration/initiatives/rules/bitbucket/workspace/allow-admins.md index 793de740c..b549e9fa3 100644 --- a/docs/configuration/initiatives/rules/bitbucket/workspace/allow-admins.md +++ b/docs/configuration/initiatives/rules/bitbucket/workspace/allow-admins.md @@ -53,7 +53,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=bitbucket
- asset_type=workspace | +| asset_platform | bitbucket | +| asset_type | workspace | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "workspace" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/bitbucket/workspace/allow-users.md b/docs/configuration/initiatives/rules/bitbucket/workspace/allow-users.md index 0a6d19ee1..f3e8a56eb 100644 --- a/docs/configuration/initiatives/rules/bitbucket/workspace/allow-users.md +++ b/docs/configuration/initiatives/rules/bitbucket/workspace/allow-users.md @@ -53,7 +53,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=bitbucket
- asset_type=workspace | +| asset_platform | bitbucket | +| asset_type | workspace | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "workspace" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/bitbucket/workspace/evidence-exists.md b/docs/configuration/initiatives/rules/bitbucket/workspace/evidence-exists.md new file mode 100644 index 000000000..45322ca78 --- /dev/null +++ b/docs/configuration/initiatives/rules/bitbucket/workspace/evidence-exists.md @@ -0,0 +1,53 @@ +--- +sidebar_label: Require Bitbucket Workspace Discovery Evidence +title: Require Bitbucket Workspace Discovery Evidence +--- +# Require Bitbucket Workspace Discovery Evidence +**Type:** Rule +**ID:** `bb-workspace-exists` +**Source:** [v2/rules/bitbucket/workspace/evidence-exists.yaml](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/bitbucket/workspace/evidence-exists.yaml) +**Rego Source:** [evidence-exists.rego](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/bitbucket/workspace/evidence-exists.rego) +**Labels:** Bitbucket, Workspace + +Verify the Bitbucket Workspace exists as evidence. + +:::note +This rule requires Bitbucket Workspace Discovery Evidence. See [here](/docs/platforms/discover#bitbucket-discovery) for more details. +::: +:::tip +> Evidence **IS** required for this rule and will fail if missing. +::: +:::tip +Signed Evidence for this rule **IS NOT** required by default but is recommended. +::: +:::warning +Rule requires evaluation with a target. Without one, it will be **disabled** unless the `--all-evidence` flag is provided. +::: + +## Usage example + +```yaml +uses: bitbucket/workspace/evidence-exists@v2 +``` + +## Evidence Requirements +| Field | Value | +|-------|-------| +| signed | False | +| content_body_type | generic | +| target_type | data | +| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | +| asset_platform | bitbucket | +| asset_type | workspace | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "workspace" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` + diff --git a/docs/configuration/initiatives/rules/dockerhub/token-expiration.md b/docs/configuration/initiatives/rules/dockerhub/token-expiration.md index 31c705621..d0a7936a9 100644 --- a/docs/configuration/initiatives/rules/dockerhub/token-expiration.md +++ b/docs/configuration/initiatives/rules/dockerhub/token-expiration.md @@ -49,5 +49,17 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - asset_type=project
- platform=dockerhub | +| asset_platform | dockerhub | +| asset_type | oci_repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "oci_repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` diff --git a/docs/configuration/initiatives/rules/dockerhub/token-not-used.md b/docs/configuration/initiatives/rules/dockerhub/token-not-used.md index 14ba8e6e3..c1f4fc788 100644 --- a/docs/configuration/initiatives/rules/dockerhub/token-not-used.md +++ b/docs/configuration/initiatives/rules/dockerhub/token-not-used.md @@ -44,5 +44,17 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - asset_type=project
- platform=dockerhub | +| asset_platform | dockerhub | +| asset_type | oci_repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "oci_repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` diff --git a/docs/configuration/initiatives/rules/github/org/2fa.md b/docs/configuration/initiatives/rules/github/org/2fa.md index 644e07024..f0d31dc8e 100644 --- a/docs/configuration/initiatives/rules/github/org/2fa.md +++ b/docs/configuration/initiatives/rules/github/org/2fa.md @@ -52,7 +52,19 @@ layer of security against unauthorized access. | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=github
- asset_type=organization | +| asset_platform | github | +| asset_type | organization | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "organization" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Rule Parameters (`with`) | Parameter | Default | diff --git a/docs/configuration/initiatives/rules/github/org/advanced-security.md b/docs/configuration/initiatives/rules/github/org/advanced-security.md index e74375a12..32cd77c26 100644 --- a/docs/configuration/initiatives/rules/github/org/advanced-security.md +++ b/docs/configuration/initiatives/rules/github/org/advanced-security.md @@ -52,7 +52,19 @@ introducing vulnerabilities or unapproved software. | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=github
- asset_type=organization | +| asset_platform | github | +| asset_type | organization | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "organization" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/github/org/allow-admins.md b/docs/configuration/initiatives/rules/github/org/allow-admins.md index 8ef25f7f2..5ba2e3c76 100644 --- a/docs/configuration/initiatives/rules/github/org/allow-admins.md +++ b/docs/configuration/initiatives/rules/github/org/allow-admins.md @@ -54,7 +54,19 @@ the desired value, a violation is recorded. This ensures that only users in the | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=github
- asset_type=organization | +| asset_platform | github | +| asset_type | organization | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "organization" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/github/org/allow-users.md b/docs/configuration/initiatives/rules/github/org/allow-users.md index ca8df3d50..0ffd3e3c0 100644 --- a/docs/configuration/initiatives/rules/github/org/allow-users.md +++ b/docs/configuration/initiatives/rules/github/org/allow-users.md @@ -53,7 +53,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=github
- asset_type=organization | +| asset_platform | github | +| asset_type | organization | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "organization" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/github/org/create-private-repos.md b/docs/configuration/initiatives/rules/github/org/create-private-repos.md index 60db251bb..83f83966a 100644 --- a/docs/configuration/initiatives/rules/github/org/create-private-repos.md +++ b/docs/configuration/initiatives/rules/github/org/create-private-repos.md @@ -54,7 +54,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=github
- asset_type=organization | +| asset_platform | github | +| asset_type | organization | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "organization" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/github/org/create-repos.md b/docs/configuration/initiatives/rules/github/org/create-repos.md index 8f3e68c18..ef6226252 100644 --- a/docs/configuration/initiatives/rules/github/org/create-repos.md +++ b/docs/configuration/initiatives/rules/github/org/create-repos.md @@ -51,7 +51,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=github
- asset_type=organization | +| asset_platform | github | +| asset_type | organization | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "organization" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/github/org/dependabot-alerts.md b/docs/configuration/initiatives/rules/github/org/dependabot-alerts.md index 6805700cf..e499bad7a 100644 --- a/docs/configuration/initiatives/rules/github/org/dependabot-alerts.md +++ b/docs/configuration/initiatives/rules/github/org/dependabot-alerts.md @@ -51,7 +51,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=github
- asset_type=organization | +| asset_platform | github | +| asset_type | organization | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "organization" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/github/org/dependabot-security-updates-sa.md b/docs/configuration/initiatives/rules/github/org/dependabot-security-updates-sa.md index ae9bac2b0..4991eebca 100644 --- a/docs/configuration/initiatives/rules/github/org/dependabot-security-updates-sa.md +++ b/docs/configuration/initiatives/rules/github/org/dependabot-security-updates-sa.md @@ -48,5 +48,17 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=github
- asset_type=organization | +| asset_platform | github | +| asset_type | organization | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "organization" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` diff --git a/docs/configuration/initiatives/rules/github/org/dependabot-security-updates.md b/docs/configuration/initiatives/rules/github/org/dependabot-security-updates.md index 45e410708..649db827e 100644 --- a/docs/configuration/initiatives/rules/github/org/dependabot-security-updates.md +++ b/docs/configuration/initiatives/rules/github/org/dependabot-security-updates.md @@ -50,7 +50,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=github
- asset_type=organization | +| asset_platform | github | +| asset_type | organization | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "organization" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/github/org/dependency-graph.md b/docs/configuration/initiatives/rules/github/org/dependency-graph.md index 9999445b2..e6430aea4 100644 --- a/docs/configuration/initiatives/rules/github/org/dependency-graph.md +++ b/docs/configuration/initiatives/rules/github/org/dependency-graph.md @@ -50,7 +50,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=github
- asset_type=organization | +| asset_platform | github | +| asset_type | organization | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "organization" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/github/org/evidence-exists.md b/docs/configuration/initiatives/rules/github/org/evidence-exists.md new file mode 100644 index 000000000..7b30d4482 --- /dev/null +++ b/docs/configuration/initiatives/rules/github/org/evidence-exists.md @@ -0,0 +1,53 @@ +--- +sidebar_label: Require GitHub Organization Discovery Evidence +title: Require GitHub Organization Discovery Evidence +--- +# Require GitHub Organization Discovery Evidence +**Type:** Rule +**ID:** `github-org-exists` +**Source:** [v2/rules/github/org/evidence-exists.yaml](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/github/org/evidence-exists.yaml) +**Rego Source:** [evidence-exists.rego](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/github/org/evidence-exists.rego) +**Labels:** GitHub, Organization + +Verify the GitHub Organization exists as evidence. + +:::note +This rule requires Github Organization Discovery Evidence. See [here](/docs/platforms/discover#github-discovery) for more details. +::: +:::tip +> Evidence **IS** required for this rule and will fail if missing. +::: +:::tip +Signed Evidence for this rule **IS NOT** required by default but is recommended. +::: +:::warning +Rule requires evaluation with a target. Without one, it will be **disabled** unless the `--all-evidence` flag is provided. +::: + +## Usage example + +```yaml +uses: github/org/evidence-exists@v2 +``` + +## Evidence Requirements +| Field | Value | +|-------|-------| +| signed | False | +| content_body_type | generic | +| target_type | data | +| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | +| asset_platform | github | +| asset_type | organization | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "organization" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` + diff --git a/docs/configuration/initiatives/rules/github/org/max-admins.md b/docs/configuration/initiatives/rules/github/org/max-admins.md index 458ae9876..8fce427bd 100644 --- a/docs/configuration/initiatives/rules/github/org/max-admins.md +++ b/docs/configuration/initiatives/rules/github/org/max-admins.md @@ -50,7 +50,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=github
- asset_type=organization | +| asset_platform | github | +| asset_type | organization | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "organization" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/github/org/old-secrets.md b/docs/configuration/initiatives/rules/github/org/old-secrets.md index fee218e54..34c7c29cb 100644 --- a/docs/configuration/initiatives/rules/github/org/old-secrets.md +++ b/docs/configuration/initiatives/rules/github/org/old-secrets.md @@ -50,7 +50,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=github
- asset_type=organization | +| asset_platform | github | +| asset_type | organization | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "organization" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/github/org/pp-custom-link.md b/docs/configuration/initiatives/rules/github/org/pp-custom-link.md index a09354b45..8fa5c5586 100644 --- a/docs/configuration/initiatives/rules/github/org/pp-custom-link.md +++ b/docs/configuration/initiatives/rules/github/org/pp-custom-link.md @@ -34,7 +34,19 @@ uses: github/org/pp-custom-link@v2 | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=github
- asset_type=organization | +| asset_platform | github | +| asset_type | organization | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "organization" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Rule Parameters (`with`) | Parameter | Default | diff --git a/docs/configuration/initiatives/rules/github/org/push-protection-sa.md b/docs/configuration/initiatives/rules/github/org/push-protection-sa.md index ff0d21fe2..b34ac3b70 100644 --- a/docs/configuration/initiatives/rules/github/org/push-protection-sa.md +++ b/docs/configuration/initiatives/rules/github/org/push-protection-sa.md @@ -48,5 +48,17 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=github
- asset_type=organization | +| asset_platform | github | +| asset_type | organization | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "organization" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` diff --git a/docs/configuration/initiatives/rules/github/org/push-protection.md b/docs/configuration/initiatives/rules/github/org/push-protection.md index 5aadbeab3..19349ceb4 100644 --- a/docs/configuration/initiatives/rules/github/org/push-protection.md +++ b/docs/configuration/initiatives/rules/github/org/push-protection.md @@ -51,7 +51,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=github
- asset_type=organization | +| asset_platform | github | +| asset_type | organization | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "organization" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/github/org/repo-visibility.md b/docs/configuration/initiatives/rules/github/org/repo-visibility.md index 98603f352..48a923646 100644 --- a/docs/configuration/initiatives/rules/github/org/repo-visibility.md +++ b/docs/configuration/initiatives/rules/github/org/repo-visibility.md @@ -52,7 +52,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=github
- asset_type=organization | +| asset_platform | github | +| asset_type | organization | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "organization" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/github/org/secret-scanning-sa.md b/docs/configuration/initiatives/rules/github/org/secret-scanning-sa.md index 16fabb0dd..79eca1c85 100644 --- a/docs/configuration/initiatives/rules/github/org/secret-scanning-sa.md +++ b/docs/configuration/initiatives/rules/github/org/secret-scanning-sa.md @@ -48,5 +48,17 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=github
- asset_type=organization | +| asset_platform | github | +| asset_type | organization | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "organization" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` diff --git a/docs/configuration/initiatives/rules/github/org/secret-scanning.md b/docs/configuration/initiatives/rules/github/org/secret-scanning.md index aad5af60f..094c470ec 100644 --- a/docs/configuration/initiatives/rules/github/org/secret-scanning.md +++ b/docs/configuration/initiatives/rules/github/org/secret-scanning.md @@ -34,7 +34,19 @@ uses: github/org/secret-scanning@v2 | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=github
- asset_type=organization | +| asset_platform | github | +| asset_type | organization | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "organization" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Rule Parameters (`with`) | Parameter | Default | diff --git a/docs/configuration/initiatives/rules/github/org/validity-checks-sa.md b/docs/configuration/initiatives/rules/github/org/validity-checks-sa.md index ba7944eb9..846fee4c3 100644 --- a/docs/configuration/initiatives/rules/github/org/validity-checks-sa.md +++ b/docs/configuration/initiatives/rules/github/org/validity-checks-sa.md @@ -48,5 +48,17 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=github
- asset_type=organization | +| asset_platform | github | +| asset_type | organization | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "organization" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` diff --git a/docs/configuration/initiatives/rules/github/org/validity-checks.md b/docs/configuration/initiatives/rules/github/org/validity-checks.md index e0e954854..e0fe070b0 100644 --- a/docs/configuration/initiatives/rules/github/org/validity-checks.md +++ b/docs/configuration/initiatives/rules/github/org/validity-checks.md @@ -34,7 +34,19 @@ uses: github/org/validity-checks@v2 | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=github
- asset_type=organization | +| asset_platform | github | +| asset_type | organization | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "organization" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Rule Parameters (`with`) | Parameter | Default | diff --git a/docs/configuration/initiatives/rules/github/org/web-commit-signoff.md b/docs/configuration/initiatives/rules/github/org/web-commit-signoff.md index 50f953fd3..cea1ae3a5 100644 --- a/docs/configuration/initiatives/rules/github/org/web-commit-signoff.md +++ b/docs/configuration/initiatives/rules/github/org/web-commit-signoff.md @@ -48,5 +48,17 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=github
- asset_type=organization | +| asset_platform | github | +| asset_type | organization | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "organization" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` diff --git a/docs/configuration/initiatives/rules/github/repository/approvals-policy-check.md b/docs/configuration/initiatives/rules/github/repository/approvals-policy-check.md index 21ebba0c3..2993d9056 100644 --- a/docs/configuration/initiatives/rules/github/repository/approvals-policy-check.md +++ b/docs/configuration/initiatives/rules/github/repository/approvals-policy-check.md @@ -50,7 +50,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=github
- asset_type=repository | +| asset_platform | github | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/github/repository/branch-protection.md b/docs/configuration/initiatives/rules/github/repository/branch-protection.md index 89069fd1d..5a98e7a54 100644 --- a/docs/configuration/initiatives/rules/github/repository/branch-protection.md +++ b/docs/configuration/initiatives/rules/github/repository/branch-protection.md @@ -53,7 +53,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=github
- asset_type=repository | +| asset_platform | github | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/github/repository/branch-verification.md b/docs/configuration/initiatives/rules/github/repository/branch-verification.md index 48232d5e9..7ed9f8f8b 100644 --- a/docs/configuration/initiatives/rules/github/repository/branch-verification.md +++ b/docs/configuration/initiatives/rules/github/repository/branch-verification.md @@ -48,7 +48,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=github
- asset_type=repository | +| asset_platform | github | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Rule Parameters (`with`) | Parameter | Default | diff --git a/docs/configuration/initiatives/rules/github/repository/check-signed-commits.md b/docs/configuration/initiatives/rules/github/repository/check-signed-commits.md index dec363eed..61e7eab52 100644 --- a/docs/configuration/initiatives/rules/github/repository/check-signed-commits.md +++ b/docs/configuration/initiatives/rules/github/repository/check-signed-commits.md @@ -48,5 +48,17 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=github
- asset_type=repository | +| asset_platform | github | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` diff --git a/docs/configuration/initiatives/rules/github/repository/default-branch-protection.md b/docs/configuration/initiatives/rules/github/repository/default-branch-protection.md index 1d266e99a..82dcad2f0 100644 --- a/docs/configuration/initiatives/rules/github/repository/default-branch-protection.md +++ b/docs/configuration/initiatives/rules/github/repository/default-branch-protection.md @@ -48,5 +48,17 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=github
- asset_type=repository | +| asset_platform | github | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` diff --git a/docs/configuration/initiatives/rules/github/repository/dependabot.md b/docs/configuration/initiatives/rules/github/repository/dependabot.md index 08b9ba9ba..1075bc73d 100644 --- a/docs/configuration/initiatives/rules/github/repository/dependabot.md +++ b/docs/configuration/initiatives/rules/github/repository/dependabot.md @@ -48,5 +48,17 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=github
- asset_type=repository | +| asset_platform | github | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` diff --git a/docs/configuration/initiatives/rules/github/repository/ephemeral-runners-only.md b/docs/configuration/initiatives/rules/github/repository/ephemeral-runners-only.md index 3893a88d4..522165bec 100644 --- a/docs/configuration/initiatives/rules/github/repository/ephemeral-runners-only.md +++ b/docs/configuration/initiatives/rules/github/repository/ephemeral-runners-only.md @@ -48,5 +48,17 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=github
- asset_type=repository | +| asset_platform | github | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` diff --git a/docs/configuration/initiatives/rules/github/repository/evidence-exists.md b/docs/configuration/initiatives/rules/github/repository/evidence-exists.md new file mode 100644 index 000000000..7ef28bd7d --- /dev/null +++ b/docs/configuration/initiatives/rules/github/repository/evidence-exists.md @@ -0,0 +1,53 @@ +--- +sidebar_label: Require GitHub Repository Discovery Evidence +title: Require GitHub Repository Discovery Evidence +--- +# Require GitHub Repository Discovery Evidence +**Type:** Rule +**ID:** `github-repo-exists` +**Source:** [v2/rules/github/repository/evidence-exists.yaml](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/github/repository/evidence-exists.yaml) +**Rego Source:** [evidence-exists.rego](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/github/repository/evidence-exists.rego) +**Labels:** GitHub, Repository + +Verify the GitHub Repository exists as evidence. + +:::note +This rule requires Github Repository Discovery Evidence. See [here](/docs/platforms/discover#github-discovery) for more details. +::: +:::tip +> Evidence **IS** required for this rule and will fail if missing. +::: +:::tip +Signed Evidence for this rule **IS NOT** required by default but is recommended. +::: +:::warning +Rule requires evaluation with a target. Without one, it will be **disabled** unless the `--all-evidence` flag is provided. +::: + +## Usage example + +```yaml +uses: github/repository/evidence-exists@v2 +``` + +## Evidence Requirements +| Field | Value | +|-------|-------| +| signed | False | +| content_body_type | generic | +| target_type | data | +| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | +| asset_platform | github | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` + diff --git a/docs/configuration/initiatives/rules/github/repository/no-cache-usage.md b/docs/configuration/initiatives/rules/github/repository/no-cache-usage.md index 8f2e89285..1ad92ea1d 100644 --- a/docs/configuration/initiatives/rules/github/repository/no-cache-usage.md +++ b/docs/configuration/initiatives/rules/github/repository/no-cache-usage.md @@ -48,5 +48,17 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=github
- asset_type=repository | +| asset_platform | github | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` diff --git a/docs/configuration/initiatives/rules/github/repository/no-org-secrets.md b/docs/configuration/initiatives/rules/github/repository/no-org-secrets.md index be2c1a241..493694831 100644 --- a/docs/configuration/initiatives/rules/github/repository/no-org-secrets.md +++ b/docs/configuration/initiatives/rules/github/repository/no-org-secrets.md @@ -48,5 +48,17 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=github
- asset_type=repository | +| asset_platform | github | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` diff --git a/docs/configuration/initiatives/rules/github/repository/old-secrets.md b/docs/configuration/initiatives/rules/github/repository/old-secrets.md index fd5293186..1337e07ad 100644 --- a/docs/configuration/initiatives/rules/github/repository/old-secrets.md +++ b/docs/configuration/initiatives/rules/github/repository/old-secrets.md @@ -48,7 +48,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=github
- asset_type=repository | +| asset_platform | github | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Rule Parameters (`with`) | Parameter | Default | diff --git a/docs/configuration/initiatives/rules/github/repository/push-protection.md b/docs/configuration/initiatives/rules/github/repository/push-protection.md index 7bedd3d91..c1421015a 100644 --- a/docs/configuration/initiatives/rules/github/repository/push-protection.md +++ b/docs/configuration/initiatives/rules/github/repository/push-protection.md @@ -48,5 +48,17 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=github
- asset_type=repository | +| asset_platform | github | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` diff --git a/docs/configuration/initiatives/rules/github/repository/repo-private.md b/docs/configuration/initiatives/rules/github/repository/repo-private.md index 3f093b80b..f18bdad1a 100644 --- a/docs/configuration/initiatives/rules/github/repository/repo-private.md +++ b/docs/configuration/initiatives/rules/github/repository/repo-private.md @@ -48,5 +48,17 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=github
- asset_type=repository | +| asset_platform | github | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` diff --git a/docs/configuration/initiatives/rules/github/repository/secret-scanning.md b/docs/configuration/initiatives/rules/github/repository/secret-scanning.md index c36877398..de375e7af 100644 --- a/docs/configuration/initiatives/rules/github/repository/secret-scanning.md +++ b/docs/configuration/initiatives/rules/github/repository/secret-scanning.md @@ -48,5 +48,17 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=github
- asset_type=repository | +| asset_platform | github | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` diff --git a/docs/configuration/initiatives/rules/github/repository/signed-commits.md b/docs/configuration/initiatives/rules/github/repository/signed-commits.md index 7d5d1e7a1..97eb14d10 100644 --- a/docs/configuration/initiatives/rules/github/repository/signed-commits.md +++ b/docs/configuration/initiatives/rules/github/repository/signed-commits.md @@ -48,5 +48,17 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=github
- asset_type=repository | +| asset_platform | github | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` diff --git a/docs/configuration/initiatives/rules/github/repository/validity-checks.md b/docs/configuration/initiatives/rules/github/repository/validity-checks.md index 4b385d1f0..fbfb8e5de 100644 --- a/docs/configuration/initiatives/rules/github/repository/validity-checks.md +++ b/docs/configuration/initiatives/rules/github/repository/validity-checks.md @@ -48,5 +48,17 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=github
- asset_type=repository | +| asset_platform | github | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` diff --git a/docs/configuration/initiatives/rules/github/repository/visibility.md b/docs/configuration/initiatives/rules/github/repository/visibility.md index 897e4c6fb..10758380e 100644 --- a/docs/configuration/initiatives/rules/github/repository/visibility.md +++ b/docs/configuration/initiatives/rules/github/repository/visibility.md @@ -52,7 +52,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=github
- asset_type=repository | +| asset_platform | github | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/github/repository/web-commit-signoff.md b/docs/configuration/initiatives/rules/github/repository/web-commit-signoff.md index 224fb90da..87af8cb30 100644 --- a/docs/configuration/initiatives/rules/github/repository/web-commit-signoff.md +++ b/docs/configuration/initiatives/rules/github/repository/web-commit-signoff.md @@ -48,5 +48,17 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=github
- asset_type=repository | +| asset_platform | github | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` diff --git a/docs/configuration/initiatives/rules/gitlab/org/allow-admins.md b/docs/configuration/initiatives/rules/gitlab/org/allow-admins.md index 73c7c93f6..f4c8a340b 100644 --- a/docs/configuration/initiatives/rules/gitlab/org/allow-admins.md +++ b/docs/configuration/initiatives/rules/gitlab/org/allow-admins.md @@ -53,7 +53,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=organization | +| asset_platform | gitlab | +| asset_type | organization | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "organization" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/gitlab/org/allow-token-scopes.md b/docs/configuration/initiatives/rules/gitlab/org/allow-token-scopes.md index 3e2bdf5c5..edcc4c73c 100644 --- a/docs/configuration/initiatives/rules/gitlab/org/allow-token-scopes.md +++ b/docs/configuration/initiatives/rules/gitlab/org/allow-token-scopes.md @@ -50,7 +50,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=organization | +| asset_platform | gitlab | +| asset_type | organization | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "organization" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/gitlab/org/allow-users.md b/docs/configuration/initiatives/rules/gitlab/org/allow-users.md index cdc185c53..2e496a650 100644 --- a/docs/configuration/initiatives/rules/gitlab/org/allow-users.md +++ b/docs/configuration/initiatives/rules/gitlab/org/allow-users.md @@ -53,7 +53,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=organization | +| asset_platform | gitlab | +| asset_type | organization | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "organization" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/gitlab/org/blocked-users.md b/docs/configuration/initiatives/rules/gitlab/org/blocked-users.md index 0486fbdf8..7e57cc902 100644 --- a/docs/configuration/initiatives/rules/gitlab/org/blocked-users.md +++ b/docs/configuration/initiatives/rules/gitlab/org/blocked-users.md @@ -53,7 +53,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=organization | +| asset_platform | gitlab | +| asset_type | organization | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "organization" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/gitlab/org/expiring-tokens.md b/docs/configuration/initiatives/rules/gitlab/org/expiring-tokens.md index 824fc4a93..fbe766e9f 100644 --- a/docs/configuration/initiatives/rules/gitlab/org/expiring-tokens.md +++ b/docs/configuration/initiatives/rules/gitlab/org/expiring-tokens.md @@ -50,7 +50,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=organization | +| asset_platform | gitlab | +| asset_type | organization | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "organization" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/gitlab/org/forbid-token-scopes.md b/docs/configuration/initiatives/rules/gitlab/org/forbid-token-scopes.md index 4c5950612..33a351d90 100644 --- a/docs/configuration/initiatives/rules/gitlab/org/forbid-token-scopes.md +++ b/docs/configuration/initiatives/rules/gitlab/org/forbid-token-scopes.md @@ -52,7 +52,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=organization | +| asset_platform | gitlab | +| asset_type | organization | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "organization" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/gitlab/org/inactive-projects.md b/docs/configuration/initiatives/rules/gitlab/org/inactive-projects.md index 74e4dbbf7..6740ce944 100644 --- a/docs/configuration/initiatives/rules/gitlab/org/inactive-projects.md +++ b/docs/configuration/initiatives/rules/gitlab/org/inactive-projects.md @@ -50,7 +50,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=organization | +| asset_platform | gitlab | +| asset_type | organization | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "organization" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/gitlab/org/longlive-tokens.md b/docs/configuration/initiatives/rules/gitlab/org/longlive-tokens.md index 922de7791..b8716586d 100644 --- a/docs/configuration/initiatives/rules/gitlab/org/longlive-tokens.md +++ b/docs/configuration/initiatives/rules/gitlab/org/longlive-tokens.md @@ -50,7 +50,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=organization | +| asset_platform | gitlab | +| asset_type | organization | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "organization" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/gitlab/org/max-admins.md b/docs/configuration/initiatives/rules/gitlab/org/max-admins.md index 7ab171500..fb28f1912 100644 --- a/docs/configuration/initiatives/rules/gitlab/org/max-admins.md +++ b/docs/configuration/initiatives/rules/gitlab/org/max-admins.md @@ -50,7 +50,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=organization | +| asset_platform | gitlab | +| asset_type | organization | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "organization" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/gitlab/org/projects-visibility.md b/docs/configuration/initiatives/rules/gitlab/org/projects-visibility.md index 303c97227..7ff76ba3c 100644 --- a/docs/configuration/initiatives/rules/gitlab/org/projects-visibility.md +++ b/docs/configuration/initiatives/rules/gitlab/org/projects-visibility.md @@ -48,7 +48,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=organization | +| asset_platform | gitlab | +| asset_type | organization | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "organization" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/gitlab/org/unused-tokens.md b/docs/configuration/initiatives/rules/gitlab/org/unused-tokens.md index 619affeb1..8a2aec6ef 100644 --- a/docs/configuration/initiatives/rules/gitlab/org/unused-tokens.md +++ b/docs/configuration/initiatives/rules/gitlab/org/unused-tokens.md @@ -50,7 +50,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=organization | +| asset_platform | gitlab | +| asset_type | organization | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "organization" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/gitlab/pipeline/_category_.json b/docs/configuration/initiatives/rules/gitlab/pipeline/_category_.json deleted file mode 100644 index a57065cbf..000000000 --- a/docs/configuration/initiatives/rules/gitlab/pipeline/_category_.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "label": "Pipeline", - "position": 1 -} \ No newline at end of file diff --git a/docs/configuration/initiatives/rules/gitlab/pipeline/verify-labels-exist.md b/docs/configuration/initiatives/rules/gitlab/pipeline/verify-labels-exist.md deleted file mode 100644 index 9c019a28e..000000000 --- a/docs/configuration/initiatives/rules/gitlab/pipeline/verify-labels-exist.md +++ /dev/null @@ -1,60 +0,0 @@ ---- -sidebar_label: GitLab pipeline verify labels exist -title: GitLab pipeline verify labels exist ---- -# GitLab pipeline verify labels exist -**Type:** Rule -**ID:** `gitlab-pipeline-verify-labels-exist` -**Source:** [v2/rules/gitlab/pipeline/verify-labels-exist.yaml](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/gitlab/pipeline/verify-labels-exist.yaml) -**Rego Source:** [verify-labels-exist.rego](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/gitlab/pipeline/verify-labels-exist.rego) -**Labels:** Gitlab, Pipeline - -Verify the pipeline has all required label keys and values. - -:::note -This rule requires Discovery Evidence. See [here](/docs/platforms/discover) for more details. -::: -:::tip -Signed Evidence for this rule **IS NOT** required by default but is recommended. -::: -:::warning -Rule requires evaluation with a target. Without one, it will be **disabled** unless the `--all-evidence` flag is provided. -::: - -## Usage example - -```yaml -uses: gitlab/pipeline/verify-labels-exist@v2 -with: - labels: - - "app.kubernetes.io/instance" -``` - -## Mitigation -Ensure that all required labels exist in the pipeline to reduce the risk of misconfiguration. - - -## Description -This rule ensures that the pipeline has all required label keys and values. -It performs the following steps: - -1. Checks the settings of the GitLab pipeline. -2. Verifies that all required labels exist in the pipeline. - -**Evidence Requirements:** -- Evidence must be provided by the Scribe Platform's CLI tool through scanning GitLab pipeline resources. - -## Evidence Requirements -| Field | Value | -|-------|-------| -| signed | False | -| content_body_type | generic | -| target_type | data | -| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - asset_type=pipeline | - -## Input Definitions -| Parameter | Type | Required | Description | -|-----------|------|----------|-------------| -| labels | array | True | List of labels to verify exist in the pipeline. | - diff --git a/docs/configuration/initiatives/rules/gitlab/pipeline/verify-labels.md b/docs/configuration/initiatives/rules/gitlab/pipeline/verify-labels.md deleted file mode 100644 index cc46d1ca1..000000000 --- a/docs/configuration/initiatives/rules/gitlab/pipeline/verify-labels.md +++ /dev/null @@ -1,61 +0,0 @@ ---- -sidebar_label: Verify GitLab Pipeline Labels -title: Verify GitLab Pipeline Labels ---- -# Verify GitLab Pipeline Labels -**Type:** Rule -**ID:** `gitlab-pipeline-verify-labels` -**Source:** [v2/rules/gitlab/pipeline/verify-labels.yaml](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/gitlab/pipeline/verify-labels.yaml) -**Rego Source:** [verify-labels.rego](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/gitlab/pipeline/verify-labels.rego) -**Labels:** Gitlab, Pipeline - -Verify the pipeline includes all required label keys and values. - -:::note -This rule requires Discovery Evidence. See [here](/docs/platforms/discover) for more details. -::: -:::tip -Signed Evidence for this rule **IS NOT** required by default but is recommended. -::: -:::warning -Rule requires evaluation with a target. Without one, it will be **disabled** unless the `--all-evidence` flag is provided. -::: - -## Usage example - -```yaml -uses: gitlab/pipeline/verify-labels@v2 -with: - labels: - app.kubernetes.io/instance: "defaul1t" -``` - -## Mitigation -Ensure that all required labels exist in the pipeline to reduce the risk of misconfiguration. - - -## Description -This rule ensures that the pipeline includes all required label keys and values. -It performs the following steps: - -1. Checks the settings of the GitLab pipeline. -2. Verifies that all required labels exist in the pipeline. -2.1 Verify that all the label values match the expected values. - -**Evidence Requirements:** -- Evidence must be provided by the Scribe Platform's CLI tool through scanning GitLab pipeline resources. - -## Evidence Requirements -| Field | Value | -|-------|-------| -| signed | False | -| content_body_type | generic | -| target_type | data | -| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - asset_type=pipeline | - -## Input Definitions -| Parameter | Type | Required | Description | -|-----------|------|----------|-------------| -| labels | object | True | List of labels to verify exist in the pipeline. | - diff --git a/docs/configuration/initiatives/rules/gitlab/project/abandoned-project.md b/docs/configuration/initiatives/rules/gitlab/project/abandoned-project.md index 8d523c739..1c7441747 100644 --- a/docs/configuration/initiatives/rules/gitlab/project/abandoned-project.md +++ b/docs/configuration/initiatives/rules/gitlab/project/abandoned-project.md @@ -50,7 +50,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=project | +| asset_platform | gitlab | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/gitlab/project/approvals-policy-check.md b/docs/configuration/initiatives/rules/gitlab/project/approvals-policy-check.md index 43e902f13..f04bfedd4 100644 --- a/docs/configuration/initiatives/rules/gitlab/project/approvals-policy-check.md +++ b/docs/configuration/initiatives/rules/gitlab/project/approvals-policy-check.md @@ -52,7 +52,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=project | +| asset_platform | gitlab | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/gitlab/project/approvers-per-merge-request.md b/docs/configuration/initiatives/rules/gitlab/project/approvers-per-merge-request.md index 1e54c8d91..0269752c2 100644 --- a/docs/configuration/initiatives/rules/gitlab/project/approvers-per-merge-request.md +++ b/docs/configuration/initiatives/rules/gitlab/project/approvers-per-merge-request.md @@ -50,7 +50,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=project | +| asset_platform | gitlab | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/gitlab/project/author-email-regex.md b/docs/configuration/initiatives/rules/gitlab/project/author-email-regex.md index cfb8cda12..dd23455a1 100644 --- a/docs/configuration/initiatives/rules/gitlab/project/author-email-regex.md +++ b/docs/configuration/initiatives/rules/gitlab/project/author-email-regex.md @@ -50,7 +50,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=project | +| asset_platform | gitlab | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/gitlab/project/check-cwe.md b/docs/configuration/initiatives/rules/gitlab/project/check-cwe.md index a125c366a..c3507ab4b 100644 --- a/docs/configuration/initiatives/rules/gitlab/project/check-cwe.md +++ b/docs/configuration/initiatives/rules/gitlab/project/check-cwe.md @@ -50,7 +50,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=project | +| asset_platform | gitlab | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/gitlab/project/check-signed-commits.md b/docs/configuration/initiatives/rules/gitlab/project/check-signed-commits.md index a80374c33..f4b2e2e68 100644 --- a/docs/configuration/initiatives/rules/gitlab/project/check-signed-commits.md +++ b/docs/configuration/initiatives/rules/gitlab/project/check-signed-commits.md @@ -48,5 +48,17 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=project | +| asset_platform | gitlab | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` diff --git a/docs/configuration/initiatives/rules/gitlab/project/co-approval-required.md b/docs/configuration/initiatives/rules/gitlab/project/co-approval-required.md index bf4a52c38..e9d1b3ff7 100644 --- a/docs/configuration/initiatives/rules/gitlab/project/co-approval-required.md +++ b/docs/configuration/initiatives/rules/gitlab/project/co-approval-required.md @@ -50,7 +50,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=project | +| asset_platform | gitlab | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/gitlab/project/commit-author-email-check.md b/docs/configuration/initiatives/rules/gitlab/project/commit-author-email-check.md index d77361ab8..4cf4ebcc7 100644 --- a/docs/configuration/initiatives/rules/gitlab/project/commit-author-email-check.md +++ b/docs/configuration/initiatives/rules/gitlab/project/commit-author-email-check.md @@ -52,7 +52,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=project | +| asset_platform | gitlab | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/gitlab/project/commit-author-name-check.md b/docs/configuration/initiatives/rules/gitlab/project/commit-author-name-check.md index 55e087650..7154f4dc9 100644 --- a/docs/configuration/initiatives/rules/gitlab/project/commit-author-name-check.md +++ b/docs/configuration/initiatives/rules/gitlab/project/commit-author-name-check.md @@ -51,7 +51,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=project | +| asset_platform | gitlab | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/gitlab/project/commit-committer-check.md b/docs/configuration/initiatives/rules/gitlab/project/commit-committer-check.md index a2fddaafd..125f21f61 100644 --- a/docs/configuration/initiatives/rules/gitlab/project/commit-committer-check.md +++ b/docs/configuration/initiatives/rules/gitlab/project/commit-committer-check.md @@ -48,5 +48,17 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=project | +| asset_platform | gitlab | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` diff --git a/docs/configuration/initiatives/rules/gitlab/project/commit-message-check.md b/docs/configuration/initiatives/rules/gitlab/project/commit-message-check.md index 56cf33494..fd92fd8c2 100644 --- a/docs/configuration/initiatives/rules/gitlab/project/commit-message-check.md +++ b/docs/configuration/initiatives/rules/gitlab/project/commit-message-check.md @@ -50,7 +50,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=project | +| asset_platform | gitlab | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/gitlab/project/commits-validated.md b/docs/configuration/initiatives/rules/gitlab/project/commits-validated.md index 2786a114a..891b91819 100644 --- a/docs/configuration/initiatives/rules/gitlab/project/commits-validated.md +++ b/docs/configuration/initiatives/rules/gitlab/project/commits-validated.md @@ -48,5 +48,17 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=project | +| asset_platform | gitlab | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` diff --git a/docs/configuration/initiatives/rules/gitlab/project/committer-email-check.md b/docs/configuration/initiatives/rules/gitlab/project/committer-email-check.md index 5f48fd56c..afad9430c 100644 --- a/docs/configuration/initiatives/rules/gitlab/project/committer-email-check.md +++ b/docs/configuration/initiatives/rules/gitlab/project/committer-email-check.md @@ -51,7 +51,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=project | +| asset_platform | gitlab | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/gitlab/project/committer-name-check.md b/docs/configuration/initiatives/rules/gitlab/project/committer-name-check.md index 8a9d8858e..bc137b18a 100644 --- a/docs/configuration/initiatives/rules/gitlab/project/committer-name-check.md +++ b/docs/configuration/initiatives/rules/gitlab/project/committer-name-check.md @@ -51,7 +51,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=project | +| asset_platform | gitlab | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/gitlab/project/critical-severity-limit.md b/docs/configuration/initiatives/rules/gitlab/project/critical-severity-limit.md index b1fe783df..d13edef26 100644 --- a/docs/configuration/initiatives/rules/gitlab/project/critical-severity-limit.md +++ b/docs/configuration/initiatives/rules/gitlab/project/critical-severity-limit.md @@ -50,7 +50,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=project | +| asset_platform | gitlab | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/gitlab/project/description-substring-check.md b/docs/configuration/initiatives/rules/gitlab/project/description-substring-check.md index c099ebfcb..171fff51b 100644 --- a/docs/configuration/initiatives/rules/gitlab/project/description-substring-check.md +++ b/docs/configuration/initiatives/rules/gitlab/project/description-substring-check.md @@ -50,7 +50,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=project | +| asset_platform | gitlab | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/gitlab/project/disallowed-banned-approvers.md b/docs/configuration/initiatives/rules/gitlab/project/disallowed-banned-approvers.md index 1dc623619..4e0d69848 100644 --- a/docs/configuration/initiatives/rules/gitlab/project/disallowed-banned-approvers.md +++ b/docs/configuration/initiatives/rules/gitlab/project/disallowed-banned-approvers.md @@ -52,7 +52,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=project | +| asset_platform | gitlab | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/gitlab/project/force-push-protection.md b/docs/configuration/initiatives/rules/gitlab/project/force-push-protection.md index a7563bf66..6a9138984 100644 --- a/docs/configuration/initiatives/rules/gitlab/project/force-push-protection.md +++ b/docs/configuration/initiatives/rules/gitlab/project/force-push-protection.md @@ -50,7 +50,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=project | +| asset_platform | gitlab | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/gitlab/project/medium-severity-limit.md b/docs/configuration/initiatives/rules/gitlab/project/medium-severity-limit.md index 97b566385..a44269fc9 100644 --- a/docs/configuration/initiatives/rules/gitlab/project/medium-severity-limit.md +++ b/docs/configuration/initiatives/rules/gitlab/project/medium-severity-limit.md @@ -50,7 +50,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=project | +| asset_platform | gitlab | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/gitlab/project/member-check.md b/docs/configuration/initiatives/rules/gitlab/project/member-check.md index d5e607ecc..ea95263c1 100644 --- a/docs/configuration/initiatives/rules/gitlab/project/member-check.md +++ b/docs/configuration/initiatives/rules/gitlab/project/member-check.md @@ -48,5 +48,17 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=project | +| asset_platform | gitlab | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` diff --git a/docs/configuration/initiatives/rules/gitlab/project/merge-access-level.md b/docs/configuration/initiatives/rules/gitlab/project/merge-access-level.md index 699e195a9..618dbd9ea 100644 --- a/docs/configuration/initiatives/rules/gitlab/project/merge-access-level.md +++ b/docs/configuration/initiatives/rules/gitlab/project/merge-access-level.md @@ -52,7 +52,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=project | +| asset_platform | gitlab | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/gitlab/project/merge-requests-author-approval.md b/docs/configuration/initiatives/rules/gitlab/project/merge-requests-author-approval.md index 03f4f6a7d..6ebc685ba 100644 --- a/docs/configuration/initiatives/rules/gitlab/project/merge-requests-author-approval.md +++ b/docs/configuration/initiatives/rules/gitlab/project/merge-requests-author-approval.md @@ -50,7 +50,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=project | +| asset_platform | gitlab | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/gitlab/project/merge-requests-disable-committers-approval.md b/docs/configuration/initiatives/rules/gitlab/project/merge-requests-disable-committers-approval.md index 73012b220..80fdf5d31 100644 --- a/docs/configuration/initiatives/rules/gitlab/project/merge-requests-disable-committers-approval.md +++ b/docs/configuration/initiatives/rules/gitlab/project/merge-requests-disable-committers-approval.md @@ -50,7 +50,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=project | +| asset_platform | gitlab | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/gitlab/project/message-substring-check.md b/docs/configuration/initiatives/rules/gitlab/project/message-substring-check.md index 9bb75f6dd..891078453 100644 --- a/docs/configuration/initiatives/rules/gitlab/project/message-substring-check.md +++ b/docs/configuration/initiatives/rules/gitlab/project/message-substring-check.md @@ -50,7 +50,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=project | +| asset_platform | gitlab | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/gitlab/project/prevent-secrets-check.md b/docs/configuration/initiatives/rules/gitlab/project/prevent-secrets-check.md index 8aa4d7b58..ebdaeb6c4 100644 --- a/docs/configuration/initiatives/rules/gitlab/project/prevent-secrets-check.md +++ b/docs/configuration/initiatives/rules/gitlab/project/prevent-secrets-check.md @@ -48,5 +48,17 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=project | +| asset_platform | gitlab | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` diff --git a/docs/configuration/initiatives/rules/gitlab/project/protect-ci-secrets.md b/docs/configuration/initiatives/rules/gitlab/project/protect-ci-secrets.md index d34548bc4..a340d3847 100644 --- a/docs/configuration/initiatives/rules/gitlab/project/protect-ci-secrets.md +++ b/docs/configuration/initiatives/rules/gitlab/project/protect-ci-secrets.md @@ -50,7 +50,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=project | +| asset_platform | gitlab | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/gitlab/project/push-access-level.md b/docs/configuration/initiatives/rules/gitlab/project/push-access-level.md index 8c0ef7478..18e800736 100644 --- a/docs/configuration/initiatives/rules/gitlab/project/push-access-level.md +++ b/docs/configuration/initiatives/rules/gitlab/project/push-access-level.md @@ -52,7 +52,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=project | +| asset_platform | gitlab | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/gitlab/project/push-rules-set.md b/docs/configuration/initiatives/rules/gitlab/project/push-rules-set.md index 77d37f3fc..0e3353d67 100644 --- a/docs/configuration/initiatives/rules/gitlab/project/push-rules-set.md +++ b/docs/configuration/initiatives/rules/gitlab/project/push-rules-set.md @@ -48,5 +48,17 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=project | +| asset_platform | gitlab | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` diff --git a/docs/configuration/initiatives/rules/gitlab/project/reject-unsigned-commits.md b/docs/configuration/initiatives/rules/gitlab/project/reject-unsigned-commits.md index d966af231..9db5035cc 100644 --- a/docs/configuration/initiatives/rules/gitlab/project/reject-unsigned-commits.md +++ b/docs/configuration/initiatives/rules/gitlab/project/reject-unsigned-commits.md @@ -48,5 +48,17 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=project | +| asset_platform | gitlab | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` diff --git a/docs/configuration/initiatives/rules/gitlab/project/require-password-to-approve.md b/docs/configuration/initiatives/rules/gitlab/project/require-password-to-approve.md index 74629475a..7cb56dbcc 100644 --- a/docs/configuration/initiatives/rules/gitlab/project/require-password-to-approve.md +++ b/docs/configuration/initiatives/rules/gitlab/project/require-password-to-approve.md @@ -50,7 +50,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=project | +| asset_platform | gitlab | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/gitlab/project/required-minimal-approvers.md b/docs/configuration/initiatives/rules/gitlab/project/required-minimal-approvers.md index a1d23a6e1..c163f145d 100644 --- a/docs/configuration/initiatives/rules/gitlab/project/required-minimal-approvers.md +++ b/docs/configuration/initiatives/rules/gitlab/project/required-minimal-approvers.md @@ -48,5 +48,17 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=project | +| asset_platform | gitlab | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` diff --git a/docs/configuration/initiatives/rules/gitlab/project/reset-pprovals-on-push.md b/docs/configuration/initiatives/rules/gitlab/project/reset-pprovals-on-push.md index f598ceaac..947751fcc 100644 --- a/docs/configuration/initiatives/rules/gitlab/project/reset-pprovals-on-push.md +++ b/docs/configuration/initiatives/rules/gitlab/project/reset-pprovals-on-push.md @@ -50,7 +50,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=project | +| asset_platform | gitlab | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/gitlab/project/sast-scan-pass.md b/docs/configuration/initiatives/rules/gitlab/project/sast-scan-pass.md index ee0b45035..bd3ac19f8 100644 --- a/docs/configuration/initiatives/rules/gitlab/project/sast-scan-pass.md +++ b/docs/configuration/initiatives/rules/gitlab/project/sast-scan-pass.md @@ -48,5 +48,17 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=project | +| asset_platform | gitlab | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` diff --git a/docs/configuration/initiatives/rules/gitlab/project/sast-scanning.md b/docs/configuration/initiatives/rules/gitlab/project/sast-scanning.md index f2dd6cb95..5a5ea427f 100644 --- a/docs/configuration/initiatives/rules/gitlab/project/sast-scanning.md +++ b/docs/configuration/initiatives/rules/gitlab/project/sast-scanning.md @@ -48,5 +48,17 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=project | +| asset_platform | gitlab | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` diff --git a/docs/configuration/initiatives/rules/gitlab/project/secrets-scan-pass.md b/docs/configuration/initiatives/rules/gitlab/project/secrets-scan-pass.md index f1259f531..a42d791ca 100644 --- a/docs/configuration/initiatives/rules/gitlab/project/secrets-scan-pass.md +++ b/docs/configuration/initiatives/rules/gitlab/project/secrets-scan-pass.md @@ -48,5 +48,17 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=project | +| asset_platform | gitlab | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` diff --git a/docs/configuration/initiatives/rules/gitlab/project/secrets-scanning.md b/docs/configuration/initiatives/rules/gitlab/project/secrets-scanning.md index d928ba814..4ca5510f2 100644 --- a/docs/configuration/initiatives/rules/gitlab/project/secrets-scanning.md +++ b/docs/configuration/initiatives/rules/gitlab/project/secrets-scanning.md @@ -48,5 +48,17 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=project | +| asset_platform | gitlab | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` diff --git a/docs/configuration/initiatives/rules/gitlab/project/selective-code-owner-removals.md b/docs/configuration/initiatives/rules/gitlab/project/selective-code-owner-removals.md index b6394dc4e..558338740 100644 --- a/docs/configuration/initiatives/rules/gitlab/project/selective-code-owner-removals.md +++ b/docs/configuration/initiatives/rules/gitlab/project/selective-code-owner-removals.md @@ -50,7 +50,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=project | +| asset_platform | gitlab | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/gitlab/project/visibility-check.md b/docs/configuration/initiatives/rules/gitlab/project/visibility-check.md index 713c49fe2..4024768f5 100644 --- a/docs/configuration/initiatives/rules/gitlab/project/visibility-check.md +++ b/docs/configuration/initiatives/rules/gitlab/project/visibility-check.md @@ -50,7 +50,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - platform=gitlab
- asset_type=project | +| asset_platform | gitlab | +| asset_type | repo | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "project" "repo" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/images/allowed-base-image.md b/docs/configuration/initiatives/rules/images/allowed-base-image.md index 2c4b9596b..141df3d36 100644 --- a/docs/configuration/initiatives/rules/images/allowed-base-image.md +++ b/docs/configuration/initiatives/rules/images/allowed-base-image.md @@ -30,8 +30,8 @@ Rule is scoped by target and product. uses: images/allowed-base-image@v2 with: approved_sources: - - "docker.io/library/*" - - "docker.io/my_org/*" + - "docker.io/.*" + - "docker.io/my_org/.*" ``` ## Mitigation @@ -62,6 +62,5 @@ is found, a violation is recorded indicating that the necessary base image infor ## Input Definitions | Parameter | Type | Required | Description | |-----------|------|----------|-------------| -| approved_sources | array | False | A list of approved base image pattern. | -| fail_on_no_base_image | boolean | False | Whether to fail the rule if no base image is found. | +| approved_sources | array | False | A list of approved base image registry URL prefixes. | diff --git a/docs/configuration/initiatives/rules/images/allowed-npm-registries.md b/docs/configuration/initiatives/rules/images/allowed-npm-registries.md new file mode 100644 index 000000000..f8f37638f --- /dev/null +++ b/docs/configuration/initiatives/rules/images/allowed-npm-registries.md @@ -0,0 +1,67 @@ +--- +sidebar_label: Verify NPM Packages Origin +title: Verify NPM Packages Origin +--- +# Verify NPM Packages Origin +**Type:** Rule +**ID:** `sbom-allowed-npm-registries` +**Source:** [v2/rules/images/allowed-npm-registries.yaml](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/images/allowed-npm-registries.yaml) +**Rego Source:** [allowed-npm-registries.rego](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/images/allowed-npm-registries.rego) +**Labels:** SBOM, Image + +Verify that the artifact contains only components from allowed NPM registries. + +:::note +This rule requires Image SBOM. See [here](/docs/valint/sbom) for more details. +::: +:::note +Components type reference: https://cyclonedx.org/docs/1.6/json/#components_items_type +::: +:::tip +Signed Evidence for this rule **IS NOT** required by default but is recommended. +::: +:::warning +Rule requires evaluation with a target. Without one, it will be **disabled** unless the `--all-evidence` flag is provided. +::: +:::info +Rule is scoped by product and target. +::: + +## Usage example + +```yaml +uses: images/allowed-npm-registries@v2 +with: + types: + - library + - operating-system +``` + +## Mitigation +Ensures that only NPM components from approved registries are included in the SBOM, reducing the risk of introducing vulnerabilities or unapproved dependencies into the software supply chain. + + +## Description +This rule inspects the CycloneDX SBOM evidence for the artifact to verify that it contains only components from allowed registries. +It performs the following steps: + +1. Iterates over NPM components listed in the SBOM. +2. For remotely installed components, checks the `registryUrl` property to ensure it matches one of the allowed NPM registries specified in the `with.allowed_registries` configuration. + +**Evidence Requirements:** +- Evidence must be provided in the CycloneDX JSON format. +- The SBOM must include a list of components with their types and names. + +## Evidence Requirements +| Field | Value | +|-------|-------| +| filter-by | ['product', 'target'] | +| signed | False | +| content_body_type | cyclonedx-json | +| target_type | container | + +## Input Definitions +| Parameter | Type | Required | Description | +|-----------|------|----------|-------------| +| allowed_registries | array | False | A list of allowed NPM registries. | + diff --git a/docs/configuration/initiatives/rules/jenkins/folder/evidence-exists.md b/docs/configuration/initiatives/rules/jenkins/folder/evidence-exists.md new file mode 100644 index 000000000..21ee07092 --- /dev/null +++ b/docs/configuration/initiatives/rules/jenkins/folder/evidence-exists.md @@ -0,0 +1,53 @@ +--- +sidebar_label: Require Jenkins Folder Discovery Evidence +title: Require Jenkins Folder Discovery Evidence +--- +# Require Jenkins Folder Discovery Evidence +**Type:** Rule +**ID:** `jenkins-folder-exists` +**Source:** [v2/rules/jenkins/folder/evidence-exists.yaml](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/jenkins/folder/evidence-exists.yaml) +**Rego Source:** [evidence-exists.rego](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/jenkins/folder/evidence-exists.rego) +**Labels:** Jenkins, Folder + +Verify the Jenkins Folder exists as evidence. + +:::note +This rule requires Jenkins Folder Discovery Evidence. See [here](/docs/platforms/discover#jenkins-discovery) for more details. +::: +:::tip +> Evidence **IS** required for this rule and will fail if missing. +::: +:::tip +Signed Evidence for this rule **IS NOT** required by default but is recommended. +::: +:::warning +Rule requires evaluation with a target. Without one, it will be **disabled** unless the `--all-evidence` flag is provided. +::: + +## Usage example + +```yaml +uses: jenkins/folder/evidence-exists@v2 +``` + +## Evidence Requirements +| Field | Value | +|-------|-------| +| signed | False | +| content_body_type | generic | +| target_type | data | +| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | +| asset_platform | jenkins | +| asset_type | folder | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "folder" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` + diff --git a/docs/configuration/initiatives/rules/jenkins/folder/exposed-credentials.md b/docs/configuration/initiatives/rules/jenkins/folder/exposed-credentials.md index 851ca8a62..6c6a8771a 100644 --- a/docs/configuration/initiatives/rules/jenkins/folder/exposed-credentials.md +++ b/docs/configuration/initiatives/rules/jenkins/folder/exposed-credentials.md @@ -12,7 +12,7 @@ title: Verify Exposed Credentials Verify there are no exposed credentials. :::note -This rule requires Discovery Evidence. See [here](/docs/platforms/discover) for more details. +This rule requires Jenkins Folder Discovery Evidence. See [here](/docs/platforms/discover#jenkins-discovery) for more details. ::: :::tip Signed Evidence for this rule **IS NOT** required by default but is recommended. @@ -48,5 +48,17 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - asset_type=folder | +| asset_platform | jenkins | +| asset_type | folder | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "folder" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` diff --git a/docs/configuration/initiatives/rules/jenkins/instance/evidence-exists.md b/docs/configuration/initiatives/rules/jenkins/instance/evidence-exists.md new file mode 100644 index 000000000..5b757d3ec --- /dev/null +++ b/docs/configuration/initiatives/rules/jenkins/instance/evidence-exists.md @@ -0,0 +1,53 @@ +--- +sidebar_label: Require Jenkins Instance Discovery Evidence +title: Require Jenkins Instance Discovery Evidence +--- +# Require Jenkins Instance Discovery Evidence +**Type:** Rule +**ID:** `jenkins-instance-exists` +**Source:** [v2/rules/jenkins/instance/evidence-exists.yaml](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/jenkins/instance/evidence-exists.yaml) +**Rego Source:** [evidence-exists.rego](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/jenkins/instance/evidence-exists.rego) +**Labels:** Jenkins, Instance + +Verify the Jenkins Instance exists as evidence. + +:::note +This rule requires Jenkins Instance Discovery Evidence. See [here](/docs/platforms/discover#jenkins-discovery) for more details. +::: +:::tip +> Evidence **IS** required for this rule and will fail if missing. +::: +:::tip +Signed Evidence for this rule **IS NOT** required by default but is recommended. +::: +:::warning +Rule requires evaluation with a target. Without one, it will be **disabled** unless the `--all-evidence` flag is provided. +::: + +## Usage example + +```yaml +uses: jenkins/instance/evidence-exists@v2 +``` + +## Evidence Requirements +| Field | Value | +|-------|-------| +| signed | False | +| content_body_type | generic | +| target_type | data | +| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | +| asset_platform | jenkins | +| asset_type | instance | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "instance" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` + diff --git a/docs/configuration/initiatives/rules/jenkins/instance/inactive-users.md b/docs/configuration/initiatives/rules/jenkins/instance/inactive-users.md index e4a94c697..75b15f5ad 100644 --- a/docs/configuration/initiatives/rules/jenkins/instance/inactive-users.md +++ b/docs/configuration/initiatives/rules/jenkins/instance/inactive-users.md @@ -49,7 +49,19 @@ It performs the following steps: | signed | False | | content_body_type | generic | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - asset_type=instance
- platform=jenkins | +| asset_platform | jenkins | +| asset_type | instance | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "instance" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/jenkins/instance/unused-users.md b/docs/configuration/initiatives/rules/jenkins/instance/unused-users.md index e389c4c5b..f4daabdd7 100644 --- a/docs/configuration/initiatives/rules/jenkins/instance/unused-users.md +++ b/docs/configuration/initiatives/rules/jenkins/instance/unused-users.md @@ -47,5 +47,17 @@ It performs the following steps: | signed | False | | content_body_type | generic | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - asset_type=instance
- platform=jenkins | +| asset_platform | jenkins | +| asset_type | instance | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "instance" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` diff --git a/docs/configuration/initiatives/rules/k8s/namespace/allowed-images.md b/docs/configuration/initiatives/rules/k8s/namespace/allowed-images.md index 6d4175020..adbf66157 100644 --- a/docs/configuration/initiatives/rules/k8s/namespace/allowed-images.md +++ b/docs/configuration/initiatives/rules/k8s/namespace/allowed-images.md @@ -53,7 +53,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - asset_type=namespace
- platform=k8s | +| asset_platform | k8s | +| asset_type | namespace | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "namespace" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/k8s/namespace/allowed-registries.md b/docs/configuration/initiatives/rules/k8s/namespace/allowed-registries.md index 86df02e4e..236b1f84c 100644 --- a/docs/configuration/initiatives/rules/k8s/namespace/allowed-registries.md +++ b/docs/configuration/initiatives/rules/k8s/namespace/allowed-registries.md @@ -53,7 +53,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - asset_type=namespace
- platform=k8s | +| asset_platform | k8s | +| asset_type | namespace | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "namespace" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/k8s/namespace/evidence-exists.md b/docs/configuration/initiatives/rules/k8s/namespace/evidence-exists.md new file mode 100644 index 000000000..4eaa7c886 --- /dev/null +++ b/docs/configuration/initiatives/rules/k8s/namespace/evidence-exists.md @@ -0,0 +1,53 @@ +--- +sidebar_label: Require K8s Namespace Discovery Evidence +title: Require K8s Namespace Discovery Evidence +--- +# Require K8s Namespace Discovery Evidence +**Type:** Rule +**ID:** `k8s-namespace-exists` +**Source:** [v2/rules/k8s/namespace/evidence-exists.yaml](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/k8s/namespace/evidence-exists.yaml) +**Rego Source:** [evidence-exists.rego](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/k8s/namespace/evidence-exists.rego) +**Labels:** K8s, Namespace + +Verify the K8s Namespace exists as evidence. + +:::note +This rule requires K8s Namespace Discovery Evidence. See [here](/docs/platforms/discover#k8s-discovery) for more details. +::: +:::tip +> Evidence **IS** required for this rule and will fail if missing. +::: +:::tip +Signed Evidence for this rule **IS NOT** required by default but is recommended. +::: +:::warning +Rule requires evaluation with a target. Without one, it will be **disabled** unless the `--all-evidence` flag is provided. +::: + +## Usage example + +```yaml +uses: k8s/namespace/evidence-exists@v2 +``` + +## Evidence Requirements +| Field | Value | +|-------|-------| +| signed | False | +| content_body_type | generic | +| target_type | data | +| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | +| asset_platform | k8s | +| asset_type | namespace | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "namespace" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` + diff --git a/docs/configuration/initiatives/rules/k8s/namespace/verify-namespace-duration.md b/docs/configuration/initiatives/rules/k8s/namespace/verify-namespace-duration.md index 9f3ab6a6e..1f6880769 100644 --- a/docs/configuration/initiatives/rules/k8s/namespace/verify-namespace-duration.md +++ b/docs/configuration/initiatives/rules/k8s/namespace/verify-namespace-duration.md @@ -51,7 +51,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - asset_type=namespace
- platform=k8s | +| asset_platform | k8s | +| asset_type | namespace | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "namespace" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/k8s/namespace/verify-namespace-termination.md b/docs/configuration/initiatives/rules/k8s/namespace/verify-namespace-termination.md index 2f09ed274..9b1c0eb16 100644 --- a/docs/configuration/initiatives/rules/k8s/namespace/verify-namespace-termination.md +++ b/docs/configuration/initiatives/rules/k8s/namespace/verify-namespace-termination.md @@ -52,7 +52,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - asset_type=namespace
- platform=k8s | +| asset_platform | k8s | +| asset_type | namespace | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "namespace" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/k8s/namespace/white-listed-namespaces.md b/docs/configuration/initiatives/rules/k8s/namespace/white-listed-namespaces.md index 9fa04fe21..e118fc2aa 100644 --- a/docs/configuration/initiatives/rules/k8s/namespace/white-listed-namespaces.md +++ b/docs/configuration/initiatives/rules/k8s/namespace/white-listed-namespaces.md @@ -52,7 +52,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - asset_type=namespace
- platform=k8s | +| asset_platform | k8s | +| asset_type | namespace | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "namespace" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/k8s/namespace/white-listed-pod.md b/docs/configuration/initiatives/rules/k8s/namespace/white-listed-pod.md index 16ca50ecf..4bd55523d 100644 --- a/docs/configuration/initiatives/rules/k8s/namespace/white-listed-pod.md +++ b/docs/configuration/initiatives/rules/k8s/namespace/white-listed-pod.md @@ -55,7 +55,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - asset_type=namespace
- platform=k8s | +| asset_platform | k8s | +| asset_type | namespace | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "namespace" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/k8s/pods/evidence-exists.md b/docs/configuration/initiatives/rules/k8s/pods/evidence-exists.md new file mode 100644 index 000000000..b1bdce2b9 --- /dev/null +++ b/docs/configuration/initiatives/rules/k8s/pods/evidence-exists.md @@ -0,0 +1,53 @@ +--- +sidebar_label: Require K8s Pod Discovery Evidence +title: Require K8s Pod Discovery Evidence +--- +# Require K8s Pod Discovery Evidence +**Type:** Rule +**ID:** `k8s-pod-exists` +**Source:** [v2/rules/k8s/pods/evidence-exists.yaml](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/k8s/pods/evidence-exists.yaml) +**Rego Source:** [evidence-exists.rego](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/k8s/pods/evidence-exists.rego) +**Labels:** K8s, Pod + +Verify the K8s Pod exists as evidence. + +:::note +This rule requires K8s Pod Discovery Evidence. See [here](/docs/platforms/discover#k8s-discovery) for more details. +::: +:::tip +> Evidence **IS** required for this rule and will fail if missing. +::: +:::tip +Signed Evidence for this rule **IS NOT** required by default but is recommended. +::: +:::warning +Rule requires evaluation with a target. Without one, it will be **disabled** unless the `--all-evidence` flag is provided. +::: + +## Usage example + +```yaml +uses: k8s/pods/evidence-exists@v2 +``` + +## Evidence Requirements +| Field | Value | +|-------|-------| +| signed | False | +| content_body_type | generic | +| target_type | data | +| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | +| asset_platform | k8s | +| asset_type | pod | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "pod" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` + diff --git a/docs/configuration/initiatives/rules/k8s/pods/verify-pod-duration.md b/docs/configuration/initiatives/rules/k8s/pods/verify-pod-duration.md index 3bd9120a7..bbbc68efe 100644 --- a/docs/configuration/initiatives/rules/k8s/pods/verify-pod-duration.md +++ b/docs/configuration/initiatives/rules/k8s/pods/verify-pod-duration.md @@ -51,7 +51,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - asset_type=pod
- platform=k8s | +| asset_platform | k8s | +| asset_type | pod | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "pod" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/k8s/pods/verify-pod-termination.md b/docs/configuration/initiatives/rules/k8s/pods/verify-pod-termination.md index 0419bfd0d..e6c5a6fcd 100644 --- a/docs/configuration/initiatives/rules/k8s/pods/verify-pod-termination.md +++ b/docs/configuration/initiatives/rules/k8s/pods/verify-pod-termination.md @@ -48,5 +48,17 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - asset_type=pod
- platform=k8s | +| asset_platform | k8s | +| asset_type | pod | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "pod" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` diff --git a/docs/configuration/initiatives/rules/k8s/pods/white-listed-pod.md b/docs/configuration/initiatives/rules/k8s/pods/white-listed-pod.md index 2c2f7e044..397e71aa0 100644 --- a/docs/configuration/initiatives/rules/k8s/pods/white-listed-pod.md +++ b/docs/configuration/initiatives/rules/k8s/pods/white-listed-pod.md @@ -55,7 +55,19 @@ It performs the following steps: | content_body_type | generic | | target_type | data | | predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 | -| labels | - asset_type=pod
- platform=k8s | +| asset_platform | k8s | +| asset_type | pod | +| asset_name | Template value (see below) | + +**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details) + +``` +{{- if eq .Context.asset_type "pod" -}} +{{- on_target .Context.asset_name -}} +{{- else -}} +{{- on_target nil -}} +{{- end -}} +``` ## Input Definitions | Parameter | Type | Required | Description | diff --git a/docs/configuration/initiatives/rules/sarif/trivy/verify-cve-severity.md b/docs/configuration/initiatives/rules/sarif/trivy/verify-cve-severity.md index 070aa80fc..1f15794ba 100644 --- a/docs/configuration/initiatives/rules/sarif/trivy/verify-cve-severity.md +++ b/docs/configuration/initiatives/rules/sarif/trivy/verify-cve-severity.md @@ -18,9 +18,6 @@ the defined severity threshold. This rule requires SARIF Evidence. See [here](/docs/valint/sarif) for more details. ::: :::tip -> Evidence **IS** required for this rule and will fail if missing. -::: -:::tip Signed Evidence for this rule **IS NOT** required by default but is recommended. ::: :::info diff --git a/docs/configuration/initiatives/rules/sarif/trivy/verify-trivy-report.md b/docs/configuration/initiatives/rules/sarif/trivy/verify-trivy-report.md index 5104fbfec..313c70946 100644 --- a/docs/configuration/initiatives/rules/sarif/trivy/verify-trivy-report.md +++ b/docs/configuration/initiatives/rules/sarif/trivy/verify-trivy-report.md @@ -64,6 +64,7 @@ threshold. If the number of such violations exceeds the allowed maximum, a viola | rule_level | array | False | List of rule levels to check for in the Trivy SARIF report. | | precision | array | False | List of precision levels to check for in the Trivy SARIF report. | | rule_ids | array | False | List of rule IDs to check for in the Trivy SARIF report. | +| rule_names | array | False | List of rule names to check for in the Trivy SARIF report. | | ignore | array | False | List of rule IDs to ignore in the Trivy SARIF report. | | max_allowed | integer | False | The maximum number of allowed violations. | diff --git a/docs/configuration/initiatives/rules/sarif/verify-sarif.md b/docs/configuration/initiatives/rules/sarif/verify-sarif.md index 1dacfc9d2..9f4dda3f9 100644 --- a/docs/configuration/initiatives/rules/sarif/verify-sarif.md +++ b/docs/configuration/initiatives/rules/sarif/verify-sarif.md @@ -63,6 +63,7 @@ severity, and the corresponding location in the artifact. | rule_level | array | False | List of rule levels to check for in the SARIF report. | | precision | array | False | List of precision levels to check for in the SARIF report. | | rule_ids | array | False | List of rule IDs to check for in the SARIF report. | +| rule_names | array | False | List of rule names to check for in the SARIF report. | | ignore | array | False | List of rule IDs to ignore in the SARIF report. | | max_allowed | integer | False | The maximum number of allowed violations. | diff --git a/docs/configuration/initiatives/sp-800-190.md b/docs/configuration/initiatives/sp-800-190.md index d7f0538c5..c9d45f4c6 100644 --- a/docs/configuration/initiatives/sp-800-190.md +++ b/docs/configuration/initiatives/sp-800-190.md @@ -41,15 +41,20 @@ Ensures that all container images meet organizational security policies before | Rule ID | Rule Name | Rule Description | |---------|-----------|------------------| -| [trivy-verify-vulnerability-findings](rules/sarif/trivy/verify-cve-severity.md) | [4.1.1 Severity-Based Vulnerabilities (Trivy)](rules/sarif/trivy/verify-cve-severity.md) | Ensures that images do not contain high-severity vulnerabilities. Blocks images if any CVEs exceed the defined severity threshold. | -| [trivy-blocklist-cve](rules/sarif/trivy/blocklist-cve.md) | [4.1.1 High-Profile Vulnerabilities (Trivy)](rules/sarif/trivy/blocklist-cve.md) | Blocks images that contain specific high-profile CVEs that are actively exploited or widely known. | -| [sbom-disallowed-users](rules/images/banned-users.md) | [4.1.2 Default Non-Root User](rules/images/banned-users.md) | Ensures that containers do not run as the root user. | -| [images-banned-ports](rules/images/banned-ports.md) | [4.1.2 Banned Open Port 22](rules/images/banned-ports.md) | Blocks images that expose SSH (port 22), which should not be used in containerized applications. | -| [images-require-healthcheck](rules/images/require-healthcheck.md) | [4.1.3 Set HEALTHCHECK Instruction](rules/images/require-healthcheck.md) | Ensures that container images include a HEALTHCHECK instruction to monitor their runtime health. | -| [image-labels](rules/images/verify-labels.md) | [4.1.3 Verify Required Image Labels](rules/images/verify-labels.md) | Enforces the presence of essential OpenContainers labels, such as creation time, version, and source repository. | -| [images-allowed-base-image](rules/images/allowed-base-image.md) | [4.1.5 Approved Source Base Images](rules/images/allowed-base-image.md) | Ensures that base images originate from approved and trusted sources. | -| [images-allowed-image-source](rules/images/allowed-image-source.md) | [4.1.5 Approved Source Images](rules/images/allowed-image-source.md) | Ensures that application images are built from approved sources. | -| [images-require-signed-image](rules/images/image-signed.md) | [4.1.5 Signed Images](rules/images/image-signed.md) | Ensures that images are cryptographically signed before execution. | +| [4.1.1-trivy-verify-vulnerability-findings](rules/sarif/trivy/verify-cve-severity.md) | [4.1.1 Severity-Based Vulnerabilities](rules/sarif/trivy/verify-cve-severity.md) | Ensures that images do not contain high-severity vulnerabilities. Blocks images if any CVEs exceed the defined severity threshold. | +| [4.1.1-trivy-blocklist-cve](rules/sarif/trivy/blocklist-cve.md) | [4.1.1 High-Profile Vulnerabilities](rules/sarif/trivy/blocklist-cve.md) | Blocks images that contain specific high-profile CVEs that are actively exploited or widely known. | +| [4.1.1-scribe-api-verify-vulnerability-findings](rules/api/scribe-api-cve.md) | [4.1.1 Severity-Based Vulnerabilities](rules/api/scribe-api-cve.md) | Ensures that images do not contain high-severity vulnerabilities. Blocks images if any CVEs exceed the defined severity threshold. | +| [4.1.1-scribe-api-blocklist-cve](rules/api/scribe-api-cve.md) | [4.1.1 High-Profile Vulnerabilities](rules/api/scribe-api-cve.md) | Blocks images that contain specific high-profile CVEs that are actively exploited or widely known. | +| [4.1.2-image-disallowed-users](rules/images/banned-users.md) | [4.1.2 Default Non-Root User](rules/images/banned-users.md) | Ensures that containers do not run as the root user. | +| [4.1.2-image-banned-ports](rules/images/banned-ports.md) | [4.1.2 Banned Open Port 22](rules/images/banned-ports.md) | Blocks images that expose SSH (port 22), which should not be used in containerized applications. | +| [4.1.2-image-allowed-base](rules/images/allowed-base-image.md) | [4.1.2 Approved Source Base Images](rules/images/allowed-base-image.md) | Ensures that base images originate from approved and trusted sources. | +| [4.1.2-image-fresh-base](rules/images/fresh-base-image.md) | [4.1.2 Up-to-Date Base Images](rules/images/fresh-base-image.md) | Ensures that base images are not older than a specified time limit. | +| [4.1.3-image-require-healthcheck](rules/images/require-healthcheck.md) | [4.1.3 Set HEALTHCHECK Instruction](rules/images/require-healthcheck.md) | Ensures that container images include a HEALTHCHECK instruction to monitor their runtime health. | +| [4.1.3-image-verify-labels](rules/images/verify-labels.md) | [4.1.3 Verify Required Image Labels](rules/images/verify-labels.md) | Enforces the presence of essential OpenContainers labels, such as creation time, version, and source repository. | +| [4.1.5-image-allowed-base](rules/images/allowed-base-image.md) | [4.1.5 Approved Source Base Images](rules/images/allowed-base-image.md) | Ensures that base images originate from approved and trusted sources. | +| [4.1.5-image-allowed-source](rules/images/allowed-image-source.md) | [4.1.5 Approved Source Images](rules/images/allowed-image-source.md) | Ensures that application images are built from approved sources. | +| [4.1.5-image-signed](rules/images/image-signed.md) | [4.1.5 Signed Images](rules/images/image-signed.md) | Ensures that images are cryptographically signed before execution. | +| [4.1.5-image-fresh](rules/images/fresh-image.md) | [4.1.5 Fresh Images](rules/images/fresh-image.md) | Ensures that images are not older than a specified time limit. | ## [4.2] 4.2 REGISTRY COUNTERMEASURES @@ -63,6 +68,6 @@ Reduces risks associated with registry security, stale images, and unauthorized | Rule ID | Rule Name | Rule Description | |---------|-----------|------------------| -| [images-registry-https-check](rules/images/enforce-https-registry.md) | [4.2.1 Registry Connection Enforcement](rules/images/enforce-https-registry.md) | Ensures that images are only pulled from registries using HTTPS. | -| [images-fresh-base-image](rules/images/fresh-base-image.md) | [4.2.2 Up-to-Date Base Images](rules/images/fresh-base-image.md) | Ensures that base images are not older than a specified time limit. | -| [fresh-image](rules/images/fresh-image.md) | [4.2.2 Up-to-Date Derived Images](rules/images/fresh-image.md) | Ensures that derived images are refreshed regularly and not outdated. | +| [4.2.1-registry-enforce-https](rules/images/enforce-https-registry.md) | [4.2.1 Registry Connection Enforcement](rules/images/enforce-https-registry.md) | Ensures that images are only pulled from registries using HTTPS. | +| [4.2.2-registry-fresh-base](rules/images/fresh-base-image.md) | [4.2.2 Up-to-Date Base Images](rules/images/fresh-base-image.md) | Ensures that base images are not older than a specified time limit. | +| [4.2.2-registry-fresh-image](rules/images/fresh-image.md) | [4.2.2 Up-to-Date Derived Images](rules/images/fresh-image.md) | Ensures that derived images are refreshed regularly and not outdated. | diff --git a/docs/configuration/initiatives/sspb-gh.md b/docs/configuration/initiatives/sspb-gh.md index 90d5a22ae..1381a0408 100644 --- a/docs/configuration/initiatives/sspb-gh.md +++ b/docs/configuration/initiatives/sspb-gh.md @@ -153,6 +153,7 @@ Teams should be aware of implicit runtime dependencies as well as explicit build | Rule ID | Rule Name | Rule Description | |---------|-----------|------------------| | [allowed-base-image](rules/images/allowed-base-image.md) | [Ensure that base images are from an approved source](rules/images/allowed-base-image.md) | Verifies that every base image is from an approved source. The rule returns a summary including the component names and versions of valid base images, or lists the invalid ones. This rule requires Dockerfile context; for example, run it with: `valint my_image --base-image Dockerfile`. | +| [allowed-npm-registries](rules/images/allowed-npm-registries.md) | [Verify NPM Packages Origin](rules/images/allowed-npm-registries.md) | Verify that the artifact contains only components from allowed NPM registries. | ## [CTL-6] Any critical or high severity vulnerability breaks the build diff --git a/docs/configuration/initiatives/sspb-gl.md b/docs/configuration/initiatives/sspb-gl.md index 44e5e0faa..e35c7bf53 100644 --- a/docs/configuration/initiatives/sspb-gl.md +++ b/docs/configuration/initiatives/sspb-gl.md @@ -156,6 +156,7 @@ Teams should be aware of implicit runtime dependencies as well as explicit build | Rule ID | Rule Name | Rule Description | |---------|-----------|------------------| | [allowed-base-image](rules/images/allowed-base-image.md) | [Ensure that base images are from an approved source](rules/images/allowed-base-image.md) | Verifies that every base image is from an approved source. The rule returns a summary including the component names and versions of valid base images, or lists the invalid ones. This rule requires Dockerfile context; for example, run it with: `valint my_image --base-image Dockerfile`. | +| [allowed-npm-registries](rules/images/allowed-npm-registries.md) | [Verify NPM Packages Origin](rules/images/allowed-npm-registries.md) | Verify that the artifact contains only components from allowed NPM registries. | ## [CTL-6] Any critical or high severity vulnerability breaks the build diff --git a/docs/guides/enforcing-sdlc-initiative.md b/docs/guides/enforcing-sdlc-initiative.md index e14462cfd..77e47aba3 100644 --- a/docs/guides/enforcing-sdlc-initiative.md +++ b/docs/guides/enforcing-sdlc-initiative.md @@ -35,7 +35,7 @@ For a detailed initiative description, see the **[initiatives](../valint/initiat See [Getting started with valint](../valint/getting-started-valint.md) for more information on the `bom` command. -Alternatively, you can use GitHub actions, as described in detail in [Setting up an integration in GitHub](../quick-start/set-up-integration/set-up-github.md). +Alternatively, you can use GitHub actions, as described in detail in [Setting up an integration in GitHub](../../integrating-scribe/ci-integrations/github). ### Verifying an initiative @@ -449,7 +449,8 @@ To use a custom initiatives rule catalog, you can specify the path to the catalo | [SLSA L1 Framework](/docs/configuration/initiatives/slsa.l1.md) | Evaluate SLSA Level 1 | | [SLSA L2 Framework](/docs/configuration/initiatives/slsa.l2.md) | Evaluate SLSA Level 2 | | [SSDF Client Initiative](/docs/configuration/initiatives/ssdf.md) | Evaluate PS rules from the SSDF initiative | -| [Secure Software Pipeline Blueprint](/docs/configuration/initiatives/sspb.md) | Blueprint for secure pipelines - Gitlab | +| [Secure Software Pipeline Blueprint](/docs/configuration/initiatives/sspb-gl.md) | Blueprint for secure pipelines - Gitlab | +| [Secure Software Pipeline Blueprint](/docs/configuration/initiatives/sspb-gh.md) | Blueprint for secure pipelines - GitHub | ## Rules @@ -461,6 +462,7 @@ To use a custom initiatives rule catalog, you can specify the path to the catalo |-----------|-------------| | [Apply Scribe Template Policy](/docs/configuration/initiatives/rules/api/scribe-api.md) | Verify XX using the Scribe API template rule. | | [Scribe Published Policy](/docs/configuration/initiatives/rules/api/scribe-api-published.md) | Verify image Scribe Publish flag is set for container image. | +| [Verify No Critical or High Vulnerabilities](/docs/configuration/initiatives/rules/api/scribe-api-cve.md) | Verify via Scribe API that there are no critical or high severity vulnerabilities in the target artifact (container image, folder, etc.). | | [NTIA SBOM Compliance Check](/docs/configuration/initiatives/rules/sbom/NTIA-compliance.md) | Validates that SBOM metadata meets basic NTIA requirements for authors and supplier. | | [Enforce SBOM Freshness](/docs/configuration/initiatives/rules/sbom/fresh-sbom.md) | Verify the SBOM is not older than the specified duration. | | [Require SBOM Existence](/docs/configuration/initiatives/rules/sbom/evidence-exists.md) | Verify the SBOM exists as evidence. | @@ -473,7 +475,6 @@ To use a custom initiatives rule catalog, you can specify the path to the catalo | Rule Name | Description | |-----------|-------------| -| [Verify File Integrity](/docs/configuration/initiatives/rules/multievidence/files_integrity.md) | Verify the checksum of each file in one SBOM matches the checksum in a second SBOM. | | [Verify Image Labels](/docs/configuration/initiatives/rules/images/verify-labels.md) | Verify specified labels key-value pairs exist in the image. | | [Forbid Large Images](/docs/configuration/initiatives/rules/images/forbid-large-images.md) | Verify the image size is below the specified threshold. | | [Disallow Container Shell Entrypoint](/docs/configuration/initiatives/rules/images/restrict-shell-entrypoint.md) | Verify the container image disallows shell entrypoint. | @@ -482,13 +483,13 @@ To use a custom initiatives rule catalog, you can specify the path to the catalo | [Disallow Specific Users in SBOM](/docs/configuration/initiatives/rules/images/banned-users.md) | Verify specific users are not allowed in an SBOM. | | [Restrict Build Scripts](/docs/configuration/initiatives/rules/images/blocklist-build-scripts.md) | Verify no build scripts commands appear in block list. | | [Registry Connection HTTPS](/docs/configuration/initiatives/rules/images/enforce-https-registry.md) | Checks if the container's registry scheme is HTTPS | +| [Verify NPM Packages Origin](/docs/configuration/initiatives/rules/images/allowed-npm-registries.md) | Verify that the artifact contains only components from allowed NPM registries. | | [Require Image Labels](/docs/configuration/initiatives/rules/images/verify-labels-exist.md) | Verify the image has the specified labels. | | [Require Healthcheck](/docs/configuration/initiatives/rules/images/require-healthcheck.md) | Checks that the container image includes at least one healthcheck property. | | [Allowed Base Image](/docs/configuration/initiatives/rules/images/allowed-base-image.md) | Verifies that every base image is from an approved source. The rule returns a summary including the component names and versions of valid base images, or lists the invalid ones. This rule requires Dockerfile context; for example, run it with: `valint my_image --base-image Dockerfile`. | | [Fresh Image](/docs/configuration/initiatives/rules/images/fresh-image.md) | Verify the image is not older than the specified threshold. | | [Allowed Main Image Source](/docs/configuration/initiatives/rules/images/allowed-image-source.md) | Ensures the main container image referenced in the SBOM is from an approved source. | | [Require Signed Container Image](/docs/configuration/initiatives/rules/images/image-signed.md) | Enforces that container images (target_type=container) are cryptographically signed. | -| [Verify No Critical or High Vulnerabilities](/docs/configuration/initiatives/rules/api/scribe-api-cve.md) | Verify via Scribe API that there are no critical or high severity vulnerabilities in the target artifact (container image, folder, etc.). | | [Disallow Specific Users in SBOM](/docs/configuration/initiatives/rules/sbom/banned-users.md) | Verify specific users are not allowed in an SBOM. | | [Enforce SBOM Dependencies](/docs/configuration/initiatives/rules/sbom/required-packages.md) | Verify the artifact includes all required dependencies. | | [Enforce SBOM License Completeness](/docs/configuration/initiatives/rules/sbom/complete-licenses.md) | Verify all dependencies in the artifact have a license. | @@ -536,6 +537,7 @@ To use a custom initiatives rule catalog, you can specify the path to the catalo | Rule Name | Description | |-----------|-------------| +| [3rd Party Scanner Violations](/docs/configuration/initiatives/rules/generic/3rd-pty.md) | Limit allowed violations in 3rd party scanner reports | | [Required Trivy Evidence Exists](/docs/configuration/initiatives/rules/generic/trivy-exists.md) | Verify required Trivy evidence exists | | [Required Generic Evidence Exists](/docs/configuration/initiatives/rules/generic/evidence-exists.md) | Verify required evidence exists. | | [Generic Artifact Signed](/docs/configuration/initiatives/rules/generic/artifact-signed.md) | Verify required evidence is signed. | @@ -553,6 +555,7 @@ To use a custom initiatives rule catalog, you can specify the path to the catalo | [Verify `secret_scanning` Setting in `security_and_analysis`](/docs/configuration/initiatives/rules/github/org/secret-scanning-sa.md) | Verify secret scanning is configured in the GitHub repository. | | [Limit Admin Number in GitHub Organization](/docs/configuration/initiatives/rules/github/org/max-admins.md) | Verify the maximum number of GitHub organization admins is restricted. | | [Verify `advanced_security_enabled_for_new_repositories` setting](/docs/configuration/initiatives/rules/github/org/advanced-security.md) | Verify Advanced Security is enabled for new repositories in the GitHub organization. | +| [Require GitHub Organization Discovery Evidence](/docs/configuration/initiatives/rules/github/org/evidence-exists.md) | Verify the GitHub Organization exists as evidence. | | [Verify dependency_graph_enabled_for_new_repositories setting](/docs/configuration/initiatives/rules/github/org/dependency-graph.md) | Verify dependency graph is enabled for new repositories in the GitHub organization. | | [Verify GitHub Organization Requires Signoff on Web Commits](/docs/configuration/initiatives/rules/github/org/web-commit-signoff.md) | Verify contributors sign commits through the GitHub web interface. | | [Verify Two-Factor Authentication (2FA) Requirement Enabled](/docs/configuration/initiatives/rules/github/org/2fa.md) | Verify Two-factor Authentication is required in the GitHub organization. | @@ -574,9 +577,11 @@ To use a custom initiatives rule catalog, you can specify the path to the catalo | Rule Name | Description | |-----------|-------------| +| [Pull request approval policy check for GitHub repository](/docs/configuration/initiatives/rules/github/repository/approvals-policy-check.md) | Verify the repository's pull request approval policy | | [Verify secret scanning.](/docs/configuration/initiatives/rules/github/repository/validity-checks.md) | Verify both `secret_scanning_validity_checks` and `security_and_analysis` are set in GitHub organization and all the repositories. | | [Verify Dependabot security updates setting](/docs/configuration/initiatives/rules/github/repository/dependabot.md) | Verify Dependabot security updates are configured in the GitHub repository. | | [Verify Repository Is Private](/docs/configuration/initiatives/rules/github/repository/repo-private.md) | Verify the GitHub repository is private. | +| [Require GitHub Repository Discovery Evidence](/docs/configuration/initiatives/rules/github/repository/evidence-exists.md) | Verify the GitHub Repository exists as evidence. | | [Verify Repository Requires Commit Signoff](/docs/configuration/initiatives/rules/github/repository/web-commit-signoff.md) | Verify contributors sign off on commits to the GitHub repository through the GitHub web interface. | | [Verify Default Branch Protection](/docs/configuration/initiatives/rules/github/repository/default-branch-protection.md) | Verify the default branch protection is configured in the GitHub repository. | | [Verify No Old Secrets Exist in Repository](/docs/configuration/initiatives/rules/github/repository/old-secrets.md) | Verify secrets in the GitHub repository are not older than the specified threshold. | @@ -662,6 +667,7 @@ To use a custom initiatives rule catalog, you can specify the path to the catalo |-----------|-------------| | [Allowed Container Images](/docs/configuration/initiatives/rules/k8s/namespace/allowed-images.md) | Verify only container images specified in the Allowed List run within the Kubernetes namespace. | | [Verify Namespace Termination](/docs/configuration/initiatives/rules/k8s/namespace/verify-namespace-termination.md) | Verify Kubernetes namespaces are properly terminated to prevent lingering resources and maintain cluster hygiene. | +| [Require K8s Namespace Discovery Evidence](/docs/configuration/initiatives/rules/k8s/namespace/evidence-exists.md) | Verify the K8s Namespace exists as evidence. | | [Allowed Namespaces](/docs/configuration/initiatives/rules/k8s/namespace/white-listed-namespaces.md) | Verify only namespaces specified in the Allowed List are allowed within the cluster. | | [Verify Namespace Runtime Duration](/docs/configuration/initiatives/rules/k8s/namespace/verify-namespace-duration.md) | Verify Kubernetes namespaces adhere to a specified runtime duration to enforce lifecycle limits. | | [Allowed Namespace Registries](/docs/configuration/initiatives/rules/k8s/namespace/allowed-registries.md) | Verify container images in Kubernetes namespaces originate from registries in the Allowed List. | @@ -674,6 +680,7 @@ To use a custom initiatives rule catalog, you can specify the path to the catalo | Rule Name | Description | |-----------|-------------| | [Verify Pod Runtime Duration](/docs/configuration/initiatives/rules/k8s/pods/verify-pod-duration.md) | Verify Kubernetes pods adhere to a specified runtime duration to enforce lifecycle limits. | +| [Require K8s Pod Discovery Evidence](/docs/configuration/initiatives/rules/k8s/pods/evidence-exists.md) | Verify the K8s Pod exists as evidence. | | [Verify Pod Termination](/docs/configuration/initiatives/rules/k8s/pods/verify-pod-termination.md) | Verify Kubernetes pods are properly terminated to prevent lingering resources and maintain cluster hygiene. | | [Allowed Pods](/docs/configuration/initiatives/rules/k8s/pods/white-listed-pod.md) | Verify only pods explicitly listed in the Allowed List are allowed to run. | @@ -684,6 +691,7 @@ To use a custom initiatives rule catalog, you can specify the path to the catalo | Rule Name | Description | |-----------|-------------| | [Prevent Long-Lived Tokens](/docs/configuration/initiatives/rules/bitbucket/project/long-live-tokens.md) | Verify Bitbucket API tokens expire before the maximum time to live. | +| [Require Bitbucket Project Discovery Evidence](/docs/configuration/initiatives/rules/bitbucket/project/evidence-exists.md) | Verify the Bitbucket Project exists as evidence. | | [Allowed Project Admins](/docs/configuration/initiatives/rules/bitbucket/project/allow-admins.md) | Verify only users specified in the Allowed List have admin privileges in the Bitbucket project. | | [Allowed Project Users](/docs/configuration/initiatives/rules/bitbucket/project/allow-users.md) | Verify only users specified in the Allowed List have user access to the Bitbucket project. | | [Prevent Credential Exposure](/docs/configuration/initiatives/rules/bitbucket/project/exposed-credentials.md) | Verify access to the Bitbucket project is blocked if exposed credentials are detected. | @@ -694,6 +702,7 @@ To use a custom initiatives rule catalog, you can specify the path to the catalo | Rule Name | Description | |-----------|-------------| +| [Require Bitbucket Repository Discovery Evidence](/docs/configuration/initiatives/rules/bitbucket/repository/evidence-exists.md) | Verify the Bitbucket Repository exists as evidence. | | [Allowed Repository Admins](/docs/configuration/initiatives/rules/bitbucket/repository/allow-admins.md) | Verify only users specified in the Allowed List have admin privileges in the Bitbucket repository. | | [Verify Default Branch Protection Setting Is Configured](/docs/configuration/initiatives/rules/bitbucket/repository/branch-protection.md) | Verify the default branch protection is enabled in the Bitbucket repository. | | [Allowed Repository Users](/docs/configuration/initiatives/rules/bitbucket/repository/allow-users.md) | Verify only users specified in the Allowed List have user access to the Bitbucket repository. | @@ -704,27 +713,27 @@ To use a custom initiatives rule catalog, you can specify the path to the catalo | Rule Name | Description | |-----------|-------------| +| [Require Bitbucket Workspace Discovery Evidence](/docs/configuration/initiatives/rules/bitbucket/workspace/evidence-exists.md) | Verify the Bitbucket Workspace exists as evidence. | | [Allowed Workspace Admins](/docs/configuration/initiatives/rules/bitbucket/workspace/allow-admins.md) | Verify only users specified in the Allowed List have admin privileges in the Bitbucket workspace. | | [Allowed Workspace Users](/docs/configuration/initiatives/rules/bitbucket/workspace/allow-users.md) | Verify only users specified in the Allowed List have user access to the Bitbucket workspace. | -### Discovery Evidence +### Dockerhub Project Discovery Evidence -**Evidence Type:** [Discovery Evidence](/docs/platforms/discover) +**Evidence Type:** [Dockerhub Project Discovery Evidence](/docs/platforms/discover#dockerhub-discovery) | Rule Name | Description | |-----------|-------------| -| [Verify GitLab Pipeline Labels](/docs/configuration/initiatives/rules/gitlab/pipeline/verify-labels.md) | Verify the pipeline includes all required label keys and values. | -| [GitLab pipeline verify labels exist](/docs/configuration/initiatives/rules/gitlab/pipeline/verify-labels-exist.md) | Verify the pipeline has all required label keys and values. | -| [Verify Exposed Credentials](/docs/configuration/initiatives/rules/jenkins/folder/exposed-credentials.md) | Verify there are no exposed credentials. | +| [Verify DockerHub Tokens are Active](/docs/configuration/initiatives/rules/dockerhub/token-expiration.md) | Verify that all discovered Dockerhub tokens are set to Active in Dockerhub. | +| [Verify no unused Dockerhub](/docs/configuration/initiatives/rules/dockerhub/token-not-used.md) | Verify that there are no unused Dockerhub. | -### Dockerhub Project Discovery Evidence +### Jenkins Folder Discovery Evidence -**Evidence Type:** [Dockerhub Project Discovery Evidence](/docs/platforms/discover#dockerhub-discovery) +**Evidence Type:** [Jenkins Folder Discovery Evidence](/docs/platforms/discover#jenkins-discovery) | Rule Name | Description | |-----------|-------------| -| [Verify DockerHub Tokens are Active](/docs/configuration/initiatives/rules/dockerhub/token-expiration.md) | Verify that all discovered Dockerhub tokens are set to Active in Dockerhub. | -| [Verify no unused Dockerhub](/docs/configuration/initiatives/rules/dockerhub/token-not-used.md) | Verify that there are no unused Dockerhub. | +| [Require Jenkins Folder Discovery Evidence](/docs/configuration/initiatives/rules/jenkins/folder/evidence-exists.md) | Verify the Jenkins Folder exists as evidence. | +| [Verify Exposed Credentials](/docs/configuration/initiatives/rules/jenkins/folder/exposed-credentials.md) | Verify there are no exposed credentials. | ### Jenkins Instance Discovery Evidence @@ -732,6 +741,7 @@ To use a custom initiatives rule catalog, you can specify the path to the catalo | Rule Name | Description | |-----------|-------------| +| [Require Jenkins Instance Discovery Evidence](/docs/configuration/initiatives/rules/jenkins/instance/evidence-exists.md) | Verify the Jenkins Instance exists as evidence. | | [Disallow Unused Users](/docs/configuration/initiatives/rules/jenkins/instance/unused-users.md) | Verify there are no users with zero activity. | | [Verify Inactive Users](/docs/configuration/initiatives/rules/jenkins/instance/inactive-users.md) | Verify there are no inactive users. | @@ -741,7 +751,7 @@ To use a custom initiatives rule catalog, you can specify the path to the catalo | Rule Name | Description | |-----------|-------------| -| [SLSA External Parameters Match in Provenance Document](/docs/configuration/initiatives/rules/slsa/verify-external-parameters.md) | Verify the specified exterenal parameters value match in the provenance document. | +| [SLSA External Parameters Match in Provenance Document](/docs/configuration/initiatives/rules/slsa/verify-external-parameters.md) | Verify the specified external parameters value match in the provenance document. | | [Verify that provenance is authenticated](/docs/configuration/initiatives/rules/slsa/l2-provenance-authenticated.md) | Verify the artifact is signed. | | [SLSA Field Exists in Provenance Document](/docs/configuration/initiatives/rules/slsa/field-exists.md) | Verify the specified field exists in the provenance document. | | [Verify Provenance Document Exists](/docs/configuration/initiatives/rules/slsa/l1-provenance-exists.md) | Verify that the Provenance document evidence exists. | @@ -763,6 +773,7 @@ To use a custom initiatives rule catalog, you can specify the path to the catalo | [Sign Selected Commits in GitLab](/docs/configuration/initiatives/rules/gitlab/api/signed-commits-list.md) | Verify the selected commits are signed in the GitLab organization. | | [Set Push Rules in GitLab](/docs/configuration/initiatives/rules/gitlab/api/push-rules.md) | Verify GitLab push rules are configured via the API. | | [Sign Selected Commit Range in GitLab](/docs/configuration/initiatives/rules/gitlab/api/signed-commits-range.md) | Verify the selected range of commits is signed via the GitLab API. | +| [Verify No 3rd Party Findings via Scribe API](/docs/configuration/initiatives/rules/api/scribe-api-findings.md) | Verify via Scribe API that there are no findings reported by 3rd party tools in the target product. | | [Verify No Critical or High Vulnerabilities in Product](/docs/configuration/initiatives/rules/api/scribe-api-cve-product.md) | Verify via Scribe API that there are no critical or high severity vulnerabilities in any deliverable component of the product. |