Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 18 additions & 10 deletions docs/configuration/initiatives/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@
|-----------|-------------|
| [Apply Scribe Template Policy](/docs/configuration/initiatives/rules/api/scribe-api.md) | Verify XX using the Scribe API template rule. |
| [Scribe Published Policy](/docs/configuration/initiatives/rules/api/scribe-api-published.md) | Verify image Scribe Publish flag is set for container image. |
| [Verify No Critical or High Vulnerabilities](/docs/configuration/initiatives/rules/api/scribe-api-cve.md) | Verify via Scribe API that there are no critical or high severity vulnerabilities in the target artifact (container image, folder, etc.). |
| [NTIA SBOM Compliance Check](/docs/configuration/initiatives/rules/sbom/NTIA-compliance.md) | Validates that SBOM metadata meets basic NTIA requirements for authors and supplier. |
| [Enforce SBOM Freshness](/docs/configuration/initiatives/rules/sbom/fresh-sbom.md) | Verify the SBOM is not older than the specified duration. |
| [Require SBOM Existence](/docs/configuration/initiatives/rules/sbom/evidence-exists.md) | Verify the SBOM exists as evidence. |
Expand All @@ -41,13 +42,13 @@
| [Disallow Specific Users in SBOM](/docs/configuration/initiatives/rules/images/banned-users.md) | Verify specific users are not allowed in an SBOM. |
| [Restrict Build Scripts](/docs/configuration/initiatives/rules/images/blocklist-build-scripts.md) | Verify no build scripts commands appear in block list. |
| [Registry Connection HTTPS](/docs/configuration/initiatives/rules/images/enforce-https-registry.md) | Checks if the container's registry scheme is HTTPS |
| [Verify NPM Packages Origin](/docs/configuration/initiatives/rules/images/allowed-npm-registries.md) | Verify that the artifact contains only components from allowed NPM registries. |
| [Require Image Labels](/docs/configuration/initiatives/rules/images/verify-labels-exist.md) | Verify the image has the specified labels. |
| [Require Healthcheck](/docs/configuration/initiatives/rules/images/require-healthcheck.md) | Checks that the container image includes at least one healthcheck property. |
| [Allowed Base Image](/docs/configuration/initiatives/rules/images/allowed-base-image.md) | Verifies that every base image is from an approved source. The rule returns a summary including the component names and versions of valid base images, or lists the invalid ones. This rule requires Dockerfile context; for example, run it with: `valint my_image --base-image Dockerfile`. |
| [Fresh Image](/docs/configuration/initiatives/rules/images/fresh-image.md) | Verify the image is not older than the specified threshold. |
| [Allowed Main Image Source](/docs/configuration/initiatives/rules/images/allowed-image-source.md) | Ensures the main container image referenced in the SBOM is from an approved source. |
| [Require Signed Container Image](/docs/configuration/initiatives/rules/images/image-signed.md) | Enforces that container images (target_type=container) are cryptographically signed. |
| [Verify No Critical or High Vulnerabilities](/docs/configuration/initiatives/rules/api/scribe-api-cve.md) | Verify via Scribe API that there are no critical or high severity vulnerabilities in the target artifact (container image, folder, etc.). |
| [Disallow Specific Users in SBOM](/docs/configuration/initiatives/rules/sbom/banned-users.md) | Verify specific users are not allowed in an SBOM. |
| [Enforce SBOM Dependencies](/docs/configuration/initiatives/rules/sbom/required-packages.md) | Verify the artifact includes all required dependencies. |
| [Enforce SBOM License Completeness](/docs/configuration/initiatives/rules/sbom/complete-licenses.md) | Verify all dependencies in the artifact have a license. |
Expand Down Expand Up @@ -109,6 +110,7 @@
| [Verify `secret_scanning` Setting in `security_and_analysis`](/docs/configuration/initiatives/rules/github/org/secret-scanning-sa.md) | Verify secret scanning is configured in the GitHub repository. |
| [Limit Admin Number in GitHub Organization](/docs/configuration/initiatives/rules/github/org/max-admins.md) | Verify the maximum number of GitHub organization admins is restricted. |
| [Verify `advanced_security_enabled_for_new_repositories` setting](/docs/configuration/initiatives/rules/github/org/advanced-security.md) | Verify Advanced Security is enabled for new repositories in the GitHub organization. |
| [Require GitHub Organization Discovery Evidence](/docs/configuration/initiatives/rules/github/org/evidence-exists.md) | Verify the GitHub Organization exists as evidence. |
| [Verify dependency_graph_enabled_for_new_repositories setting](/docs/configuration/initiatives/rules/github/org/dependency-graph.md) | Verify dependency graph is enabled for new repositories in the GitHub organization. |
| [Verify GitHub Organization Requires Signoff on Web Commits](/docs/configuration/initiatives/rules/github/org/web-commit-signoff.md) | Verify contributors sign commits through the GitHub web interface. |
| [Verify Two-Factor Authentication (2FA) Requirement Enabled](/docs/configuration/initiatives/rules/github/org/2fa.md) | Verify Two-factor Authentication is required in the GitHub organization. |
Expand All @@ -133,6 +135,7 @@
| [Verify secret scanning.](/docs/configuration/initiatives/rules/github/repository/validity-checks.md) | Verify both `secret_scanning_validity_checks` and `security_and_analysis` are set in GitHub organization and all the repositories. |
| [Verify Dependabot security updates setting](/docs/configuration/initiatives/rules/github/repository/dependabot.md) | Verify Dependabot security updates are configured in the GitHub repository. |
| [Verify Repository Is Private](/docs/configuration/initiatives/rules/github/repository/repo-private.md) | Verify the GitHub repository is private. |
| [Require GitHub Repository Discovery Evidence](/docs/configuration/initiatives/rules/github/repository/evidence-exists.md) | Verify the GitHub Repository exists as evidence. |
| [Verify Repository Requires Commit Signoff](/docs/configuration/initiatives/rules/github/repository/web-commit-signoff.md) | Verify contributors sign off on commits to the GitHub repository through the GitHub web interface. |
| [Verify Default Branch Protection](/docs/configuration/initiatives/rules/github/repository/default-branch-protection.md) | Verify the default branch protection is configured in the GitHub repository. |
| [Verify No Old Secrets Exist in Repository](/docs/configuration/initiatives/rules/github/repository/old-secrets.md) | Verify secrets in the GitHub repository are not older than the specified threshold. |
Expand Down Expand Up @@ -215,6 +218,7 @@
|-----------|-------------|
| [Allowed Container Images](/docs/configuration/initiatives/rules/k8s/namespace/allowed-images.md) | Verify only container images specified in the Allowed List run within the Kubernetes namespace. |
| [Verify Namespace Termination](/docs/configuration/initiatives/rules/k8s/namespace/verify-namespace-termination.md) | Verify Kubernetes namespaces are properly terminated to prevent lingering resources and maintain cluster hygiene. |
| [Require K8s Namespace Discovery Evidence](/docs/configuration/initiatives/rules/k8s/namespace/evidence-exists.md) | Verify the K8s Namespace exists as evidence. |
| [Allowed Namespaces](/docs/configuration/initiatives/rules/k8s/namespace/white-listed-namespaces.md) | Verify only namespaces specified in the Allowed List are allowed within the cluster. |
| [Verify Namespace Runtime Duration](/docs/configuration/initiatives/rules/k8s/namespace/verify-namespace-duration.md) | Verify Kubernetes namespaces adhere to a specified runtime duration to enforce lifecycle limits. |
| [Allowed Namespace Registries](/docs/configuration/initiatives/rules/k8s/namespace/allowed-registries.md) | Verify container images in Kubernetes namespaces originate from registries in the Allowed List. |
Expand All @@ -226,6 +230,7 @@
| Rule Name | Description |
|-----------|-------------|
| [Verify Pod Runtime Duration](/docs/configuration/initiatives/rules/k8s/pods/verify-pod-duration.md) | Verify Kubernetes pods adhere to a specified runtime duration to enforce lifecycle limits. |
| [Require K8s Pod Discovery Evidence](/docs/configuration/initiatives/rules/k8s/pods/evidence-exists.md) | Verify the K8s Pod exists as evidence. |
| [Verify Pod Termination](/docs/configuration/initiatives/rules/k8s/pods/verify-pod-termination.md) | Verify Kubernetes pods are properly terminated to prevent lingering resources and maintain cluster hygiene. |
| [Allowed Pods](/docs/configuration/initiatives/rules/k8s/pods/white-listed-pod.md) | Verify only pods explicitly listed in the Allowed List are allowed to run. |

Expand All @@ -235,6 +240,7 @@
| Rule Name | Description |
|-----------|-------------|
| [Prevent Long-Lived Tokens](/docs/configuration/initiatives/rules/bitbucket/project/long-live-tokens.md) | Verify Bitbucket API tokens expire before the maximum time to live. |
| [Require Bitbucket Project Discovery Evidence](/docs/configuration/initiatives/rules/bitbucket/project/evidence-exists.md) | Verify the Bitbucket Project exists as evidence. |
| [Allowed Project Admins](/docs/configuration/initiatives/rules/bitbucket/project/allow-admins.md) | Verify only users specified in the Allowed List have admin privileges in the Bitbucket project. |
| [Allowed Project Users](/docs/configuration/initiatives/rules/bitbucket/project/allow-users.md) | Verify only users specified in the Allowed List have user access to the Bitbucket project. |
| [Prevent Credential Exposure](/docs/configuration/initiatives/rules/bitbucket/project/exposed-credentials.md) | Verify access to the Bitbucket project is blocked if exposed credentials are detected. |
Expand All @@ -244,6 +250,7 @@

| Rule Name | Description |
|-----------|-------------|
| [Require Bitbucket Repository Discovery Evidence](/docs/configuration/initiatives/rules/bitbucket/repository/evidence-exists.md) | Verify the Bitbucket Repository exists as evidence. |
| [Allowed Repository Admins](/docs/configuration/initiatives/rules/bitbucket/repository/allow-admins.md) | Verify only users specified in the Allowed List have admin privileges in the Bitbucket repository. |
| [Verify Default Branch Protection Setting Is Configured](/docs/configuration/initiatives/rules/bitbucket/repository/branch-protection.md) | Verify the default branch protection is enabled in the Bitbucket repository. |
| [Allowed Repository Users](/docs/configuration/initiatives/rules/bitbucket/repository/allow-users.md) | Verify only users specified in the Allowed List have user access to the Bitbucket repository. |
Expand All @@ -253,18 +260,10 @@

| Rule Name | Description |
|-----------|-------------|
| [Require Bitbucket Workspace Discovery Evidence](/docs/configuration/initiatives/rules/bitbucket/workspace/evidence-exists.md) | Verify the Bitbucket Workspace exists as evidence. |
| [Allowed Workspace Admins](/docs/configuration/initiatives/rules/bitbucket/workspace/allow-admins.md) | Verify only users specified in the Allowed List have admin privileges in the Bitbucket workspace. |
| [Allowed Workspace Users](/docs/configuration/initiatives/rules/bitbucket/workspace/allow-users.md) | Verify only users specified in the Allowed List have user access to the Bitbucket workspace. |

### Discovery Evidence
**Evidence Type:** [Discovery Evidence](/docs/platforms/discover)

| Rule Name | Description |
|-----------|-------------|
| [Verify GitLab Pipeline Labels](/docs/configuration/initiatives/rules/gitlab/pipeline/verify-labels.md) | Verify the pipeline includes all required label keys and values. |
| [GitLab pipeline verify labels exist](/docs/configuration/initiatives/rules/gitlab/pipeline/verify-labels-exist.md) | Verify the pipeline has all required label keys and values. |
| [Verify Exposed Credentials](/docs/configuration/initiatives/rules/jenkins/folder/exposed-credentials.md) | Verify there are no exposed credentials. |

### Dockerhub Project Discovery Evidence
**Evidence Type:** [Dockerhub Project Discovery Evidence](/docs/platforms/discover#dockerhub-discovery)

Expand All @@ -273,11 +272,20 @@
| [Verify DockerHub Tokens are Active](/docs/configuration/initiatives/rules/dockerhub/token-expiration.md) | Verify that all discovered Dockerhub tokens are set to Active in Dockerhub. |
| [Verify no unused Dockerhub](/docs/configuration/initiatives/rules/dockerhub/token-not-used.md) | Verify that there are no unused Dockerhub. |

### Jenkins Folder Discovery Evidence
**Evidence Type:** [Jenkins Folder Discovery Evidence](/docs/platforms/discover#jenkins-discovery)

| Rule Name | Description |
|-----------|-------------|
| [Require Jenkins Folder Discovery Evidence](/docs/configuration/initiatives/rules/jenkins/folder/evidence-exists.md) | Verify the Jenkins Folder exists as evidence. |
| [Verify Exposed Credentials](/docs/configuration/initiatives/rules/jenkins/folder/exposed-credentials.md) | Verify there are no exposed credentials. |

### Jenkins Instance Discovery Evidence
**Evidence Type:** [Jenkins Instance Discovery Evidence](/docs/platforms/discover#jenkins-discovery)

| Rule Name | Description |
|-----------|-------------|
| [Require Jenkins Instance Discovery Evidence](/docs/configuration/initiatives/rules/jenkins/instance/evidence-exists.md) | Verify the Jenkins Instance exists as evidence. |
| [Disallow Unused Users](/docs/configuration/initiatives/rules/jenkins/instance/unused-users.md) | Verify there are no users with zero activity. |
| [Verify Inactive Users](/docs/configuration/initiatives/rules/jenkins/instance/inactive-users.md) | Verify there are no inactive users. |

Expand Down
5 changes: 3 additions & 2 deletions docs/configuration/initiatives/rules/api/scribe-api-cve.md
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,8 @@ with:
cve:
max: 0
severity: 6
has_kev: true
has_fix: false
```

## Mitigation
Expand All @@ -48,10 +50,9 @@ This rule ensures that there are no critical or high severity vulnerabilities in
| filter-by | ['product', 'target'] |
| signed | False |
| content_body_type | cyclonedx-json |
| target_type | container |

## Input Definitions
| Parameter | Type | Required | Description |
|-----------|------|----------|-------------|
| superset | object | False | The superset of CVEs to check for, including the following format [cve: [max: int, severity: int]] |
| superset | object | False | The superset of CVEs to check for, including the following format [cve: [max: int, severity: int], has_kev: bool, has_fix: bool]]. |

Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
| labels | - platform=bitbucket<br/>- asset_type=project |
| asset_platform | bitbucket |
| asset_type | project |
| asset_name | Template value (see below) |

**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)

```
{{- if eq .Context.asset_type "project" -}}
{{- on_target .Context.asset_name -}}
{{- else -}}
{{- on_target nil -}}
{{- end -}}
```

## Input Definitions
| Parameter | Type | Required | Description |
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
| labels | - platform=bitbucket<br/>- asset_type=project |
| asset_platform | bitbucket |
| asset_type | project |
| asset_name | Template value (see below) |

**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)

```
{{- if eq .Context.asset_type "project" -}}
{{- on_target .Context.asset_name -}}
{{- else -}}
{{- on_target nil -}}
{{- end -}}
```

## Input Definitions
| Parameter | Type | Required | Description |
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
---
sidebar_label: Require Bitbucket Project Discovery Evidence
title: Require Bitbucket Project Discovery Evidence
---
# Require Bitbucket Project Discovery Evidence
**Type:** Rule
**ID:** `bb-project-exists`
**Source:** [v2/rules/bitbucket/project/evidence-exists.yaml](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/bitbucket/project/evidence-exists.yaml)
**Rego Source:** [evidence-exists.rego](https://github.com/scribe-public/sample-policies/blob/main/v2/rules/bitbucket/project/evidence-exists.rego)
**Labels:** Bitbucket, Project

Verify the Bitbucket Project exists as evidence.

:::note
This rule requires Bitbucket Project Discovery Evidence. See [here](/docs/platforms/discover#bitbucket-discovery) for more details.
:::
:::tip
> Evidence **IS** required for this rule and will fail if missing.
:::
:::tip
Signed Evidence for this rule **IS NOT** required by default but is recommended.
:::
:::warning
Rule requires evaluation with a target. Without one, it will be **disabled** unless the `--all-evidence` flag is provided.
:::

## Usage example

```yaml
uses: bitbucket/project/evidence-exists@v2
```

## Evidence Requirements
| Field | Value |
|-------|-------|
| signed | False |
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
| asset_platform | bitbucket |
| asset_type | project |
| asset_name | Template value (see below) |

**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)

```
{{- if eq .Context.asset_type "project" -}}
{{- on_target .Context.asset_name -}}
{{- else -}}
{{- on_target nil -}}
{{- end -}}
```

Original file line number Diff line number Diff line change
Expand Up @@ -48,5 +48,17 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
| labels | - platform=bitbucket<br/>- asset_type=project |
| asset_platform | bitbucket |
| asset_type | project |
| asset_name | Template value (see below) |

**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)

```
{{- if eq .Context.asset_type "project" -}}
{{- on_target .Context.asset_name -}}
{{- else -}}
{{- on_target nil -}}
{{- end -}}
```

Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,20 @@ It performs the following steps:
| signed | False |
| content_body_type | generic |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
| labels | - asset_type=project<br/>- platform=bitbucket<br/>- platform_instance=bitbucket_dc |
| asset_platform | bitbucket |
| asset_type | project |
| asset_name | Template value (see below) |
| labels | - platform_instance=bitbucket_dc |

**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)

```
{{- if eq .Context.asset_type "project" -}}
{{- on_target .Context.asset_name -}}
{{- else -}}
{{- on_target nil -}}
{{- end -}}
```

## Input Definitions
| Parameter | Type | Required | Description |
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
| labels | - platform=bitbucket<br/>- asset_type=repository |
| asset_platform | bitbucket |
| asset_type | repo |
| asset_name | Template value (see below) |

**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)

```
{{- if eq .Context.asset_type "repo" -}}
{{- on_target .Context.asset_name -}}
{{- else -}}
{{- on_target nil -}}
{{- end -}}
```

## Input Definitions
| Parameter | Type | Required | Description |
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,19 @@ It performs the following steps:
| content_body_type | generic |
| target_type | data |
| predicate_type | http://scribesecurity.com/evidence/discovery/v0.1 |
| labels | - platform=bitbucket<br/>- asset_type=repository |
| asset_platform | bitbucket |
| asset_type | repo |
| asset_name | Template value (see below) |

**Template Value** (see [here](/docs/valint/initiatives#template-arguments) for more details)

```
{{- if eq .Context.asset_type "repo" -}}
{{- on_target .Context.asset_name -}}
{{- else -}}
{{- on_target nil -}}
{{- end -}}
```

## Input Definitions
| Parameter | Type | Required | Description |
Expand Down
Loading