# Known Vulnerabilities Rule

The following rule type is available for known vulnerabilities.

## `pr_vulnerability_check`

- Verifies that pull requests do not add dependencies with known vulnerabilities

For every pull request submitted to a repository, this rule checks whether the pull request adds a new dependency with known vulnerabilities, based on the OSV database. If it does, the rule fails and the pull request is rejected or commented on, depending on the configured action.

### Entity

- `pull_request`

### Type

- `pr_vulnerability_check`

### Rule Parameters

- None

### Rule Definition Options

The `pr_vulnerability_check` rule has the following options:
- `action` (string): The action to take if a vulnerability is found. Valid values are:
  - `review`: Minder will review the PR, suggest changes and mark the PR as changes requested if a vulnerability is found
  - `commit_status`: Minder will comment and suggest changes on the PR if a vulnerability is found. Additionally, Minder will set the commit status of the PR `HEAD` to `failed` to prevent the commit from being merged
  - `comment`: Minder will comment and suggest changes on the PR if a vulnerability is found, but not request changes
  - `summary`: The evaluator engine will add a single summary comment with a table listing the vulnerabilities found
  - `profile_only`: The evaluator engine will merely pass on an error, marking the profile as failed if a vulnerability is found
- `ecosystem_config`: An array of ecosystem configurations to check. Each ecosystem configuration has the following options:
  - `name` (string): The name of the ecosystem to check. Currently `npm`, `go` and `pypi` are supported.
  - `vulnerability_database_type` (string): The kind of vulnerability database to use. Currently only `osv` is supported.
  - `vulnerability_database_endpoint` (string): The endpoint of the vulnerability database to use.
  - `package_repository`: The package repository to use. This is an object with the following options:
    - `url` (string): The URL of the package repository to use. Only the `go` ecosystem uses this option.
  - `sum_repository`: The Go sum repository to use. This is an object with the following options:
    - `url` (string): The URL of the Go sum repository to use.
Note that if the `review` action is selected, Minder will only be able to mark the PR as changes requested if the submitter is not the same as the Minder identity. If the submitter is the same as the Minder identity, the PR will only be commented on.

Also note that if the `commit_status` action is selected, the PR can only be prevented from merging if the branch protection rules are set to require a passing commit status.
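To make the check concrete, here is an added illustration of what a `pr_vulnerability_check` evaluation has to do: find the dependencies a PR adds, look each one up in OSV, and turn the hits into a failure (or the summary table the `summary` action posts). This is not Minder's own code. It uses OSV's documented `/v1/query` request and response shape; the mapping from the rule's ecosystem names (`npm`, `go`, `pypi`) to OSV ecosystem identifiers, the `added_dependencies`, `check_pull_request` and `summary_table` helpers, and the summary-table layout are assumptions. The manifests and the OSV response are constructed samples so the example runs offline; `osv_query_http` shows the real call against the configured `vulnerability_database_endpoint`.

```python
"""Added illustration of the check a pr_vulnerability_check rule performs.

Not Minder's code.  Assumes OSV's /v1/query interface (POST a JSON body of
{"version": ..., "package": {"name": ..., "ecosystem": ...}} and receive
{"vulns": [...]}) and an assumed mapping from the rule's ecosystem names to
OSV ecosystem identifiers.  Sample manifests and the sample OSV response below
are constructed so that the example runs offline.
"""
import json
import urllib.request
from typing import Callable, Dict, List

# Endpoint taken from the rule examples on this page.
OSV_ENDPOINT = "https://api.osv.dev/v1/query"

# Assumed mapping: rule `name` value -> OSV ecosystem identifier.
OSV_ECOSYSTEM = {"npm": "npm", "go": "Go", "pypi": "PyPI"}


def added_dependencies(base: Dict[str, str], head: Dict[str, str]) -> Dict[str, str]:
    """Dependencies in the PR head that the base branch lacks.

    A dependency whose version changed counts as added too: the new version is
    the one that must be looked up.
    """
    return {name: ver for name, ver in head.items() if base.get(name) != ver}


def osv_query_body(ecosystem: str, name: str, version: str) -> Dict:
    """Build the JSON body for an OSV /v1/query request."""
    return {
        "version": version,
        "package": {"name": name, "ecosystem": OSV_ECOSYSTEM[ecosystem]},
    }


def osv_query_http(body: Dict, endpoint: str = OSV_ENDPOINT) -> Dict:
    """Send one query to the configured vulnerability database (network call)."""
    req = urllib.request.Request(
        endpoint,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def check_pull_request(
    ecosystem: str,
    base_deps: Dict[str, str],
    head_deps: Dict[str, str],
    query: Callable[[Dict], Dict],
) -> List[Dict]:
    """Return one finding per (added dependency, OSV vulnerability) pair.

    An empty list means the rule passes; a non-empty list means it fails and
    the configured action decides what happens to the PR.
    """
    findings = []
    for name, version in added_dependencies(base_deps, head_deps).items():
        for vuln in query(osv_query_body(ecosystem, name, version)).get("vulns", []):
            findings.append({
                "package": name,
                "version": version,
                "id": vuln["id"],
                "summary": vuln.get("summary", ""),
            })
    return findings


def summary_table(findings: List[Dict]) -> str:
    """Markdown table of the kind a single summary comment would carry (layout assumed)."""
    rows = ["| Package | Version | Vulnerability | Summary |", "|---|---|---|---|"]
    for f in findings:
        rows.append(f"| {f['package']} | {f['version']} | {f['id']} | {f['summary']} |")
    return "\n".join(rows)


# Constructed sample manifests: the "dependencies" map of a package.json on
# the base branch and on the PR head.  Not real PR data.
BASE_DEPS = {"express": "4.19.2", "lodash": "4.17.21"}
HEAD_DEPS = {"express": "4.19.2", "lodash": "4.17.21", "left-pad": "1.3.0"}

# Constructed sample OSV response keyed by (OSV ecosystem, name, version).
# The advisory id and summary are placeholders, not a real OSV record.
FAKE_OSV_RESPONSES = {
    ("npm", "left-pad", "1.3.0"): {
        "vulns": [{"id": "EXAMPLE-0001", "summary": "constructed sample advisory"}]
    },
}


def fake_osv_query(body: Dict) -> Dict:
    """Offline stand-in for osv_query_http that answers from the sample above."""
    key = (body["package"]["ecosystem"], body["package"]["name"], body["version"])
    return FAKE_OSV_RESPONSES.get(key, {"vulns": []})


if __name__ == "__main__":
    found = check_pull_request("npm", BASE_DEPS, HEAD_DEPS, fake_osv_query)
    print("rule result:", "FAIL" if found else "PASS")
    print(summary_table(found))
```

Only dependencies that the PR introduces (or re-versions) are queried, which is why a PR that leaves the manifest untouched never fails this rule even if the existing dependencies have advisories.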
### Examples

```yaml
- type: pr_vulnerability_check
  def:
    action: review
    ecosystem_config:
      - name: npm
        vulnerability_database_type: osv
        vulnerability_database_endpoint: https://api.osv.dev/v1/query
        package_repository:
          url: https://registry.npmjs.org
      - name: go
        vulnerability_database_type: osv
        vulnerability_database_endpoint: https://api.osv.dev/v1/query
        package_repository:
          url: https://proxy.golang.org
        sum_repository:
          url: https://sum.golang.org
      - name: pypi
        vulnerability_database_type: osv
        vulnerability_database_endpoint: https://api.osv.dev/v1/query
        package_repository:
          url: https://pypi.org/pypi
```