
Alerts from Minder

Minder issues alerts to notify you when the state of your software supply chain does not meet the criteria that you've defined in your profile.

Alerts are a core feature of Minder, providing notifications about the status of your registered repositories. These alerts are opened and closed automatically based on the evaluation of the rules defined in your profiles.

When a rule fails, Minder opens an alert to bring your attention to the non-compliance issue. Conversely, when the rule evaluation passes, Minder will automatically close any previously opened alerts related to that rule.

In the alert, you'll be able to see details such as:

  • The repository that is affected
  • The rule type that failed
  • The profile that the rule belongs to
  • Guidance on how to remediate the issue
  • Severity of the issue, taken from the alert definition in the rule type

Enabling alerts in a profile

To activate the alert feature within a profile, you need to adjust the YAML definition. Specifically, set the alert parameter to "on". Keep the quotes: in YAML 1.1 an unquoted on is parsed as a boolean rather than the string "on".

alert: "on"

Enabling alerts at the profile level means that every rule included in the profile generates an alert when it fails. For better clarity, consider this rule type snippet:

---
version: v1
type: rule-type
name: sample_rule
def:
  alert:
    type: security_advisory
    security_advisory:
      severity: "medium"

In this example, sample_rule defines an alert action that creates a medium severity security advisory in every repository that does not comply with the rule.

Now, let's see how this works in practice within a profile. Consider the following profile configuration with alerts turned on:

version: v1
type: profile
name: sample-profile
context:
  provider: github
alert: "on"
repository:
  - type: sample_rule
    def:
      enabled: true

In this profile, all repositories that do not meet the conditions specified in the sample_rule will automatically generate security advisories.

Alert types

Minder supports alerts of type GitHub Security Advisory.

The following is an example of what the alert definition looks like for a given rule type:

---
version: v1
type: rule-type
name: artifact_signature
...
def:
  # Defines the configuration for alerting on the rule
  alert:
    type: security_advisory
    security_advisory:
      severity: "medium"

Configuring alerts in profiles

Alerts are configured in the alert section of the profile yaml file. The following example shows how to configure alerts for a profile:

---
version: v1
type: profile
name: github-profile
context:
  provider: github
alert: "on"
repository:
  - type: secret_scanning
    def:
      enabled: true

The alert setting accepts the following values: on (default), off and dry_run. dry_run is useful for testing: Minder processes the alert conditions and outputs the resulting REST call, but does not execute it.
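The open-on-fail, close-on-pass lifecycle described at the top of this page, and the way the profile-level alert mode (on, off, dry_run) combines with the severity in the rule type's alert definition, can be modelled in a few lines. The following is an added example and not Minder's own code: the sample-profile and sample_rule are the page's YAML as a YAML loader would return them, while the repository names, the evaluation results and the shape of the "REST call" are constructed here for illustration.

```python
"""Model of Minder's alert lifecycle for the profile and rule type shown above.

Added example, not Minder's own code. PROFILE and RULE_TYPES are the page's
YAML expressed as Python dicts; repositories, evaluation results and the
REST call shape are constructed assumptions.
"""
from dataclasses import dataclass

ALERT_MODES = {"on", "off", "dry_run"}
# Assumption: the severity levels a GitHub security advisory accepts.
SEVERITIES = {"low", "medium", "high", "critical"}

# The sample_rule rule type from the page, as a YAML loader would return it.
RULE_TYPES = {
    "sample_rule": {
        "version": "v1",
        "type": "rule-type",
        "name": "sample_rule",
        "def": {"alert": {"type": "security_advisory",
                          "security_advisory": {"severity": "medium"}}},
    },
}

# The sample-profile from the page.
PROFILE = {
    "version": "v1",
    "type": "profile",
    "name": "sample-profile",
    "context": {"provider": "github"},
    "alert": "on",
    "repository": [{"type": "sample_rule", "def": {"enabled": True}}],
}


def alert_mode(profile):
    """Profile-level alert mode, applying the documented default of "on".

    An unquoted `on`/`off` loads as a boolean in YAML 1.1 parsers, so a
    non-string value is rejected here instead of being silently ignored.
    """
    mode = profile.get("alert", "on")
    if mode not in ALERT_MODES:
        raise ValueError(f"alert must be one of {sorted(ALERT_MODES)}, got {mode!r}")
    return mode


def alert_severity(rule_type):
    """Severity requested by the rule type's alert block, or None if it has none."""
    alert = rule_type.get("def", {}).get("alert")
    if alert is None:
        return None
    if alert.get("type") != "security_advisory":
        raise ValueError(f"unsupported alert type {alert.get('type')!r}")
    severity = alert["security_advisory"]["severity"]
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    return severity


@dataclass(frozen=True)
class Alert:
    repo: str
    rule: str
    profile: str
    severity: str


def reconcile(profile, rule_types, results, open_alerts):
    """One evaluation round.

    results maps (repo, rule_name) -> True if the rule passed, False if it failed.
    open_alerts maps (repo, rule_name) -> Alert and is updated in place.
    Returns the REST-style calls this round produced. With dry_run the calls
    are computed but marked as not executed and open_alerts is left untouched.
    """
    mode = alert_mode(profile)
    calls = []
    if mode == "off":
        return calls
    execute = mode == "on"
    for rule in (r["type"] for r in profile.get("repository", [])):
        severity = alert_severity(rule_types[rule])
        if severity is None:
            continue  # rule type defines no alert action
        for (repo, name), passed in results.items():
            if name != rule:
                continue
            key = (repo, rule)
            if not passed and key not in open_alerts:      # rule failed: open an alert
                calls.append({"method": "POST", "executed": execute,
                              "path": f"/repos/{repo}/security-advisories",
                              "severity": severity})
                if execute:
                    open_alerts[key] = Alert(repo, rule, profile["name"], severity)
            elif passed and key in open_alerts:            # rule passes again: close it
                calls.append({"method": "PATCH", "executed": execute,
                              "path": f"/repos/{repo}/security-advisories/{rule}",
                              "state": "closed"})
                if execute:
                    del open_alerts[key]
    return calls


def demo():
    """acme/api fails then passes; acme/web never fails; then a dry_run failure."""
    open_alerts = {}
    round1 = reconcile(PROFILE, RULE_TYPES, {("acme/api", "sample_rule"): False,
                                             ("acme/web", "sample_rule"): True}, open_alerts)
    round2 = reconcile(PROFILE, RULE_TYPES, {("acme/api", "sample_rule"): True,
                                             ("acme/web", "sample_rule"): True}, open_alerts)
    dry = reconcile({**PROFILE, "alert": "dry_run"}, RULE_TYPES,
                    {("acme/web", "sample_rule"): False}, open_alerts)
    return round1, round2, dry, open_alerts
```

Running demo() shows the lifecycle in three steps: the first round opens one medium advisory for acme/api and none for acme/web, the second round closes it once the rule passes, and the dry_run round produces the POST that would be sent for acme/web without recording an open alert.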