WIP: Add csp-security-policies

elastic · Oct 11, 2023 · d2ffd38 · d2ffd38
1 parent 86d0671
commit d2ffd38
Show file tree

Hide file tree

Showing 67 changed files with 519 additions and 733 deletions.
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -19,3 +19,9 @@ If this PR adds a new feature, please add an example screenshot or data (finding
 ### Checklist
 - [ ] I have added tests that prove my fix is effective or that my feature works
 - [ ] I have added the necessary README/documentation (if appropriate)
+
+#### Introducing a new rule?
+
+- [ ] Generate rule metadata using [this script](https://github.com/elastic/cloudbeat/tree/main/csp-security-policies/dev#generate-rules-metadata)
+- [ ] Add relevant unit tests
+- [ ] Generate relevant rule templates using [this script](https://github.com/elastic/cloudbeat/tree/main/csp-security-policies/dev#generate-rule-templates), and open a PR in [elastic/packages/cloud_security_posture](https://github.com/elastic/integrations/tree/main/packages/cloud_security_posture)
diff --git a/...icies/.github/workflows/test-coverage.yml → .github/workflows/test-opa-coverage.yml b/...icies/.github/workflows/test-coverage.yml → .github/workflows/test-opa-coverage.yml
@@ -1,4 +1,4 @@
-name: Test Coverage
+name: Test OPA Coverage
 
 on:
   push:
@@ -8,15 +8,15 @@ on:
 jobs:
   test-coverage:
     runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./csp-security-policies
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
-      - name: Download OPA Binary
-        run: |
-          curl -L -o opa https://openpolicyagent.org/downloads/latest/opa_linux_amd64
-          chmod +x opa
-          ./opa -h
+      - name: Init Hermit
+        run: ../bin/hermit env -r >> $GITHUB_ENV
 
       - name: OPA test coverage
         run: |

diff --git a/...icies/.github/workflows/test-policies.yml → .github/workflows/test-opa-policies.yml b/...icies/.github/workflows/test-policies.yml → .github/workflows/test-opa-policies.yml
@@ -1,4 +1,4 @@
-name: Test Policies
+name: Test OPA Policies
 
 on:
   pull_request:
@@ -9,14 +9,15 @@ jobs:
   test-rego-policies:
     name: Test Rego Policies
     runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./csp-security-policies
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
-      - name: Setup OPA
-        uses: open-policy-agent/setup-opa@v2
-        with:
-          version: 0.53.1
+      - name: Init Hermit
+        run: ../bin/hermit env -r >> $GITHUB_ENV
 
       - name: OPA format
         run: opa fmt ./bundle --fail=true --diff
@@ -36,13 +37,16 @@ jobs:
   update-rules-status:
     name: Update rules status
     runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./csp-security-policies
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - uses: actions/setup-python@v4
         with:
-          python-version: '3.10'
+          python-version: '3.11'
 
       - name: Install dependencies
         run: |
@@ -58,13 +62,16 @@ jobs:
   update-rule-metadata:
     name: Update rules metadata
     runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./csp-security-policies
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - uses: actions/setup-python@v4
         with:
-          python-version: '3.10'
+          python-version: '3.11'
 
       - name: Install dependencies
         run: |
@@ -75,4 +82,4 @@ jobs:
         run: poetry run python ./dev/generate_rule_metadata.py
 
       - name: Rule metadata mismatch - to fix run our pre-commit hooks
-        run: git diff --exit-code
+        run: git diff --exit-code
diff --git a/.mergify.yml b/.mergify.yml
@@ -4,6 +4,9 @@ queue_rules:
       - check-success=Cloudbeat-CI / Integration Tests (pull_request)
       - check-success=Cloudbeat-CI / Build (pull_request)
       - check-success=UnitTests / Unit Tests (pull_request)
+      - check-success=Test Rego Policies (pull_request)
+      - check-success=Update rules status (pull_request)
+      - check-success=Update rules metadata (pull_request)
 pull_request_rules:
   - name: self-assign PRs
     conditions:

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -12,7 +12,7 @@ repos:
       - id: check-json
       - id: check-executables-have-shebangs
       - id: trailing-whitespace
-        exclude: cloudbeat.reference.yml
+        exclude: (cloudbeat.reference.yml|csp-security-policies/bundle/.*)
 
       ## Security
       - id: detect-private-key
@@ -45,6 +45,8 @@ repos:
             "-rn", # Only display messages
             "--rcfile=tests/pylintrc", # Link to your config file
           ]
+        # TODO: Apply pylint in csp-security-policies
+        exclude: csp-security-policies.*
 
   - repo: https://github.com/psf/black
     rev: 23.9.1
@@ -92,3 +94,50 @@ repos:
         language: system
         files: .*.go
         pass_filenames: false
+
+  - repo: local
+    hooks:
+      - id: opa-fmt
+        name: OPA fmt
+        description: Formats Rego policy using opa fmt
+        entry: opa fmt
+        args: [ -w ]
+        language: system
+        files: (\.rego)$
+
+      - id: opa-check
+        name: OPA check
+        description: Check syntax of staged Rego files
+        entry: opa check
+        args: [ -S, './csp-security-policies/bundle/compliance' ]
+        pass_filenames: false
+        language: system
+        files: (\.rego)$
+
+      - id: opa-test
+        name: OPA test
+        description: Runs OPA unit tests on rego source files
+        entry: opa test
+        args: [ -b, './csp-security-policies/bundle' ]
+        pass_filenames: false
+        language: system
+
+      - id: update-rules-status
+        name: Update rules status
+        description: Update rules status in rules_table.md
+        require_serial: true
+        entry: poetry run -C csp-security-policies python csp-security-policies/dev/update_rule_status.py
+        language: system
+
+  - repo: https://github.com/igorshubovych/markdownlint-cli
+    rev: v0.32.2
+    hooks:
+      - id: markdownlint
+        args: [ '--disable',
+                MD013,  # Line length can be ignored for now
+                MD033,  # Allow inline HTML
+                MD046,  # Allow code blocks to be fenced with backticks
+                MD041,  # Allow multiple top level headers
+                '--' ]
+        # TODO: Apply makrdownlint in other files
+        files: $csp-security-policies.*\.(md|markdown)$
diff --git a/csp-security-policies/.github/CODEOWNERS b/csp-security-policies/.github/CODEOWNERS
diff --git a/csp-security-policies/.github/ISSUE_TEMPLATE/bug_report.md b/csp-security-policies/.github/ISSUE_TEMPLATE/bug_report.md
diff --git a/csp-security-policies/.github/ISSUE_TEMPLATE/feature_request.md b/csp-security-policies/.github/ISSUE_TEMPLATE/feature_request.md
diff --git a/csp-security-policies/.github/ISSUE_TEMPLATE/issue_template.md b/csp-security-policies/.github/ISSUE_TEMPLATE/issue_template.md
diff --git a/csp-security-policies/.github/pull_request_template.md b/csp-security-policies/.github/pull_request_template.md