configure policy linting
matt-phylum committed Apr 29, 2024
1 parent 1ede406 commit e184641
Showing 17 changed files with 239 additions and 263 deletions.
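--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,29 @@
+name: Lint policies
+
+on:
+push:
+workflow_dispatch:
+
+jobs:
+lint:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v4
+
+- name: Setup OPA
+uses: open-policy-agent/[email protected]
+with:
+version: 0.61
+
+- name: Setup Regal
+uses: StyraInc/[email protected]
+with:
+version: 0.21
+
+- name: OPA Check
+if: ${{ !cancelled() }}
+run: opa check --strict --max-errors 0 .
+
+- name: Regal Lint
+if: ${{ !cancelled() }}
+run: regal lint --format github ./policy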
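Review bot: The workflow declares no `permissions:` block, so the job runs with the repository's default GITHUB_TOKEN scope even though a checkout plus two read-only lint commands need nothing beyond `permissions:` / `  contents: read` at the top level. The third-party actions (`actions/checkout@v4` and the setup-opa / setup-regal steps, whose refs are rendered here as `[email protected]` and are presumably version tags) are pinned by mutable tag; pinning each to a full commit SHA with the version in a trailing comment removes the tag-retargeting risk. `opa check --strict` is also run without `--schema`, so the `schemas:` annotations in the .rego files are, as far as I can tell, not enforced in CI unless the schema set is supplied — if a `schema.issue` definition is committed somewhere, pass `--schema <dir>`. Finally, `regal lint` targets `./policy` while the .rego files in this commit sit at the repository root; confirm that path is the intended one.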
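--- a/.regal/config.yaml
+++ b/.regal/config.yaml
@@ -0,0 +1,16 @@
+capabilities:
+from:
+engine: opa
+version: v0.61.0
+minus:
+builtins:
+- name: http.send
+rules:
+idiomatic:
+no-defined-entrypoint:
+level: ignore
+imports:
+unresolved-import:
+level: error
+except-imports:
+- data.phylum.*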
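Review bot: The `minus: builtins: - name: http.send` entry is the one security control in this file, yet nothing records why it is there; add a comment above it such as `# Policies must not reach the network: drop http.send from the capability set so any call to it is reported by the linter`. The intent is presumably that Regal flags a policy using a builtin absent from the capabilities — worth confirming against the Regal version pinned in the workflow — and note that `opa check` in lint.yml runs with OPA's default capabilities, so it would not catch the same call. Similarly, `unresolved-import` at `error` with `except-imports: - data.phylum.*` should state why that prefix is exempt, e.g. `# data.phylum.* (domain, level) is presumably supplied at evaluation time rather than defined in this repo — confirm`.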
60 changes: 27 additions & 33 deletions confirmed_malicious.rego
Original file line number Diff line number Diff line change
@@ -1,33 +1,27 @@
package policy

import data.phylum.domain
import data.phylum.level
import future.keywords.contains
import future.keywords.if
import future.keywords.in


# METADATA
# scope: rule
# schemas:
# - data.issue: schema.issue

# Returns a violation if the author is known malicious
issue contains "Author has published malicious packages" if {
data.issue.tag == "CA0001"
}

# Returns a violation if the package contains verified malware
issue contains "This package contains malware" if {
data.issue.tag == "CM0038"
}

# Returns a violation if the package contains a known-bad compiled binary
issue contains "Contains known-bad compiled binary" if {
data.issue.tag == "CM0037"
}

# Returns a violation if the package depends on a known malicious package
issue contains "This package depends on malware" if {
data.issue.tag == "CM0039"
}
package policy

import rego.v1

# Returns a violation if the author is known malicious
# METADATA
# scope: rule
# schemas:
# - data.issue: schema.issue
issue contains "Author has published malicious packages" if {
data.issue.tag == "CA0001"
}

# Returns a violation if the package contains verified malware
issue contains "This package contains malware" if {
data.issue.tag == "CM0038"
}

# Returns a violation if the package contains a known-bad compiled binary
issue contains "Contains known-bad compiled binary" if {
data.issue.tag == "CM0037"
}

# Returns a violation if the package depends on a known malicious package
issue contains "This package depends on malware" if {
data.issue.tag == "CM0039"
}
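Review bot: The `# METADATA` block carries `scope: rule`, so the `data.issue: schema.issue` schema applies only to the first `issue` rule (CA0001); the three rules below it are not type-checked against the schema even when a schema set is loaded. Changing it to `# scope: document` makes the annotation cover every `issue` rule in the package, which is what the shared "Returns a violation if ..." comment style suggests is intended. The annotation only takes effect when `opa check` is given the schema via `--schema`, which the new workflow does not currently pass.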
38 changes: 16 additions & 22 deletions data_exfiltration.rego
Original file line number Diff line number Diff line change
@@ -1,22 +1,16 @@
package policy

import data.phylum.domain
import data.phylum.level
import future.keywords.contains
import future.keywords.if
import future.keywords.in


# METADATA
# scope: rule
# schemas:
# - data.issue: schema.issue

# Returns a violation if the package contains common data exfiltration techniques
issue contains "Package contains environment variable enumeration" if {
data.issue.tag == "HM0025"
}

issue contains "Package contains webhook exfiltration" if {
data.issue.tag == "HM0036"
}
package policy

import rego.v1

# Returns a violation if the package contains common data exfiltration techniques
# METADATA
# scope: rule
# schemas:
# - data.issue: schema.issue
issue contains "Package contains environment variable enumeration" if {
data.issue.tag == "HM0025"
}

issue contains "Package contains webhook exfiltration" if {
data.issue.tag == "HM0036"
}
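Review bot: The header comment "Returns a violation if the package contains common data exfiltration techniques" and the `# METADATA` block with `scope: rule` both sit above the HM0025 rule only, so the HM0036 rule has neither a description nor schema coverage. Use `# scope: document` so the schema annotation applies to both `issue` rules, and give the second rule its own line, e.g. `# Returns a violation if the package posts data to a webhook (HM0036)`, so each tag's meaning is documented where it is matched.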
3 changes: 1 addition & 2 deletions default.rego
Original file line number Diff line number Diff line change
@@ -1,8 +1,7 @@
package policy

import data.phylum.level
import future.keywords.contains
import future.keywords.if
import rego.v1

issue contains "risk level cannot exceed medium" if {
data.issue.severity > level.MEDIUM
Expand Down
30 changes: 12 additions & 18 deletions dependency_confusion.rego
Original file line number Diff line number Diff line change
@@ -1,18 +1,12 @@
package policy

import data.phylum.domain
import data.phylum.level
import future.keywords.contains
import future.keywords.if
import future.keywords.in


# METADATA
# scope: rule
# schemas:
# - data.issue: schema.issue

# Returns a violation if the package appears to be a dependency confusion
issue contains "Package appears to be a dependency confusion" if {
data.issue.tag == "HM0018"
}
package policy

import rego.v1

# Returns a violation if the package appears to be a dependency confusion
# METADATA
# scope: rule
# schemas:
# - data.issue: schema.issue
issue contains "Package appears to be a dependency confusion" if {
data.issue.tag == "HM0018"
}
30 changes: 12 additions & 18 deletions install_code.rego
Original file line number Diff line number Diff line change
@@ -1,18 +1,12 @@
package policy

import data.phylum.domain
import data.phylum.level
import future.keywords.contains
import future.keywords.if
import future.keywords.in


# METADATA
# scope: rule
# schemas:
# - data.issue: schema.issue

# Returns a violation if there is code execution on package install
issue contains "Package contains code execution on install" if {
data.issue.tag in {"IM0042", "IM0043", "IM0044"}
}
package policy

import rego.v1

# Returns a violation if there is code execution on package install
# METADATA
# scope: rule
# schemas:
# - data.issue: schema.issue
issue contains "Package contains code execution on install" if {
data.issue.tag in {"IM0042", "IM0043", "IM0044"}
}
39 changes: 16 additions & 23 deletions install_code_suspicious.rego
Original file line number Diff line number Diff line change
@@ -1,23 +1,16 @@
package policy

import data.phylum.domain
import data.phylum.level
import future.keywords.contains
import future.keywords.if
import future.keywords.in


# METADATA
# scope: rule
# schemas:
# - data.issue: schema.issue

# Returns a violation if there is suspicious code execution on package install

issue contains "Package contains suspicious code execution on install" if {
data.issue.tag == "CM0007"
}

issue contains "Package contains suspicious code execution on install" if {
endswith(data.issue.tag, "M0031")
}
package policy

import rego.v1

# Returns a violation if there is suspicious code execution on package install
# METADATA
# scope: rule
# schemas:
# - data.issue: schema.issue
issue contains "Package contains suspicious code execution on install" if {
data.issue.tag == "CM0007"
}

issue contains "Package contains suspicious code execution on install" if {
endswith(data.issue.tag, "M0031")
}
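Review bot: The second rule matches with `endswith(data.issue.tag, "M0031")`, which accepts any tag whose last five characters are M0031 regardless of prefix, and nothing documents why the prefix is wildcarded while every other rule in this commit matches full tags. Add a why-comment above it, e.g. `# M0031 is presumably reported under more than one domain prefix, so match the suffix rather than one full tag — confirm the prefix set`, or, if the set of prefixes is known, prefer an explicit `data.issue.tag in {...}` as the other files do. The `# METADATA` block's `scope: rule` also covers only the CM0007 rule; `# scope: document` would extend the schema to both.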
30 changes: 12 additions & 18 deletions license_mismatch.rego
Original file line number Diff line number Diff line change
@@ -1,18 +1,12 @@
package policy

import data.phylum.domain
import data.phylum.level
import future.keywords.contains
import future.keywords.if
import future.keywords.in


# METADATA
# scope: rule
# schemas:
# - data.issue: schema.issue

# Returns a violation if there is a license mismatch between metadata and files
issue contains "License mismatch" if {
data.issue.tag == "IL0022"
}
package policy

import rego.v1

# Returns a violation if there is a license mismatch between metadata and files
# METADATA
# scope: rule
# schemas:
# - data.issue: schema.issue
issue contains "License mismatch" if {
data.issue.tag == "IL0022"
}
30 changes: 12 additions & 18 deletions minimal_code.rego
Original file line number Diff line number Diff line change
@@ -1,18 +1,12 @@
package policy

import data.phylum.domain
import data.phylum.level
import future.keywords.contains
import future.keywords.if
import future.keywords.in


# METADATA
# scope: rule
# schemas:
# - data.issue: schema.issue

# Returns a violation if the package contains minimal code and is unlikley worth the security risk
issue contains "Package contains minimal code" if {
data.issue.tag == "IE0027"
}
package policy

import rego.v1

# Returns a violation if the package contains minimal code and is unlikley worth the security risk
# METADATA
# scope: rule
# schemas:
# - data.issue: schema.issue
issue contains "Package contains minimal code" if {
data.issue.tag == "IE0027"
}
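Review bot: The description comment has a typo — `unlikley` should read `unlikely` — and the rule's rationale would read better as `# Returns a violation if the package contains minimal code and is unlikely to be worth the security risk of a dependency (IE0027)`. Including the tag in the comment also makes it greppable when the issue catalog changes.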
29 changes: 12 additions & 17 deletions obfuscated_code.rego
Original file line number Diff line number Diff line change
@@ -1,17 +1,12 @@
package policy

import data.phylum.domain
import data.phylum.level
import future.keywords.contains
import future.keywords.if
import future.keywords.in

# METADATA
# scope: rule
# schemas:
# - data.issue: schema.issue

# Returns a violation if the package contains obfuscated code
issue contains "Package contains obfuscated code" if {
data.issue.tag in {"HM0029", "HM0099", "HM0023", "IM0040", "IM0041"}
}
package policy

import rego.v1

# Returns a violation if the package contains obfuscated code
# METADATA
# scope: rule
# schemas:
# - data.issue: schema.issue
issue contains "Package contains obfuscated code" if {
data.issue.tag in {"HM0029", "HM0099", "HM0023", "IM0040", "IM0041"}
}
4 changes: 1 addition & 3 deletions per_domain.rego
Original file line number Diff line number Diff line change
Expand Up @@ -2,9 +2,7 @@ package policy

import data.phylum.domain
import data.phylum.level
import future.keywords.contains
import future.keywords.if
import future.keywords.in
import rego.v1

issue contains "risk level cannot exceed medium" if {
data.issue.domain in {domain.AUTHOR, domain.ENGINEERING, domain.VULNERABILITY}
Expand Down