About Reposaur

Reposaur is a compliance-checking tool for development platforms and open-source projects. With it, researchers can audit and validate a target project or its code against predefined or custom policies, and run compliance checks on data and configuration. Reposaur therefore helps ensure that every contributor to a code base meets a given security standard or set of best-practice rules. The current version supports GitHub and GitLab; Gitea support is planned.

Features

4. Reports follow the standard SARIF format, which makes them easy to integrate with other systems;

Installation

Getting the source

Clone the project to your machine with:

```shell
git clone https://github.com/reposaur/reposaur.git
```

Homebrew

```shell
$ brew install reposaur/tap/reposaur
```

DEB, RPM and APK packages

Download the .deb, .rpm or .apk package from the project's Releases page and install it with the corresponding package tool.

Go

```shell
$ go install github.com/reposaur/reposaur/cmd/rsr@latest
```

Install script

```shell
$ curl -o- https://raw.githubusercontent.com/reposaur/reposaur/main/install.sh | bash
```

Usage

Writing a custom policy

A policy can be composed of several modules (files), which must share one namespace (package); each module may define several rules. The walkthrough below uses a single module in the github.repository namespace. The namespace matters because Reposaur uses it to decide which rules to evaluate against a given piece of target data:

```rego
package github.repository
```

Next, define a rule that fetches the branch-protection data for the default branch. The repository object GitHub returns does not include it, so the policy issues an extra request:

```rego
# Fetch branch protection for the default branch. The rule is only defined when
# the API answers 200; an unprotected branch returns 404, leaving it undefined.
protection = body {
	resp := github.request("GET /repos/{owner}/{repo}/branches/{branch}/protection", {
		"owner": input.owner.login,
		"repo": input.name,
		"branch": input.default_branch,
	})
	resp.status == 200
	body := resp.body
}

violation_default_branch_not_protected {
	not protection
}
```

Next, the following rules check whether further protections are enabled on the default branch. Because `not` in Rego also succeeds when the referenced value is undefined, a branch with no protection at all trips every one of these rules as well as `violation_default_branch_not_protected`:

```rego
violation_default_branch_pull_not_required {
	not protection.required_pull_request_reviews
}

# Two bodies for one rule: it fires when the count is missing or when it is zero.
violation_default_branch_approvals_not_required {
	not protection.required_pull_request_reviews.required_approving_review_count
}

violation_default_branch_approvals_not_required {
	protection.required_pull_request_reviews.required_approving_review_count < 1
}

violation_default_branch_code_owners_reviews_not_required {
	not protection.required_pull_request_reviews.require_code_owner_reviews
}

violation_default_branch_status_checks_not_required {
	not protection.required_status_checks
}

violation_default_branch_up_to_date_not_required {
	not protection.required_status_checks.strict
}
```

The complete module:

```rego
package github.repository

protection = body {
	resp := github.request("GET /repos/{owner}/{repo}/branches/{branch}/protection", {
		"owner": input.owner.login,
		"repo": input.name,
		"branch": input.default_branch,
	})
	resp.status == 200
	body := resp.body
}

violation_default_branch_not_protected {
	not protection
}

violation_default_branch_pull_not_required {
	not protection.required_pull_request_reviews
}

violation_default_branch_approvals_not_required {
	not protection.required_pull_request_reviews.required_approving_review_count
}

violation_default_branch_approvals_not_required {
	protection.required_pull_request_reviews.required_approving_review_count < 1
}

violation_default_branch_code_owners_reviews_not_required {
	not protection.required_pull_request_reviews.require_code_owner_reviews
}

violation_default_branch_status_checks_not_required {
	not protection.required_status_checks
}

violation_default_branch_up_to_date_not_required {
	not protection.required_status_checks.strict
}
```

Running the policy

With the custom policy in place, we can run compliance checks against real data. Here the output of the GitHub API, fetched with the gh CLI, is piped into rsr exec:

```shell
$ gh api /repos/reposaur/test | rsr exec
$ gh api /orgs/reposaur | rsr exec
```

SARIF report

```json
{
  "version": "2.1.0",
  "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "informationUri": "https://github.com/reposaur/reposaur",
          "name": "Reposaur",
          "rules": [
            {
              "id": "github.repository/note/not_innersource_ready",
              "name": "Repository is not InnerSource ready",
              "shortDescription": {
                "text": "Repository is not InnerSource ready"
              },
              "fullDescription": {
                "text": "InnerSource repositories (that have the `innersource` topic) must have all of\nthese files: `README.md`, `CONTRIBUTING.md` and `LICENSE`, and at least one\nof them is missing.",
                "markdown": "InnerSource repositories (that have the `innersource` topic) must have all of\nthese files: `README.md`, `CONTRIBUTING.md` and `LICENSE`, and at least one\nof them is missing."
              },
              "help": {
                "markdown": "InnerSource repositories (that have the `innersource` topic) must have all of\nthese files: `README.md`, `CONTRIBUTING.md` and `LICENSE`, and at least one\nof them is missing."
              },
              "properties": {
                "security-severity": "1"
              }
            }
          ]
        }
      },
      "results": [
        {
          "ruleId": "github.repository/note/not_innersource_ready",
          "ruleIndex": 0,
          "level": "note",
          "message": {
            "text": "Repository is not InnerSource ready"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "."
                }
              }
            }
          ]
        }
      ],
      "properties": {
        "default_branch": "main",
        "owner": "reposaur",
        "repo": "test"
      }
    }
  ]
}
```

License

Project address

https://github.com/reposaur/reposaur

References

https://www.openpolicyagent.org/docs/latest/policy-language/
https://docs.reposaur.com/guides/writing-your-first-policy
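The SARIF output is what lets a pipeline act on Reposaur's findings. The following is an added example, not code from the original article or from the Reposaur project: a small Python consumer that parses a SARIF 2.1.0 report in the shape shown above, joins each result to its rule metadata (by `ruleId`, falling back to `ruleIndex`), counts findings per level, and returns a build-gate decision based on the result level and the `security-severity` property. The report it runs on is constructed inline; its second rule id, the `error` level and the severity `8` are assumptions chosen to represent a `violation_` rule, not values taken from Reposaur.

```python
import json
from typing import Any

# SARIF result levels, ranked so a threshold comparison is possible.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed sample: a trimmed SARIF 2.1.0 report in the shape Reposaur emits
# (rules under tool.driver.rules, results referencing them by ruleId/ruleIndex,
# the target repository under run.properties). The second rule, its "error"
# level and its security-severity are assumptions made for this example.
SAMPLE_SARIF = """{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {"name": "Reposaur", "rules": [
      {"id": "github.repository/note/not_innersource_ready",
       "name": "Repository is not InnerSource ready",
       "shortDescription": {"text": "Repository is not InnerSource ready"},
       "properties": {"security-severity": "1"}},
      {"id": "github.repository/violation/default_branch_not_protected",
       "name": "Default branch is not protected",
       "shortDescription": {"text": "Default branch is not protected"},
       "properties": {"security-severity": "8"}}
    ]}},
    "results": [
      {"ruleId": "github.repository/note/not_innersource_ready", "ruleIndex": 0,
       "level": "note", "message": {"text": "Repository is not InnerSource ready"}},
      {"ruleId": "github.repository/violation/default_branch_not_protected", "ruleIndex": 1,
       "level": "error", "message": {"text": "Default branch is not protected"}}
    ],
    "properties": {"default_branch": "main", "owner": "reposaur", "repo": "test"}
  }]
}"""


def parse_sarif(text: str) -> dict[str, Any]:
    """Parse a SARIF document and reject anything that is not a 2.1.0 log with runs."""
    report = json.loads(text)
    if report.get("version") != "2.1.0":
        raise ValueError(f"unsupported SARIF version: {report.get('version')!r}")
    if not isinstance(report.get("runs"), list):
        raise ValueError("SARIF report has no 'runs' array")
    return report


def findings(report: dict[str, Any]) -> list[dict[str, Any]]:
    """Flatten results across runs, joining each to its rule metadata."""
    out = []
    for run in report["runs"]:
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        by_id = {r["id"]: r for r in rules if "id" in r}
        target = run.get("properties", {})
        for res in run.get("results", []):
            rule_id = res.get("ruleId")
            # Prefer lookup by id; fall back to ruleIndex if the id is absent or unknown.
            rule = by_id.get(rule_id)
            idx = res.get("ruleIndex")
            if rule is None and isinstance(idx, int) and 0 <= idx < len(rules):
                rule = rules[idx]
            rule = rule or {}
            # GitHub-style security-severity is carried as a string; default to 0.
            severity = float(rule.get("properties", {}).get("security-severity", 0))
            out.append({
                "rule_id": rule_id or rule.get("id"),
                "level": res.get("level", "warning"),  # SARIF's default when absent
                "severity": severity,
                "message": res.get("message", {}).get("text", rule.get("name", "")),
                "target": f"{target.get('owner', '?')}/{target.get('repo', '?')}",
            })
    return out


def summarize(report: dict[str, Any]) -> dict[str, int]:
    """Count findings per SARIF level."""
    counts: dict[str, int] = {}
    for f in findings(report):
        counts[f["level"]] = counts.get(f["level"], 0) + 1
    return counts


def should_fail(report: dict[str, Any], min_level: str = "error",
                min_severity: float = 7.0) -> bool:
    """CI gate: fail when any finding reaches min_level or min_severity."""
    threshold = LEVEL_RANK[min_level]
    return any(
        LEVEL_RANK.get(f["level"], LEVEL_RANK["warning"]) >= threshold
        or f["severity"] >= min_severity
        for f in findings(report)
    )


if __name__ == "__main__":
    rep = parse_sarif(SAMPLE_SARIF)
    for f in findings(rep):
        print(f"[{f['level']}] {f['target']}: {f['rule_id']} (severity {f['severity']})")
    print("summary:", summarize(rep), "fail build:", should_fail(rep))
```

Feeding a real run into it is a matter of `rsr exec` writing its report to a file and the script reading that file instead of `SAMPLE_SARIF`; the thresholds in `should_fail` are where a team decides which policy rules block a merge and which only annotate it.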