Creating a Profile
A profile defines your security policies that you want to apply to your software supply chain. Once you have registered repositories in your Minder account, you can create one or more profiles:
- Click Profiles in the left sidebar.
- Click New Profile to create a new profile.
- In the Select Profile dialog, you can add one of Stacklok's pre-defined profiles that can help you maintain best practices in your repositories:
  - GitHub Repository Security: ensures that security settings are configured for GitHub repositories.
  - GitHub Actions Workflow Security: ensures best practices are configured for GitHub Actions workflow security.
  - Dependency Security: ensures pull requests do not introduce packages with vulnerabilities or low Trusty Scores.
  - Artifact Security: ensures that containers and packages in GitHub Container Registry are signed with provenance.
- If you want to create a custom profile for your organization, click Create Custom Profile.
- Give your profile a name.
- Select a rule to add to your profile. Each rule specifies an individual policy to apply to your repositories -- for example, to ensure that Secret Scanning is enabled for your repository, or that pull requests do not introduce dependencies with a low Trusty Score. Click "Add Rule" to add it to your new profile.
- If the rule requires configuration, you'll be prompted to configure the rule. For example, the Dependabot rule requires configuration about the package ecosystem. When you have configured the rule, click "Add Rule" to save the configuration.
- You can add additional rules to your profile to complete your security profile.
By default, your new profile will have alerts enabled — to open GitHub Security Advisories on rule failures — and will have automatic remediations disabled.
To change settings for alerts or automatic remediations, select Profiles in the left sidebar. On the profile that you want to configure, click the three-dots menu on the right side of the profile.
- To change alerts settings, select "Turn on Security Advisories" or "Turn off Security Advisories".
- To change automatic remediation settings, select "Turn on Security Advisories" or "Turn off Security Advisories".
You can add additional profiles to further refine your security posture. Once you have registered repositories and added profiles, you can click Dashboard in the left sidebar to see your profile status.
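The same profile that the steps above build in the UI can be expressed as a profile definition. The following YAML is an added example, not content from the original page or from Stacklok's own documentation; the rule type names and their parameters (`secret_scanning`, `dependabot_configured`, `package_ecosystem`, `schedule_interval`, `apply_if_file`) and the `alert`/`remediate` switches are assumed from Minder's profile format, so check them against the version you run. The `alert: "on"` and `remediate: "off"` values reproduce the defaults the page describes (Security Advisories opened on rule failure, automatic remediation disabled).

```yaml
# Added example (not from the original page): a Minder profile in YAML,
# equivalent to a custom profile created through the UI steps above.
# Rule types, parameter names and the alert/remediate switches are assumed
# from Minder's profile format; verify against your Minder version.
version: v1
type: profile
name: example-github-profile   # constructed name for this example
context:
  provider: github

# Defaults as described on the page: alerts on, automatic remediation off.
# Flip "remediate" to "on" only once you are comfortable with Minder changing
# repository settings on your behalf.
alert: "on"
remediate: "off"

repository:
  # Ensure GitHub Secret Scanning is enabled on each registered repository.
  - type: secret_scanning
    def:
      enabled: true

  # The Dependabot rule needs ecosystem configuration, as the page notes;
  # here it checks Go module repositories (apply_if_file limits the rule to
  # repositories that actually contain a go.mod).
  - type: dependabot_configured
    def:
      package_ecosystem: gomod
      schedule_interval: daily
      apply_if_file: go.mod
```

If you manage profiles from the command line rather than the UI, a file like this is what you would hand to the Minder CLI (assumed invocation: `minder profile create -f profile.yaml`); the profile then shows up under Profiles in the sidebar alongside profiles created through the dialog.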