Apply a profile to a subset of entities
Profiles allow you to apply a consistent set of rules to a group of entities within your project. By default, these profiles are applied universally across all entities in a project. However, you may need to target a specific subset, such as repositories belonging to a specific organization. Minder simplifies this process with profile selectors, enabling you to easily customize which entities a profile applies to.
Prerequisites
- A Minder account with at least editor permission
- An enrolled Provider (e.g., GitHub) and registered repositories
Add a selector to a profile in the UI
To add a selector to a profile in the UI, you can either do so when creating the profile or by editing an existing one. Follow these steps to add a selector:
- Select the Profile: Start by choosing the profile you want the selector to apply to.
- Navigate to the Selectors Tab: Go to the "Selectors" tab within the profile settings.
- Choose the Selector Type: From the dropdown menu, select "Conditional" to apply the profile based on specific conditions.
Selectors are written using CEL (Common Expression Language), a language designed for expressing conditions and rules. To add a selector to your profile:
- Select the Entity Type: Begin by choosing the entity type you want to filter, for example Repository.
- Define the Condition: Next, define the condition that entities must meet to be included in the profile.
For example, the following CEL expression filters repositories to include only those that are not forks and whose name starts with "stacklok/", that is, repositories that are part of the stacklok organization.
repository.is_fork != true && repository.name.startsWith('stacklok/')
Below, you will find a comprehensive list of available selectors for each entity type, which you can use as a reference to create more specific conditions.
Add a selector to a profile in the CLI
Selectors are written using CEL (Common Expression Language). To add a selector to your profile, you need to define the entity and the condition you want to apply. Below is an example showing how to configure a selector to filter repositories and artifacts:
name: profile-with-selectors
selection:
  - entity: repository
    selector: repository.is_fork != true && repository.name.startsWith('stacklok/')
  - entity: artifact
    selector: artifact.provider.name == 'github-app-stacklok'
  - entity: repository
    selector: repository.properties['github/license'].contains('GPL') == true
    comment: 'Be extra careful with GPL licenses'
  - entity: repository
    selector: repository.properties['github/primary_language'] == 'Go'
    comment: 'Only Go repositories'
  - entity: repository
    selector: repository.provider.class.contains('github')
    comment: 'Only github repositories'
Let's break down the example above:
- entity: Defines the type of entity you want to filter (repository, artifact, or pull_request). If the entity type is omitted, the selector is applied to all entities.
- selector: The CEL expression that specifies the filtering criteria. In the example:
  - The first selector filters repositories to include only those that are not forks and whose name starts with stacklok/. In other words, those that are part of the stacklok organization.
  - The second selector filters artifacts to include only those provided by github-app-stacklok.
  - The third selector filters repositories to include only those with a GPL license.
  - The fourth selector filters repositories to include only those that use Go as the primary language. The third and fourth selectors use the properties map, which is provider-specific.
  - The fifth selector filters repositories to include only those provided by the GitHub provider. We use the contains function to check if the provider class contains the string github, which covers both the github and github-app providers.
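A static check over selector text for the scoping points in the breakdown above, as an added example (not part of Minder or its documentation). It does not evaluate CEL; the function name, the finding levels, and the two loosened entries in the sample input are assumptions made for this example.

```python
import re

# <entity>.name.startsWith('<prefix>'); the lookbehind skips provider.name.
NAME_PREFIX = re.compile(r"(?<![\w.])\w+\.name\.startsWith\(\s*(['\"])(.*?)\1\s*\)")
# provider.class.contains('<text>') or provider.name.contains('<text>').
PROVIDER_SUBSTR = re.compile(r"\.provider\.(class|name)\.contains\(\s*(['\"])(.*?)\2\s*\)")


def lint_selection(selection):
    """Return (index, level, message) for selectors that scope wider than they read."""
    findings = []
    for i, entry in enumerate(selection):
        expr = entry.get("selector", "")
        if not entry.get("entity"):
            findings.append((i, "warn", "no entity set: selector applies to all entity types"))
        for m in NAME_PREFIX.finditer(expr):
            prefix = m.group(2)
            # Full names look like owner/repo, so a prefix without '/' does not pin the owner.
            if "/" not in prefix:
                findings.append((i, "warn",
                    f"prefix '{prefix}' has no '/': it also matches owners such as '{prefix}-other'"))
        for m in PROVIDER_SUBSTR.finditer(expr):
            findings.append((i, "info",
                f"substring match on provider.{m.group(1)}: selects every value containing '{m.group(3)}'"))
    return findings


# Constructed input: entries 0 and 1 are selectors from this page; entries 2 and 3
# are loosened variants written for this example.
SELECTION = [
    {"entity": "repository",
     "selector": "repository.is_fork != true && repository.name.startsWith('stacklok/')"},
    {"entity": "repository",
     "selector": "repository.provider.class.contains('github')"},
    {"entity": "repository",
     "selector": "repository.name.startsWith('stacklok')"},
    {"selector": "repository.provider.class.contains('github')"},
]

if __name__ == "__main__":
    for idx, level, msg in lint_selection(SELECTION):
        print(f"selection[{idx}] {level}: {msg}")
```

Entities that a selector excludes are not evaluated by the profile, so reviewing the warn findings before applying a profile helps confirm the intended repositories stay in scope.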
Below you can find the full list of selectors available for each entity type.
Repository selectors
Selectors for repositories allow you to filter and manage repositories based on specific attributes and properties. The attributes are common to all providers, while the properties are provider-specific and prefixed with the provider name.
Field | Description | Type |
---|---|---|
name | The full name of the repository, e.g. mindersec/minder | string |
is_fork | true if the repository is a fork, nil if unknown or not applicable to this provider | bool |
is_private | true if the repository is private, nil if unknown or not applicable to this provider | bool |
provider | The provider of the repository, for more details see Provider Selectors | ProviderSelector |
Repository properties set by the GitHub provider
Field | Description | Type |
---|---|---|
github/license | The license of the repository, e.g. MIT, GPL, Apache-2.0, etc. | string |
github/primary_language | The primary language of the repository, e.g. Go, Python, Java, etc. | string |
github/default_branch | The default branch of the repository, e.g. main, master, etc. | string |
github/repo_id | The GitHub repo ID | integer |
github/repo_name | The GitHub repo name (e.g. stacklok) | string |
github/repo_owner | The GitHub repo owner (e.g. minder) | string |
Artifact selectors
Field | Description | Type |
---|---|---|
name | The full name of the artifact, e.g. mindersec/minder-server | string |
type | The type of the artifact, e.g. "container" | string |
provider | The provider of the artifact, for more details see Provider Selectors | ProviderSelector |
Artifact properties set by the GitHub provider
Field | Description | Type |
---|---|---|
github/created_at | The time the artifact was created formatted as RFC3339 string | string |
github/name | The full name of the artifact. | string |
github/type | The type of the artifact, e.g. "container" | string |
github/visibility | The visibility of the artifact, e.g. "public" | string |
github/owner | The full name of the artifact owner. Can be a repo or an org. | string |
github/repo | The GitHub repo full name (e.g. mindersec/minder). Empty for org packages. | string |
github/repo_name | The GitHub repo name (e.g. stacklok). Empty for org packages. | string |
github/repo_owner | The GitHub repo owner (e.g. minder). Empty for org packages. | string |
Pull request selectors
Field | Description | Type |
---|---|---|
name | The full name of the pull request, e.g. mindersec/minder/123 | string |
Pull request properties set by the GitHub provider
Field | Description | Type |
---|---|---|
github/pull_url | The URL of the pull request | string |
github/pull_number | The number of the pull request | string |
github/pull_author_id | The numerical ID of the author of the pull request | int |
github/pull_author_login | The GitHub login of the author of the pull request | string |
github/repo_name | The GitHub repo name (e.g. minder). | string |
github/repo_owner | The GitHub repo owner (e.g. stacklok). | string |
Entity provider selectors
Each entity can be filtered based on its provider.
Field | Description | Type |
---|---|---|
name | The name of the provider, e.g. github-app-stacklok | string |
class | The class of the provider, e.g. github-app | string |