Stacklok Insight Integration

Minder integrates directly with Stacklok Insight to enable policy-driven dependency management based on the risk level of dependencies.

Minder provides a Stacklok Insight rule type which allows you to monitor new pull requests for newly added dependencies with risk indicators from Stacklok Insight.

For every pull request submitted to a repository, this rule will check if the pull request adds a new dependency with risk indicators from Stacklok Insight that exceed thresholds that you define. If a risky dependency is added, Minder will notify you and suggest an alternative package, if one is available.

Here we see Minder in action, commenting on a pull request that adds a package with risk indicators from Stacklok Insight:

[Screenshot: Minder commenting on a pull request with Stacklok Insight risk signals]

Create a profile

Minder Cloud ships with the Stacklok Insight rule type (pr_trusty_check) pre-registered. To enable the rule, create a profile that applies the rule to all registered repositories.

Create a new file called stacklok-insight-risk-profile.yaml. In this profile the following options are configured:

  • action is set to summary allowing Minder to comment on pull requests with risk indicators from Stacklok Insight, providing an explanation of the issue and possible alternatives.
  • ecosystem_config is set to check the pypi ecosystem for new dependencies whose Stacklok Insight activity score is below the threshold of 5.
---
version: v1
type: profile
name: stacklok-insight-risk-profile
context:
  provider: github
remediate: "on"
pull_request:
  - type: stacklok/pr_trusty_check
    def:
      action: summary
      ecosystem_config:
        - name: pypi
          activity: 5
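To make the threshold semantics of ecosystem_config concrete, the following is an added illustrative model, not Minder's or Stacklok Insight's own code. It mirrors the ecosystem_config section of the profile above as a Python dict and evaluates a few constructed dependency records (hypothetical package names and activity scores) against it: only ecosystems listed in the profile are checked, and a dependency is flagged when its activity score is strictly below the configured value, which is how the text above describes the check. The comment format produced at the end is also an illustration, not Minder's actual pull request comment template.

```python
"""Illustrative model of how a pr_trusty_check ecosystem_config threshold is
applied to newly added dependencies.

Added example, not Minder's code: the profile's ecosystem_config is mirrored
as a dict and checked against constructed dependency records.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# The ecosystem_config section of stacklok-insight-risk-profile.yaml as a dict.
# "activity" is the minimum acceptable Stacklok Insight activity score.
PROFILE_ECOSYSTEM_CONFIG: List[Dict] = [
    {"name": "pypi", "activity": 5},
]


@dataclass(frozen=True)
class AddedDependency:
    """A dependency newly introduced by a pull request (constructed input)."""
    ecosystem: str
    name: str
    activity: float  # Stacklok Insight activity score (hypothetical values)


def thresholds_by_ecosystem(ecosystem_config: List[Dict]) -> Dict[str, float]:
    """Index the ecosystem_config list by lower-cased ecosystem name.

    Entries without an "activity" key configure no activity threshold and are
    therefore skipped here.
    """
    thresholds: Dict[str, float] = {}
    for entry in ecosystem_config:
        if "activity" in entry:
            thresholds[entry["name"].lower()] = float(entry["activity"])
    return thresholds


def flagged_dependencies(
    ecosystem_config: List[Dict], added: List[AddedDependency]
) -> List[AddedDependency]:
    """Return the added dependencies whose activity score is strictly below
    the threshold configured for their ecosystem.

    Dependencies in ecosystems the profile does not list are ignored, and a
    score equal to the threshold is not flagged ("below the threshold").
    """
    thresholds = thresholds_by_ecosystem(ecosystem_config)
    flagged: List[AddedDependency] = []
    for dep in added:
        limit: Optional[float] = thresholds.get(dep.ecosystem.lower())
        if limit is not None and dep.activity < limit:
            flagged.append(dep)
    return flagged


def summary_comment(flagged: List[AddedDependency]) -> str:
    """Render a plain-text summary of the flagged dependencies.

    The wording is an illustration of a "summary" action, not Minder's
    actual comment template.
    """
    if not flagged:
        return "No newly added dependencies fell below the configured thresholds."
    lines = ["Newly added dependencies with low Stacklok Insight activity:"]
    for dep in flagged:
        lines.append(f"- {dep.ecosystem}/{dep.name}: activity {dep.activity:g}")
    return "\n".join(lines)


# Constructed sample input: three dependencies a hypothetical PR adds.
SAMPLE_ADDED: List[AddedDependency] = [
    AddedDependency("pypi", "example-low-activity", 2.0),     # below 5: flagged
    AddedDependency("pypi", "example-well-maintained", 8.5),  # above 5: accepted
    AddedDependency("npm", "example-unconfigured", 1.0),      # npm not in profile: ignored
]

if __name__ == "__main__":
    print(summary_comment(flagged_dependencies(PROFILE_ECOSYSTEM_CONFIG, SAMPLE_ADDED)))
```

Running the module prints a summary naming only example-low-activity: the npm package is ignored because the profile lists only pypi, and the well-maintained package clears the threshold of 5.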

Create the profile in Minder:

minder profile create -f stacklok-insight-risk-profile.yaml

That's it! Any registered repos will now be monitored for new dependencies with risk indicators from Stacklok Insight.