Skip to main content

Pull Request Dependency Stacklok Insight Check

The following rule type is available to verify that pull requests do not add any dependencies with risk indicators from Stacklok Insight, that are deprecated, or known to be malicious.

For every pull request submitted to a repository, this rule will check any software dependencies for the supported ecosystems and flag any problems found with them. Based on the Stacklok Insight data, Minder can block the PR or mark the policy as failed.

stacklok/pr_trusty_check - Ensure that pull requests do not add dependencies with risk indicators from Stacklok Insight

Dependencies of questionable origin, without active maintenance or known to be malicious, can introduce security risks to the repository and its users. It is important to ensure that the dependencies are secure and come from reputable sources.

Entity

  • pull_request

Type

  • stacklok/pr_trusty_check

Rule parameters

  • None

Rule definition options

The stacklok/pr_trusty_check rule supports the following options:

  • action (string) - The action to take if a risky package is found. Valid values are:
    • profile_only - The evaluator engine will merely pass on an error, marking the profile as failed if a risky package is found
    • summary - The evaluator engine will add a single summary comment with a table listing risky packages found
    • review: The evaluator will add a review asking for changes when problematic dependencies are found. Use the review action to block any pull requests introducing dependencies that break the policy defined by the rule.
  • ecosystem_config (array of objects) - The configuration for the ecosystems to check. Optional. If not explicitly set, Minder's default configuration will be used.
    • name (string): The name of the ecosystem to check. Currently npm, go and pypi are supported.
    • score (integer): DEPRECATED - this score is deprecated and only remains for backward compatibility. It always returns a value of 0. We recommend setting this option to 0 and using the other options to control this rule's behavior.
    • provenance (number): Minimum provenance score to consider a package's proof of origin satisfactory.
    • activity (number): Minimum activity score to consider a package as active.
    • allow_malicious (boolean): Don't raise an error when a PR introduces dependencies known to be malicious (not recommended)
    • allow_deprecated (boolean): Don't block when a pull request introduces dependencies marked as deprecated upstream.