Pull Request Dependency Vulnerability Check

The following rule type is available to verify that pull requests do not add any vulnerable dependencies. For every pull request submitted to a repository, this rule checks whether the pull request adds a new dependency with known vulnerabilities. If it does, the rule fails and, depending on the configured action, the pull request is rejected or commented on.

stacklok/pr_vulnerability_check - Ensure that the pull request does not add any vulnerable dependencies.

Vulnerable dependencies can introduce security risks to the repository and its users. It is important to ensure that the dependencies are secure and do not contain any known vulnerabilities.

Entity

  • pull_request

Type

  • stacklok/pr_vulnerability_check

Rule parameters

  • None

Rule definition options

The stacklok/pr_vulnerability_check rule supports the following options:

  • action (string) - The action to take if a vulnerability is found.
    • review - Minder will review the PR, suggest changes and mark the PR as changes requested if a vulnerability is found.
    • commit_status - Minder will comment and suggest changes on the PR if a vulnerability is found. Additionally, Minder will set the commit_status of the PR HEAD to failed to prevent the commit from being merged.
    • comment - Minder will comment and suggest changes on the PR if a vulnerability is found, but will not request changes.
    • profile_only - The evaluator engine will only return an error, marking the profile as failed if a vulnerability is found; the PR itself is not commented on.
    • summary - The evaluator engine will add a single summary comment with a table listing the vulnerabilities found.
  • ecosystem_config (array of objects) - The configuration for the ecosystems to check. Optional. If not explicitly set, Minder's default configuration will be used.
    • name (string): The name of the ecosystem to check. Currently npm, go and pypi are supported.
    • vulnerability_database_type (string): The kind of vulnerability database to use. Currently only osv is supported.
    • vulnerability_database_endpoint (string): The endpoint of the vulnerability database to use.
    • package_repository (object): The package repository to use. This is an object with the following options:
      • url (string): The URL of the package repository to use.
    • sum_repository (object): The Go checksum database to use. Only used if the ecosystem is go. This is an object with the following options:
      • url (string): The URL of the Go checksum database to use.
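As an added example (not taken from the page or from Minder's own default configuration), the following profile fragment wires the rule into a Minder profile with the commit_status action and an explicit ecosystem_config for npm and go. The profile wrapper fields (version, type, name, context) and the registry, OSV and checksum-database URLs are assumptions; replace them with the values your deployment uses.

```yaml
# Assumed Minder profile wrapper; only the pull_request section is
# specific to this rule type.
version: v1
type: profile
name: block-vulnerable-dependencies
context:
  provider: github
alert: "on"
remediate: "off"
pull_request:
  - type: pr_vulnerability_check
    def:
      # commit_status: comment on the PR *and* mark the HEAD commit as
      # failed, so a required status check prevents the merge.
      action: commit_status
      # Explicit ecosystem_config overrides Minder's built-in defaults.
      # Endpoint and registry URLs below are assumptions for the example.
      ecosystem_config:
        - name: npm
          vulnerability_database_type: osv
          vulnerability_database_endpoint: https://api.osv.dev/v1/query
          package_repository:
            url: https://registry.npmjs.org
        - name: go
          vulnerability_database_type: osv
          vulnerability_database_endpoint: https://api.osv.dev/v1/query
          package_repository:
            url: https://proxy.golang.org
          # sum_repository is only consulted for the go ecosystem.
          sum_repository:
            url: https://sum.golang.org
```

Omitting ecosystem_config entirely is also valid; in that case only the action needs to be set and Minder's defaults apply to every supported ecosystem.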