Pull Request Dependency Trusty Score Check

This rule type verifies that pull requests do not add dependencies that have low Trusty scores, are deprecated upstream, or are known to be malicious.

For every pull request submitted to a repository, this rule checks the software dependencies the PR adds in the supported ecosystems and flags any problems found with them. Based on the Trusty data, Minder can block the PR or mark the profile as failed.

stacklok/pr_trusty_check - Ensure That Pull Requests Do Not Add Dependencies With Low Trusty Scores

Dependencies of questionable origin, without active maintenance, or known to be malicious can introduce security risks to the repository and its users. It is important to ensure that dependencies are secure and come from reputable sources.

Entity

  • pull_request

Type

  • stacklok/pr_trusty_check

Rule parameters

  • None

Rule definition options

The stacklok/pr_trusty_check rule supports the following options:

  • action (string) - The action to take when a problematic dependency is found.
    • profile_only - The evaluator engine will only return an error, marking the profile as failed if a problematic dependency is found. The PR itself is not blocked.
    • summary - The evaluator engine will add a single summary comment to the PR with a table listing the problematic dependencies found. The PR is not blocked.
    • review - The Trusty evaluator will add a review requesting changes when problematic dependencies are found. Use the review action to block pull requests that introduce dependencies which break the policy defined by the rule.
  • ecosystem_config (array of objects) - The configuration for the ecosystems to check. Optional. If not explicitly set, Minder's default configuration is used.
    • name (string) - The name of the ecosystem to check. Currently npm, go and pypi are supported.
    • score (integer) - The minimum Trusty score for a dependency to be considered safe.
    • provenance (number) - The minimum provenance score for a package's proof of origin to be considered satisfactory.
    • activity (number) - The minimum activity score for a package to be considered actively maintained.
    • allow_malicious (boolean) - Do not raise an error when a PR introduces dependencies known to be malicious (not recommended).
    • allow_deprecated (boolean) - Do not block when a PR introduces dependencies marked as deprecated upstream.
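As an added example (not taken from this page or from the Minder project's own profiles), the following profile applies the rule with the blocking review action and explicit thresholds for all three supported ecosystems. The profile wrapper fields (version, type, name, context, alert, remediate and the pull_request entity list) follow Minder's general profile format and are assumed here rather than documented on this page; the threshold values are illustrative and should be tuned to the repository's risk appetite.

```yaml
# Example Minder profile (illustrative, not from this page).
# Wrapper fields follow Minder's general profile format (assumed).
version: v1
type: profile
name: block-untrusted-dependencies
context:
  provider: github
alert: "on"
remediate: "off"
pull_request:
  # The type must match the installed rule type's name.
  - type: stacklok/pr_trusty_check
    def:
      # "review" requests changes on the PR, so a failing dependency blocks
      # the merge. "summary" only comments and "profile_only" only marks the
      # profile as failed; neither blocks the PR.
      action: review
      ecosystem_config:
        # Thresholds below are illustrative values, not Minder defaults.
        - name: npm
          score: 5
          provenance: 5
          activity: 5
          allow_malicious: false   # never let known-malicious packages through
          allow_deprecated: false  # treat deprecated packages as a policy failure
        - name: pypi
          score: 5
          provenance: 5
          activity: 5
          allow_malicious: false
          allow_deprecated: false
        - name: go
          score: 5
          provenance: 5
          activity: 5
          allow_malicious: false
          allow_deprecated: false
```

Keep allow_malicious set to false in any profile meant to protect a repository; setting it to true turns the malicious-package signal into a no-op even when action is review. If the ecosystem_config block is omitted entirely, Minder's default thresholds apply instead of the values shown here.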