Update regos for policy marketplace #9

Merged
merged 23 commits into from
Jul 12, 2024
31 changes: 18 additions & 13 deletions confirmed_malicious.rego
@@ -1,27 +1,32 @@
package policy
# METADATA
# title: Confirmed Malicious
# description: |
# Return a violation if the pacakge or author is tied to known malicious behavior

furi0us333 marked this conversation as resolved.
package policy.v1
furi0us333 marked this conversation as resolved.

import rego.v1

# Returns a violation if the author is known malicious
# METADATA
# scope: rule
# schemas:
# - data.issue: schema.issue
issue contains "Author has published malicious packages" if {
data.issue.tag == "CA0001"
deny contains issue if {
some issue in data.issues
furi0us333 marked this conversation as resolved.
issue.tag == "CA0001"
}

# Returns a violation if the package contains verified malware
issue contains "This package contains malware" if {
data.issue.tag == "CM0038"
deny contains issue if {
some issue in data.issues
issue.tag == "CM0037"
}

# Returns a violation if the package contains a known-bad compiled binary
issue contains "Contains known-bad compiled binary" if {
data.issue.tag == "CM0037"
deny contains issue if {
some issue in data.issues
issue.tag == "CM0038"
}

# Returns a violation if the package depends on a known malicious package
issue contains "This package depends on malware" if {
data.issue.tag == "CM0039"
deny contains issue if {
some issue in data.issues
issue.tag == "CM0039"
}
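Review bot: The comments on the CM0037 and CM0038 rules appear swapped relative to the messages they replace: the removed rules reported "This package contains malware" for CM0038 and "Contains known-bad compiled binary" for CM0037, while the new comments label CM0037 as verified malware and CM0038 as the known-bad binary. Both tags still end up in `deny`, so the decision is unchanged, but with the message strings gone these comments are the only record of what each tag means. Please confirm which mapping is right; if the old one was, the comment above the CM0037 rule should read `# Returns a violation if the package contains a known-bad compiled binary` and the one above CM0038 `# Returns a violation if the package contains verified malware`. The new description line also misspells "package" as "pacakge".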
24 changes: 14 additions & 10 deletions data_exfiltration.rego
@@ -1,16 +1,20 @@
package policy
# METADATA
# title: Data Exfiltration
# description: |
# Returns a violation if the package contains common data exfiltration techniques

package policy.v1

import rego.v1

# Returns a violation if the package contains common data exfiltration techniques
# METADATA
# scope: rule
# schemas:
# - data.issue: schema.issue
issue contains "Package contains environment variable enumeration" if {
data.issue.tag == "HM0025"
# Package contains environment variable enumeration
deny contains issue if {
some issue in data.issues
issue.tag == "HM0025"
}

issue contains "Package contains webhook exfiltration" if {
data.issue.tag == "HM0036"
# Package contains webhook exfiltration
deny contains issue if {
some issue in data.issues
issue.tag == "HM0036"
}
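Review bot: The rewritten rules drop the rule-scoped `# schemas:` annotation for `data.issue` and add nothing equivalent for `data.issues`, so a schema-aware check no longer validates the `issue.tag` reference. In Rego a missing or misspelt field makes the rule body undefined rather than raising an error, so a change in the input shape would leave `deny` empty and the package would pass. I would keep a rule-level METADATA block bound to the new input, with `# schemas:` followed by `#   - data.issues: schema.<issues-schema>` (placeholder; the schema name is not visible on this page). The same applies to the other rewritten policies in this pull request, including confirmed_malicious.rego, dependency_confusion.rego and install_code.rego.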
18 changes: 10 additions & 8 deletions dependency_confusion.rego
@@ -1,12 +1,14 @@
package policy
# METADATA

Check failure on line 1 in dependency_confusion.rego


GitHub Actions / lint

Detached metadata annotation. To learn more, see: https://docs.styra.com/regal/rules/style/detached-metadata
# title: Dependency Confusion
# description: |
# Returns a violation if the package appears to be a dependency confusion

package policy.v1

import rego.v1

# Returns a violation if the package appears to be a dependency confusion
# METADATA
# scope: rule
# schemas:
# - data.issue: schema.issue
issue contains "Package appears to be a dependency confusion" if {
data.issue.tag == "HM0018"
# Package contains environment variable enumeration
deny contains issue if {
some issue in data.issues
issue.tag == "HM0018"
}
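Review bot: The comment above the new `deny` rule reads `# Package contains environment variable enumeration`, which looks copied from data_exfiltration.rego; this rule matches HM0018, which the removed message described as dependency confusion. Replace it with `# Package appears to be a dependency confusion` so the tag's meaning stays documented now that the message string is gone.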
18 changes: 10 additions & 8 deletions install_code.rego
@@ -1,12 +1,14 @@
package policy
# METADATA

Check failure on line 1 in install_code.rego


GitHub Actions / lint

Detached metadata annotation. To learn more, see: https://docs.styra.com/regal/rules/style/detached-metadata
# title: Install Code Execution
# description: |
# Returns a violation if there is code execution on package install

package policy.v1

import rego.v1

# Returns a violation if there is code execution on package install
# METADATA
# scope: rule
# schemas:
# - data.issue: schema.issue
issue contains "Package contains code execution on install" if {
data.issue.tag in {"IM0042", "IM0043", "IM0044"}
# Package contains code execution on install
deny contains issue if {
some issue in data.issues
issue.tag in {"IM0042", "IM0043", "IM0044"}
}
24 changes: 14 additions & 10 deletions install_code_suspicious.rego
@@ -1,16 +1,20 @@
package policy
# METADATA

Check failure on line 1 in install_code_suspicious.rego


GitHub Actions / lint

Detached metadata annotation. To learn more, see: https://docs.styra.com/regal/rules/style/detached-metadata
# title: Install Code Execution (Suspicious)
# description: |
# Returns a violation if there is suspicious code execution on pacakge install

package policy.v1

import rego.v1

# Returns a violation if there is suspicious code execution on package install
# METADATA
# scope: rule
# schemas:
# - data.issue: schema.issue
issue contains "Package contains suspicious code execution on install" if {
data.issue.tag == "CM0007"
# Package contains suspicious code execution on install
deny contains issue if {
some issue in data.issues
issue.tag == "CM0007"
}

issue contains "Package contains suspicious code execution on install" if {
endswith(data.issue.tag, "M0031")
# Package contains suspicious code execution on install
deny contains issue if {
some issue in data.issues
endswith(issue.tag, "M0031")
}
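Review bot: `endswith(issue.tag, "M0031")` in the second rule accepts any string with that suffix, whatever its length or prefix, and a non-string `tag` leaves the call undefined so the rule silently does not fire. The check is carried over from the old rule, but this rewrite is a good moment to pin it down: if the intent is one category letter followed by M0031, `regex.match("^[A-Z]M0031$", issue.tag)` states that; if only specific tags exist, an explicit set like the one in install_code.rego is clearer. A short comment saying why this rule is a suffix match while its sibling is an exact match would also help. The new description line misspells "package" as "pacakge".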
18 changes: 10 additions & 8 deletions license_mismatch.rego
@@ -1,12 +1,14 @@
package policy
# METADATA

Check failure on line 1 in license_mismatch.rego


GitHub Actions / lint

Detached metadata annotation. To learn more, see: https://docs.styra.com/regal/rules/style/detached-metadata
# title: License Mismatch
# description: |
# Returns a violation if there is a license mismatch between metadata and files

package policy.v1

import rego.v1

# Returns a violation if there is a license mismatch between metadata and files
# METADATA
# scope: rule
# schemas:
# - data.issue: schema.issue
issue contains "License mismatch" if {
data.issue.tag == "IL0022"
# License mismatch
deny contains issue if {
some issue in data.issues
issue.tag == "IL0022"
}
18 changes: 10 additions & 8 deletions minimal_code.rego
@@ -1,12 +1,14 @@
package policy
# METADATA

Check failure on line 1 in minimal_code.rego


GitHub Actions / lint

Detached metadata annotation. To learn more, see: https://docs.styra.com/regal/rules/style/detached-metadata
# title: Minimal Code
# description: |
# Returns a violation if the package contains minimal code and is unlikley worth the security risk

package policy.v1

import rego.v1

# Returns a violation if the package contains minimal code and is unlikley worth the security risk
# METADATA
# scope: rule
# schemas:
# - data.issue: schema.issue
issue contains "Package contains minimal code" if {
data.issue.tag == "IE0027"
# Package contains minimal code
deny contains issue if {
some issue in data.issues
issue.tag == "IE0027"
}
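Review bot: The new package-level description misspells "unlikely" as "unlikley" in `# Returns a violation if the package contains minimal code and is unlikley worth the security risk`. This text is presumably what is shown for the policy when it is listed, so it is worth correcting to `... and is unlikely worth the security risk` before publishing.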
18 changes: 10 additions & 8 deletions obfuscated_code.rego
@@ -1,12 +1,14 @@
package policy
# METADATA

Check failure on line 1 in obfuscated_code.rego


GitHub Actions / lint

Detached metadata annotation. To learn more, see: https://docs.styra.com/regal/rules/style/detached-metadata
# title: Obfuscated Code
# description: |
# Returns a violation if the package contains obfuscated code

package policy.v1

import rego.v1

# Returns a violation if the package contains obfuscated code
# METADATA
# scope: rule
# schemas:
# - data.issue: schema.issue
issue contains "Package contains obfuscated code" if {
data.issue.tag in {"HM0029", "HM0099", "HM0023", "IM0040", "IM0041"}
# Package contains obfuscated code
deny contains issue if {
some issue in data.issues
issue.tag in {"HM0029", "HM0099", "HM0023", "IM0040", "IM0041"}
}
14 changes: 14 additions & 0 deletions runs_remote_code.rego
@@ -0,0 +1,14 @@
# METADATA

Check failure on line 1 in runs_remote_code.rego


GitHub Actions / lint

Detached metadata annotation. To learn more, see: https://docs.styra.com/regal/rules/style/detached-metadata
# title: Runs Remote Code
# description: |
# Returns a violation if the package runs remote code

package policy.v1

import rego.v1

# Runs remote code
deny contains issue if {
some issue in data.issues
issue.tag in {"CM0024", "MM0024", "HM0032"}
}
18 changes: 10 additions & 8 deletions secret_non_test.rego
Original file line number Diff line number Diff line change
@@ -1,12 +1,14 @@
package policy
# METADATA
# title: Minimal Code
# description: |
furi0us333 marked this conversation as resolved.
# Returns a violation if the package contains secrets/tokens excluding test/example files

package policy.v1

import rego.v1

# Returns a violation if the package contains secrets/tokens excluding test/example files
# METADATA
# scope: rule
# schemas:
# - data.issue: schema.issue
issue contains "Secrets in non-test file" if {
data.issue.tag == "ME0016"
# Secrets in non-test file
deny contains issue if {
some issue in data.issues
issue.tag == "ME0016"
}
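Review bot: The METADATA block titles this policy `# title: Minimal Code`, which looks copied from minimal_code.rego; the rule itself matches ME0016, secrets in non-test files. If the title is what is listed for the policy, someone looking for secret detection would not find it, and someone enabling "Minimal Code" could get this rule instead. A title such as `# title: Secrets in Non-Test Files` would match the description.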
12 changes: 10 additions & 2 deletions show_all.rego
@@ -1,5 +1,13 @@
package policy
# METADATA

Check failure on line 1 in show_all.rego


GitHub Actions / lint

Detached metadata annotation. To learn more, see: https://docs.styra.com/regal/rules/style/detached-metadata
# title: Show All
furi0us333 marked this conversation as resolved.
# description: |
# Returns a violation for all identified issues

package policy.v1

import rego.v1

issue contains "Policy Violation"
# Policy Violation
deny contains issue if {
some issue in data.issues
}
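--- a/suspicious_url.rego
+++ b/suspicious_url.rego
@@ -0,0 +1,14 @@
+# METADATA
+# title: Suspicious URL References
+# description: |
+# Returns a violation if the package references sites uncommon to legitimate software
+
+package policy.v1
+
+import rego.v1
+
+# Suspicious URL reference
+deny contains issue if {
+some issue in data.issues
+issue.tag == "MM0028"
+}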
31 changes: 12 additions & 19 deletions typosquat.rego
@@ -1,26 +1,19 @@
package policy
# METADATA

Check failure on line 1 in typosquat.rego


GitHub Actions / lint

Detached metadata annotation. To learn more, see: https://docs.styra.com/regal/rules/style/detached-metadata
# title: Typosquat
# description: |
# Returns a violation if the package contains a potential typosquat with malicious characteristics

import data.phylum.domain
package policy.v1

import data.phylum.domain
import rego.v1

# Returns `true` if the given dependency has a typosquat issue
has_typosquat if {
some issue in data.dependency.issues
issue.tag == "HM0008"
}
# Potential typosquat with malicious characteristics
deny contains typosquat_issue if {
some dependency in data.dependencies

# Returns `true` if the dependency has more than one malware issue
has_more_than_one_malware_issue if {
some issue in data.dependency.issues
count([dom | issue.domain == domain.MALICIOUS; dom := issue.domain]) > 1
}
some typosquat_issue in dependency.issues
typosquat_issue.tag == "HM0008"

# METADATA
# scope: rule
# schemas:
# - data.issue: schema.issue
issue contains "Potential typosquat with malicious characteristics" if {
has_typosquat
has_more_than_one_malware_issue
count([d | dependency.issues[i].domain == domain.MALICIOUS; d := dependency.issues[i].domain]) > 1

Check failure on line 18 in typosquat.rego


GitHub Actions / lint

Use `some` to declare output variables. To learn more, see: https://docs.styra.com/regal/rules/idiomatic/use-some-for-output-vars
}
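Review bot: The `> 1` threshold on the malicious-domain count is now undocumented: the removed helper `has_more_than_one_malware_issue` carried the intent in its name and comment, and the inlined comprehension does not. It is also unclear from this hunk whether the HM0008 issue itself is in `domain.MALICIOUS` and so counts toward the total, which decides how many additional findings are needed before the rule denies. A comment above the `count(...)` line such as `# require more than one malicious-domain issue on the same dependency` (wording to be confirmed by the author) would keep that reasoning with the rule. This policy also reads `data.dependencies` while the others in this pull request read `data.issues`; if that is intentional, the comment should say so.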
20 changes: 11 additions & 9 deletions vuln_crit.rego
@@ -1,15 +1,17 @@
package policy
# METADATA
# title: Critical Software Vulnerability
# description: |
# Returns a violation if the package has a Critical software vulnerability

package policy.v1

import data.phylum.domain
import data.phylum.level
import rego.v1

# Returns a violation if the package has a Critical software vulnerability
# METADATA
# scope: rule
# schemas:
# - data.issue: schema.issue
issue contains "Critical software vulnerability" if {
data.issue.domain == domain.VULNERABILITY
data.issue.severity > level.HIGH
# Critical software vulnerability
deny contains issue if {
some issue in data.issues
issue.domain == domain.VULNERABILITY
issue.severity == level.CRITICAL
}
20 changes: 11 additions & 9 deletions vuln_crit_high.rego
@@ -1,15 +1,17 @@
package policy
# METADATA
# title: Critical/High Software Vulnerability
# description: |
# Returns a violation if the package has a Critical or High software vulnerability

package policy.v1

import data.phylum.domain
import data.phylum.level
import rego.v1

# Returns a violation if the package has a Critical or High software vulnerability
# METADATA
# scope: rule
# schemas:
# - data.issue: schema.issue
issue contains "Critical or High software vulnerability" if {
data.issue.domain == domain.VULNERABILITY
data.issue.severity > level.MEDIUM
# Critical or High software vulnerability
deny contains issue if {
some issue in data.issues
issue.domain == domain.VULNERABILITY
issue.severity > level.MEDIUM
}
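Review bot: `issue.severity > level.MEDIUM` depends on the `level` constants being ordered values, which cannot be seen in this hunk; Rego compares strings or mixed types without raising an error, so a change in how `data.phylum.level` is encoded would change what this rule denies without any failure. vuln_crit.rego in the same pull request moved from `> level.HIGH` to `== level.CRITICAL`; the matching explicit form here is `issue.severity in {level.HIGH, level.CRITICAL}`. That also keeps the rule aligned with its title if the set of levels ever changes.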