Improve rule checks #13

TomHennen · 2025-01-10T14:09:48Z

Right now the rule check in actions/vsa_creator/determine_source_level_gh.sh doesn't check

a. That the rule has enforcement active
b. That the user hasn't made other changes to the code prior to this revision with the rule deactived.

Currently the spec doesn't really address (b) but it probably should in some way.

A quick proposal for what we could do here:

Get the ruleset ID for the rules we care about from the rules API call.

e.g.

$ curl -L   -H "Accept: application/vnd.github+json"   -H "X-GitHub-Api-Version: 2022-11-28"   https://api.github.com/repos/TomHennen/slsa-source-poc/rules/branches/main
[
  {
    "type": "deletion",
    "ruleset_source_type": "Repository",
    "ruleset_source": "TomHennen/slsa-source-poc",
    "ruleset_id": 3184000   # <-- use this
  },
  {
    "type": "non_fast_forward",
    "ruleset_source_type": "Repository",
    "ruleset_source": "TomHennen/slsa-source-poc",
    "ruleset_id": 3184000   # <-- and this
  }
]

Use the rulesets API to get the details about those rulesets (they could be different!)

$ curl -L   -H "Accept: application/vnd.github+json"   -H "X-GitHub-Api-Version: 2022-11-28"   https://api.github.com/repos/TomHennen/slsa-source-poc/rulesets/3184000
{
  "id": 3184000,
  "name": "no-force-push",
  "target": "branch",
  "source_type": "Repository",
  "source": "TomHennen/slsa-source-poc",
  "enforcement": "active",
  "conditions": {
    "ref_name": {
      "exclude": [

      ],
      "include": [
        "~DEFAULT_BRANCH"
      ]
    }
  },
  "rules": [
    {
      "type": "deletion"
    },
    {
      "type": "non_fast_forward"
    }
  ],
  "node_id": "RRS_lACqUmVwb3NpdG9yec42arxDzgAwlYA",
  "created_at": "2025-01-07T14:10:13.659Z",
  "updated_at": "2025-01-09T22:13:35.296Z",
  "_links": {
    "self": {
      "href": "https://api.github.com/repos/TomHennen/slsa-source-poc/rulesets/3184000"
    },
    "html": {
      "href": "https://github.com/TomHennen/slsa-source-poc/rules/3184000"
    }
  }
}

Check that .enforcement is active (protects 'a' above)
Check that .updated_at is at least X days in the past. (provides some protection for 'b' above).

It seems like this should be possible to do with jq and more shell scripting, but maybe someone would be interested into turning this into something more formal?

The text was updated successfully, but these errors were encountered:

TomHennen · 2025-01-10T14:11:30Z

I think there's an outstanding question about what 'X' should be for check '4'.

When chatting about it with @adityasaky I suggested '90 days' for Level 2, but it might be possible to go much shorter if we wanted to. It will require some thought.

For now, in this PoC, maybe we'd prefer to keep it simple and say '7' days or something like that? That should make it easier to see progress in the near term.

This introduces a golang CLI that determines the level instead of using shell scripts. It also implements the ideas in #13 to ensure the rulesets are active and have been active for a sufficient length of time. The go program introduced here: 1. Checks that deletion and non-fast-forward rules exist. 2. That they are active within a certain about of time of the provided commit being pushed to the branch. It also starts to introduce support for producing and signing the VSA with Sigstore, but currently stops short because it got too complicated.

TomHennen mentioned this issue Jan 23, 2025

Determine source level in go #15

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Improve rule checks #13

Improve rule checks #13

TomHennen commented Jan 10, 2025

TomHennen commented Jan 10, 2025

Improve rule checks #13

Improve rule checks #13

Comments

TomHennen commented Jan 10, 2025

TomHennen commented Jan 10, 2025