Flexible policy enforcement with Minder profile selectors

Enforcing security and compliance policies in a software development organization is rarely a one-size-fits-all exercise. Security teams need the flexibility to customize how and when policies are applied to different types of resources like repositories and build artifacts. This is especially true when introducing new rules and remediations, as an uncontrolled rollout can disrupt production pipelines. And inevitably, exceptions must be taken into account.

Alert fatigue is another potential problem when policies are applied too broadly. When users are flooded with alerts, especially irrelevant ones, significant issues are easily lost in the noise. To avoid this, platform and security teams must ensure that rules are properly scoped so only relevant, actionable alerts are delivered to developers.

In Minder, profiles determine which rules apply to software supply chain entities like repositories, pull requests, and artifacts. They also control whether Minder issues alerts or automatically remediates violations. By default, profiles apply to all repositories that Minder manages in your organization. This approach makes sense for broad requirements like enabling secret scanning across all your repositories. But sometimes you need more flexibility.

Introducing profile selectors

With profile selectors, you can easily customize how Minder profiles are applied to your projects. This gives you the power to apply the right rules to the right resources, reducing alert fatigue and enabling a more controlled rollout of policy enforcement across an organization.

Some common scenarios for selectors might include:

• Apply a more rigorous set of policies for resources with higher sensitivity like production apps or builds in your PCI compliance scope.

• Test new rules on a subset of “canary” repositories, reducing the risk of mistakes impacting production work.

• Perform a phased rollout of automatic remediation to satisfy your change control processes.

• Apply ecosystem-specific rules based on the programming language.

• Allow teams to enforce their workflow preferences without impacting other teams.

• Exclude specific repositories from a profile when an exception is granted.

Profile selectors provide the flexibility to apply security rules more effectively across your organization, roll out new rules in a controlled manner, and reduce alert fatigue for developers.

How it works

Selectors are written using CEL (Common Expression Language), a simple and efficient open source expression language. A selector defines the entity type you want to filter (repository, pull_request, or artifact) and the selector condition to evaluate.

In this example, the profile will be applied to private repositories in the “acmecorp” organization and to all container artifacts:

version: v1
type: profile
name: profile-with-selectors
selection:
  - entity: repository
    selector: repository.is_private == true && repository.name.startsWith('acmecorp/')
    comment: "Only apply to private repositories in the acmecorp org"
  - entity: artifact
    selector: artifact.type == 'container'
    comment: "Apply to all container artifacts"

Selectors can also be used to opt-out entities in the case of exceptions:

selection:
  - entity: repository
    selector: repository.name != 'acmecorp/repo-with-exception'
    comment: "Exception granted for testing"

You can also reference provider-specific properties in selectors. This example uses GitHub provider properties to filter repositories based on the primary language and license, along with pull requests authored by Dependabot:

selection:
  - entity: repository
    selector: repository.properties['github/primary_language'] == 'TypeScript'
    comment: "Apply to TypeScript projects"
  - entity: repository
    selector: repository.properties['github/license'].contains('MIT') == true
    comment: "Only projects with the MIT license"
  - entity: pull_request
    selector: pull_request.properties['github/pull_author_login'] == 
'dependabot'
    comment: "PRs opened by Dependabot"

Multiple selectors for a given entity type like in the previous example are evaluated with a logical ‘AND’ – entities must match all of the conditions to be included. In this example, the profile applies to any repository matching both repository selectors, or any pull request matching the single pull_request selector.

For a full listing of the available selectors and properties, refer to the Minder policy and profile management documentation.

Manage profile selectors in Minder Cloud

We are also excited to introduce support for profile selectors in Minder Cloud, the SaaS version of Minder operated by Stacklok, which is free to use with public repositories. Selectors can be added to a profile by navigating to the Selectors tab on the profile settings page.

To learn more about managing profile selectors in Minder Cloud, check out the Apply a profile to a subset of entities page.

Next steps

Profile selectors in Minder are powerful tools that enable you to customize how compliance rules are applied to your software supply chain. This level of control can significantly reduce alert fatigue and allow for more controlled policy enforcement, giving developers a less noisy experience and better security outcomes.

In the future, we will introduce more ways to organize and apply your profiles so that you can ensure that Minder seamlessly aligns with your organization's policies.

We’d love to hear about how you’re using profile selectors with your projects. You can reach out to us on Discord or open an issue to share your feedback and request new features.

Dan Barr

Senior Technical Marketing Engineer

Dan Barr On Github

Dan Barr On LinkedIn

Dan Barr On Mastodon