Blog

Flexible policy enforcement with Minder profile selectors

Profile selectors, now available in Minder, enable you to customize how profiles are applied to your software supply chain. With selectors, you can apply the right rules to the right resources to increase compliance flexibility and reduce alert fatigue.

Author: Dan Barr
/
4 mins read
/
Sep 19, 2024
Flexible policy enforcement with Minder profile selectors

Enforcing security and compliance policies in a software development organization is rarely a one-size-fits-all exercise. Security teams need the flexibility to customize how and when policies are applied to different types of resources like repositories and build artifacts. This is especially true when introducing new rules and remediations, as an uncontrolled rollout can disrupt production pipelines. And inevitably, exceptions must be taken into account.

Alert fatigue is another potential problem when policies are applied too broadly. When users are flooded with alerts, especially irrelevant ones, significant issues are easily lost in the noise. To avoid this, platform and security teams must ensure that rules are properly scoped so only relevant, actionable alerts are delivered to developers.

In Minder, profiles determine which rules apply to software supply chain entities like repositories, pull requests, and artifacts. They also control whether Minder issues alerts or automatically remediates violations. By default, profiles apply to all repositories that Minder manages in your organization. This approach makes sense for broad requirements like enabling secret scanning across all your repositories. But sometimes you need more flexibility.

Introducing profile selectors

With profile selectors, you can easily customize how Minder profiles are applied to your projects. This gives you the power to apply the right rules to the right resources, reducing alert fatigue and enabling a more controlled rollout of policy enforcement across an organization.

Some common scenarios for selectors might include:

  • Apply a more rigorous set of policies for resources with higher sensitivity like production apps or builds in your PCI compliance scope.

  • Test new rules on a subset of “canary” repositories, reducing the risk of mistakes impacting production work.

  • Perform a phased rollout of automatic remediation to satisfy your change control processes.

  • Apply ecosystem-specific rules based on the programming language.

  • Allow teams to enforce their workflow preferences without impacting other teams.

  • Exclude specific repositories from a profile when an exception is granted.

Profile selectors provide the flexibility to apply security rules more effectively across your organization, roll out new rules in a controlled manner, and reduce alert fatigue for developers.

How it works

Selectors are written using CEL (Common Expression Language), a simple and efficient open source expression language. A selector defines the entity type you want to filter (repository, pull_request, or artifact) and the selector condition to evaluate.

In this example, the profile will be applied to private repositories in the “acmecorp” organization and to all container artifacts:

Yaml
version: v1
type: profile
name: profile-with-selectors
selection:
  - entity: repository
    selector: repository.is_private == true && repository.name.startsWith('acmecorp/')
    comment: "Only apply to private repositories in the acmecorp org"
  - entity: artifact
    selector: artifact.type == 'container'
    comment: "Apply to all container artifacts"

Selectors can also be used to opt-out entities in the case of exceptions:

Yaml
selection:
  - entity: repository
    selector: repository.name != 'acmecorp/repo-with-exception'
    comment: "Exception granted for testing"

You can also reference provider-specific properties in selectors. This example uses GitHub provider properties to filter repositories based on the primary language and license, along with pull requests authored by Dependabot:

Yaml
selection:
  - entity: repository
    selector: repository.properties['github/primary_language'] == 'TypeScript'
    comment: "Apply to TypeScript projects"
  - entity: repository
    selector: repository.properties['github/license'].contains('MIT') == true
    comment: "Only projects with the MIT license"
  - entity: pull_request
    selector: pull_request.properties['github/pull_author_login'] == 
'dependabot'
    comment: "PRs opened by Dependabot"

Multiple selectors for a given entity type like in the previous example are evaluated with a logical ‘AND’ – entities must match all of the conditions to be included. In this example, the profile applies to any repository matching both repository selectors, or any pull request matching the single pull_request selector.

For a full listing of the available selectors and properties, refer to the Minder policy and profile management documentation.

Manage profile selectors in Minder Cloud

We are also excited to introduce support for profile selectors in Minder Cloud, the SaaS version of Minder operated by Stacklok, which is free to use with public repositories. Selectors can be added to a profile by navigating to the Selectors tab on the profile settings page.

A screenshot from Minder Cloud showing selector conditions being applied to a profile
Add selectors to a profile in the Minder Cloud UI

To learn more about managing profile selectors in Minder Cloud, check out the Apply a profile to a subset of entities page.

Next steps

Profile selectors in Minder are powerful tools that enable you to customize how compliance rules are applied to your software supply chain. This level of control can significantly reduce alert fatigue and allow for more controlled policy enforcement, giving developers a less noisy experience and better security outcomes.

In the future, we will introduce more ways to organize and apply your profiles so that you can ensure that Minder seamlessly aligns with your organization's policies.

If you’re an open source maintainer, you can use Minder for free on your public repos to manage repo configuration and security. Head to cloud.stacklok.com to get started.

We’d love to hear about how you’re using profile selectors with your projects. You can reach out to us on Discord or open an issue to share your feedback and request new features.

Minder tutorial: Applying security policies across multiple GitHub repositories

Stacklok /
May 23, 2024
Continue Reading

How to extend Minder to create custom rule types for your security policies

Juan Antonio "Ozz" Osorio /
Dec 5, 2023
Continue Reading

Minder demo: Learn how to apply security checks and policies across your GitHub repos

Dec 15, 2023
Watch Now