
Minder Quickstart: Set up your GitHub repo security posture in seconds

Nov 29, 2023 / 4 min read

A few weeks ago, we released Minder, an open source platform that can help you more easily apply security settings and policies across multiple GitHub repos. In this post, I’m going to show you how easy it is to install and start using Minder with our new minder quickstart command. 

Minder has two components:

  • minder-server: An API server that provides the core functionality of Minder.

  • minder CLI: A command-line interface that allows you to interact with the Minder REST API.

You'll be using the public server instance of Minder and the minder CLI to interact with it. You don’t need to deal with configuration files—we bundle everything and provide it to you. 

Below, I’ll walk through the steps for getting started with Minder.

Installation and log-in 

Because we already host minder-server for you, all you need to get started is to install the minder CLI.

Minder offers multiple installation methods for flexibility:

macOS Installation (Homebrew):

Shell (Bash)
brew install stacklok/tap/minder

Windows Installation (Winget):

Shell (Bash)
winget install stacklok.minder

Other Installation Options:

Now that you have the CLI installed, you can authenticate to the public instance of Minder using your GitHub account. Entering the command below will open a sign-in window, where you can sign in with your account:

Shell (Bash)
minder auth login

Now you’re ready to get started!

Getting started with Minder in 4 simple steps

Our quickstart command guides you through the process of creating your first rule type and profile in just a few seconds!

Shell (Bash)
minder quickstart

In Minder, rule types and profiles allow you to describe the desired security posture of your repositories. Profiles group and manage rule types for various entities like repositories, pull requests, and artifacts across your registered GitHub repositories.

The quickstart process in our CLI guides you through enrolling your provider, selecting repositories, creating a rule type (e.g., secret_scanning), and establishing a profile that enables secret scanning for the chosen repositories. At each step, you’ll see a description of what you are about to do, along with the command that is about to be executed, like this:

[Screenshot: Minder quickstart]

Let’s walk through the commands you’ll enter at each step to get started. 

Step 1: Enroll your provider

The first step of the quickstart process is to enroll your provider: 

Shell (Bash)
minder provider enroll --provider github

Step 2: Register your repository

After enrolling your provider, it’s time to register the repositories. Select the repositories that you want to register with Minder and hit “Enter.”

[Screenshot: Register a repo in Minder]

Step 3: Create your first rule type

Let’s create our first rule type! In this case, you are going to create a secret scanning rule type. With this rule type in place, you can consistently prevent secrets from being leaked across all of your registered repos.

Shell (Bash)
minder rule_type create -f secret_scanning.yaml

Step 4: Create your first profile

At this point, you should have successfully enrolled your provider, registered your repositories, and created your first rule type. What’s left is to create a profile that uses that rule type and enforces this policy across your registered repositories!

By default, Minder enables the remediate and alert features, so that it can automatically remediate any non-compliant repos and alert you when needed.

Shell (Bash)
minder profile create -f quickstart-profile.yaml

Upon successful completion, you’ll see a confirmation like this: 

[Screenshot: Minder profile creation confirmation]

Congratulations! 🎉 You've successfully created your first profile and enabled secret scanning protection on all registered repositories! If for any reason someone accidentally disables it on any of your repositories, Minder will automatically remediate this and change it back so it matches your profile.
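To make the evaluate-then-remediate behaviour concrete, here is an added example (not Minder's own code) that models what a secret-scanning rule type with remediate and alert turned on does for each registered repository: read the repo's security_and_analysis block as returned by GitHub's GET /repos/{owner}/{repo} endpoint, compare it with the profile's desired state, and, on a mismatch, produce the PATCH body that restores it. The repository records and org name are constructed sample data, and the GitHub API call itself is not made.

```python
"""Model of a secret-scanning rule plus a remediate/alert profile (constructed example)."""
import json
from typing import Any

# Constructed sample of the slice of GitHub's GET /repos/{owner}/{repo} response
# that this rule cares about. "example-org" is a placeholder organisation.
SAMPLE_REPOS = [
    {"full_name": "example-org/api",
     "security_and_analysis": {"secret_scanning": {"status": "enabled"}}},
    {"full_name": "example-org/web",
     "security_and_analysis": {"secret_scanning": {"status": "disabled"}}},
    {"full_name": "example-org/legacy"},  # no security_and_analysis block at all
]


def evaluate_secret_scanning(repo: dict[str, Any], enabled: bool = True) -> bool:
    """Rule evaluation: does the repo's actual setting match the profile's desired one?
    A missing security_and_analysis block counts as 'not enabled', the safe reading."""
    status = (repo.get("security_and_analysis") or {}).get("secret_scanning", {}).get("status")
    return (status == "enabled") == enabled


def remediation_body(enabled: bool = True) -> str:
    """JSON body for PATCH /repos/{owner}/{repo} that sets the desired state."""
    desired = "enabled" if enabled else "disabled"
    return json.dumps({"security_and_analysis": {"secret_scanning": {"status": desired}}})


def apply_profile(repos, enabled=True, remediate=True, alert=True):
    """Walk each registered repo: evaluate it, and record the remediation and alert
    the profile would trigger for any repo that drifted from the desired state."""
    report = []
    for repo in repos:
        ok = evaluate_secret_scanning(repo, enabled)
        entry = {"repo": repo["full_name"], "compliant": ok, "remediation": None, "alert": False}
        if not ok:
            if remediate:  # the PATCH Minder would send to put the setting back
                entry["remediation"] = ("PATCH", f"/repos/{repo['full_name']}", remediation_body(enabled))
            if alert:
                entry["alert"] = True
        report.append(entry)
    return report


if __name__ == "__main__":
    for row in apply_profile(SAMPLE_REPOS):
        print(row)
```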

You can see a more in-depth overview of your profile status and details of the rule evaluations for each registered repository by running the following command:

Shell (Bash)
minder profile_status list --profile quickstart-profile --detailed

What's Next?

Ensuring your software is built on a foundation of robust security practices is a challenge. Minder’s goal is to simplify this for you. With just a few commands, you can do a one-time setup of your security posture for all of your repositories, and make sure your repos are always compliant. 

Minder is much more than just secret scanning—its extensibility allows you to create custom rules and profiles, tailoring security postures to your specific requirements. You can look at the rest of the rules and profiles maintained by Minder's team for inspiration here.

Ready to get started? 🚀
