A few weeks ago, we released Minder, an open source platform that can help you more easily apply security settings and policies across multiple GitHub repos. In this post, I’m going to show you how easy it is to install and start using Minder with our new minder quickstart command.
Minder has two components:
minder-server: An API server that provides the core functionality of Minder.
minder CLI: A command-line interface that allows you to interact with the Minder REST API.
You'll be using the public server instance of Minder and the minder CLI to interact with it. You don’t need to deal with configuration files—we bundle everything and provide it to you.
Below, I’ll walk through the steps for getting started with Minder.
Because we already run the minder-server for you, getting started only requires installing the minder CLI.
Minder offers multiple installation methods for flexibility:
macOS Installation (Homebrew):
brew install stacklok/tap/minder
Windows Installation (Winget):
winget install stacklok.minder
Other Installation Options:
Download the latest release from minder/releases.
Build Minder from source by following the instructions in the build-from-source section of the README file.
Now that you have the CLI installed, you can authenticate to the public instance of Minder using your GitHub account. Entering the command below will bring up a sign-in window, where you can sign in with your account:
minder auth login
Now you’re ready to get started!
Our quickstart command guides you through the process of creating your first rule type and profile in just a few seconds!
minder quickstart
In Minder, rule types and profiles allow you to describe the desired security posture of your repositories. Profiles group and manage rule types for various entities like repositories, pull requests, and artifacts across your registered GitHub repositories.
The quickstart process in our CLI guides you through enrolling your provider, selecting repositories, creating a rule type (e.g., secret_scanning), and establishing a profile enabling secret scanning for the chosen repositories. On each step, you’ll see a description of what you are about to do, along with the command that is to be executed, like this:
Let’s walk through the commands you’ll enter at each step to get started.
The first step of the quickstart process is to enroll your provider:
minder provider enroll --provider github
After enrolling your provider, it’s time to register the repositories. Select the repositories that you want to register with Minder and hit “Enter.”
Let’s create our first rule type! In this case, you are going to create a secret scanning rule type. With this rule type in place, you can consistently prevent secrets from being leaked across all of your registered repos.
minder rule_type create -f secret_scanning.yaml
At this point, you should have successfully enrolled your provider, registered your repositories and created your first rule type. What’s left is to create a profile that uses that rule type, and enforce this policy across your registered repositories!
By default, Minder enables the remediate and alert features, so it can automatically remediate any non-compliant repository and alert you when needed.
minder profile create -f quickstart-profile.yaml
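As an added example, not code from this post or from the Minder project, here is what the two files referenced above (secret_scanning.yaml and quickstart-profile.yaml) could contain, tying together the rule type and profile concepts described earlier. The layout is assumed from Minder's published rule-type format as I recall it; field names such as in_entity, ingest, eval, remediate and alert, the GitHub REST endpoints, and the jq expressions are assumptions to verify against the rules and profiles maintained by the Minder team.

```yaml
# secret_scanning.yaml  (added example; field layout assumed from Minder's
# published rule-type format, verify against the project's maintained rules)
---
version: v1
type: rule-type
name: secret_scanning
context:
  provider: github
description: Verifies that GitHub secret scanning is enabled for a repository.
guidance: |
  Secret scanning alerts on credentials that were committed to the repository.
  Enable it under Settings -> Code security and analysis.
def:
  # This rule evaluates repositories (profiles can also target
  # pull_request and artifact entities).
  in_entity: repository
  # Schema for the values a profile may pass to this rule.
  rule_schema:
    type: object
    properties:
      enabled:
        type: boolean
        default: true
  # Ingest: read the repository's current settings from the GitHub REST API.
  ingest:
    type: rest
    rest:
      endpoint: "/repos/{{.Entity.Owner}}/{{.Entity.Name}}"
      parse: json
  # Eval: compare the ingested state with what the profile asked for.
  eval:
    type: jq
    jq:
      - ingested:
          def: '.security_and_analysis.secret_scanning.status == "enabled"'
        profile:
          def: ".enabled"
  # Remediate: if the repository drifts, PATCH the setting back on.
  remediate:
    type: rest
    rest:
      method: PATCH
      endpoint: "/repos/{{.Entity.Owner}}/{{.Entity.Name}}"
      body: |
        { "security_and_analysis": { "secret_scanning": { "status": "enabled" } } }
  # Alert: open a security advisory on the repository while it is non-compliant.
  alert:
    type: security_advisory
    security_advisory:
      severity: "medium"
---
# quickstart-profile.yaml  (added example; same caveat as above)
version: v1
type: profile
name: quickstart-profile
context:
  provider: github
# Defaults the post describes: remediation and alerting both on.
remediate: "on"
alert: "on"
# Rules are grouped per entity type; this profile only covers repositories.
repository:
  - type: secret_scanning
    def:
      enabled: true
```

Create them in the order the post uses: the rule type first (minder rule_type create -f secret_scanning.yaml), then the profile, because the profile references the rule by its type name. When rolling a profile out across many repositories, setting remediate to "off" at first makes Minder report drift in profile_status without changing anything, which lets you review what would be changed before turning automatic remediation on.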
Upon successful completion, you’ll see a confirmation like this:
Congratulations! 🎉 You've successfully created your first profile and enabled secret scanning protection on all registered repositories! If for any reason someone accidentally disables it on any of your repositories, Minder will automatically remediate this and change it back so it matches your profile.
You can see a more in-depth overview of your profile status and details of the rule evaluations for each registered repository by running the following command:
minder profile_status list --profile quickstart-profile --detailed
Ensuring your software is built on a foundation of robust security practices is a challenge. Minder’s goal is to simplify this for you. With just a few commands, you can do a one-time setup of your security posture for all of your repositories, and make sure your repos are always compliant.
Minder is much more than just secret scanning—its extensibility allows you to create custom rules and profiles, tailoring security postures to your specific requirements. You can look at the rest of the rules and profiles maintained by Minder's team for inspiration here.
Ready to get started? 🚀
Photo by Clemens van Lay on Unsplash