This Month in Minder: January 2024

Welcome to our first edition of This Month in Minder! This is your monthly recap of what we’ve released, community resources, and upcoming talks and events. This month's update covers both December and January releases. 

Project updates

• We've added new resource rule types in Minder to support GitHub Actions security. Here’s a list of the new rule types: 

  • actions_check_pinned_tags: Verifies that your GitHub Actions are used pinned tags. Pinning an action to a full-length commit SHA is currently the only way to use an action as an immutable release, and helps mitigate the risk of a bad actor adding a backdoor to the action’s repo, as they would need to generate an SHA-1 collision for a valid Git object payload. 

  • github_actions_allowed: Helps you verify that the permissions are set up correctly for GitHub Actions for a specific repo, and allows you to limit the actions that are allowed to run for a repo.  

  • allowed_selected_actions: Verifies the settings for selected actions and reusable workflows that are allowed in a repo. 

  • repo_action_list: Verifies that the github workflows in a repo only use actions enumerated in the rule.

  • repo_workflow_access_level: Verifies the level of access that workflows outside of the repository have to actions and reusable workflows in the repository. This only applies to private repositories.

• We've also added another new rule type: no_open_security_advisories verifies that a repository has no open security advisories based on a given severity threshold.

• There is now an example profile for GitHub Advanced Security settings, to make it easier and faster for you to create a profile to apply and enforce those settings across multiple repos. 

• We are adding names to profile rules to make it easier to distinguish between two different rules with the same rule type in one Profile.  This makes it possible to distinguish between a Dependabot rule for node, vs one for golang, for example.

• We started laying the groundwork for sharing Minder projects. This builds on OpenFGA to implement flexible, testable access control configuration that should scale as we grow.

Community contributions and resources

• Thanks to all of our community contributors this month! @gregfurman, @AGMETEOR, @mdp, @meganbruce, and @Vyom-Yadav. Some highlights from this month's contributors:

  • Allan Guwatudde (@AGMETEOR) demoed a web client for Minder, to make it easier to create and organize profiles. 

  • Vyom Yadav (@Vyom-Yadav) made a great improvement to Minder's rule evaluation logic to better handle multiple rules of the same type.

• We also released a new open source tool called Frizbee. Frizbee is a command-line tool designed to provide checksums for GitHub Actions and container images based on tags. It’s now integrated into Minder to support the rule types listed above for GitHub Actions security. 

• We've launched a Discord channel for anyone in the community to join to discuss Minder.  

• Check out the January sigstore roundup for the latest in sigstore news. 

What’s up next

• Take a look at our public roadmap to see what we’re releasing next!

Stacklok

Stacklok On Twitter (X)

Stacklok On LinkedIn