Trusty is a free-to-use web app that provides data and scoring on the supply chain risk for open source packages.
Welcome to the May edition of This Month in Minder, highlighting our latest project updates and community contributions!
Block malicious and deprecated dependencies in PRs: We’ve added support in Minder to block pull requests that introduce malicious or deprecated dependencies. To do this, we’re ingesting data from the open source OSV.dev database.
PR check improvements: We’ve made improvements to tune our checks on malicious packages; packages with known vulnerabilities; and packages with low Trusty scores, to reduce the noise on PRs.
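To make the two items above concrete, here is an added example (not Minder's own code) of the request and response handling a PR check of this kind needs against OSV.dev: building the `POST /v1/query` body for one package version, then sorting the returned advisories into "malicious" (OSV's malware records use a `MAL-` ID prefix), "known vulnerability", and "withdrawn" (ignored). The `ShouldBlock` policy knob reflects the noise-reduction point: malware always blocks, ordinary vulnerabilities block only when the profile asks for it. The sample response and every ID in it are constructed placeholders, not real advisories, and the package name is a placeholder too.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// osvQuery is the body OSV.dev's POST /v1/query endpoint expects for one
// package version.
type osvQuery struct {
	Version string `json:"version"`
	Package struct {
		Name      string `json:"name"`
		Ecosystem string `json:"ecosystem"`
	} `json:"package"`
}

// QueryBody builds the JSON for a single package lookup (e.g. ecosystem "npm").
func QueryBody(ecosystem, name, version string) ([]byte, error) {
	q := osvQuery{Version: version}
	q.Package.Name, q.Package.Ecosystem = name, ecosystem
	return json.Marshal(q)
}

// osvResponse mirrors the reply: the advisories affecting the queried version.
type osvResponse struct {
	Vulns []osvVuln `json:"vulns"`
}

type osvVuln struct {
	ID        string `json:"id"`
	Summary   string `json:"summary"`
	Withdrawn string `json:"withdrawn,omitempty"` // set when an advisory was retracted
}

// Verdict separates what a PR check should block outright from what it
// should merely flag.
type Verdict struct {
	Malicious  []string
	Vulnerable []string
}

// Classify buckets every live advisory: "MAL-" IDs are OSV malware records,
// anything else is a known vulnerability; withdrawn advisories are skipped.
func Classify(raw []byte) (Verdict, error) {
	var resp osvResponse
	var v Verdict
	if err := json.Unmarshal(raw, &resp); err != nil {
		return v, fmt.Errorf("decode OSV response: %w", err)
	}
	for _, vuln := range resp.Vulns {
		if vuln.Withdrawn != "" {
			continue // retracted advisory: never block on it
		}
		if strings.HasPrefix(vuln.ID, "MAL-") {
			v.Malicious = append(v.Malicious, vuln.ID)
		} else {
			v.Vulnerable = append(v.Vulnerable, vuln.ID)
		}
	}
	return v, nil
}

// ShouldBlock always blocks on malware; blocking on ordinary vulnerabilities
// is a per-profile choice, since that is where most PR-check noise comes from.
func ShouldBlock(v Verdict, blockVulnerable bool) bool {
	return len(v.Malicious) > 0 || (blockVulnerable && len(v.Vulnerable) > 0)
}

// SampleResponse is a constructed reply for offline use; the IDs are
// placeholders in OSV's format, not real advisories.
const SampleResponse = `{"vulns": [
  {"id": "MAL-0000-0001", "summary": "placeholder: package ships malware"},
  {"id": "GHSA-xxxx-xxxx-xxxx", "summary": "placeholder: known vulnerability"},
  {"id": "GHSA-yyyy-yyyy-yyyy", "summary": "placeholder: retracted",
   "withdrawn": "2024-01-01T00:00:00Z"}
]}`

func main() {
	body, _ := QueryBody("npm", "example-package", "1.0.0")
	fmt.Println("query:", string(body))
	v, err := Classify([]byte(SampleResponse))
	if err != nil {
		panic(err)
	}
	fmt.Printf("malicious=%v vulnerable=%v block=%v\n",
		v.Malicious, v.Vulnerable, ShouldBlock(v, false))
}
```

In a real check the body from `QueryBody` is sent to `https://api.osv.dev/v1/query` and the reply fed to `Classify`; the PR comment would list both buckets, but only the verdict from `ShouldBlock` decides whether the merge is held.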
Branch protection rules updates: For branch protection remediations, we now use the default branch if none is provided, and we’ll also surface an error if an empty branch is specified. (Details: #3433 and #3436)
GitHub access token encryption improvements: We have implemented a more secure encryption method for storing GitHub access tokens based on AES-GCM, and re-encrypted all tokens in our cloud environment with this new scheme. We have also implemented a key rotation mechanism to allow us to change our encryption key and re-encrypt as needed.
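As an added illustration of the scheme described above (this is example code, not Minder's implementation, and the key IDs, envelope format and field names are assumptions), the piece that makes rotation possible is storing a key identifier next to each AES-GCM ciphertext: new tokens are sealed under the current key, old rows stay readable under the key that produced them, and a rotation pass re-encrypts anything not yet on the new key. The key ID is also passed as GCM additional authenticated data, so a blob cannot be silently re-labelled to a different key in the database.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// envelope is the persisted form of a token: ciphertext plus the ID of the
// key that sealed it, so rows sealed before a rotation stay decryptable.
type envelope struct {
	KeyID      string `json:"key_id"`
	Nonce      []byte `json:"nonce"`
	Ciphertext []byte `json:"ciphertext"`
}

// TokenStore holds every key still allowed to decrypt (32-byte AES-256 keys
// by ID) and the ID of the single key used for new encryptions.
type TokenStore struct {
	Keys    map[string][]byte
	Current string
}

func (s *TokenStore) aead(id string) (cipher.AEAD, error) {
	k, ok := s.Keys[id]
	if !ok {
		return nil, fmt.Errorf("unknown key id %q", id)
	}
	block, err := aes.NewCipher(k) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals token under the current key with a fresh random 96-bit nonce
// and binds the key ID as additional authenticated data.
func (s *TokenStore) Encrypt(token string) ([]byte, error) {
	g, err := s.aead(s.Current)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := g.Seal(nil, nonce, []byte(token), []byte(s.Current))
	return json.Marshal(envelope{KeyID: s.Current, Nonce: nonce, Ciphertext: ct})
}

// Decrypt opens a blob with whichever registered key sealed it; any change to
// nonce, ciphertext or key ID fails the GCM tag check.
func (s *TokenStore) Decrypt(blob []byte) (string, error) {
	var e envelope
	if err := json.Unmarshal(blob, &e); err != nil {
		return "", err
	}
	g, err := s.aead(e.KeyID)
	if err != nil {
		return "", err
	}
	pt, err := g.Open(nil, e.Nonce, e.Ciphertext, []byte(e.KeyID))
	if err != nil {
		return "", fmt.Errorf("blob under key %q: %w", e.KeyID, err)
	}
	return string(pt), nil
}

// KeyIDOf reports which key a stored blob was sealed under.
func KeyIDOf(blob []byte) (string, error) {
	var e envelope
	err := json.Unmarshal(blob, &e)
	return e.KeyID, err
}

// Rotate makes newID the encryption key and re-encrypts every blob sealed
// under another key, returning the migrated rows in the same order. Once
// every row reports newID, the old key can be deleted from Keys.
func (s *TokenStore) Rotate(newID string, blobs [][]byte) ([][]byte, error) {
	if _, ok := s.Keys[newID]; !ok {
		return nil, fmt.Errorf("rotate: key %q not registered", newID)
	}
	s.Current = newID
	out := make([][]byte, len(blobs))
	for i, b := range blobs {
		if id, err := KeyIDOf(b); err != nil {
			return nil, err
		} else if id == newID {
			out[i] = b // already on the new key; leave untouched
			continue
		}
		pt, err := s.Decrypt(b)
		if err != nil {
			return nil, err
		}
		if out[i], err = s.Encrypt(pt); err != nil {
			return nil, err
		}
	}
	return out, nil
}
```

Two practical caveats: random 96-bit nonces are fine at the scale of stored access tokens but should not be reused under one key for billions of messages, and the old key must stay registered until every row has been migrated, which is why `Rotate` leaves rows already on the new key alone and lets the caller check `KeyIDOf` before retiring a key.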
Welcome new contributors @staceypotter, @ChrisJBurns, @blkt, and @prezha!
Thanks to contributor @ChrisJBurns for making a change to hide the --label flag in the CLI profile list to reduce confusion for Minder users, since label management functionality isn’t available (yet).
Thanks to contributor @prezha for pushing some fixes to Minder tests and Makefiles!
@datosh built a tool to keep track of how many GitHub repositories pin their actions to full-length commit SHAs (spoiler alert: it’s only 2%!), and used our open source Frizbee project to parse GitHub Actions. Check out his published findings here.
If you want to get involved in contributing to Minder, check out our contributor guide.
We’re working on the following new features:
Project hierarchies: Enable users to create nested projects and group repositories within those projects. Projects will inherit profile rules in order to simplify profile and policy management.
Enforce license information for dependencies: Ensure that dependencies in your repositories use licenses that you approve.
User management: Improvements to the user management experience to make it easier for users to collaborate on a project.
Register an entire org to automatically add new repos: Register an entire GitHub organization instead of a single repo; any newly created repos will automatically be added to Minder to simplify policy management.
Security audit: We’re working with an independent third party to do a security audit of Minder. We’ll be working on improvements to make Minder even more secure to use and will share more details on that work soon.
You can view Minder’s public roadmap here. If there are any features you want to see in Minder, you can open an issue or join our Discord server and let us know!