Tutorial: Using Minder to automate management of source code repository configuration and security
How Minder, Stacklok's open source software supply chain security platform, can help open source communities and project owners automate the management of their source code repository configuration and security posture.
If you have multiple software projects and source code repositories, it can be really tedious to try to make sure that each repository is configured in a consistent way. For example, you might want to make sure that GitHub Advanced Security settings are in place; that your pull requests always have at least 2 reviewers; and that Dependabot is always configured. Trying to continuously monitor this configuration across all of your repos and making sure that any new repos have this in place takes time. The burden is even greater for open source maintainers who are managing repo configuration in their free time, alongside the other needs and demands of their project.
With Minder, our goal is to help you automate away the drudgery of manually configuring your source code repos and making sure they stay secure. Let’s walk through how this works.
Source code repository security 101
First things first, what do we mean by “repository security”?
Source code repository security refers to the practices and tools used to protect your repositories from misconfigurations and vulnerabilities. There are several key aspects to this, including:
Preventing the exposure of sensitive information, such as API keys, passwords, and other secrets.
Preventing the introduction of vulnerabilities, such as insecure dependencies, outdated libraries, and code injection attacks.
By implementing these security measures, you can reduce the risk of data breaches, intellectual property theft, and other security incidents that could harm your organization.
How Minder helps secure your source code repositories
Minder can examine the configuration of your repositories and identify potential security risks. It can help you enforce your security policies, and even fix misconfigurations automatically. Let’s start with how Minder can help enforce GitHub’s native security features (known as GitHub Advanced Security, for private repos).
Enabling and enforcing GitHub Advanced Security features
GitHub Advanced Security includes a number of features that are free for public repos, like the dependency graph, secret scanning, secret push protection, and CodeQL to identify vulnerabilities in your code. Some of these features (like secret push protection) are enabled by default for public repos, while some need to be proactively enabled. But even if these settings are already enabled, you’ll want to make sure that they can never be disabled, so that your code is always protected.
This is where Minder can help. By default, we provide a managed policy template for GitHub repository security that includes checks that CodeQL, secret push protection, and secret scanning are enabled:
You can apply this policy template to all of your enrolled repositories in Minder in a single click. This means you can avoid having to go into each repository manually to enable these settings. You can also add newly created repositories to this policy template, and let Minder automatically apply these settings.
Applying advanced security settings
In addition to the out-of-the-box policies that are included in the Repository Security policy template, Minder also comes with a 30+ pre-written rule types for additional security settings. Within Minder’s UI, you can click on “Add Rule” to see a list of those additional rule types:
For example, as mentioned above, you may want to add a check to require that Dependabot is configured. You may also want to make sure that your main branch has branch protection enabled, and that you require 2 reviewers to approve pull requests before they can be merged.
You can easily add those checks as rules in your policy template, and they’ll immediately be applied to the repositories associated with that policy template.
Applying custom configuration
All teams have their own unique settings and policies that they want to have in place for their source code repos. For example, open source project owners may want to make sure that all existing and new project repos have a security.md file, a read-me, and a code of conduct.
Minder supports writing custom policies, using either yaml or the Rego policy language. You can write custom policies for your unique requirements, and apply them using Minder’s CLI tool—read our docs for specifics on how to do this.
Using Minder’s automated remediation for continuous enforcement
Minder’s automated remediation feature is key to reducing the burden on you to continually monitor repo configuration. Using a webhook, Minder can automatically fix misconfigurations or enforce your security posture by toggling settings in GitHub or even creating pull requests to fix issues. For example, if Minder detects that secret scanning has been turned off in one of your repositories, it can automatically re-enable that for you. This helps you maintain a consistent security posture across your organization's repositories.
Next steps
Securing your source code repositories is essential to keeping code quality high and protecting your project from malicious attacks and security incidents. Minder can help make this significantly easier for you by providing out-of-the-box policies and templates that you can apply across your project repos, and use auto-remediation to continually enforce without manual intervention.
If you’re an open source maintainer, you can use Minder for free on your public repos to manage repo configuration and security. Head to cloud.stacklok.com to get started.
