
Using Minder to automatically enable and enforce GitHub security settings across repos

GitHub has a number of built-in security features that can be applied to public repos. In this post, we’ll explore how Minder can help you automatically enable and enforce those settings across multiple GitHub repos.

Author: Stacklok
/
7 mins read
/
Jan 10, 2024

Engineering teams using GitHub for their software projects can take advantage of a number of built-in security features, including code scanning, secret scanning, and Dependabot for dependency alerts and updates. It can be challenging, though, to make sure that these settings are consistently enabled—and stay in place—for projects that span multiple GitHub repos.

Minder, an open source security policy platform, can make it easier to enable those settings. Let’s explore how it works.

An overview of GitHub’s security settings for public repos

GitHub provides a set of security features for public repos that are not all enabled by default, but should be, to better protect your code. Those features include:

  • Branch protections: Allows you to create rules to ensure that code review processes are followed, like requiring an approving review or passing status checks for all PRs merged into the protected branch. 

  • Code scanning: Analyzes the code in your repo for security vulnerabilities and coding errors on each push or pull request. This practice helps you find vulnerabilities or errors before the change is merged, so you avoid rework and issues down the road.

  • Secret scanning: Scans your repos and notifies you about any leaked secrets, like tokens and private keys. Leaks are particularly likely when a formerly private repo is made public, or joins your project’s group of repos. Having this type of scanning automatically enabled and enforced for all repos in your project helps prevent unintentional and unnoticed leakage.

  • Dependabot alerts: Sends an alert when your code depends on a package with a known vulnerability. GitHub enables the dependency graph for public repos by default; the dependency graph lists the dependencies declared in your repo’s manifests and lock files. With Dependabot alerts enabled on top of it, you get an alert when a new security advisory is published for one of those dependencies, or when a change to the dependency graph (such as a version bump) introduces a vulnerable version.

How to enable and enforce GitHub security settings with Minder

It’s common for teams to have tens or hundreds of repos; Stacklok, for example, has over 30 and growing. Enabling these security settings for each repo—and making sure they always remain enabled and enforced—is a manual task that can become time-consuming quickly. This is where Minder can help. 

Minder is an open source platform that helps you automate your application security posture. It provides a set of resource rule types that you can use to get started quickly, including rule types for branch protections, secret scanning, code scanning, and Dependabot configuration. You can enable autoremediation for these rule types to allow Minder to actively respond to any rules that are not in compliance and take specific actions to remediate them. Because the resource rule types are built on top of a modular pipeline, you can customize them or create net-new rule types as needed.

You can choose to use Minder in one of two ways:

  1. As a service, hosted and operated by Stacklok (recommended)

  2. As a self-hosted, private instance. If you’re going this route, we recommend deploying the Minder Helm chart. Note that you’ll also need to install and run a PostgreSQL database and a Keycloak instance.

Let’s explore how you can use Minder to apply and enforce the security settings listed above to your public repos.

Step 1: Enroll the GitHub provider. This allows Minder to manage your GitHub repositories. The following command will prompt you to log in to your GitHub account:

Shell (Bash)
minder provider enroll

Step 2: Register your GitHub repos. Choose the repos to which you want to apply and enforce these security settings. You can register a set of repositories by name, using the command

Shell (Bash)
minder repo register --name "owner/repo1,owner/repo2"

Step 3: Create rule types using Minder’s existing resource rule types, and set up a profile. You can quickly add rule types for the above-mentioned GitHub settings through the following steps:

Fetch all the reference rules by cloning the minder-rules-and-profiles repository:

Shell (Bash)
git clone https://github.com/stacklok/minder-rules-and-profiles.git

In that directory, you’ll find all of the reference rules and profiles:

Shell (Bash)
cd minder-rules-and-profiles

You can now quickly create a rule type from that reference list using the following command (using the secret scanning rule type as an example):

Shell (Bash)
minder ruletype create -f rule-types/github/secret_scanning.yaml

After you’ve created your rule types, you can set up a profile that checks to make sure that these settings are in place for your registered repos. Profiles represent a configuration that you can apply to a group of repos. 

Start by creating a file named profile.yaml, and add some basic information:

Yaml
version: v1
type: profile
name: my-first-profile
context:
 provider: github

Then add the rule type that you just created:

Yaml
repository:
 - type: secret_scanning
   def:
     enabled: true

And then create your profile in Minder:

Shell (Bash)
minder profile create -f profile.yaml

Step 4: Enable autoremediation and alerting for those rule types.

Minder can actively respond to any rules that are not in compliance, and take specific actions, including creating an alert for rules that have failed and executing remediations to fix the non-compliant aspects. Autoremediation is supported for all four of these rule types. 

To turn on alerting—creating a security advisory for any registered repo that does not have these settings in place—add the following to your profile.yaml file:

Yaml
alert: "on"

For rule types like secret scanning, you can also turn on remediation. In this case, Minder will automatically enable secret scanning for any registered repos with this profile. 

Yaml
remediate: "on"

Here’s an example of what your profile.yaml file would look like with alerting and autoremediation enabled for the secret scanning rule type:

Yaml
version: v1
type: profile
name: my-first-profile
context:
 provider: github
alert: "on"
remediate: "on"
repository:
 - type: secret_scanning
   def:
     enabled: true

Check out our docs for full details on all of these steps.

Using Minder to secure GitHub Actions

Keeping your software projects on GitHub secure also means making sure that your CI/CD workflows are secure. Because most GitHub Actions are authored by third parties, they’re subject to supply chain attacks just like open source packages, and could contain malicious code.

One way to make sure that you’re protected is by pinning your actions to “known good” commit SHAs, so that you’re always pulling your actions code from a specific version that you’ve vetted. Pinning actions to commit SHAs—rather than tags, which can be moved—ensures that you’re always pointing to the same known-good version of the code. 

Minder—through our integration with Frizbee, an open source command line utility—includes a rule type that you can include in your profile to ensure that every action used by the workflows in your registered repos is referenced by a commit SHA rather than a tag:

Shell (Bash)
$ minder rule_type create -f /path/to/minder-rules-and-profiles/rule-types/github/actions_check_pinned_tags.yaml

Additionally, you can use Minder to control which actions can be executed within your repos, by creating an inventory of actions used across repos and restricting which actions are usable. (Read this blog post for more details on these rule types.)

Shell (Bash)
$ minder rule_type create -f /path/to/minder-rules-and-profiles/rule-types/github/repo_action_list.yaml

$ minder rule_type create -f /path/to/minder-rules-and-profiles/rule-types/github/allowed_selected_actions.yaml
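The following profile is an added example, not code from the original post or from the Minder project. It extends the single-rule profile from Step 4 into one that covers all four GitHub settings discussed above plus the pinned-actions rule from this section, with alerting and autoremediation on. The rule type names match the files under rule-types/github/ in minder-rules-and-profiles; the params and def fields are my reading of those rule types' schemas at the time of writing (the branch name, CodeQL language, cron schedule and Go ecosystem are placeholder choices), so check each rule type file's def schema before applying it.

```yaml
# Added example: a profile covering the four GitHub security settings
# and the pinned-actions rule. Field names below are assumed from the
# reference rule types in minder-rules-and-profiles; verify against the
# def schema in each rule type file.
version: v1
type: profile
name: github-security-settings
context:
  provider: github
# Open a security advisory on every repo where a rule fails...
alert: "on"
# ...and let each rule type's remediation fix the setting (REST call or
# pull request, depending on the rule type).
remediate: "on"
repository:
  # Secret scanning must be switched on for the repo.
  - type: secret_scanning
    def:
      enabled: true
  # Code scanning via CodeQL for the listed languages (assumed fields).
  - type: codeql_enabled
    def:
      languages: [go]
      schedule_interval: "30 4-6 * * *"
  # Dependabot must be configured for this ecosystem; the rule applies
  # only to repos that contain the named manifest (assumed fields).
  - type: dependabot_configured
    def:
      package_ecosystem: gomod
      schedule_interval: weekly
      apply_if_file: go.mod
  # Branch protection: the branch to check is passed as a param.
  - type: branch_protection_enabled
    params:
      branch: main
    def: {}
  # Require at least one approving review before merging to main.
  - type: branch_protection_require_pull_request_approving_review_count
    params:
      branch: main
    def:
      required_approving_review_count: 1
  # Every `uses:` in .github/workflows must reference a commit SHA.
  - type: actions_check_pinned_tags
    def: {}
```

Each rule type named here must already exist in Minder (created with the ruletype create command shown earlier, one per file) or profile creation fails. Note that the branch protection rules are evaluated per branch, so repos whose default branch is not main need a different branch param, and the Dependabot rule is silently skipped on repos without a go.mod.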

What’s coming next

Minder today is supported for public repos only. We know that many organizations will need to manage their security settings across private repos, and plan to add support for private repos in the future. 

We also plan to add features in Minder that will give GitHub users even more flexibility, like grouping multiple GitHub repos into a Project to manage policies for specific groups or types of repos, as well as registering an entire GitHub org, so that new repos are automatically registered and assigned to a profile. 

In the meantime, teams can take advantage of more resource rule types that Minder provides to address other critical security features, like artifact signing with Sigstore; monitoring dependencies for CVEs; and monitoring for license files. Minder also integrates with Trusty, our web app for finding safe open source packages, by allowing you to monitor pull requests for new dependencies that have known vulnerabilities or low Trusty scores. 

If you have any feedback or features that you’d like to see, we’d love to hear from you! Join our Discord channel and let us know what you think (or create a new issue in the Minder repo).
