# Minder profile used to monitor rdimitrov/go-tuf-metadata.
# Rule types and the keys accepted under `def`/`params` are defined by
# Minder; see https://github.com/stacklok/minder.
---
version: v1
type: profile
name: go-tuf-metadata
context:
  provider: github

# Minder reads "on"/"off" as strings here; the quotes keep a YAML 1.1
# parser from turning them into booleans.
alert: "on"
remediate: "on"

repository:
  # Secret detection on pushes and on existing history.
  - type: secret_scanning
    def:
      enabled: true
  - type: secret_push_protection
    def:
      enabled: true

  # Any action may be used in workflows. The allow-list rule below is kept
  # commented out; NOTE(review): limiting workflows to GitHub-owned and
  # verified actions would narrow the supply-chain surface — confirm that
  # `all` is intended.
  - type: github_actions_allowed
    def:
      allowed_actions: all
  # - type: allowed_selected_actions
  #   def:
  #     github_owned_allowed: true
  #     verified_allowed: true
  #     patterns_allowed: []

  # NOTE(review): the default GITHUB_TOKEN gets write access and may approve
  # pull request reviews; least privilege would be `read` with approval
  # disabled unless a workflow needs more — confirm this is deliberate.
  - type: default_workflow_permissions
    def:
      default_workflow_permissions: write
      can_approve_pull_request_reviews: true

  # CodeQL analysis for Go on a daily schedule (cron, UTC per GitHub).
  - type: codeql_enabled
    def:
      languages:
        - go
      schedule_interval: '30 4-6 * * *'

  # Actions referenced in workflows must be pinned (no rule parameters).
  - type: actions_check_pinned_tags
    def: {}

  # Dependabot for Go modules, only where a go.mod exists.
  - type: dependabot_configured
    def:
      package_ecosystem: gomod
      schedule_interval: weekly
      apply_if_file: go.mod

  # Dockerfiles must not use the mutable `latest` tag.
  - type: dockerfile_no_latest_tag
    def: {}
  # - type: trivy_action_enabled
  #   def: {}

  # Branch protection for `main`. Each rule below targets the same branch.
  - type: branch_protection_enabled
    params:
      branch: main
    def: {}
  - type: branch_protection_allow_deletions
    params:
      branch: main
    def:
      allow_deletions: false
  # NOTE(review): force pushes to `main` stay allowed, so published history
  # can be rewritten; with linear history and signatures not required this
  # is the weakest of the branch rules — confirm it is intended.
  - type: branch_protection_allow_force_pushes
    params:
      branch: main
    def:
      allow_force_pushes: true
  # Left disabled: administrators are not bound by the protections above.
  # - type: branch_protection_enforce_admins
  #   params:
  #     branch: main
  #   def:
  #     enforce_admins: true
  - type: branch_protection_lock_branch
    params:
      branch: main
    def:
      lock_branch: false
  - type: branch_protection_require_conversation_resolution
    params:
      branch: main
    def:
      required_conversation_resolution: true
  - type: branch_protection_require_linear_history
    params:
      branch: main
    def:
      required_linear_history: true
  # Pull request review requirements for `main`.
  - type: branch_protection_require_pull_request_approving_review_count
    params:
      branch: main
    def:
      required_approving_review_count: 1
  - type: branch_protection_require_pull_request_code_owners_review
    params:
      branch: main
    def:
      require_code_owner_reviews: true
  - type: branch_protection_require_pull_request_dismiss_stale_reviews
    params:
      branch: main
    def:
      dismiss_stale_reviews: true
  - type: branch_protection_require_pull_request_last_push_approval
    params:
      branch: main
    def:
      require_last_push_approval: true
  - type: branch_protection_require_pull_requests
    params:
      branch: main
    def:
      required_pull_request_reviews: true
  # Commit signatures are not required on `main`.
  - type: branch_protection_require_signatures
    params:
      branch: main
    def:
      required_signatures: false

  # A LICENSE file of the expected type must be present.
  - type: license
    def:
      license_filename: LICENSE
      license_type: "Apache License"

# Artifact signature verification is not enabled for this repository.
# artifact:
#   - type: artifact_signature
#     params:
#       tags: [main]
#       name: test
#     def:
#       is_signed: true
#       is_verified: true
#       is_bundle_verified: true

pull_request:
  # Known-vulnerable Go dependencies introduced by a pull request are
  # reported as a review, using the OSV-format Go vulnerability database.
  - type: pr_vulnerability_check
    def:
      action: review
      ecosystem_config:
        - name: go
          vulnerability_database_type: osv
          vulnerability_database_endpoint: https://vuln.go.dev
          package_repository:
            url: https://proxy.golang.org
          sum_repository:
            url: https://sum.golang.org