diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 011c63e..ab766d0 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,4 +1,4 @@ -# Contributing to Minder +# Contributing to minder rules and profiles Thank you for considering contributing to the Minder rules library! We welcome contributions from the community and are excited to work with you. diff --git a/README.md b/README.md index a299173..10f8d1b 100644 --- a/README.md +++ b/README.md 
@@ -1,34 +1,59 @@ +[![License: Apache 2.0](https://img.shields.io/badge/License-Apache2.0-brightgreen.svg)](https://opensource.org/licenses/Apache-2.0) + # Minder Rules and Profiles -A repository containing Minder rules and profiles recommended by your friends at Stacklok +A repository containing Minder rules and profiles describing security policies and various tool integrations. + +## What are rule types, profiles, and data sources? + +Minder is a tool that allows you to define security policies and integrate with various tools to enforce those policies. +Its engine is designed to be extensible through rule types, profiles and data sources, allowing you to integrate your own +logic and processes. + +A profile defines your security policies that you want to apply to your software supply chain. Profiles contain rules +(or rule types) that query data in a provider, and specifies whether Minder will issue alerts or perform automatic +remediations when an entity is not in compliance with the policy. + +Profiles in Minder allow you to group and manage rules for various entity types, such as `repositories`, `pull requests`, +`artifacts`, etc., across your registered GitHub repositories. + +Data sources are designed to enrich the information available about an entity, allowing us to make more informed policy +evaluations. +Unlike providers, which create entities, a data source offers additional information about an existing entity or one of +its specific attributes. +The entity itself, however, always originates from a provider. + +## How to get started with writing rules and profiles? 
-# Rules types +To get started with writing rules and profiles, you can check the following resources: +- [How to write a rule type](https://mindersec.github.io/how-to/custom-rules) +- [How to write a rule type using Rego](https://mindersec.github.io/how-to/writing-rules-in-rego) +- [How to use mindev to develop and debug rule types](https://mindersec.github.io/how-to/mindev) +- [How to write rules and profiles - YouTube](https://www.youtube.com/watch?v=eXp0nyd72d4) +- [Minder documentation](https://mindersec.github.io) +- [Rego language tutorial](https://www.openpolicyagent.org/docs/latest/policy-language/) -Reference rule types are available in the `rule-types` directory. To take these rule types -into use, you'll need to instantiate them in a Minder instance. For example, to use the -reference rules recommended for GitHub, use the following command: - -```bash -minder ruletype create -f rule-types/github -``` +Apart from that, you can also check the reference rules and profiles in this repository to get an idea of how to write, structure, and organize them. -# Profiles +- Rule types: the reference rule types are available in the `rule-types` directory. To take these rule types + into use, you'll need to instantiate them in a Minder instance. For example, to use the + reference rules recommended for GitHub, use the following command - `minder ruletype create -f rule-types/github`. +- Profiles: the reference profiles are available in the `profiles` directory. To take a profile + into use, you'll need to instantiate it in a Minder instance. For example, to use the + reference profile recommended for GitHub, use the following command - `minder profile create -f profiles/github/profile.yaml`. +- Data sources: the reference data sources are available in the `data-sources` directory. To take a data source + into use, you'll need to instantiate it in a Minder instance. 
For example, to instantiate the + reference data source for using OSV as a data source, use the following command - `minder datasource create -f data-sources osv.yaml`. -Reference profiles are available in the `profiles` directory. To take a profile -into use, you'll need to instantiate it in a Minder instance. For example, to use the -reference profile recommended for GitHub, use the following command: +## How to contribute? -```bash -minder profile create -f profiles/github/profile.yaml -``` +We welcome contributions! +If you came across a rule type, profile, or data source that you think would be useful to others, please consider contributing it back to the community. -# Data Sources +If you have questions or need help getting started, feel free to reach out on the [`#minder` channel on OpenSSF Slack](https://openssf.slack.com/archives/C07SP9RSM2L) or open an issue. -Reference data sources are available in the `data-sources` directory. To take a data source -into use, you'll need to instantiate it in a Minder instance. For example, to instantiate the -reference data source for using OSV as a data source, use the following command: +You can check our [CONTRIBUTING.md](CONTRIBUTING.md) guidelines for more information on how to contribute to this repository. -```bash -minder datasource create -f data-sources osv.yaml -``` +## License +This repository is licensed under the [Apache 2.0 License](./LICENSE).
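Review bot: the new CONTRIBUTING.md heading `# Contributing to minder rules and profiles` lower-cases "minder" while the sentence directly below it ("the Minder rules library") and the README title in this same patch (`# Minder Rules and Profiles`) capitalise it; suggest `# Contributing to Minder rules and profiles` so the project name is written one way across both files.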
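Review bot: the data-source command in the new README bullet list, `minder datasource create -f data-sources osv.yaml`, has a space where the other two commands use a path separator (`rule-types/github`, `profiles/github/profile.yaml`); if the reference file lives at `data-sources/osv.yaml`, this should read `minder datasource create -f data-sources/osv.yaml` (the removed fenced block had the same text, so the rewrite carries over an existing typo rather than introducing one, but this is the moment to fix it). Two smaller documentation points in the same hunk: "Profiles contain rules (or rule types) that query data in a provider, and specifies whether Minder will issue alerts" needs "specify" to agree with "rules", and the data-sources paragraph switches voice from "you" to "allowing us to make more informed policy evaluations", which reads better as "allowing you". Finally, folding the three commands from fenced `bash` blocks into inline code inside bullet text loses the copy-paste convenience of the original; consider keeping a short fenced block under each bullet.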