Talisman pre-commit hook secrets scanning (#233)

* Talisman pre-commit hook secrets scanning * refactor description * add test * talisman hooks field check * fix rule description Co-authored-by: Dániel Kántor <[email protected]> --------- Co-authored-by: Dániel Kántor <[email protected]>
mindersec · Dec 19, 2024 · 5d6f64d · 5d6f64d
1 parent 5fbd7c1
commit 5d6f64d
Show file tree

Hide file tree

Showing 4 changed files with 93 additions and 0 deletions.
diff --git a/rule-types/github/talisman_secrets_scanning.test.yaml b/rule-types/github/talisman_secrets_scanning.test.yaml
@@ -0,0 +1,13 @@
+tests:
+  - name: "Should have Talisman pre-commit hook configured"
+    def: {}
+    params: {}
+    expect: "pass"
+    git:
+      repo_base: correct
+  - name: "Should fail Talisman pre-commit hook is not configured"
+    def: {}
+    params: {}
+    expect: "fail"
+    git:
+      repo_base: misconfigured
diff --git a/rule-types/github/talisman_secrets_scanning.testdata/correct/.pre-commit-config.yaml b/rule-types/github/talisman_secrets_scanning.testdata/correct/.pre-commit-config.yaml
@@ -0,0 +1,16 @@
+repos:
+-   repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v3.2.0
+    hooks:
+    -   id: trailing-whitespace
+    -   id: end-of-file-fixer
+    -   id: check-yaml
+    -   id: check-added-large-files
+        args: ['--maxkb=600']
+-   repo: https://github.com/thoughtworks/talisman
+    rev: 'v1.28.0'  # Update me!
+    hooks:
+      # both pre-commit and pre-push supported
+      # -   id: talisman-push
+      - id: talisman-commit
+        entry: cmd --githook pre-commit
diff --git a/rule-types/github/talisman_secrets_scanning.testdata/misconfigured/.pre-commit-config.yaml b/rule-types/github/talisman_secrets_scanning.testdata/misconfigured/.pre-commit-config.yaml
@@ -0,0 +1,9 @@
+repos:
+-   repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v3.2.0
+    hooks:
+    -   id: trailing-whitespace
+    -   id: end-of-file-fixer
+    -   id: check-yaml
+    -   id: check-added-large-files
+        args: ['--maxkb=600']
diff --git a/rule-types/github/talisman_secrets_scanning.yaml b/rule-types/github/talisman_secrets_scanning.yaml
@@ -0,0 +1,55 @@
+---
+version: v1
+release_phase: alpha
+type: rule-type
+name: talisman_secrets_scanning
+display_name: Enable Talisman Pre-commit hooks for detecting secrets
+short_failure_message: Talisman Pre-commit hook is not configured for the repository
+severity:
+  value: medium
+context: {}
+description: |
+  Verifies that Talisman Pre-commit hook is configured via a GitHub action for the repository
+guidance: |
+  Ensure that Talisman is configured pre-commit hook for the repository.
+  Talisman validates the outgoing changeset for things that look suspicious — such as tokens, passwords, and private keys.
+  For more information, see the [GitHub Talisman Pre-commit](https://github.com/thoughtworks/talisman?tab=readme-ov-file#pre-commit) documentation.
+def:
+  in_entity: repository
+  rule_schema:
+    type: object
+    properties: {}
+  ingest:
+    type: git
+    git: {}
+  eval:
+    type: rego
+    rego:
+      type: deny-by-default
+      def: |
+        package minder
+        import future.keywords.if
+        import future.keywords.every
+
+        default message := "Talisman pre-commit hook is not configured for the repository"
+        default allow := false
+
+        
+        # pre-commit hook
+        precommit := file.read(".pre-commit-config.yaml")
+        
+        parsed_data := parse_yaml(precommit)
+
+         allow if {
+          some repo_id, hook_id
+          repo_data := parsed_data.repos[repo_id]
+          endswith(repo_data["repo"], "https://github.com/thoughtworks/talisman")
+          talisman_hooks = repo_data["hooks"]
+          talisman_hooks[hook_id].id == "talisman-commit"
+          talisman_hooks[hook_id].entry == "cmd --githook pre-commit"
+        }
+
+        message := "" if allow
+  alert:
+    type: security_advisory
+    security_advisory: {}