diff --git a/.github/workflows/registry-scanner.yaml b/.github/workflows/registry-scanner.yaml
index 37b6116..222550d 100644
--- a/.github/workflows/registry-scanner.yaml
+++ b/.github/workflows/registry-scanner.yaml
@@ -29,7 +29,7 @@ jobs:
 - name: Checkout
 uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 - name: Scan Registry
- uses: boostsecurityio/scanner-registry-action@91ede50ad22990f74865613c94fa51569b144f71 # v1.5.5
+ uses: boostsecurityio/scanner-registry-action@9acd6b00ece9d419b5896a9e18b129dc1cf68afc # v1.5.6
 with:
 api_endpoint: ${{ vars.BOOST_API_ENDPOINT }}
 api_token: ${{ secrets.BOOST_SYSTEM_API_KEY_REGISTRY }}
diff --git a/scanners/boostsecurityio/baseline/module.yaml b/scanners/boostsecurityio/baseline/module.yaml
new file mode 100644
index 0000000..18a60fa
--- /dev/null
+++ b/scanners/boostsecurityio/baseline/module.yaml
@@ -0,0 +1,24 @@
+api_version: 1.0
+
+
+id: boostsecurityio/baseline
+name: BoostSecurity Scanner
+namespace: boostsecurityio/baseline
+scan_types:
+ - sast
+ - cicd
+
+
+config:
+ support_diff_scan: true
+
+
+steps:
+ - scan:
+ command:
+ docker:
+ image: public.ecr.aws/boostsecurityio/boost-scanner-native:44a65bf@sha256:cefdba826edb2138b6d219d7ff398181158caac3755e6542171ba6d8c06e594f
+ command: scanner scan
+ workdir: /src
+ name: scanner
+ format: sarif
diff --git a/scanners/boostsecurityio/baseline/rules.yaml b/scanners/boostsecurityio/baseline/rules.yaml
new file mode 100644
index 0000000..a11c0ee
--- /dev/null
+++ b/scanners/boostsecurityio/baseline/rules.yaml
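Review bot: The new module's `name: BoostSecurity Scanner` is the same display name that `scanners/boostsecurityio/scanner/module.yaml` keeps in this commit, so any listing keyed on `name` will show two indistinguishable entries; `name: BoostSecurity Baseline` would disambiguate, assuming `id`/`namespace` is what the registry actually keys on (not visible here). The image reference is pinned by digest, which is the right choice for a scanner that runs on every checkout, and deserves a one-line comment above it so the next bump keeps tag and digest in step: `# pinned by digest: bump the :44a65bf tag and the sha256 together`. The `steps:` block is identical to the one removed from scanner/module.yaml, so the scanner behaviour itself is unchanged by the move.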
@@ -0,0 +1,131 @@
+rules:
+ cert-expired:
+ categories:
+ - ALL
+ - cloud-weak-configuration
+ description: Checks for expired X509 certificates.
+ group: cloud-weak-configuration
+ name: cert-expired
+ pretty_name: Cert Expired
+ ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-expired.html'
+ cert-expires-soon:
+ categories:
+ - ALL
+ - cloud-weak-configuration
+ description: Checks for X509 certificates that will expire in a configured number
+ of days.
+ group: cloud-weak-configuration
+ name: cert-expires-soon
+ pretty_name: Cert Expires Soon
+ ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-expires-soon.html'
+ cert-insecure-signing-algorithm:
+ categories:
+ - ALL
+ - cloud-weak-configuration
+ - boost-baseline
+ - boost-hardened
+ description: Checks for X509 certificates with insecure signing algorithms.
+ group: cloud-weak-configuration
+ name: cert-insecure-signing-algorithm
+ pretty_name: Cert Insecure Signing Algorithm
+ ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-insecure-signing-algorithm.html'
+ recommended: true
+ cert-insufficient-key-length:
+ categories:
+ - ALL
+ - cloud-weak-configuration
+ - boost-baseline
+ - boost-hardened
+ description: Checks for X509 certificates with insecure key lengths.
+ group: cloud-weak-configuration
+ name: cert-insufficient-key-length
+ pretty_name: Cert Insufficient Key Length
+ ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-insufficient-key-length.html'
+ recommended: true
+ cicd-binary-artifacts-stored-in-scm:
+ categories:
+ - ALL
+ - supply-chain
+ - supply-chain-missing-artifact-integrity-verification
+ - boost-baseline
+ - boost-hardened
+ description: Checks for binary / executable artifacts (ex. *.jar, *.class, *.so,
+ etc.) stored in the Git repository.Generally, such binary artifacts should not
+ be committed to Git and should be built with reproducible build system from
+ source.
+ group: supply-chain-missing-artifact-integrity-verification
+ name: cicd-binary-artifacts-stored-in-scm
+ pretty_name: CI/CD - Binary artifacts stored in SCM
+ ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-binary-artifacts-stored-in-scm.html'
+ recommended: true
+ cicd-circleci-unversioned-orb:
+ categories:
+ - ALL
+ - supply-chain
+ - supply-chain-cicd-weak-configuration
+ - boost-baseline
+ - boost-hardened
+ description: Checks for CircleCI workflows using unversioned Orbs.
+ group: supply-chain-cicd-weak-configuration
+ name: cicd-circleci-unversioned-orb
+ pretty_name: CI/CD - CircleCI Unversionned Orb
+ ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-circleci-unversioned-orb.html'
+ recommended: true
+ cicd-circleci-shell-injection:
+ categories:
+ - ALL
+ - supply-chain
+ - supply-chain-cicd-vulnerable-pipeline
+ - boost-baseline
+ - boost-hardened
+ description: Checks for CircleCI workflows where pipeline variables are used in shell commands.
+ group: supply-chain-cicd-vulnerable-pipeline
+ name: cicd-circleci-shell-injection
+ pretty_name: CI/CD - CircleCI Shell Injection
+ ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-circleci-shell-injection.html'
+ recommended: true
+ cicd-gha-unsecure-commands:
+ categories:
+ - ALL
+ - supply-chain
+ - supply-chain-cicd-weak-configuration
+ - supply-chain-cicd-severe-issues
+ - boost-baseline
+ - boost-hardened
+ description: Checks for GitHub Acton workflows that enables deprecated unsecure commands.
+ group: supply-chain-cicd-weak-configuration
+ name: cicd-gha-unsecure-commands
+ pretty_name: CI/CD - GitHub Action Unsecure Commands
+ ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-gha-unsecure-commands.html'
+ recommended: true
+ cicd-unpinned-dependencies:
+ categories:
+ - ALL
+ - supply-chain
+ - supply-chain-missing-artifact-integrity-verification
+ - boost-baseline
+ - boost-hardened
+ description: Verifies the presence of dependency management manifests (e.g.,
+ package.json, Gemfile, pyproject.toml, Pipfile, go.mod, etc.)
without an
+ accompanying lockfile that cryptographically pins dependencies (e.g.,
+ package-lock.json, Gemfile.lock, poetry.lock, Pipfile.lock, go.sum).
+ The absence of a lockfile increases the risk of dependency drift,
+ potentially introducing security vulnerabilities or compatibility issues into the project.
+ group: supply-chain-missing-artifact-integrity-verification
+ name: cicd-unpinned-dependencies
+ pretty_name: CI/CD - Missing Lockfile resulting in unpinned dependencies
+ ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-unpinned-dependencies.html'
+ recommended: true
+ cicd-gha-workflow-dispatch-inputs:
+ categories:
+ - ALL
+ - supply-chain
+ - supply-chain-cicd-weak-configuration
+ - boost-baseline
+ - boost-hardened
+ description: Checks for GitHub Action workflows defines workflow_dispatch inputs.
+ group: supply-chain-cicd-weak-configuration
+ name: cicd-gha-workflow-dispatch-inputs
+ pretty_name: CI/CD - GitHub Action uses inputs
+ ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-gha-workflow-dispatch-inputs.html'
+ recommended: true
diff --git a/scanners/boostsecurityio/scanner/module.yaml b/scanners/boostsecurityio/scanner/module.yaml
index 7d6961f..f029d3a 100644
--- a/scanners/boostsecurityio/scanner/module.yaml
+++ b/scanners/boostsecurityio/scanner/module.yaml
@@ -1,24 +1,23 @@
 api_version: 1.0
+group: boostsecurityio/scanner
 id: boostsecurityio/scanner
 name: BoostSecurity Scanner
 namespace: boostsecurityio/scanner
-scan_types:
- - sast
- - cicd
-
 config:
 support_diff_scan: true
+scan_types:
+ - sast
+ - cicd
+ - metadata
+ - sca
+ - sci
+ - license
-steps:
- - scan:
- command:
- docker:
- image: public.ecr.aws/boostsecurityio/boost-scanner-native:44a65bf@sha256:cefdba826edb2138b6d219d7ff398181158caac3755e6542171ba6d8c06e594f
- command: scanner scan
- workdir: /src
- name: scanner
- format: sarif
+includes:
+ - boostsecurityio/baseline
+ - boostsecurityio/composition
+ - boostsecurityio/supply-chain-inventory
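Review bot: Several rule descriptions in the new file do not tell a user what the finding actually means: `description: Checks for GitHub Action workflows defines workflow_dispatch inputs.` is ungrammatical and omits why it matters, and `pretty_name: CI/CD - CircleCI Unversionned Orb`, `description: Checks for GitHub Acton workflows that enables deprecated unsecure commands.` and `repository.Generally` carry typos. For the workflow_dispatch rule I would write `description: Checks for GitHub Actions workflows that declare workflow_dispatch inputs; such inputs are caller-controlled and become injection vectors when interpolated into run steps.` — presuming the rule's trigger is what its name implies, since only the description is visible here. The content appears to be moved verbatim from scanners/boostsecurityio/scanner/rules.yaml (same blob a11c0ee), so these predate the commit, but the move is the natural moment to fix them. It is also worth confirming that `cert-expired` and `cert-expires-soon` are deliberately left out of `boost-baseline` and not `recommended`, while the other two cert rules are.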
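Review bot: The new `includes:` list (baseline, composition, supply-chain-inventory) does not agree with the `import:` list written to scanners/boostsecurityio/scanner/rules.yaml in the same commit, which additionally names `boostsecurityio/cicd`, `oss-license`, `sbom-sca`, `sci` and `sci-sca`; if `includes` determines which modules execute, rules are being imported for scanners that never run, and if `import` is authoritative then `includes` is incomplete. None of those five modules appear in this diff, so I cannot tell which list is right — please reconcile them or add a comment on `includes:` explaining why the two sets differ. Relatedly, `scan_types` now advertises `metadata`, `sca`, `sci` and `license`, which this module no longer produces itself now that its `steps:` block is gone; that is presumably supplied by the included modules, but nothing here shows it. A one-line comment such as `# scan_types is the union of what the modules under includes: provide` would make that dependency explicit.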
diff --git a/scanners/boostsecurityio/scanner/rules.yaml b/scanners/boostsecurityio/scanner/rules.yaml
index a11c0ee..369ebfa 100644
--- a/scanners/boostsecurityio/scanner/rules.yaml
+++ b/scanners/boostsecurityio/scanner/rules.yaml
@@ -1,131 +1,9 @@
-rules:
- cert-expired:
- categories:
- - ALL
- - cloud-weak-configuration
- description: Checks for expired X509 certificates.
- group: cloud-weak-configuration
- name: cert-expired
- pretty_name: Cert Expired
- ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-expired.html'
- cert-expires-soon:
- categories:
- - ALL
- - cloud-weak-configuration
- description: Checks for X509 certificates that will expire in a configured number
- of days.
- group: cloud-weak-configuration
- name: cert-expires-soon
- pretty_name: Cert Expires Soon
- ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-expires-soon.html'
- cert-insecure-signing-algorithm:
- categories:
- - ALL
- - cloud-weak-configuration
- - boost-baseline
- - boost-hardened
- description: Checks for X509 certificates with insecure signing algorithms.
- group: cloud-weak-configuration
- name: cert-insecure-signing-algorithm
- pretty_name: Cert Insecure Signing Algorithm
- ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-insecure-signing-algorithm.html'
- recommended: true
- cert-insufficient-key-length:
- categories:
- - ALL
- - cloud-weak-configuration
- - boost-baseline
- - boost-hardened
- description: Checks for X509 certificates with insecure key lengths.
- group: cloud-weak-configuration
- name: cert-insufficient-key-length
- pretty_name: Cert Insufficient Key Length
- ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-insufficient-key-length.html'
- recommended: true
- cicd-binary-artifacts-stored-in-scm:
- categories:
- - ALL
- - supply-chain
- - supply-chain-missing-artifact-integrity-verification
- - boost-baseline
- - boost-hardened
- description: Checks for binary / executable artifacts (ex. *.jar, *.class, *.so,
- etc.) stored in the Git repository.Generally, such binary artifacts should not
- be committed to Git and should be built with reproducible build system from
- source.
- group: supply-chain-missing-artifact-integrity-verification
- name: cicd-binary-artifacts-stored-in-scm
- pretty_name: CI/CD - Binary artifacts stored in SCM
- ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-binary-artifacts-stored-in-scm.html'
- recommended: true
- cicd-circleci-unversioned-orb:
- categories:
- - ALL
- - supply-chain
- - supply-chain-cicd-weak-configuration
- - boost-baseline
- - boost-hardened
- description: Checks for CircleCI workflows using unversioned Orbs.
- group: supply-chain-cicd-weak-configuration
- name: cicd-circleci-unversioned-orb
- pretty_name: CI/CD - CircleCI Unversionned Orb
- ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-circleci-unversioned-orb.html'
- recommended: true
- cicd-circleci-shell-injection:
- categories:
- - ALL
- - supply-chain
- - supply-chain-cicd-vulnerable-pipeline
- - boost-baseline
- - boost-hardened
- description: Checks for CircleCI workflows where pipeline variables are used in shell commands.
- group: supply-chain-cicd-vulnerable-pipeline
- name: cicd-circleci-shell-injection
- pretty_name: CI/CD - CircleCI Shell Injection
- ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-circleci-shell-injection.html'
- recommended: true
- cicd-gha-unsecure-commands:
- categories:
- - ALL
- - supply-chain
- - supply-chain-cicd-weak-configuration
- - supply-chain-cicd-severe-issues
- - boost-baseline
- - boost-hardened
- description: Checks for GitHub Acton workflows that enables deprecated unsecure commands.
- group: supply-chain-cicd-weak-configuration
- name: cicd-gha-unsecure-commands
- pretty_name: CI/CD - GitHub Action Unsecure Commands
- ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-gha-unsecure-commands.html'
- recommended: true
- cicd-unpinned-dependencies:
- categories:
- - ALL
- - supply-chain
- - supply-chain-missing-artifact-integrity-verification
- - boost-baseline
- - boost-hardened
- description: Verifies the presence of dependency management manifests (e.g.,
- package.json, Gemfile, pyproject.toml, Pipfile, go.mod, etc.)
without an
- accompanying lockfile that cryptographically pins dependencies (e.g.,
- package-lock.json, Gemfile.lock, poetry.lock, Pipfile.lock, go.sum).
- The absence of a lockfile increases the risk of dependency drift,
- potentially introducing security vulnerabilities or compatibility issues into the project.
- group: supply-chain-missing-artifact-integrity-verification
- name: cicd-unpinned-dependencies
- pretty_name: CI/CD - Missing Lockfile resulting in unpinned dependencies
- ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-unpinned-dependencies.html'
- recommended: true
- cicd-gha-workflow-dispatch-inputs:
- categories:
- - ALL
- - supply-chain
- - supply-chain-cicd-weak-configuration
- - boost-baseline
- - boost-hardened
- description: Checks for GitHub Action workflows defines workflow_dispatch inputs.
- group: supply-chain-cicd-weak-configuration
- name: cicd-gha-workflow-dispatch-inputs
- pretty_name: CI/CD - GitHub Action uses inputs
- ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-gha-workflow-dispatch-inputs.html'
- recommended: true
+import:
+ - boostsecurityio/baseline
+ - boostsecurityio/cicd
+ - boostsecurityio/composition
+ - boostsecurityio/oss-license
+ - boostsecurityio/sbom-sca
+ - boostsecurityio/sci
+ - boostsecurityio/sci-sca
+ - boostsecurityio/supply-chain-inventory
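Review bot: Five of the eight ids under `import:` (`boostsecurityio/cicd`, `oss-license`, `sbom-sca`, `sci`, `sci-sca`) are defined nowhere in this diff and are absent from the `includes:` list of the accompanying scanner/module.yaml, so either the registry will fail to resolve them on load or, if unresolved imports are ignored, the effective rule set will silently be smaller than this list suggests. Please confirm each imported id exists in the registry and decide whether `import` and `includes` are meant to be the same set; a short comment above `import:` stating the intended relationship would prevent the next drift. The move itself does not lose coverage: every cert-* and cicd-* rule deleted here is re-created unchanged in scanners/boostsecurityio/baseline/rules.yaml, and `boostsecurityio/baseline` is the first import.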