BST-13481: add new baseline scanner

.github/workflows/registry-scanner.yaml

@@ -29,7 +29,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
       - name: Scan Registry
-        uses: boostsecurityio/scanner-registry-action@91ede50ad22990f74865613c94fa51569b144f71 # v1.5.5
+        uses: boostsecurityio/scanner-registry-action@9acd6b00ece9d419b5896a9e18b129dc1cf68afc # v1.5.6
         with:
           api_endpoint: ${{ vars.BOOST_API_ENDPOINT }}
           api_token: ${{ secrets.BOOST_SYSTEM_API_KEY_REGISTRY }}

scanners/boostsecurityio/baseline/module.yaml

@@ -0,0 +1,24 @@
+api_version: 1.0
+
+
+id: boostsecurityio/baseline
+name: BoostSecurity Scanner
+namespace: boostsecurityio/baseline
+scan_types:
+  - sast
+  - cicd
+
+
+config:
+  support_diff_scan: true
+
+
+steps:
+    - scan:
+        command:
+          docker:
+            image: public.ecr.aws/boostsecurityio/boost-scanner-native:44a65bf@sha256:cefdba826edb2138b6d219d7ff398181158caac3755e6542171ba6d8c06e594f
+            command: scanner scan
+            workdir: /src
+          name: scanner
+        format: sarif

scanners/boostsecurityio/baseline/rules.yaml

@@ -0,0 +1,131 @@
+rules:
+  cert-expired:
+    categories:
+    - ALL
+    - cloud-weak-configuration
+    description: Checks for expired X509 certificates.
+    group: cloud-weak-configuration
+    name: cert-expired
+    pretty_name: Cert Expired
+    ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-expired.html'
+  cert-expires-soon:
+    categories:
+    - ALL
+    - cloud-weak-configuration
+    description: Checks for X509 certificates that will expire in a configured number
+      of days.
+    group: cloud-weak-configuration
+    name: cert-expires-soon
+    pretty_name: Cert Expires Soon
+    ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-expires-soon.html'
+  cert-insecure-signing-algorithm:
+    categories:
+    - ALL
+    - cloud-weak-configuration
+    - boost-baseline
+    - boost-hardened
+    description: Checks for X509 certificates with insecure signing algorithms.
+    group: cloud-weak-configuration
+    name: cert-insecure-signing-algorithm
+    pretty_name: Cert Insecure Signing Algorithm
+    ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-insecure-signing-algorithm.html'
+    recommended: true
+  cert-insufficient-key-length:
+    categories:
+    - ALL
+    - cloud-weak-configuration
+    - boost-baseline
+    - boost-hardened
+    description: Checks for X509 certificates with insecure key lengths.
+    group: cloud-weak-configuration
+    name: cert-insufficient-key-length
+    pretty_name: Cert Insufficient Key Length
+    ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-insufficient-key-length.html'
+    recommended: true
+  cicd-binary-artifacts-stored-in-scm:
+    categories:
+    - ALL
+    - supply-chain
+    - supply-chain-missing-artifact-integrity-verification
+    - boost-baseline
+    - boost-hardened
+    description: Checks for binary / executable artifacts (ex. *.jar, *.class, *.so,
+      etc.) stored in the Git repository.Generally, such binary artifacts should not
+      be committed to Git and should be built with reproducible build system from
+      source.
+    group: supply-chain-missing-artifact-integrity-verification
+    name: cicd-binary-artifacts-stored-in-scm
+    pretty_name: CI/CD - Binary artifacts stored in SCM
+    ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-binary-artifacts-stored-in-scm.html'
+    recommended: true
+  cicd-circleci-unversioned-orb:
+    categories:
+    - ALL
+    - supply-chain
+    - supply-chain-cicd-weak-configuration
+    - boost-baseline
+    - boost-hardened
+    description: Checks for CircleCI workflows using unversioned Orbs.
+    group: supply-chain-cicd-weak-configuration
+    name: cicd-circleci-unversioned-orb
+    pretty_name: CI/CD - CircleCI Unversionned Orb
+    ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-circleci-unversioned-orb.html'
+    recommended: true
+  cicd-circleci-shell-injection:
+    categories:
+    - ALL
+    - supply-chain
+    - supply-chain-cicd-vulnerable-pipeline
+    - boost-baseline
+    - boost-hardened
+    description: Checks for CircleCI workflows where pipeline variables are used in shell commands.
+    group: supply-chain-cicd-vulnerable-pipeline
+    name: cicd-circleci-shell-injection
+    pretty_name: CI/CD - CircleCI Shell Injection
+    ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-circleci-shell-injection.html'
+    recommended: true
+  cicd-gha-unsecure-commands:
+    categories:
+    - ALL
+    - supply-chain
+    - supply-chain-cicd-weak-configuration
+    - supply-chain-cicd-severe-issues
+    - boost-baseline
+    - boost-hardened
+    description: Checks for GitHub Acton workflows that enables deprecated unsecure commands.
+    group: supply-chain-cicd-weak-configuration
+    name: cicd-gha-unsecure-commands
+    pretty_name: CI/CD - GitHub Action Unsecure Commands
+    ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-gha-unsecure-commands.html'
+    recommended: true
+  cicd-unpinned-dependencies:
+    categories:
+    - ALL
+    - supply-chain
+    - supply-chain-missing-artifact-integrity-verification
+    - boost-baseline
+    - boost-hardened
+    description: Verifies the presence of dependency management manifests (e.g., 
+      package.json, Gemfile, pyproject.toml, Pipfile, go.mod, etc.) without an 
+      accompanying lockfile that cryptographically pins dependencies (e.g., 
+      package-lock.json, Gemfile.lock, poetry.lock, Pipfile.lock, go.sum). 
+      The absence of a lockfile increases the risk of dependency drift, 
+      potentially introducing security vulnerabilities or compatibility issues into the project.
+    group: supply-chain-missing-artifact-integrity-verification
+    name: cicd-unpinned-dependencies
+    pretty_name: CI/CD - Missing Lockfile resulting in unpinned dependencies
+    ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-unpinned-dependencies.html'
+    recommended: true
+  cicd-gha-workflow-dispatch-inputs:
+    categories:
+    - ALL
+    - supply-chain
+    - supply-chain-cicd-weak-configuration
+    - boost-baseline
+    - boost-hardened
+    description: Checks for GitHub Action workflows defines workflow_dispatch inputs.
+    group: supply-chain-cicd-weak-configuration
+    name: cicd-gha-workflow-dispatch-inputs
+    pretty_name: CI/CD - GitHub Action uses inputs
+    ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-gha-workflow-dispatch-inputs.html'
+    recommended: true

scanners/boostsecurityio/scanner/module.yaml

@@ -1,24 +1,23 @@
 api_version: 1.0
 
 
+group: boostsecurityio/scanner
 id: boostsecurityio/scanner
 name: BoostSecurity Scanner
 namespace: boostsecurityio/scanner
-scan_types:
-  - sast
-  - cicd
-
 
 config:
   support_diff_scan: true
 
+scan_types:
+  - sast
+  - cicd
+  - metadata
+  - sca
+  - sci
+  - license
 
-steps:
-    - scan:
-        command:
-          docker:
-            image: public.ecr.aws/boostsecurityio/boost-scanner-native:44a65bf@sha256:cefdba826edb2138b6d219d7ff398181158caac3755e6542171ba6d8c06e594f
-            command: scanner scan
-            workdir: /src
-          name: scanner
-        format: sarif
+includes:
+  - boostsecurityio/baseline
+  - boostsecurityio/composition
+  - boostsecurityio/supply-chain-inventory

scanners/boostsecurityio/scanner/rules.yaml

@@ -1,131 +1,9 @@
-rules:
-  cert-expired:
-    categories:
-    - ALL
-    - cloud-weak-configuration
-    description: Checks for expired X509 certificates.
-    group: cloud-weak-configuration
-    name: cert-expired
-    pretty_name: Cert Expired
-    ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-expired.html'
-  cert-expires-soon:
-    categories:
-    - ALL
-    - cloud-weak-configuration
-    description: Checks for X509 certificates that will expire in a configured number
-      of days.
-    group: cloud-weak-configuration
-    name: cert-expires-soon
-    pretty_name: Cert Expires Soon
-    ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-expires-soon.html'
-  cert-insecure-signing-algorithm:
-    categories:
-    - ALL
-    - cloud-weak-configuration
-    - boost-baseline
-    - boost-hardened
-    description: Checks for X509 certificates with insecure signing algorithms.
-    group: cloud-weak-configuration
-    name: cert-insecure-signing-algorithm
-    pretty_name: Cert Insecure Signing Algorithm
-    ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-insecure-signing-algorithm.html'
-    recommended: true
-  cert-insufficient-key-length:
-    categories:
-    - ALL
-    - cloud-weak-configuration
-    - boost-baseline
-    - boost-hardened
-    description: Checks for X509 certificates with insecure key lengths.
-    group: cloud-weak-configuration
-    name: cert-insufficient-key-length
-    pretty_name: Cert Insufficient Key Length
-    ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-insufficient-key-length.html'
-    recommended: true
-  cicd-binary-artifacts-stored-in-scm:
-    categories:
-    - ALL
-    - supply-chain
-    - supply-chain-missing-artifact-integrity-verification
-    - boost-baseline
-    - boost-hardened
-    description: Checks for binary / executable artifacts (ex. *.jar, *.class, *.so,
-      etc.) stored in the Git repository.Generally, such binary artifacts should not
-      be committed to Git and should be built with reproducible build system from
-      source.
-    group: supply-chain-missing-artifact-integrity-verification
-    name: cicd-binary-artifacts-stored-in-scm
-    pretty_name: CI/CD - Binary artifacts stored in SCM
-    ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-binary-artifacts-stored-in-scm.html'
-    recommended: true
-  cicd-circleci-unversioned-orb:
-    categories:
-    - ALL
-    - supply-chain
-    - supply-chain-cicd-weak-configuration
-    - boost-baseline
-    - boost-hardened
-    description: Checks for CircleCI workflows using unversioned Orbs.
-    group: supply-chain-cicd-weak-configuration
-    name: cicd-circleci-unversioned-orb
-    pretty_name: CI/CD - CircleCI Unversionned Orb
-    ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-circleci-unversioned-orb.html'
-    recommended: true
-  cicd-circleci-shell-injection:
-    categories:
-    - ALL
-    - supply-chain
-    - supply-chain-cicd-vulnerable-pipeline
-    - boost-baseline
-    - boost-hardened
-    description: Checks for CircleCI workflows where pipeline variables are used in shell commands.
-    group: supply-chain-cicd-vulnerable-pipeline
-    name: cicd-circleci-shell-injection
-    pretty_name: CI/CD - CircleCI Shell Injection
-    ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-circleci-shell-injection.html'
-    recommended: true
-  cicd-gha-unsecure-commands:
-    categories:
-    - ALL
-    - supply-chain
-    - supply-chain-cicd-weak-configuration
-    - supply-chain-cicd-severe-issues
-    - boost-baseline
-    - boost-hardened
-    description: Checks for GitHub Acton workflows that enables deprecated unsecure commands.
-    group: supply-chain-cicd-weak-configuration
-    name: cicd-gha-unsecure-commands
-    pretty_name: CI/CD - GitHub Action Unsecure Commands
-    ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-gha-unsecure-commands.html'
-    recommended: true
-  cicd-unpinned-dependencies:
-    categories:
-    - ALL
-    - supply-chain
-    - supply-chain-missing-artifact-integrity-verification
-    - boost-baseline
-    - boost-hardened
-    description: Verifies the presence of dependency management manifests (e.g., 
-      package.json, Gemfile, pyproject.toml, Pipfile, go.mod, etc.) without an 
-      accompanying lockfile that cryptographically pins dependencies (e.g., 
-      package-lock.json, Gemfile.lock, poetry.lock, Pipfile.lock, go.sum). 
-      The absence of a lockfile increases the risk of dependency drift, 
-      potentially introducing security vulnerabilities or compatibility issues into the project.
-    group: supply-chain-missing-artifact-integrity-verification
-    name: cicd-unpinned-dependencies
-    pretty_name: CI/CD - Missing Lockfile resulting in unpinned dependencies
-    ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-unpinned-dependencies.html'
-    recommended: true
-  cicd-gha-workflow-dispatch-inputs:
-    categories:
-    - ALL
-    - supply-chain
-    - supply-chain-cicd-weak-configuration
-    - boost-baseline
-    - boost-hardened
-    description: Checks for GitHub Action workflows defines workflow_dispatch inputs.
-    group: supply-chain-cicd-weak-configuration
-    name: cicd-gha-workflow-dispatch-inputs
-    pretty_name: CI/CD - GitHub Action uses inputs
-    ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-gha-workflow-dispatch-inputs.html'
-    recommended: true
+import:
+  - boostsecurityio/baseline
+  - boostsecurityio/cicd
+  - boostsecurityio/composition
+  - boostsecurityio/oss-license
+  - boostsecurityio/sbom-sca
+  - boostsecurityio/sci
+  - boostsecurityio/sci-sca
+  - boostsecurityio/supply-chain-inventory