Add ruletype for Renovate GitHub Action

eleftherias · mesembria · eleftherias · commit 1ad66ee05a1b · 2024-12-17T16:56:02.000+01:00
Co-Authored-By: Philippe Moore &lt;mesembria@users.noreply.github.com&gt;
diff --git a/rule-types/github/renovate_github_action.test.yaml b/rule-types/github/renovate_github_action.test.yaml
@@ -0,0 +1,13 @@
+tests:
+  - name: "Should have Renovate enabled"
+    def: {}
+    params: {}
+    expect: "pass"
+    git:
+      repo_base: github_action_with_renovate
+  - name: "Should not have Renovate enabled"
+    def: {}
+    params: {}
+    expect: "fail"
+    git:
+      repo_base: github_action_without_renovate
diff --git a/rule-types/github/renovate_github_action.testdata/github_action_with_renovate/.github/workflows/not-renovate.yaml b/rule-types/github/renovate_github_action.testdata/github_action_with_renovate/.github/workflows/not-renovate.yaml
@@ -0,0 +1,17 @@
+name: Renovate
+on:
+  workflow_dispatch:
+  schedule:
+    # Run every 15 minutes
+    - cron: '0/15 * * * *'
+jobs:
+  renovate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4.2.2
+      - name: Self-hosted Renovate
+        uses: renovatebot/github-action@v41.0.6
+        with:
+          token: ${{ secrets.RENOVATE_TOKEN }}
+          configurationFile: renovate/renovate-config.json
diff --git a/rule-types/github/renovate_github_action.testdata/github_action_without_renovate/.github/workflows/not-renovate.yaml b/rule-types/github/renovate_github_action.testdata/github_action_without_renovate/.github/workflows/not-renovate.yaml
@@ -0,0 +1,12 @@
+name: Just Checkout
+on:
+  workflow_dispatch:
+  schedule:
+    # Run every 15 minutes
+    - cron: '0/15 * * * *'
+jobs:
+  renovate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4.2.2
diff --git a/rule-types/github/renovate_github_action.yaml b/rule-types/github/renovate_github_action.yaml
@@ -0,0 +1,50 @@
+---
+version: v1
+release_phase: alpha
+type: rule-type
+name: renovate_github_action
+display_name: Enable Renovate for automated dependency updates
+short_failure_message: Renovate is not configured via a GitHub action
+severity:
+  value: medium
+context: {}
+description: |
+  Verifies that Renovate is configured via a GitHub action for the repository.
+guidance: |
+  Ensure that Renovate is configured and enabled for the repository.
+
+  Renovate enables automated dependency updates for repositories.
+  It is recommended that repositories have some form of automated
+  dependency updates enabled to ensure that vulnerabilities are not
+  introduced into the codebase.
+
+  For more information, see the [GitHub Action Renovate](https://github.com/renovatebot/github-action) documentation.
+def:
+  in_entity: repository
+  rule_schema:
+    type: object
+    properties: {}
+  ingest:
+    type: git
+    git: {}
+  eval:
+    type: rego
+    rego:
+      type: deny-by-default
+      def: |
+        package minder
+        
+        import rego.v1
+
+        actions := github_workflow.ls_actions("./.github/workflows")
+
+        default message := "Renovate GitHub action is not configured"
+        default allow := false
+        allow if {
+          # check that there is a renovate action
+          "renovatebot/github-action" in actions
+        }
+  # Defines the configuration for alerting on the rule
+  alert:
+    type: security_advisory
+    security_advisory: {}
