aquasecurity / chain-bench

An open-source tool for auditing your software supply chain stack for security compliance based on a new CIS Software Supply Chain benchmark.
Apache License 2.0

chain bench config file and output assertion rules #57

Open itaywol opened 2 years ago

itaywol commented 2 years ago

My idea here is creating a `.chain-benchrc` | `chain-bench.config.json` file that the repository will hold, and upon running the CLI in the context of that repository it will read that config file for any configuration for chain-bench.

Leveraging that config file, add a `rules` key into the JSON with sub keys `pass` and `fail`; those will hold assertions over the JSON output of chain-bench that will decide what the exit code will be.

For now, when I want to assert over the chain-bench output (JSON format), I am doing it with jq or rego.

itaywol commented 2 years ago

Something like so

```jsonc
{
    "quiet": true, // Other configurations here
    "rules": {
        "https://github.com/aquasecurity/*": { // Supporting wildcards
            "fail": {
                "1.1.3": {
                    "result": "Failed"
                },
                "1.1.14": ["Failed", "Unknown"] // Alternatively supporting a couple of results
            }
        }
    }
}
```

So every time you run chain-bench against any repository in aquasecurity, these rules will be applied.
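As an added illustration (not code from this issue or from chain-bench itself), a small Python evaluator for the proposed rules: it matches the repository URL against the wildcard keys, compares each listed check against the report, and derives the exit code. The report layout (`checks` entries with `id`/`result`) and the use of fnmatch-style wildcards are assumptions.

```python
import fnmatch
import json

# Constructed config in the shape proposed in the issue (assumed, not chain-bench's real schema).
RC_JSON = """{
  "rules": {
    "https://github.com/aquasecurity/*": {
      "fail": {
        "1.1.3": {"result": "Failed"},
        "1.1.14": ["Failed", "Unknown"]
      }
    }
  }
}"""

# Constructed sample of a chain-bench JSON report; the real output layout is an assumption.
REPORT_JSON = """{"checks": [
  {"id": "1.1.3", "result": "Passed"}, {"id": "1.1.14", "result": "Unknown"},
  {"id": "1.2.1", "result": "Failed"}]}"""


def fail_results(rule):
    """Normalise the two spellings a rule may use: {"result": "Failed"} or ["Failed", "Unknown"]."""
    if isinstance(rule, list):
        return set(rule)
    if isinstance(rule, dict) and "result" in rule:
        return {rule["result"]}
    raise ValueError(f"unsupported rule shape: {rule!r}")


def violations(config_text, report_text, repo_url):
    """Return the sorted check IDs whose result matches a 'fail' assertion of every
    rule set whose wildcard key (fnmatch syntax) matches repo_url."""
    config, report = json.loads(config_text), json.loads(report_text)
    results = {c["id"]: c["result"] for c in report["checks"]}
    hits = []
    for pattern, rules in config.get("rules", {}).items():
        if not fnmatch.fnmatchcase(repo_url, pattern):
            continue  # this rule set is for other repositories
        for check_id, rule in rules.get("fail", {}).items():
            if results.get(check_id) in fail_results(rule):
                hits.append(check_id)
    return sorted(hits)


def exit_code(config_text, report_text, repo_url):
    """Exit code the CLI would return under the proposed rules: 1 on any violation, else 0."""
    return 1 if violations(config_text, report_text, repo_url) else 0


if __name__ == "__main__":
    print(violations(RC_JSON, REPORT_JSON, "https://github.com/aquasecurity/chain-bench"))
```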

naortalmor1 commented 2 years ago

Like that! Will be a great feature, we'll take it 🙏🏽