Merge pull request #262 from aquasecurity/sbom-generation-rule

pkg/pipelines/rules/lib/pipeline.rego

@@ -163,6 +163,20 @@ does_task_match(task, vendor_configs) {
 	count(task.inputs) == 0
 }
 
+does_task_match(task, vendor_configs) {
+	vendor_config := vendor_configs[vendor]
+	task_config := vendor_config[_]
+	task.name == task_config.name
+	not task_config.inputs
+}
+
+does_task_match(task, vendor_configs) {
+	vendor_config := vendor_configs[vendor]
+	task_config := vendor_config[_]
+	task.name == task_config.name
+	not task.inputs
+}
+
 # Task exists, and its inputs pass all input filters
 does_task_match(task, vendor_configs) {
 	vendor_config := vendor_configs[vendor]

pkg/pipelines/rules/policies/pipeline_generate_sbom.rego

@@ -0,0 +1,63 @@
+package builtin.pipeline.SBOM_GENERATION
+
+import data.lib.pipeline
+
+__rego_metadata__ := {
+	"id": "PIPELINE-0022",
+	"avd_id": "AVD-PIPELINE-0022",
+	"title": "Ensure pipeline steps produce an SBOM",
+	"severity": "HIGH",
+	"type": "Pipeline Yaml Security Check",
+	"description": "SBOM (Software Bill Of Materials) is a file that specifies each component of software or a build process. Generate an SBOM after each run of a pipeline.",
+	"recommended_actions": "",
+	"url": "",
+}
+
+__rego_input__ := {
+	"combine": false,
+	"selector": [{"type": "pipeline"}],
+}
+
+vendorToCommandRegexes = {
+	"Trivy": [`(\.\/)?trivy .* --format cyclonedx`],
+	"Aqua": [`(\.\/)?billy generate`],
+	"Anchore": [`syft .*`],
+	"Cyclonedx": [`cyclonedx-\w+`],
+	"Spdx": [`spdx-sbom-generator`],
+	"Sonatype": [`jake sbom`],
+}
+
+vendorToTasks = {
+	"Aqua": [{
+		"name": "argonsecurity/actions/generate-manifest",
+	}],
+	"Anchore": [{
+		"name": "anchore/sbom-action",
+	}],
+	"CycloneDX": [{"name": `CycloneDX/gh-\w+-generate-sbom`}],
+}
+
+does_use_command {
+	job := input.jobs[_]
+	regexes := vendorToCommandRegexes[vendor]
+	pipeline.does_contains_one_of_commands(job, regexes)
+}
+
+does_use_task {
+	job := input.jobs[_]
+	step := job.steps[_]
+	step.type == "task"
+	pipeline.does_task_match(step.task, vendorToTasks)
+}
+
+deny[result] {
+	not does_use_command
+	not does_use_task
+
+	input.jobs[i].metadata.build == true
+
+	result := {
+		"msg": sprintf("Consider adding SBOM generation tool in build job '%s'", input.jobs[i].name),
+		"startline": input.jobs[i].file_reference.start_ref.line,
+	}
+}

pkg/pipelines/rules/policies/pipeline_scanned_for_secrets.rego

@@ -19,7 +19,7 @@ __rego_input__ := {
 }
 
 vendorToCommandRegexes = {
-	"Trivy": [`trivy ?.* fs ?.* --security-checks .*\b(,?)secret\b(,?)`, `trivy ?.* image ?.* --security-checks .*\b(,?)secret\b(,?)`],
+	"Trivy": [`(\.\/)?trivy ?.* (fs|image)\b ?.* --security-checks .*\b(,?)secret\b(,?)`],
 	"DetectSecrets": [`detect-secrets.* scan`],
 	"GitAllSecrets": [`docker run.* abhartiya/tools_gitallsecrets`],
 	"Whispers": [`whispers`],

pkg/pipelines/rules/policies/pipeline_scanned_for_vulns.rego

@@ -19,7 +19,7 @@ __rego_input__ := {
 }
 
 vendorToCommandRegexes = {
-	"Trivy": [`trivy ?.* image ?.* --security-checks .*\b(,?)vuln\b(,?)`, `trivy ?.* fs ?.* --security-checks .*\b(,?)vuln\b(,?)`],
+	"Trivy": [`(\.\/)?trivy ?.* (fs|image)\b ?.* --security-checks .*\b(,?)vuln\b(,?)`],
 	"Snyk": [`snyk container`, `snyk monitor`, `snyk test`],
 	"Sonatype": [`nancy`, `jake`, `ahab`],
 }