diff --git a/show_all.rego b/block_all.rego
similarity index 54%
rename from show_all.rego
rename to block_all.rego
index a23c003..ad0e369 100644
--- a/show_all.rego
+++ b/block_all.rego
@@ -1,12 +1,13 @@
 # METADATA
-# title: Show All
+# title: Block All Issues
 # description: |
-# Returns a violation for all identified issues
+# Blocks all identified issues
 package policy.v1
 import rego.v1
-# Policy Violation
+# METADATA
+# title: Policy Violation
 deny contains issue if {
 some issue in data.issues
 }
diff --git a/confirmed_malicious.rego b/confirmed_malicious.rego
index 4e0e58a..a72eb52 100644
--- a/confirmed_malicious.rego
+++ b/confirmed_malicious.rego
@@ -1,30 +1,34 @@
 # METADATA
 # title: Confirmed Malicious
 # description: |
-# Return a violation if the pacakge or author is tied to known malicious behavior
+# Blocks if the package or author is tied to known malicious behavior
 package policy.v1
 import rego.v1
-# Returns a violation if the author is known malicious
+# METADATA
+# title: Author is known malicious
 deny contains issue if {
 some issue in data.issues
 issue.tag == "CA0001"
 }
-# Returns a violation if the package contains verified malware
+# METADATA
+# title: Verified malware
 deny contains issue if {
 some issue in data.issues
 issue.tag == "CM0037"
 }
-# Returns a violation if the package contains a known-bad compiled binary
+# METADATA
+# title: Known-bad compiled binary
 deny contains issue if {
 some issue in data.issues
 issue.tag == "CM0038"
 }
-# Returns a violation if the package depends on a known malicious package
+# METADATA
+# title: Depends on a known malicious package
 deny contains issue if {
 some issue in data.issues
 issue.tag == "CM0039"
diff --git a/data_exfiltration.rego b/data_exfiltration.rego
index ff0063e..efd6b9b 100644
--- a/data_exfiltration.rego
+++ b/data_exfiltration.rego
@@ -1,18 +1,20 @@
 # METADATA
 # title: Data Exfiltration
 # description: |
-# Returns a violation if the package contains common data exfiltration techniques
+# Blocks common data exfiltration techniques
 package policy.v1
 import rego.v1
-# Package contains environment variable enumeration
+# METADATA
+# title: Environment variable enumeration
 deny contains issue if {
 some issue in data.issues
 issue.tag == "HM0025"
 }
-# Package contains webhook exfiltration
+# METADATA
+# title: Webhook exfiltration
 deny contains issue if {
 some issue in data.issues
 issue.tag == "HM0036"
diff --git a/dependency_confusion.rego b/dependency_confusion.rego
index 0ddc6df..afca4bc 100644
--- a/dependency_confusion.rego
+++ b/dependency_confusion.rego
@@ -1,12 +1,13 @@
 # METADATA
 # title: Dependency Confusion
 # description: |
-# Returns a violation if the package appears to be a dependency confusion
+# Blocks dependency confusion
 package policy.v1
 import rego.v1
-# Package contains environment variable enumeration
+# METADATA
+# title: Dependency confusion
 deny contains issue if {
 some issue in data.issues
 issue.tag == "HM0018"
diff --git a/install_code.rego b/install_code.rego
index e584826..0a6ea63 100644
--- a/install_code.rego
+++ b/install_code.rego
@@ -1,12 +1,13 @@
 # METADATA
 # title: Install Code Execution
 # description: |
-# Returns a violation if there is code execution on package install
+# Blocks code execution on package install
 package policy.v1
 import rego.v1
-# Package contains code execution on install
+# METADATA
+# title: Code execution on install
 deny contains issue if {
 some issue in data.issues
 issue.tag in {"IM0042", "IM0043", "IM0044"}
diff --git a/install_code_suspicious.rego b/install_code_suspicious.rego
index 930b810..03f15b6 100644
--- a/install_code_suspicious.rego
+++ b/install_code_suspicious.rego
@@ -1,18 +1,19 @@
 # METADATA
 # title: Install Code Execution (Suspicious)
 # description: |
-# Returns a violation if there is suspicious code execution on pacakge install
+# Blocks suspicious code execution on pacakge install
 package policy.v1
 import rego.v1
-# Package contains suspicious code execution on install
+# METADATA
+# title: Suspicious code execution on install
 deny contains issue if {
 some issue in data.issues
 issue.tag == "CM0007"
 }
-# Package contains suspicious code execution on install
+# title: Suspicious code execution on install
 deny contains issue if {
 some issue in data.issues
 endswith(issue.tag, "M0031")
diff --git a/license_mismatch.rego b/license_mismatch.rego
index 5b47ad3..b303157 100644
--- a/license_mismatch.rego
+++ b/license_mismatch.rego
@@ -1,12 +1,13 @@
 # METADATA
 # title: License Mismatch
 # description: |
-# Returns a violation if there is a license mismatch between metadata and files
+# Blocks a license mismatch between metadata and files
 package policy.v1
 import rego.v1
-# License mismatch
+# METADATA
+# title: License mismatch
 deny contains issue if {
 some issue in data.issues
 issue.tag == "IL0022"
diff --git a/minimal_code.rego b/minimal_code.rego
index c3b7941..23ed3d8 100644
--- a/minimal_code.rego
+++ b/minimal_code.rego
@@ -1,12 +1,13 @@
 # METADATA
 # title: Minimal Code
 # description: |
-# Returns a violation if the package contains minimal code and is unlikley worth the security risk
+# Blocks packages containing minimal code
 package policy.v1
 import rego.v1
-# Package contains minimal code
+# METADATA
+# title: Minimal code
 deny contains issue if {
 some issue in data.issues
 issue.tag == "IE0027"
diff --git a/obfuscated_code.rego b/obfuscated_code.rego
index 91bc0ae..fe66c68 100644
--- a/obfuscated_code.rego
+++ b/obfuscated_code.rego
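Review bot: The second rule in install_code_suspicious.rego gets `# title: Suspicious code execution on install` without a `# METADATA` line above it, so — as far as I can tell from how OPA annotations work — it stays a plain comment rather than an annotation, unlike every other rule touched in this change. The new description line also carries over the `pacakge` typo from the old text. I would change the two lines before the second `deny` to `# METADATA` / `# title: Suspicious code execution on install` and the description to `# Blocks suspicious code execution on package install`. The body of that second rule continues past the end of the hunk.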
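Review bot: The new description in minimal_code.rego drops the rationale the old one gave for blocking, which is the part a policy consumer needs to decide whether to enable this rule. I would keep it with the spelling fixed: `# Blocks packages containing minimal code, which is unlikely to be worth the security risk`.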
@@ -1,12 +1,13 @@
 # METADATA
 # title: Obfuscated Code
 # description: |
-# Returns a violation if the package contains obfuscated code
+# Blocks obfuscated code
 package policy.v1
 import rego.v1
-# Package contains obfuscated code
+# METADATA
+# title: Obfuscated code
 deny contains issue if {
 some issue in data.issues
 issue.tag in {"HM0029", "HM0099", "HM0023", "IM0040", "IM0041"}
diff --git a/runs_remote_code.rego b/runs_remote_code.rego
index f8ec37d..59f7346 100644
--- a/runs_remote_code.rego
+++ b/runs_remote_code.rego
@@ -1,12 +1,13 @@
 # METADATA
 # title: Runs Remote Code
 # description: |
-# Returns a violation if the package runs remote code
+# Blocks packages that run remote code
 package policy.v1
 import rego.v1
-# Runs remote code
+# METADATA
+# title: Runs remote code
 deny contains issue if {
 some issue in data.issues
 issue.tag in {"CM0024", "MM0024", "HM0032"}
diff --git a/secret_non_test.rego b/secret_non_test.rego
index ec47401..dbaa8a8 100644
--- a/secret_non_test.rego
+++ b/secret_non_test.rego
@@ -1,12 +1,13 @@
 # METADATA
-# title: Minimal Code
+# title: Secrets in non-test files
 # description: |
-# Returns a violation if the package contains secrets/tokens excluding test/example files
+# Blocks packages containing secrets/tokens in non-test files
 package policy.v1
 import rego.v1
-# Secrets in non-test file
+# METADATA
+# title: Secrets in non-test file
 deny contains issue if {
 some issue in data.issues
 issue.tag == "ME0016"
diff --git a/suspicious_url.rego b/suspicious_url.rego
index d6aa638..79cbd11 100644
--- a/suspicious_url.rego
+++ b/suspicious_url.rego
@@ -1,12 +1,13 @@
 # METADATA
 # title: Suspicious URL References
 # description: |
-# Returns a violation if the package references sites uncommon to legitimate software
+# Block packages referencing sites uncommon to legitimate software
 package policy.v1
 import rego.v1
-# Suspicious URL reference
+# METADATA
+# title: Suspicious URL reference
 deny contains issue if {
 some issue in data.issues
 issue.tag == "MM0028"
diff --git a/typosquat.rego b/typosquat.rego
index e47b587..bfd4bae 100644
--- a/typosquat.rego
+++ b/typosquat.rego
@@ -1,13 +1,14 @@
 # METADATA
 # title: Typosquat
 # description: |
-# Returns a violation if the package contains a potential typosquat with malicious characteristics
+# Blocks potential typosquat with malicious characteristics
 package policy.v1
 import data.phylum.domain
 import rego.v1
-# Potential typosquat with malicious characteristics
+# METADATA
+# title: Potential typosquat with malicious characteristics
 deny contains typosquat_issue if {
 some dependency in data.dependencies
diff --git a/vuln_crit.rego b/vuln_crit.rego
index 50a2cc1..99b78f2 100644
--- a/vuln_crit.rego
+++ b/vuln_crit.rego
@@ -1,14 +1,15 @@
 # METADATA
-# title: Critical Software Vulnerability
+# title: Software Vulnerability - Critical
 # description: |
-# Returns a violation if the package has a Critical software vulnerability
+# Blocks Critical software vulnerabilities
 package policy.v1
 import data.phylum.domain
 import data.phylum.level
 import rego.v1
-# Critical software vulnerability
+# METADATA
+# title: Critical software vulnerability
 deny contains issue if {
 some issue in data.issues
 issue.domain == domain.VULNERABILITY
diff --git a/vuln_crit_high.rego b/vuln_crit_high.rego
index 34f48e9..714700c 100644
--- a/vuln_crit_high.rego
+++ b/vuln_crit_high.rego
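Review bot: The new description in suspicious_url.rego is the only one in this change written as `# Block packages ...` while every other file uses the `Blocks ...` form, which matters if these descriptions are surfaced side by side to users. I would make it `# Blocks packages referencing sites uncommon to legitimate software`.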
@@ -1,14 +1,15 @@
 # METADATA
-# title: Critical/High Software Vulnerability
+# title: Software Vulnerability - Critical/High
 # description: |
-# Returns a violation if the package has a Critical or High software vulnerability
+# Blocks Critical and High software vulnerabilities
 package policy.v1
 import data.phylum.domain
 import data.phylum.level
 import rego.v1
-# Critical or High software vulnerability
+# METADATA
+# title: Critical or High software vulnerability
 deny contains issue if {
 some issue in data.issues
 issue.domain == domain.VULNERABILITY