Affected by 
README
¶
| 
| 
Installation | Documentation | Discussions | Releases
What is Minder?
Minder by Stacklok is an open source platform that helps development teams and open source communities build more secure software, and prove to others that what they’ve built is secure. Minder helps project owners proactively manage their security posture by providing a set of checks and policies to minimize risk along the software supply chain, and attest their security practices to downstream consumers.
Minder allows users to enroll repositories and define policy to ensure repositories and artifacts are configured consistently and securely. Policies can be set to alert only or auto-remediate. Minder provides a predefined set of rules and can also be configured to apply custom rules.
Minder can be deployed as a Helm chart and provides a CLI tool ‘minder’. Stacklok, the company behind Minder, also provides a free-to-use hosted version of Minder (for public repositories only). Minder is designed to be extensible, allowing users to integrate with their existing tooling and processes.
Features
- Repo configuration and security: Simplify configuration and management of security settings and policies across repos.
- Proactive security enforcement: Continuously enforce best practice security configurations by setting granular policies to alert only or auto-remediate.
- Artifact attestation: Continuously verify that packages are signed to ensure they’re tamper-proof, using the open source project Sigstore.
- Dependency management: Manage dependency security posture by helping developers make better choices and enforcing controls. Minder is integrated with Trusty by Stacklok to enable policy-driven dependency management based on the risk level of dependencies.
Stacklok Instance
Your friends at Stacklok have set up a public instance of Minder that you can use for free. The Minder CLI tool
(minder) from our official releases is configured to use this instance by default. You can also use the public
instance by running minder auth login and following the prompts.
minder auth login --grpc-host api.stacklok.com --identity-url https://auth.stacklok.com
Note that it's not possible to register private repositories. If you'd like to use Minder with private repositories, feel free to contact us! We'd be thrilled to help you out.
Getting Started
Installation
You can install minder using one of the following methods:
MacOS (Homebrew)
brew install stacklok/tap/minder
Windows (Winget)
winget install stacklok.minder
Releases
Download the latest release from - minder/releases.
Build it from source
Build minder and minder-server from source by following - #build-from-source.
Run minder
To use minder with the public instance of Minder (api.stacklok.com), run:
minder auth login
Upon completion, you should see that the Minder Server is set to api.stacklok.com.
Enroll a repository provider
Minder supports GitHub as a provider to enroll repositories. To enroll your provider, run:
minder provider enroll --provider github
A browser session will open, and you will be prompted to login to your GitHub. Once you have granted Minder access, you will be redirected back, and the user will be enrolled. The minder CLI application will report the session is complete.
Register a repository
Now that you've granted the GitHub app permissions to access your repositories, you can register them:
minder repo register --provider github
Once you've registered the repositories, the Minder server will listen for events from GitHub and will automatically create the necessary webhooks for you.
Now you can run minder commands against the public instance of Minder where you can manage your registered repositories
and create custom profiles that would help ensure your repositories are configured consistently and securely.
For more information about minder, see:
Development
Build from source
Prerequisites
You'd need the following tools available - Go, Docker and Docker Compose.
Clone the repository
git clone git@github.com:stacklok/minder.git
Build
Run the following to build minder and minder-server(binaries will be present at ./bin/)
make build
To use minder with the public instance of Minder (api.stacklok.com), run:
minder auth login
Upon completion, you should see that the Minder Server is set to api.stacklok.com.
If you want to run minder against a local minder-server instance, proceed with the steps below.
Initial configuration
Create the initial configuration file for minder and minder-server. You may do so by doing.
cp config/config.yaml.example config.yaml
You'd also have to set up an OAuth2 application for minder-server to use.
Once completed, update the configuration file with the appropriate values.
See the documentation on how to do that - Docs.
Run minder-server
Start minder-server along with its dependant services (keycloak and postgres) by running:
make run-docker
Configure social login (GitHub)
minder-server uses Keycloak as an IAM. To log in, you'll need to set up a GitHub OAuth2 application and configure
Keycloak to use it.
Create an OAuth2 application for GitHub here. Select
New OAuth App and fill in the details. The callback URL should be http://localhost:8081/realms/stacklok/broker/github/endpoint.
Create a new client secret for your OAuth2 client.
Using the client_id and client_secret you created above, enable GitHub login on Keycloak by running the following command:
make KC_GITHUB_CLIENT_ID=<client_id> KC_GITHUB_CLIENT_SECRET=<client_secret> github-login
Run minder
Ensure the config.yaml file is present in the current directory so minder can use it.
Run minder against your local instance of Minder (localhost:8090):
minder auth login
Upon completion, you should see that the Minder Server is set to localhost:8090.
Development guidelines
You can find more detailed information about the development process in the Developer Guide.
Minder API
-
REST API documentation - Link.
-
Proto API documentation - Link.
-
Protobuf - Link.
-
OpenAPI/swagger spec (JSON) - Link.
Contributing
We welcome contributions to Minder. Please see our Contributing guide for more information.
Provenance
The Minder project follows the best practices for software supply chain security and transparency.
All released assets:
- Have a generated and verifiable SLSA Build Level 3 provenance. For more information, see the SLSA website.
- Have been signed and verified during release using the Sigstore project. This ensures that they are tamper-proof and can be verified by anyone.
- Have an SBOM archive generated and published along with the release. This allows users to understand the dependencies of the project and their security posture.
License
Minder is licensed under the Apache 2.0 License.
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
cli
command
Package main provides the entrypoint for the minder cli
|
Package main provides the entrypoint for the minder cli |
|
cli/app
Package app provides the root command for the minder CLI
|
Package app provides the root command for the minder CLI |
|
cli/app/artifact
Package artifact provides the artifact subcommands
|
Package artifact provides the artifact subcommands |
|
cli/app/auth
Package auth provides the auth command project for the minder CLI.
|
Package auth provides the auth command project for the minder CLI. |
|
cli/app/docs
Package apply provides the apply command for the minder CLI
|
Package apply provides the apply command for the minder CLI |
|
cli/app/profile
Package profile provides the CLI subcommand for managing profiles
|
Package profile provides the CLI subcommand for managing profiles |
|
cli/app/profile_status
Package profile_status provides the CLI subcommand for managing profile statuses
|
Package profile_status provides the CLI subcommand for managing profile statuses |
|
cli/app/provider
Package provider is the root command for the provider subcommands
|
Package provider is the root command for the provider subcommands |
|
cli/app/repo
Package repo contains the repo logic for the control plane
|
Package repo contains the repo logic for the control plane |
|
cli/app/rule_type
Package rule_type provides the CLI subcommand for managing rules
|
Package rule_type provides the CLI subcommand for managing rules |
|
cli/app/version
Package version provides the version command for the minder CLI
|
Package version provides the version command for the minder CLI |
|
dev
command
Package main provides the entrypoint for the rule development cli
|
Package main provides the entrypoint for the rule development cli |
|
dev/app
Package app provides the root command for the medev CLI
|
Package app provides the root command for the medev CLI |
|
dev/app/rule_type
Package rule_type provides the CLI subcommand for developing rules e.g.
|
Package rule_type provides the CLI subcommand for developing rules e.g. |
|
server
command
Package main provides the entrypoint for the minder server
|
Package main provides the entrypoint for the minder server |
|
server/app
Package app provides the entrypoint for the minder migrations
|
Package app provides the entrypoint for the minder migrations |
|
database
|
|
|
mock
Package mockdb is a generated GoMock package.
|
Package mockdb is a generated GoMock package. |
|
internal
|
|
|
assets
Package assets contains the static assets.
|
Package assets contains the static assets. |
|
auth/mock
Package auth is a generated GoMock package.
|
Package auth is a generated GoMock package. |
|
config
Package config contains a centralized structure for all configuration options.
|
Package config contains a centralized structure for all configuration options. |
|
constants
Package constants contains constants used throughout the application.
|
Package constants contains constants used throughout the application. |
|
container
Package container provides a client for interacting with container images
|
Package container provides a client for interacting with container images |
|
controlplane
Package controlplane contains the gRPC server implementation for the control plane
|
Package controlplane contains the gRPC server implementation for the control plane |
|
crypto
Package crypto provides cryptographic functions
|
Package crypto provides cryptographic functions |
|
engine
Package engine provides an implementation of the profile-engine-related objects, interfaces and functionality.
|
Package engine provides an implementation of the profile-engine-related objects, interfaces and functionality. |
|
engine/actions
Package actions provide necessary interfaces and implementations for processing actions, such as remediation and alerts.
|
Package actions provide necessary interfaces and implementations for processing actions, such as remediation and alerts. |
|
engine/actions/alert
Package alert provides necessary interfaces and implementations for processing alerts.
|
Package alert provides necessary interfaces and implementations for processing alerts. |
|
engine/actions/alert/noop
Package noop provides a fallback alert engine for cases where no alert is set.
|
Package noop provides a fallback alert engine for cases where no alert is set. |
|
engine/actions/alert/security_advisory
Package security_advisory provides necessary interfaces and implementations for creating alerts of type security advisory.
|
Package security_advisory provides necessary interfaces and implementations for creating alerts of type security advisory. |
|
engine/actions/remediate
Package remediate provides necessary interfaces and implementations for remediating rules.
|
Package remediate provides necessary interfaces and implementations for remediating rules. |
|
engine/actions/remediate/gh_branch_protect
Package gh_branch_protect provides the github branch protection remediation engine
|
Package gh_branch_protect provides the github branch protection remediation engine |
|
engine/actions/remediate/noop
Package noop provides a fallback remediation engine for cases where no remediation is set.
|
Package noop provides a fallback remediation engine for cases where no remediation is set. |
|
engine/actions/remediate/pull_request
Package pull_request provides the pull request remediation engine
|
Package pull_request provides the pull request remediation engine |
|
engine/actions/remediate/rest
Package rest provides the REST remediation engine
|
Package rest provides the REST remediation engine |
|
engine/errors
Package errors provides errors for the evaluator engine
|
Package errors provides errors for the evaluator engine |
|
engine/eval
Package eval provides necessary interfaces and implementations for evaluating rules.
|
Package eval provides necessary interfaces and implementations for evaluating rules. |
|
engine/eval/jq
Package jq provides the jq profile evaluator
|
Package jq provides the jq profile evaluator |
|
engine/eval/pr_actions
Package pr_actions contains shared code to take on PRs
|
Package pr_actions contains shared code to take on PRs |
|
engine/eval/rego
Package rego provides the rego rule evaluator
|
Package rego provides the rego rule evaluator |
|
engine/eval/trusty
Package trusty provides an evaluator that uses the trusty API
|
Package trusty provides an evaluator that uses the trusty API |
|
engine/eval/vulncheck
Package vulncheck provides the vulnerability check evaluator
|
Package vulncheck provides the vulnerability check evaluator |
|
engine/ingestcache
Package ingestcache a cache that is used to cache the results of ingesting data.
|
Package ingestcache a cache that is used to cache the results of ingesting data. |
|
engine/ingester
Package ingester provides necessary interfaces and implementations for ingesting data for rules.
|
Package ingester provides necessary interfaces and implementations for ingesting data for rules. |
|
engine/ingester/artifact
Package artifact provides the artifact ingestion engine
|
Package artifact provides the artifact ingestion engine |
|
engine/ingester/builtin
Package builtin provides the builtin ingestion engine
|
Package builtin provides the builtin ingestion engine |
|
engine/ingester/diff
Package diff provides the diff rule data ingest engine
|
Package diff provides the diff rule data ingest engine |
|
engine/ingester/git
Package git provides the git rule data ingest engine
|
Package git provides the git rule data ingest engine |
|
engine/ingester/rest
Package rest provides the REST rule data ingest engine
|
Package rest provides the REST rule data ingest engine |
|
engine/interfaces
Package interfaces provides necessary interfaces and implementations for implementing engine plugins
|
Package interfaces provides necessary interfaces and implementations for implementing engine plugins |
|
entities
Package entities contains internal helper functions to deal with, validate and print the Entity protobuf enum.
|
Package entities contains internal helper functions to deal with, validate and print the Entity protobuf enum. |
|
events
Package events provides the eventer object which is responsible for setting up the watermill router and handling the incoming events
|
Package events provides the eventer object which is responsible for setting up the watermill router and handling the incoming events |
|
logger
Package logger provides a general logging tools
|
Package logger provides a general logging tools |
|
providers
Package providers contains general utilities for interacting with providers.
|
Package providers contains general utilities for interacting with providers. |
|
providers/git
Package git provides a client for interacting with Git providers
|
Package git provides a client for interacting with Git providers |
|
providers/github
Package github provides a client for interacting with the GitHub API
|
Package github provides a client for interacting with the GitHub API |
|
providers/github/mock
Package mockgh is a generated GoMock package.
|
Package mockgh is a generated GoMock package. |
|
providers/http
Package http implements an HTTP client for interacting with an HTTP API.
|
Package http implements an HTTP client for interacting with an HTTP API. |
|
providers/telemetry
Package telemetry provides the telemetry interfaces and implementations for providers
|
Package telemetry provides the telemetry interfaces and implementations for providers |
|
reconcilers
Package reconcilers contains the reconcilers for the various types of entities in minder.
|
Package reconcilers contains the reconcilers for the various types of entities in minder. |
|
util
Package util provides helper functions for the minder CLI.
|
Package util provides helper functions for the minder CLI. |
|
util/cli
Package cli contains utility for the cli
|
Package cli contains utility for the cli |
|
util/cli/useragent
Package useragent contains utilities for setting up the CLI's user agent
|
Package useragent contains utilities for setting up the CLI's user agent |
|
util/jsonyaml
Package jsonyaml contains utility functions for converting to/from json and yaml
|
Package jsonyaml contains utility functions for converting to/from json and yaml |
|
util/rand
Package rand contains utility functions largely for unit testing.
|
Package rand contains utility functions largely for unit testing. |
|
util/schemaupdate
Package schemaupdate contains utility functions to compare two schemas for updates
|
Package schemaupdate contains utility functions to compare two schemas for updates |
|
pkg
|
|
|
api/protobuf/go/minder/v1
Package v1 is a reverse proxy.
|
Package v1 is a reverse proxy. |
|
providers/v1
Package v1 for providers provides the public interfaces for the providers implemented by minder.
|
Package v1 for providers provides the public interfaces for the providers implemented by minder. |
|
rule_methods
Package rule_methods provides the methods that are used by the rules
|
Package rule_methods provides the methods that are used by the rules |