rules.yml

The rules.yml configuration file contains expressions used by the lstn policy engine. When used in a CI workflow, it allows you to block or ignore certain behaviours in your dependency tree based on their priority levels or activity.

Concepts

Each rule in rules.yml is defined by a name, a query, and an optional behavior.
  • The name field specifies a name for the rule.
  • The query field specifies a jq expression that is applied to the output of the lstn command for which the rule is evaluated.
  • The behavior field specifies the action to take when the rule is triggered. If behavior is not specified, the default action is to block.

Rule Attributes

name

The name attribute is used to uniquely identify each rule. It is a string value.

query

The query attribute is a jq expression that specifies the criteria for filtering verdicts. You can filter verdicts based on attributes such as priority level, message content, and metadata.

behavior

The behavior attribute determines the action to take for verdicts that match the rule. The possible values are:
  • "block": Block the verdict (default behavior if not specified).
  • "ignore": Ignore the verdict and take no action.

Types of rules

  • Priority-based rules are triggered depending on the value of the priority field of lstn verdicts, which is one of low, medium or critical. For example, the provided block_priority_critical rule applies to verdicts with a priority level of "critical" and blocks the CI run when such a verdict is detected.
  • Activity-based rules are triggered depending on the value of the message field of lstn verdicts. An example of a message is npm install spawned a process. For example, the provided block_network_connection rule applies to verdicts with a message of "unexpected outbound connection destination" and blocks the CI run when such a verdict is detected.

Usage

To use these rules in the lstn CI workflow:
  1. Make sure you have added the policy step in your .yml workflow file in GitHub:

         - name: lstn policy
           uses: garnet-org/[email protected]
           with:
             rule-name: 'ignore_priority_medium'

  2. Create a YAML configuration file called rules.yml in your repository's root.
  3. Add the code block provided below depending on the rules you want to include.

    rules:
      - name: block_priority_medium
        query: .[] | select(.verdicts[]?.priority == "medium")
      - name: ignore_priority_medium
        query: .[] | select(.verdicts[]?.priority == "medium")
        behavior: ignore
      - name: block_priority_critical
        query: .[] | select(.verdicts[]?.priority == "critical")
      - name: block_network_connection
        query: .[] | .verdicts[]? | select(.message == "unexpected outbound connection destination")
      - name: ignore_network_connection
        query: .[] | .verdicts[]? | select(.message == "unexpected outbound connection destination")
        behavior: ignore
      - name: block_process_spawn
        query: .[] | .verdicts[]? | select(.message == "npm install spawned a process")
      - name: ignore_process_spawn
        query: .[] | .verdicts[]? | select(.message == "npm install spawned a process")
        behavior: ignore
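As an added illustration (not lstn's own code), here is a small Python model of how the rule selected by rule-name decides the CI outcome: it takes the rules from this page, applies the query to constructed lstn-style output, and returns block, ignore or pass. It understands only the select-on-one-field query shape shown above, and the JSON field layout (a list of packages, each with a verdicts array) is an assumption derived from those queries; real lstn evaluates the full jq expression.

```python
import json
import re

# Rules mirroring the rules.yml entries on this page (name, jq query, behavior).
RULES = [
    {"name": "block_priority_medium",
     "query": '.[] | select(.verdicts[]?.priority == "medium")'},
    {"name": "ignore_priority_medium",
     "query": '.[] | select(.verdicts[]?.priority == "medium")',
     "behavior": "ignore"},
    {"name": "block_priority_critical",
     "query": '.[] | select(.verdicts[]?.priority == "critical")'},
    {"name": "block_network_connection",
     "query": '.[] | .verdicts[]? | select(.message == "unexpected outbound connection destination")'},
    {"name": "block_process_spawn",
     "query": '.[] | .verdicts[]? | select(.message == "npm install spawned a process")'},
]

# Constructed sample of lstn-style output; the field layout is assumed from the queries above.
SAMPLE_OUTPUT = json.dumps([
    {"name": "example-pkg-a", "version": "1.0.0", "verdicts": [
        {"priority": "medium", "message": "npm install spawned a process"}]},
    {"name": "example-pkg-b", "version": "2.3.1"},  # no verdicts key at all
    {"name": "example-pkg-c", "version": "0.9.0", "verdicts": []},
])

# Only the query shape used on this page is understood: select() comparing one verdict field with a string.
_QUERY_RE = re.compile(r'\.(priority|message)\s*==\s*"([^"]*)"')

def matching_verdicts(query: str, packages: list[dict]) -> list[dict]:
    m = _QUERY_RE.search(query)
    if not m:
        raise ValueError(f"unsupported query shape: {query}")
    field, wanted = m.group(1), m.group(2)
    hits = []
    for pkg in packages:
        # `.verdicts[]?` in jq tolerates a missing or null verdicts field; do the same here.
        for verdict in pkg.get("verdicts") or []:
            if verdict.get(field) == wanted:
                hits.append({"package": pkg.get("name"), **verdict})
    return hits

def evaluate(rule_name: str, lstn_json: str, rules=RULES) -> tuple[str, list]:
    """Outcome for the rule chosen via rule-name: 'block', 'ignore' or 'pass'."""
    rule = next(r for r in rules if r["name"] == rule_name)
    hits = matching_verdicts(rule["query"], json.loads(lstn_json))
    if not hits:
        return "pass", hits          # no verdict matched, CI continues
    return rule.get("behavior", "block"), hits   # default behavior is block
```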
© 2023 Garnet Labs