Add Yelp Secret Scanner Action validation rule

rule-types/github/yelp_secret_scanner.yaml

@@ -0,0 +1,113 @@
+---
+version: v1
+release_phase: alpha
+type: rule-type
+name: yelp_secret_scanner
+display_name: Ensure Secret Scanner is enabled for secret detection
+short_failure_message: Secret Scanner action is not enabled
+severity:
+  value: high
+context:
+  provider: github
+description: |
+  Verifies that the Secret Scanner action is enabled for the repository. This action
+  uses Yelp/detect-secrets to scan for newly committed secrets and provides enterprise-friendly
+  secret detection capabilities.
+
+  For more information, see the [Secret Scanner Action documentation](https://github.com/secret-scanner/action).
+guidance: |
+  Ensure that Secret Scanner action is enabled for your repository to detect
+  hardcoded secrets and credentials in your codebase.
+
+  First, create a baseline file:
+  ```bash:rule-types/github/gitleaks_action_action.yaml
+  pip install detect-secrets[gibberish]==1.2.0
+  detect-secrets scan > .secrets.baseline
+  detect-secrets audit .secrets.baseline
+  ```
+
+  Then set up the action in your workflow:
+  ```yaml
+  - name: Secret Scanner
+    uses: secret-scanner/action@0.0.2
+    with:
+      baseline_file: .secrets.baseline
+      python_version: "3.10.4"
+  ```
+def:
+  in_entity: repository
+  rule_schema: {}
+  ingest:
+    type: git
+    git: {}
+  eval:
+    type: rego
+    rego:
+      type: deny-by-default
+      def: |
+        package minder
+
+        import rego.v1
+
+        default allow := false
+        default message := "Secret Scanner action is not enabled or not properly configured"
+
+        has_baseline_file if {
+            file.exists(".secrets.baseline")
+        }
+
+        has_exclusion_patterns if {
+            file.exists(".github/actions/secret-scanner/excluded_files.patterns")
+            file.exists(".github/actions/secret-scanner/excluded_secrets.patterns")
+            file.exists(".github/actions/secret-scanner/excluded_lines.patterns")
+        }
+
+        has_secret_scanner(workflow) if {
+            some jobname
+            job := workflow.jobs[jobname]
+
+            some i
+            step := job.steps[i]
+            startswith(step.uses, "secret-scanner/action@")
+        }
+
+        allow if {
+            has_baseline_file
+
+            has_exclusion_patterns
+
+            workflows := file.ls("./.github/workflows")
+            count(workflows) > 0
+
+            some w
+            workflowstr := file.read(workflows[w])
+            workflow := yaml.unmarshal(workflowstr)
+            has_secret_scanner(workflow)
+        }
+
+        message = msg if {
+            not has_baseline_file
+            msg := "Missing .secrets.baseline file. Run 'detect-secrets scan > .secrets.baseline' to create one"
+        }
+
+        message = msg if {
+            not has_exclusion_patterns
+            msg := "Missing exclusion pattern files in .github/actions/secret-scanner/. These are recommended for proper configuration."
+        }
+
+        message = msg if {
+            workflows := file.ls("./.github/workflows")
+            count(workflows) == 0
+            msg := "No workflow files found"
+        }
+
+        message = msg if {
+            workflows := file.ls("./.github/workflows")
+            count(workflows) > 0
+
+            not any([has_secret_scanner(yaml.unmarshal(file.read(w))) | w := workflows[_]])
+            msg := "No workflows contain the secret-scanner action"
+        }
+  alert:
+    type: security_advisory
+    security_advisory: {}