Verify IaC Misconfiguration Threshold in SARIF
Type: Rule
ID: sarif-iac-findings
Source: v2/rules/sarif/report-iac-errors.yaml
Rego Source: report-iac-errors.rego
Labels: SARIF
Verify the number of infrastructure-as-code (IaC) errors in the SARIF report remains below the specified threshold.
This rule requires SARIF Evidence. See here for more details.
Signed Evidence for this rule IS NOT required by default but is recommended.
Rule requires evaluation with a target. Without one, it will be disabled unless the --all-evidence flag is provided.
Usage example
uses: sarif/report-iac-errors@v2
with:
violations_threshold: 0
Mitigation
Ensures that IaC misconfiguration errors remain within acceptable limits, reducing the risk of deploying images with insecure configuration settings.
Description
This rule evaluates the SARIF report generated by the Vulnerability Scanner to detect vulnerabilities that match a specified blocklist of CVE identifiers. It processes the report by iterating over its vulnerability results, retrieving the corresponding rule definitions, and checking if the rule IDs contain any of the CVEs listed in the configuration. If the total number of matching vulnerabilities exceeds the allowed threshold, the rule records a violation that includes details such as the CVE identifier, its severity, and the location (artifact URI) where it was detected.
Evidence Requirements
Evidence must be provided in a SARIF 2.1.0 compliant format, generated by the Vulnerability Scanner.
Evidence Requirements
| Field | Value |
|---|---|
| signed | False |
| content_body_type | generic |
| target_type | data |
| predicate_type | http://docs.oasis-open.org/sarif/sarif/2.1.0 |
Input Definitions
| Parameter | Type | Required | Description |
|---|---|---|---|
| violations_threshold | integer | False | The maximum number of allowed IaC misconfiguration errors. |