Verify Attack Vector Exists in SARIF
Type: Rule
ID: sarif-attack-vectors
Source: v2/rules/sarif/verify-attack-vector.yaml
Rego Source: verify-attack-vector.rego
Labels: SARIF
Verify that the required SARIF evidence contains no more findings for the configured attack vectors than the allowed threshold.
This rule requires SARIF evidence. See here for more details.
Signed evidence for this rule IS NOT required by default but is recommended.
The rule requires evaluation with a target. Without one, it is disabled unless the --all-evidence flag is provided.
Usage example
uses: sarif/verify-attack-vector@v2
with:
  attack_vectors:
    - "stack buffer overflow"
  violations_threshold: 0
Mitigation
Helps prevent the deployment of images vulnerable to specific attack vectors by ensuring that any findings related to disallowed attack vectors are detected and flagged. This rule minimizes potential exploitation paths by enforcing that only acceptable vulnerability profiles are present.
Description
This rule evaluates the SARIF report produced by the Vulnerability Scanner to verify that vulnerabilities associated with specific attack vectors are identified and counted. The rule works as follows:
- It iterates over the vulnerability results in the SARIF report (from input.evidence.predicate.content.runs[0].results). Only the first run is examined.
- For each result, it retrieves the corresponding rule definition from input.evidence.predicate.content.runs[0].tool.driver.rules, indexed by the result's ruleIndex.
- It checks whether that rule's full description contains the phrase "The attack vector is" and whether the description also includes any of the attack vectors specified in the configuration (with.attack_vectors).
- If the total number of such matching findings exceeds the configured threshold (with.violations_threshold), a violation is recorded. The violation includes the rule identifier and the associated description.
Two consequences of this logic are worth keeping in mind: with violations_threshold set to 0, a single matching finding is already a violation; and because matching is done on the text of the rule descriptions, a report whose descriptions never contain the phrase "The attack vector is" produces no matches and the rule passes regardless of the attack_vectors list.
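The following Python re-implements the matching logic described above so it can be run against a SARIF document on a workstation. It is an added example, not the project's Rego rule: the SARIF fragment, the scanner name and the EXAMPLE-VULN-* identifiers are constructed for this illustration, the case-sensitive substring comparison mirrors the description's wording of "contains" (an assumption about the real rule), and the fallback to a ruleId lookup when ruleIndex is absent goes beyond what the page documents.

```python
"""Illustrative re-implementation of the sarif/verify-attack-vector logic.

Not the project's Rego. The SARIF document below is constructed for this
example; the scanner name and EXAMPLE-VULN-* ids are placeholders.
"""
import json

ATTACK_VECTOR_MARKER = "The attack vector is"

# Constructed SARIF 2.1.0 fragment: three rules, two of which carry an
# attack-vector sentence in fullDescription, and three results.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "constructed-scanner", "rules": [
            {"id": "EXAMPLE-VULN-1", "fullDescription": {"text":
                "Example finding. The attack vector is a stack buffer "
                "overflow in the image parser."}},
            {"id": "EXAMPLE-VULN-2", "fullDescription": {"text":
                "Example finding. The attack vector is a path traversal "
                "in the archive extractor."}},
            {"id": "EXAMPLE-VULN-3", "fullDescription": {"text":
                "Example finding with no vector sentence at all."}},
        ]}},
        "results": [
            {"ruleId": "EXAMPLE-VULN-1", "ruleIndex": 0, "level": "error",
             "message": {"text": "pkg-a 1.0"}},
            {"ruleId": "EXAMPLE-VULN-3", "ruleIndex": 2, "level": "warning",
             "message": {"text": "pkg-b 2.0"}},
            {"ruleId": "EXAMPLE-VULN-2", "ruleIndex": 1, "level": "error",
             "message": {"text": "pkg-c 3.0"}},
        ],
    }],
}


def rule_for_result(run, result):
    """Return the rule definition a result points at.

    The documented behaviour is a lookup by result.ruleIndex into
    runs[0].tool.driver.rules. Falling back to a ruleId match when ruleIndex
    is missing is an assumption added here (SARIF allows either reference).
    """
    rules = run.get("tool", {}).get("driver", {}).get("rules", [])
    idx = result.get("ruleIndex")
    if isinstance(idx, int) and 0 <= idx < len(rules):
        return rules[idx]
    for rule in rules:
        if rule.get("id") == result.get("ruleId"):
            return rule
    return None


def matching_findings(sarif, attack_vectors):
    """(rule id, description) for every result whose rule description
    contains the marker phrase and at least one configured vector.

    Matching is a case-sensitive substring test (assumption, mirroring
    the description's wording of "contains").
    """
    run = sarif["runs"][0]          # only the first run is examined
    matches = []
    for result in run.get("results", []):
        rule = rule_for_result(run, result)
        if rule is None:
            continue
        text = rule.get("fullDescription", {}).get("text", "")
        if ATTACK_VECTOR_MARKER not in text:
            continue
        if any(vector in text for vector in attack_vectors):
            matches.append((rule.get("id", "<unknown>"), text))
    return matches


def evaluate(sarif, attack_vectors, violations_threshold=0):
    """Apply the threshold: a violation is recorded only when the number
    of matching findings exceeds violations_threshold."""
    matches = matching_findings(sarif, attack_vectors)
    if len(matches) > violations_threshold:
        return {"pass": False, "violations": matches}
    return {"pass": True, "violations": []}


if __name__ == "__main__":
    # Same configuration as the usage example above.
    print(json.dumps(evaluate(SAMPLE_SARIF, ["stack buffer overflow"]),
                     indent=2))
```

Running the block with the usage example's configuration fails on the single stack-buffer-overflow finding, while raising violations_threshold to 1 lets that finding through; the third result never matches because its description lacks the marker phrase.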
Evidence Requirements
- Evidence must be provided in a generic format adhering to the SARIF 2.1.0 schema.
- The SARIF report should be generated by a tool like the Vulnerability Scanner.
- The report must include detailed rule definitions and descriptions that mention attack vectors.
Evidence Requirements
| Field | Value |
|---|---|
| signed | False |
| content_body_type | generic |
| target_type | data |
| predicate_type | http://docs.oasis-open.org/sarif/sarif/2.1.0 |
Input Definitions
| Parameter | Type | Required | Description |
|---|---|---|---|
| attack_vectors | array | False | List of attack vectors to check for in the SARIF report. |
| violations_threshold | integer | False | The maximum number of allowed attack vector violations. |