Security Policy File Modification

ID

security_policy_modification

Severity

high

Resource

Policy

Description

Security policy files like SECURITY.md give instructions about how to report a security vulnerability, and the disclosure procedure to be followed by the project when a security issue is found.

Impact

Modifying how security issues are reported may result in vulnerability reports ending up in the wrong hands.

Any modification of these files that does not pass the configured checks is considered suspicious by the scanner.

Configuration

The detector has the following properties:

  • fileMatchers, the list of file matchers that select the files analyzed by this detector. Each matcher has the following properties:

    • fileTypes specifies the file types analyzed by this matcher.

    • fileRegex specifies the regular expression that file paths must match.

    • enabled, which is true by default, enables or disables this particular file matcher while keeping the others enabled.

  • changeTypesToConsider, which lists the change types to be considered, as one or more of the following characters:

    • A for added files

    • M for modified files

    • D for deleted files

    • C for copied files

    • R for renamed files

    • T for changes in the file type/mode

    • * for any change.

Multiple values can be combined, like AM for additions and modifications, or AMD for additions, modifications and deletions. The default is M, which considers modifications only.

  • nonTrivialChangeChecker, a comma-separated list of checkers used to discard trivial modifications. Available checkers are:

    • empty: discards changes that involve only empty lines or whitespace.

    • comments: discards changes that involve only comments.

  • changeValidationChecker, a declarative expression that defines the validation checkers applied to each critical modification.
    It is a logical expression over checker IDs combined with the AND and OR operators; parentheses can be used to group sub-expressions.
    Available checkers are:

    • commit_signed: Checks that the commit signature passed verification (not available for Azure DevOps or Bitbucket Cloud).

    • author_is_admin: Checks that the commit author is an administrator (not available for GitLab).

    • author_in_group: Checks that the commit author belongs to one of the given groups. For example, author_in_group(sec_crew, other-random-group) checks whether the commit author belongs to sec_crew OR to other-random-group (not available for GitLab).

    • pr_reviewed: Checks that the commit was reviewed in a Pull Request.

    • pr_reviewed_by_group: Checks that the commit was reviewed in a Pull Request by a reviewer from a specific group (or groups).

    • pr_reviewed_by_admin: Checks that the commit was reviewed in a Pull Request by an administrator.

    • pr_status_checks_passed: Checks if the given commit has passed the Pull Request checks.

Both nonTrivialChangeChecker and changeValidationChecker serve to discard false positives: changes that do not require attention, or that were properly reviewed or authored.
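As an added illustration of how fileMatchers, changeTypesToConsider and nonTrivialChangeChecker combine before any validation checker runs, here is a small Python model of that filtering stage. It is example code written for this page, not the scanner's own implementation: the field names, the extension-based reading of fileTypes, the comment markers recognised by the comments checker, and the sample changes are all assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class FileMatcher:
    """One entry of fileMatchers (field semantics are assumed from the description)."""
    file_types: tuple = ("md",)                # accepted file extensions (assumption)
    file_regex: str = r"(^|/)SECURITY\.md$"    # path regex, matched case-insensitively
    enabled: bool = True

    def matches(self, path: str) -> bool:
        if not self.enabled:
            return False
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        if self.file_types and ext not in {t.lower() for t in self.file_types}:
            return False
        return re.search(self.file_regex, path, re.IGNORECASE) is not None


def change_type_selected(change_type: str, change_types_to_consider: str = "M") -> bool:
    """changeTypesToConsider: one or more of A M D C R T, or * for any change."""
    return "*" in change_types_to_consider or change_type in change_types_to_consider


# Comment markers recognised by the "comments" checker (assumed set: #, //, /* */, <!-- -->)
COMMENT_RE = re.compile(r"^\s*(#|//|/\*|\*|<!--)")


def non_trivial_lines(diff_lines, checkers=("empty", "comments")) -> list:
    """Return the added/removed diff lines that survive the nonTrivialChangeChecker list."""
    kept = []
    for line in diff_lines:
        # Only +/- content lines count; the '+++ ' and '--- ' file headers are skipped.
        if not line or line[0] not in "+-" or line.startswith(("+++ ", "--- ")):
            continue
        body = line[1:]
        if "empty" in checkers and not body.strip():
            continue
        if "comments" in checkers and COMMENT_RE.match(body):
            continue
        kept.append(line)
    return kept


def suspicious_changes(changes, matchers, change_types="M", checkers=("empty", "comments")) -> list:
    """Paths the detector would report, before changeValidationChecker is applied."""
    flagged = []
    for ch in changes:
        if not any(m.matches(ch["path"]) for m in matchers):
            continue
        if not change_type_selected(ch["type"], change_types):
            continue
        if not non_trivial_lines(ch["diff"], checkers):   # trivial change, discard
            continue
        flagged.append(ch["path"])
    return flagged


# Constructed sample changes (not real repository data)
CHANGES = [
    # The reporting address is changed: a real, non-trivial modification.
    {"path": "SECURITY.md", "type": "M", "diff": [
        "--- a/SECURITY.md", "+++ b/SECURITY.md",
        "-Report vulnerabilities to security@example.org",
        "+Report vulnerabilities to reports@example.net"]},
    # Only blank lines and an HTML comment change: trivial.
    {"path": "SECURITY.md", "type": "M", "diff": [
        "--- a/SECURITY.md", "+++ b/SECURITY.md", "-", "+", "+<!-- reviewed -->"]},
    # Not a security policy file.
    {"path": "README.md", "type": "M", "diff": ["-old intro", "+new intro"]},
    # Added file: only reported when A is in changeTypesToConsider.
    {"path": "docs/SECURITY.md", "type": "A", "diff": ["+Report vulnerabilities to security@example.org"]},
]
```

With the default change type (M) only the first change is reported; passing change_types="AM" also reports the added docs/SECURITY.md, and disabling the matcher reports nothing.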

Mitigation / Fix

Modifications to critical files should pass several checks to ensure they do not contain any malicious code that modifies the behaviour of the application. This can be achieved in several ways, such as:

  • Ensuring a Pull Request review is required.

  • Ensuring Pull Request checks were passed.

  • Ensuring that commits are signed.

  • Ensuring that the commit author belongs to a specific group.

By default, pr_reviewed OR (commit_signed AND author_is_admin) is required.
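The changeValidationChecker grammar described under Configuration (checker IDs, optional group arguments, AND and OR, parentheses) and the default expression quoted above are illustrated by the following added Python example, which is not the scanner's own code. It assumes that AND binds tighter than OR, that each checker ID is evaluated against a commit record with the field names shown, and it uses constructed commits rather than real repository data.

```python
import re

# Tokens: parentheses, commas and identifiers. Group names such as
# other-random-group contain hyphens, so hyphens are allowed inside identifiers.
TOKEN_RE = re.compile(r"\s*(\(|\)|,|[A-Za-z_][\w\-]*)")

DEFAULT_EXPR = "pr_reviewed OR (commit_signed AND author_is_admin)"


def tokenize(expr: str) -> list:
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected character at {pos}: {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def run_checker(name: str, args: list, c: dict) -> bool:
    """Evaluate one checker ID against a commit record (record field names are assumed)."""
    groups = set(args)
    admins = c.get("admins", set())
    membership = c.get("groups", {})   # username -> set of group names
    pr = c.get("pr")                   # None when the commit was pushed directly
    reviewers = pr["reviewers"] if pr else []
    checkers = {
        "commit_signed": lambda: c.get("signature_verified", False),
        "author_is_admin": lambda: c["author"] in admins,
        "author_in_group": lambda: bool(membership.get(c["author"], set()) & groups),
        "pr_reviewed": lambda: len(reviewers) > 0,
        "pr_reviewed_by_group": lambda: any(membership.get(r, set()) & groups for r in reviewers),
        "pr_reviewed_by_admin": lambda: any(r in admins for r in reviewers),
        "pr_status_checks_passed": lambda: bool(pr and pr.get("status_checks_passed")),
    }
    if name not in checkers:
        raise ValueError(f"unknown checker: {name}")
    return bool(checkers[name]())


class Parser:
    """Recursive descent: expr := term (OR term)*; term := factor (AND factor)*;
    factor := '(' expr ')' | checker ['(' arg {',' arg} ')']."""

    def __init__(self, tokens, commit):
        self.toks, self.i, self.commit = tokens, 0, commit

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        self.i += 1
        return tok

    def expr(self):
        value = self.term()
        while self.peek() is not None and self.peek().upper() == "OR":
            self.take()
            rhs = self.term()      # always parsed, so malformed input is never masked
            value = value or rhs
        return value

    def term(self):
        value = self.factor()
        while self.peek() is not None and self.peek().upper() == "AND":
            self.take()
            rhs = self.factor()
            value = value and rhs
        return value

    def factor(self):
        if self.peek() == "(":
            self.take("(")
            value = self.expr()
            self.take(")")
            return value
        name = self.take()
        args = []
        if self.peek() == "(":     # optional argument list, e.g. author_in_group(a, b)
            self.take("(")
            while self.peek() != ")":
                args.append(self.take())
                if self.peek() == ",":
                    self.take()
            self.take(")")
        return run_checker(name, args, self.commit)


def change_is_validated(expr: str, commit: dict) -> bool:
    """True when the commit satisfies the changeValidationChecker expression."""
    p = Parser(tokenize(expr), commit)
    result = p.expr()
    if p.peek() is not None:
        raise ValueError(f"trailing tokens: {p.toks[p.i:]}")
    return result


# Constructed commit records (not real repository data)
ADMINS = {"alice"}
GROUPS = {"alice": {"sec_crew"}, "bob": {"dev"}, "carol": {"other-random-group"}}
SIGNED_ADMIN_PUSH = {"author": "alice", "signature_verified": True,
                     "admins": ADMINS, "groups": GROUPS, "pr": None}
UNSIGNED_PUSH = {"author": "bob", "signature_verified": False,
                 "admins": ADMINS, "groups": GROUPS, "pr": None}
REVIEWED_PR = {"author": "bob", "signature_verified": False, "admins": ADMINS,
               "groups": GROUPS, "pr": {"reviewers": ["carol"], "status_checks_passed": True}}
```

Against the default expression, the signed push by an administrator and the reviewed pull request are accepted, while the unsigned direct push by a non-admin fails validation and the modification stays reported. Malformed expressions and unknown checker IDs raise ValueError rather than silently evaluating to true, which is the safer failure mode for a validation rule.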