Update Trusty PR evaluator/ruletype documentation (#3423)
Update trusty PR eval documentation

This PR updates the documentation of the trusty rule to match the last changes to the evaluator.

Signed-off-by: Adolfo García Veytia (puerco) <[email protected]>
puerco authored May 27, 2024
1 parent d3478b4 commit b44c30d
Showing 1 changed file with 6 additions and 1 deletion.
7 changes: 6 additions & 1 deletion docs/docs/ref/rules/pr_trusty_check.md
Expand Up @@ -30,6 +30,11 @@ The `pr_trusty_check` rule has the following options:
- `action` (string): The action to take if a package with a low score is found. Valid values are:
- `summary`: The evaluator engine will add a single summary comment with a table listing the packages with low scores found
- `profile_only`: The evaluator engine will merely pass on an error, marking the profile as failed if a packages with low scores is found
- `review`: The trusty evaluator will add a review asking for changes when problematic dependencies are found. Use the review action to block any pull requests introducing dependencies that break the policy established defined by the rule.
- `ecosystem_config`: An array of ecosystem configurations to check. Each ecosystem configuration has the following options:
- `name` (string): The name of the ecosystem to check. Currently `npm` and `pypi` are supported.
- `pi_threshold` (number): The minimum Trusty score for a dependency to be considered safe.
- `score` (number): The minimum Trusty score for a dependency to be considered safe.
- `provenance` (number): Minimum provenance score to consider a package's proof of origin satisfactory.
- `activity` (number): Minimum activity score to consider a package as active.
- `allow_malicious` (boolean): Don't raise an error when a PR introduces dependencies known to be malicious (not recommended)
- `allow_deprecated` (boolean): Don't block when a pull request introduces dependencies marked as deprectaed upstream.
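Review bot: Two wording problems in the added lines of this hunk: the `allow_deprecated` entry has "deprectaed" for "deprecated", and the `review` entry reads "break the policy established defined by the rule", where one of "established"/"defined" should go (suggest "the policy defined by the rule"). While this block is being edited, the unchanged `profile_only` line has "if a packages with low scores is found", which should be "if a package with a low score is found". Also worth a sentence under `review`: a review requesting changes only blocks the merge when the repository's branch protection requires reviews to pass, so "block any pull requests" currently overstates what the evaluator itself enforces.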
