Conversation
Signed-off-by: Felipe Zipitria <felipe.zipitria@owasp.org>
There was a problem hiding this comment.
Pull request overview
Adds a JSON Schema and accompanying documentation/examples to standardize CRS plugin discovery and configuration via a plugin.yaml descriptor.
Changes:
- Introduce
plugin-schema.json(JSON Schema draft 2020-12) for validating plugin descriptors. - Add documentation describing the schema fields and intended usage (
docs/plugin-descriptor-schema.md). - Provide example plugin descriptors under
examples/for reference and onboarding.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 7 comments.
Show a summary per file
| File | Description |
|---|---|
| plugin-schema.json | Defines the structure/constraints for plugin.yaml plugin descriptors. |
| docs/plugin-descriptor-schema.md | Documents the schema fields, intent, and rollout plan. |
| examples/wordpress-rule-exclusions-plugin.yaml | Example descriptor for a rule-exclusion plugin. |
| examples/fake-bot-plugin.yaml | Example descriptor for a detection plugin with multiple variables. |
| examples/body-decompress-plugin.yaml | Example descriptor for a utility plugin with numeric bounds. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
@copilot apply changes based on the comments in this thread |
Agent-Logs-Url: https://github.com/coreruleset/plugin-registry/sessions/e5bb0215-3e42-4fc3-9912-84b7af7f99c7 Co-authored-by: fzipi <3012076+fzipi@users.noreply.github.com>
Applied all changes from the review in commit
|
Version is derived from GitHub release tags at query time. Embedding it in plugin.yaml would inevitably drift as developers forget to update it. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
theseion
left a comment
theseion
left a comment
There was a problem hiding this comment.
The registry will also need to have a new way to register plugins, i.e., a YAML file that contains an entry for each GitHub repository. That means that at least the repository URL in the schema is an unnecessary duplicate.
We should make it clear that we currently only support GitHub repositories.
Co-authored-by: Max Leske <250711+theseion@users.noreply.github.com>
- Remove `files` section from schema, docs, template, and examples. File paths follow the CRS naming convention and can be derived by tooling from the plugin name. - Clarify `engines` field in docs as an enum (matching `category` wording), since the schema already restricts values. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
Do you agree with what I wrote here? Is I wrote there, we should also make it clear that we only support GitHub atm. |
|
I agree on allowing only github repos for now. |
Co-authored-by: Max Leske <250711+theseion@users.noreply.github.com>
|
@copilot fix all table formatting and add a similar section for the engines category taxonomy. |
…itHub URLs Agent-Logs-Url: https://github.com/coreruleset/plugin-registry/sessions/f07c5958-bb5c-4998-af8b-8560d60ed8e7 Co-authored-by: fzipi <3012076+fzipi@users.noreply.github.com>
Done in commit
Agreed — the |
| | `crs_version` | Version constraint string (e.g., `>=4.0.0`). | | ||
| | `engines` | List of compatible WAF engines, one of: `modsecurity2`, `modsecurity3`, `coraza`, `all`. | | ||
|
|
||
| When omitted, no compatibility constraints are assumed. Tooling should treat missing `engines` field as if `engines` were set tp `all`. |
There was a problem hiding this comment.
| When omitted, no compatibility constraints are assumed. Tooling should treat missing `engines` field as if `engines` were set tp `all`. | |
| When omitted, no compatibility constraints are assumed. Tooling should treat missing `engines` field as if `engines` were set to `all`. |
what
why