ossf/scorecard
1
1
Fork 0
mirror of https://github.com/ossf/scorecard.git synced 2024-11-10 02:16:26 +03:00
Code Issues Actions 7 Packages Projects Releases Wiki Activity

Improve SAST check.

Browse Source 
github-code-scanning slug does not work in custom QL definitions.
And "use: github/codeql-action" can't be detected from runtime
workflow job, but just search in .github/workflows.

Fixes result for envoyproxy/envoy and fixes
https://github.com/ossf/scorecard/issues/93
This commit is contained in:
Abhishek Arya 2020-12-15 08:07:45 -08:00
parent c5abb92ec9
commit 7a10bed3e8
1 changed files with 19 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
checks/sast.go
View File

@ -22,10 +22,10 @@ import (
var sastTools map[string]bool = map[string]bool{"github-code-scanning": true, "sonarcloud": true}
func init() {
registerCheck("SAST", checker.MultiCheck(CodeQLActionRuns))
registerCheck("SAST", checker.MultiCheck(CodeQLInCheckDefinitions, SASTToolInCheckRuns))
}
func CodeQLActionRuns(c checker.Checker) checker.CheckResult {
func SASTToolInCheckRuns(c checker.Checker) checker.CheckResult {
prs, _, err := c.Client.PullRequests.List(c.Ctx, c.Owner, c.Repo, &github.PullRequestListOptions{
State: "closed",
})
@ -63,3 +63,20 @@ func CodeQLActionRuns(c checker.Checker) checker.CheckResult {
}
return checker.ProportionalResult(totalTested, totalMerged, .75)
}
func CodeQLInCheckDefinitions(c checker.Checker) checker.CheckResult {
searchQuery := ("github/codeql-action path:/.github/workflows repo:" + c.Owner + "/" + c.Repo)
results, _, err := c.Client.Search.Code(c.Ctx, searchQuery, &github.SearchOptions{})
if err != nil {
return checker.RetryResult(err)
}
for _, result := range results.CodeResults {
c.Logf("found CodeQL definition: %s", result.GetPath())
}
return checker.CheckResult{
Pass: *results.Total > 0,
Confidence: 10,
}
}