* add lifecycle field to probe yaml definitions
Signed-off-by: Spencer Schrock <sschrock@google.com>
* classify existing probes
Some are listed as stable if they're not expected to change,
others are listed as experimental if there are still expected changes.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add lifecycle to probe readme
Signed-off-by: Spencer Schrock <sschrock@google.com>
* fix linter
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add lifecycle for new probe
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add probe lifecycle to documentation
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
* merge probe and finding packages
No one interacts with the probes directly,
and having them in the same package helps with follow up commits
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add extra field to indicate the outcome a probe should show remediation for
Signed-off-by: Spencer Schrock <sschrock@google.com>
* start all probes with remediate on 'False'
Signed-off-by: Spencer Schrock <sschrock@google.com>
* make OutcomeTrue bad for hasOSVVulnerabilities
Signed-off-by: Spencer Schrock <sschrock@google.com>
* nest outcome trigger under remediation in yaml
Signed-off-by: Spencer Schrock <sschrock@google.com>
* invert outcomes for dangerous workflow probes
Signed-off-by: Spencer Schrock <sschrock@google.com>
* rename notArchived probe to archived
with the swap, the true outcome is now the bad outcome.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* rename notCreatedRecently probe to createRecently
with the rename, the true outcome is now bad
Signed-off-by: Spencer Schrock <sschrock@google.com>
* switch binary artifact probes so detecting binaries is a true outcome
Signed-off-by: Spencer Schrock <sschrock@google.com>
* appease the linter
Signed-off-by: Spencer Schrock <sschrock@google.com>
* dont export probe type
we can always make it public again later
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
* check logger counts for SAST tests
previously, we only checked the result score.
test failures with this method dont produce as actionable feedback.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* clarify test names and score constants used
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add generic sastToolConfigured probe
switch over the evaluation code to using the single probe with tool value.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* remove old probes
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add tests
Signed-off-by: Spencer Schrock <sschrock@google.com>
* experiment with one readme
Signed-off-by: Spencer Schrock <sschrock@google.com>
* appease linter
Signed-off-by: Spencer Schrock <sschrock@google.com>
* remove colon from yaml which led to parse errors
Signed-off-by: Spencer Schrock <sschrock@google.com>
* polish documentation details
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>