scorecard

mirror of https://github.com/ossf/scorecard.git synced 2024-08-15 11:20:30 +03:00

Author	SHA1	Message	Date
Spencer Schrock	6629b09746	🌱 Add lifecycle field to probes (#4147 ) Some checks are pending CodeQL / Analyze (go) (push) Waiting to run Details CodeQL / Analyze (javascript) (push) Waiting to run Details gitlab-tests / gitlab-integration-trusted (push) Waiting to run Details golangci-lint / check-linter (push) Waiting to run Details build / unit-test (push) Waiting to run Details build / generate-mocks (push) Waiting to run Details build / generate-docs (push) Waiting to run Details build / build-proto (push) Waiting to run Details build / ${{ matrix.target }} (build-add-script) (push) Blocked by required conditions Details build / ${{ matrix.target }} (build-bq-transfer) (push) Blocked by required conditions Details build / ${{ matrix.target }} (build-cii-worker) (push) Blocked by required conditions Details build / ${{ matrix.target }} (build-controller) (push) Blocked by required conditions Details build / ${{ matrix.target }} (build-github-server) (push) Blocked by required conditions Details build / ${{ matrix.target }} (build-scorecard) (push) Blocked by required conditions Details build / ${{ matrix.target }} (build-shuffler) (push) Blocked by required conditions Details build / ${{ matrix.target }} (build-validate-script) (push) Blocked by required conditions Details build / ${{ matrix.target }} (build-webhook) (push) Blocked by required conditions Details build / ${{ matrix.target }} (build-worker) (push) Blocked by required conditions Details build / validate-docs (push) Waiting to run Details build / add-projects (push) Waiting to run Details build / validate-projects (push) Waiting to run Details build / license boilerplate check (push) Waiting to run Details Scorecard analysis workflow / Scorecard analysis (push) Waiting to run Details * add lifecycle field to probe yaml definitions Signed-off-by: Spencer Schrock <sschrock@google.com> * classify existing probes Some are listed as stable if they're not expected to change, others are listed as experimental if there are still expected changes. Signed-off-by: Spencer Schrock <sschrock@google.com> * add lifecycle to probe readme Signed-off-by: Spencer Schrock <sschrock@google.com> * fix linter Signed-off-by: Spencer Schrock <sschrock@google.com> * add lifecycle for new probe Signed-off-by: Spencer Schrock <sschrock@google.com> * add probe lifecycle to documentation Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com>	2024-07-02 17:11:19 +00:00
Raghav Kaul	28337f13b1	🌱 maintainer annotations: improve annotation file validation (#4162 ) * validate check names against full list Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * tests: close file Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * make private Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * Restructure imports Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>	2024-07-02 15:40:34 +00:00
Spencer Schrock	0b9dfb656f	⚠️ Replace v4 module references with v5 (#4027 ) Signed-off-by: Spencer Schrock <sschrock@google.com>	2024-04-12 14:51:50 -07:00
Spencer Schrock	6b071eddeb	⚠️ Allow probes to specify their own bad outcomes (#4020 ) * merge probe and finding packages No one interacts with the probes directly, and having them in the same package helps with follow up commits Signed-off-by: Spencer Schrock <sschrock@google.com> * add extra field to indicate the outcome a probe should show remediation for Signed-off-by: Spencer Schrock <sschrock@google.com> * start all probes with remediate on 'False' Signed-off-by: Spencer Schrock <sschrock@google.com> * make OutcomeTrue bad for hasOSVVulnerabilities Signed-off-by: Spencer Schrock <sschrock@google.com> * nest outcome trigger under remediation in yaml Signed-off-by: Spencer Schrock <sschrock@google.com> * invert outcomes for dangerous workflow probes Signed-off-by: Spencer Schrock <sschrock@google.com> * rename notArchived probe to archived with the swap, the true outcome is now the bad outcome. Signed-off-by: Spencer Schrock <sschrock@google.com> * rename notCreatedRecently probe to createRecently with the rename, the true outcome is now bad Signed-off-by: Spencer Schrock <sschrock@google.com> * switch binary artifact probes so detecting binaries is a true outcome Signed-off-by: Spencer Schrock <sschrock@google.com> * appease the linter Signed-off-by: Spencer Schrock <sschrock@google.com> * dont export probe type we can always make it public again later Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com>	2024-04-10 14:12:53 -07:00
Spencer Schrock	b577d79c96	⚠️ Replace Positive and Negative outcomes with True and False (#4017 ) * rename positive to true Signed-off-by: Spencer Schrock <sschrock@google.com> * rename negative to false Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com>	2024-04-08 15:36:11 -07:00
Spencer Schrock	b3ad602a59	🌱 Add probe registration mechanism (#3876 ) * add basic probe registration function Signed-off-by: Spencer Schrock <sschrock@google.com> * ignore probes which call init to register the probe Signed-off-by: Spencer Schrock <sschrock@google.com> * redefine probeimpl to avoid circular imports Signed-off-by: Spencer Schrock <sschrock@google.com> * register all probes Signed-off-by: Spencer Schrock <sschrock@google.com> * experiment with a probe struct Signed-off-by: Spencer Schrock <sschrock@google.com> * make check name constants Signed-off-by: Spencer Schrock <sschrock@google.com> * convert branch protection probes Signed-off-by: Spencer Schrock <sschrock@google.com> * convert binary artifact probes Signed-off-by: Spencer Schrock <sschrock@google.com> * convert cii probe Signed-off-by: Spencer Schrock <sschrock@google.com> * convert ci test probe Signed-off-by: Spencer Schrock <sschrock@google.com> * convert code review probes Signed-off-by: Spencer Schrock <sschrock@google.com> * convert contributor probe Signed-off-by: Spencer Schrock <sschrock@google.com> * convert dangerous workflow probe Signed-off-by: Spencer Schrock <sschrock@google.com> * convert dep update tool probes Signed-off-by: Spencer Schrock <sschrock@google.com> * convert fuzzing probes Signed-off-by: Spencer Schrock <sschrock@google.com> * convert license probes Signed-off-by: Spencer Schrock <sschrock@google.com> * convert maintained probes Signed-off-by: Spencer Schrock <sschrock@google.com> * convert packaging probe Signed-off-by: Spencer Schrock <sschrock@google.com> * convert sast probes Signed-off-by: Spencer Schrock <sschrock@google.com> * convert security policy probes Signed-off-by: Spencer Schrock <sschrock@google.com> * convert signed releases probes Signed-off-by: Spencer Schrock <sschrock@google.com> * convert vuln probe Signed-off-by: Spencer Schrock <sschrock@google.com> * try using probe registration data Signed-off-by: Spencer Schrock <sschrock@google.com> * blank import unused probe Signed-off-by: Spencer Schrock <sschrock@google.com> * add uncategorized group Signed-off-by: Spencer Schrock <sschrock@google.com> * ensure All list is up-to-date Signed-off-by: Spencer Schrock <sschrock@google.com> * add reason behind uncategorized group Signed-off-by: Spencer Schrock <sschrock@google.com> * fix linter yaml parse error Signed-off-by: Spencer Schrock <sschrock@google.com> * fix linter Signed-off-by: Spencer Schrock <sschrock@google.com> * add webhook data Signed-off-by: Spencer Schrock <sschrock@google.com> * convert probe registration to Must pattern Signed-off-by: Spencer Schrock <sschrock@google.com> * add registration for new probes Signed-off-by: Spencer Schrock <sschrock@google.com> * add missing license header Signed-off-by: Spencer Schrock <sschrock@google.com> * revert changing wrapcheck linter config Signed-off-by: Spencer Schrock <sschrock@google.com> * use error func which doesnt need wrapped Signed-off-by: Spencer Schrock <sschrock@google.com> * add test for probe registration Signed-off-by: Spencer Schrock <sschrock@google.com> * restore trailing newline Signed-off-by: Spencer Schrock <sschrock@google.com> * order probe category list Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com>	2024-03-19 13:10:11 -07:00
Spencer Schrock	c1563e1966	🌱 Combine SAST probes into single probe (#3874 ) * check logger counts for SAST tests previously, we only checked the result score. test failures with this method dont produce as actionable feedback. Signed-off-by: Spencer Schrock <sschrock@google.com> * clarify test names and score constants used Signed-off-by: Spencer Schrock <sschrock@google.com> * add generic sastToolConfigured probe switch over the evaluation code to using the single probe with tool value. Signed-off-by: Spencer Schrock <sschrock@google.com> * remove old probes Signed-off-by: Spencer Schrock <sschrock@google.com> * add tests Signed-off-by: Spencer Schrock <sschrock@google.com> * experiment with one readme Signed-off-by: Spencer Schrock <sschrock@google.com> * appease linter Signed-off-by: Spencer Schrock <sschrock@google.com> * remove colon from yaml which led to parse errors Signed-off-by: Spencer Schrock <sschrock@google.com> * polish documentation details Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com>	2024-02-15 11:32:35 -08:00

7 Commits