Commit Graph

971 Commits

Author SHA1 Message Date
laurentsimon
1aac7aa39c
update log msg for non-pinned actions (#1370) 2021-12-06 19:33:27 -06:00
laurentsimon
063d384b6d
move dir (#1367) 2021-12-06 17:57:02 +00:00
laurentsimon
023eab671e
Ignore local actions that are not pinned (#1357)
* ignore local actions

* missing files
2021-12-06 16:36:42 +00:00
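As an added illustration of the distinction the two commits above (#1370 and #1357) draw, the following is example code written for this page, not scorecard's own implementation: it scans a workflow's `uses:` entries, sets aside local (./...) and docker:// actions, which carry no git ref that could be pinned, and reports the remote actions whose ref is not a full commit SHA. The workflow text, the placeholder SHA and the type and function names (`ActionRef`, `ParseUses`, `Unpinned`) are all constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// ActionKind classifies where a `uses:` reference points.
type ActionKind int

const (
	LocalAction  ActionKind = iota // ./path inside the same repository: no git ref to pin
	DockerAction                   // docker://image[:tag]: an image reference, not a git ref
	RemoteAction                   // owner/repo[/path]@ref: the case that must be SHA-pinned
)

// ActionRef is one parsed `uses:` entry.
type ActionRef struct {
	Line   int
	Raw    string
	Kind   ActionKind
	Ref    string // text after the last '@' for remote actions
	Pinned bool   // true only when Ref is a full 40-hex-digit commit SHA
}

var (
	usesRe = regexp.MustCompile(`^\s*-?\s*uses:\s*["']?([^"'#\s]+)`)
	shaRe  = regexp.MustCompile(`^[0-9a-f]{40}$`)
)

// ParseUses scans workflow YAML line by line (a deliberate simplification for this
// example; a real check parses the YAML) and returns every `uses:` reference found.
func ParseUses(workflow string) []ActionRef {
	var refs []ActionRef
	sc := bufio.NewScanner(strings.NewReader(workflow))
	for n := 1; sc.Scan(); n++ {
		m := usesRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		ref := ActionRef{Line: n, Raw: m[1]}
		switch {
		case strings.HasPrefix(ref.Raw, "./"):
			ref.Kind = LocalAction
		case strings.HasPrefix(ref.Raw, "docker://"):
			ref.Kind = DockerAction
		default:
			ref.Kind = RemoteAction
			if i := strings.LastIndex(ref.Raw, "@"); i >= 0 {
				ref.Ref = ref.Raw[i+1:]
				ref.Pinned = shaRe.MatchString(ref.Ref)
			}
		}
		refs = append(refs, ref)
	}
	return refs
}

// Unpinned returns only the remote actions not pinned to a commit SHA; local and
// docker:// actions are skipped because there is no git ref to check.
func Unpinned(refs []ActionRef) []ActionRef {
	var out []ActionRef
	for _, r := range refs {
		if r.Kind == RemoteAction && !r.Pinned {
			out = append(out, r)
		}
	}
	return out
}

// sampleWorkflow is constructed for this example; the SHA is a placeholder, not a real commit.
const sampleWorkflow = `name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions/setup-go@v2
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.14
      - name: install
        run: npm ci
`

func main() {
	for _, r := range Unpinned(ParseUses(sampleWorkflow)) {
		fmt.Printf("line %d: action %s is not pinned to a commit SHA (ref %q)\n", r.Line, r.Raw, r.Ref)
	}
}
```

A tag such as `v2` can be moved by the action's maintainer (or by whoever compromises their account), which is why only a full commit SHA counts as pinned here. Local actions are resolved from the repository's own tree at the checked-out commit, so they are not flagged.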
Chris McGehee
38b5199e9e
🐛 Adding line numbers to token-permissions and a couple other places (#1363)
* Adding line numbers to token-permissions and a couple other places

* Fix deadlink for security policy

Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Co-authored-by: Furkan Türkal <furkan.turkal@trendyol.com>

* Updating formatting

Co-authored-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Co-authored-by: Furkan Türkal <furkan.turkal@trendyol.com>
2021-12-06 10:05:52 -06:00
Batuhan Apaydın
1eb4d0e73e Fix deadlink for security policy
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Co-authored-by: Furkan Türkal <furkan.turkal@trendyol.com>
2021-12-05 11:26:29 -06:00
laurentsimon
b323cded04
🐛 checks.yml not sync'ed with checks.md (#1360)
* update docs

* update

* remove file

* remove improper commit

* fix
2021-12-04 08:56:50 -06:00
laurentsimon
afe55a83c1
🐛 Disable pinning lock file search in repo (#1315)
* fix

* linter

* linter

* linter

* comment
2021-12-04 00:44:09 +00:00
Evgeny Vereshchagin
9f7e682fe6
CI-Check: add SemaphoreCI and Packit-as-a-Service (#1293)
to make it more likely for some projects to pass the check

https://semaphoreci.com/
https://github.com/marketplace/packit-as-a-service

Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2021-12-03 23:33:01 +00:00
Azeem Shaikh
84d169bf23
Use updated clients for local (#1355)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-12-03 15:09:04 -08:00
laurentsimon
aed511670f
Cleanup Branch Protection and add e2e tests (#1344)
* BP cleanup

* linter

* e2e fix

* linter

* linter

Co-authored-by: asraa <asraa@google.com>
2021-12-03 21:53:18 +00:00
laurentsimon
3eb2e5aec8
license (#1350) 2021-12-03 21:01:38 +00:00
laurentsimon
b8d7a6b722
make critical (#1348) 2021-12-03 17:55:54 +00:00
Nanik
45b5a35020
Add new checking for license file availability (#1178)
* Add checking logic inside license_check.go
* Add test case license_check_test.go
* Add check information inside checks.yaml
2021-12-03 09:28:27 -08:00
laurentsimon
8cb4804c28
Update action names (#1346)
* update action

* add schedule

* comments

* e2e fix
2021-12-03 02:17:00 +00:00
laurentsimon
c3c017bf6f
npm ci only (#1314) 2021-12-03 01:37:18 +00:00
laurentsimon
938c637ee0
rem audio files (#1300)
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-12-03 00:54:06 +00:00
Varun Sharma
9ab2b20b07
Update verify.yml (#1325)
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-12-02 22:11:00 +00:00
Azeem Shaikh
aa558ff2f4
Add parallelism to improve build times (#1342)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-12-02 12:20:27 -08:00
Azeem Shaikh
4d6f2b606b
Relax releasetest constraints (#1330)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-12-01 18:30:14 +00:00
Evgeny Vereshchagin
3cf8b2bfdb
docs: be more specific about what Dependabot brings with it (#1336)
It would have helped me to decide whether I needed it or not

Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-12-01 17:56:28 +00:00
naveen
ce0802571a 🌱 Fixed the opencontainer image-spec vuln 2021-12-01 11:23:15 -06:00
Arnaud J Le Hors
83ea9bf653
Fix faulty shell file handling (#1312)
Parsing errors are meant to be discarded but aren't. This patch
changes the code so that the error is indeed discarded and checking
continues as intended and adds a unit test for it.

Signed-off-by: Arnaud J Le Hors <lehors@us.ibm.com>

Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-12-01 16:46:00 +00:00
laurentsimon
2d6bf97dd8
fix (#1331) 2021-12-01 14:43:25 +00:00
laurentsimon
fb3d483c7d
Only run license check and not everything (#1333)
* remove make all

* pin

* fix
2021-12-01 14:10:42 +00:00
dota17
6a7e314c37 1. Add the check Dangerous-Workflow
2. Fix the typo of rubygems
2021-12-01 07:44:28 -06:00
Varun Sharma
f9b9773e2f
🌱 Secure workflow stale.yml (#1326)
* Update stale.yml

* Update stale.yml

* Update stale.yml

* Update stale.yml
2021-11-23 23:33:49 +00:00
Azeem Shaikh
de0cfbec9a Add a validation step for goreleaser 2021-11-23 13:08:26 -06:00
laurentsimon
a500ba9e83
fix doc (#1332) 2021-11-23 00:43:13 +00:00
laurentsimon
736f2e2922
Allow pip install with --require-hashes only (#1313)
* allow --require-hashes only

* comment

* rem log

* comment

* att test

* Update checks/shell_download_validate.go

Co-authored-by: Dustin Ingram <di@users.noreply.github.com>

* Update checks/shell_download_validate.go

Co-authored-by: Dustin Ingram <di@users.noreply.github.com>

* Update checks/shell_download_validate.go

Co-authored-by: Oliver Chang <oliverchang@users.noreply.github.com>

* Update checks/shell_download_validate.go

Co-authored-by: Dustin Ingram <di@users.noreply.github.com>

* Update checks/shell_download_validate.go

Co-authored-by: Dustin Ingram <di@users.noreply.github.com>

* Update checks/shell_download_validate.go

Co-authored-by: Dustin Ingram <di@users.noreply.github.com>

* comments

Co-authored-by: Dustin Ingram <di@users.noreply.github.com>
Co-authored-by: Oliver Chang <oliverchang@users.noreply.github.com>
2021-11-23 00:02:56 +00:00
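An added example, not the project's code, of the rule the commit title above states: a `pip install` counts as pinned only when it passes `--require-hashes`, which makes pip verify every downloaded file against the hash recorded in the requirements file. A version specifier alone or a bare `-r requirements.txt` is still reported, since neither makes pip check the artifact it fetches. The shell snippet and the names (`FindPipInstalls`, `UnpinnedPip`) are constructed for this page.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// PipInstall is one `pip install` invocation found in a shell snippet.
type PipInstall struct {
	Line          int // line number after backslash continuations are folded
	Command       string
	RequireHashes bool
}

// separatorRe splits a shell line into simple commands at &&, ||, ; and |.
var separatorRe = regexp.MustCompile(`\s*(&&|\|\||;|\|)\s*`)

// isPipInstall recognises the usual spellings: pip install, pip3 install,
// python -m pip install, python3 -m pip install.
func isPipInstall(argv []string) bool {
	if len(argv) >= 2 && (argv[0] == "pip" || argv[0] == "pip3") {
		return argv[1] == "install"
	}
	if len(argv) >= 4 && strings.HasPrefix(argv[0], "python") && argv[1] == "-m" && argv[2] == "pip" {
		return argv[3] == "install"
	}
	return false
}

// FindPipInstalls folds backslash line continuations, strips trailing comments
// (naively: a '#' inside quotes would also be cut), and records whether each
// pip install passes --require-hashes.
func FindPipInstalls(script string) []PipInstall {
	joined := strings.ReplaceAll(script, "\\\n", " ")
	var out []PipInstall
	for n, line := range strings.Split(joined, "\n") {
		if i := strings.Index(line, "#"); i >= 0 {
			line = line[:i]
		}
		for _, cmd := range separatorRe.Split(line, -1) {
			argv := strings.Fields(cmd)
			if !isPipInstall(argv) {
				continue
			}
			pi := PipInstall{Line: n + 1, Command: strings.Join(argv, " ")}
			for _, a := range argv {
				if a == "--require-hashes" {
					pi.RequireHashes = true
				}
			}
			out = append(out, pi)
		}
	}
	return out
}

// UnpinnedPip returns the installs that would be reported: only --require-hashes
// makes pip refuse a download whose hash is missing or does not match.
func UnpinnedPip(installs []PipInstall) []PipInstall {
	var out []PipInstall
	for _, pi := range installs {
		if !pi.RequireHashes {
			out = append(out, pi)
		}
	}
	return out
}

// sampleScript is constructed for this example.
const sampleScript = `set -e
pip install --upgrade pip
python3 -m pip install --require-hashes -r requirements.txt   # hashes verified
pip3 install -r requirements.txt && pip3 install \
    requests==2.26.0
`

func main() {
	for _, pi := range UnpinnedPip(FindPipInstalls(sampleScript)) {
		fmt.Printf("line %d: %q installs packages without --require-hashes\n", pi.Line, pi.Command)
	}
}
```

Running it reports three of the four installs; the `python3 -m pip install --require-hashes -r requirements.txt` line is the only one pip will refuse to complete if a wheel does not match its recorded hash.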
asraa
fd67ddf1c4
🌱 update dangerous workflow to use actionlint (#1328)
* update dangerous workflow to use actionlint

Signed-off-by: Asra Ali <asraa@google.com>

* fix nilptr

Signed-off-by: Asra Ali <asraa@google.com>

Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-11-22 18:32:27 +00:00
Chris McGehee
9b600bdc69
Skip pinned dependencies check for template Dockerfiles (#1324)
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-11-22 16:16:03 +00:00
Chris McGehee
2d8ec84be4
Get OSes from matrix.include if present (#1323) 2021-11-22 15:40:17 +00:00
laurentsimon
23b0ddb8aa
fix (#1316) 2021-11-20 05:51:11 +00:00
laurentsimon
67c5e933d0
fix (#1318) 2021-11-19 21:27:14 -08:00
laurentsimon
fd8731481f
Update score for branch protection with levels (#1287)
* draft

* draft2

* fix

* fix

* fix

* test

* linter

* comments

* comment

* update doc

* comments
2021-11-20 01:42:21 +00:00
Evgeny Vereshchagin
9d2976592f
Signed-Releases: really look for *.sign files (#1298)
With this patch applied projects like dracut pass the check:
```
  "checks": [
    {
      "details": [
        "Debug: GitHub release found: 055",
        "Info: signed release artifact: dracut-055.tar.sign: https://api.github.com/repos/dracutdevs/dracut/releases/assets/37635937",
        "Debug: GitHub release found: 054",
        "Info: signed release artifact: dracut-054.tar.sign: https://api.github.com/repos/dracutdevs/dracut/releases/assets/36958052",
        "Debug: GitHub release found: 053",
        "Info: signed release artifact: dracut-053.tar.sign: https://api.github.com/repos/dracutdevs/dracut/releases/assets/32484038",
        "Debug: GitHub release found: 052",
        "Info: signed release artifact: dracut-052.tar.sign: https://api.github.com/repos/dracutdevs/dracut/releases/assets/32130796",
        "Debug: GitHub release found: 051",
        "Info: signed release artifact: dracut-051.tar.sign: https://api.github.com/repos/dracutdevs/dracut/releases/assets/31933850"
      ],
      "score": 10,
      "reason": "5 out of 5 artifacts are signed -- score normalized to 10",
      "name": "Signed-Releases",
```
2021-11-20 00:55:08 +00:00
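An added example, not the project's code, of the scoring shown in the output above: each of the newest releases is inspected for an asset that looks like a detached signature, and the fraction of releases that have one is normalized to a 0-10 score. The signature suffix list, the five-release window, the -1 "inconclusive" value and the dracut-style release data are assumptions constructed for this page.

```go
package main

import (
	"fmt"
	"strings"
)

// Release is a constructed stand-in for a GitHub release: its tag and asset file names.
type Release struct {
	Tag    string
	Assets []string
}

// signatureSuffixes are treated as detached signatures. The list is an assumption
// for this example; ".sign" is the suffix the commit above started recognising.
var signatureSuffixes = []string{".sig", ".asc", ".sign", ".minisig"}

// IsSignatureAsset reports whether an asset name ends in a signature suffix.
func IsSignatureAsset(name string) bool {
	lower := strings.ToLower(name)
	for _, s := range signatureSuffixes {
		if strings.HasSuffix(lower, s) {
			return true
		}
	}
	return false
}

// SignedAssets returns the signature files attached to one release.
func SignedAssets(r Release) []string {
	var out []string
	for _, a := range r.Assets {
		if IsSignatureAsset(a) {
			out = append(out, a)
		}
	}
	return out
}

// maxReleases bounds how many of the newest releases are examined.
const maxReleases = 5

// Score counts the examined releases that carry at least one signature and
// normalises to 0-10; -1 marks an inconclusive result (nothing to examine).
func Score(releases []Release) (signed, total, score int) {
	if len(releases) > maxReleases {
		releases = releases[:maxReleases]
	}
	total = len(releases)
	if total == 0 {
		return 0, 0, -1
	}
	for _, r := range releases {
		if len(SignedAssets(r)) > 0 {
			signed++
		}
	}
	return signed, total, signed * 10 / total
}

// Reason renders the result in the style of the "reason" field above.
func Reason(signed, total, score int) string {
	return fmt.Sprintf("%d out of %d releases are signed -- score normalized to %d", signed, total, score)
}

// sampleReleases are constructed for this example (newest first), loosely modelled
// on the dracut output in the commit message; the oldest one carries no signature.
var sampleReleases = []Release{
	{"055", []string{"dracut-055.tar.xz", "dracut-055.tar.sign"}},
	{"054", []string{"dracut-054.tar.xz", "dracut-054.tar.sign"}},
	{"053", []string{"dracut-053.tar.xz", "dracut-053.tar.sign"}},
	{"052", []string{"dracut-052.tar.xz", "dracut-052.tar.sign"}},
	{"051", []string{"dracut-051.tar.xz", "dracut-051.tar.sign"}},
	{"050", []string{"dracut-050.tar.xz"}},
}

func main() {
	for _, r := range sampleReleases {
		fmt.Printf("release %s: signature files %v\n", r.Tag, SignedAssets(r))
	}
	fmt.Println(Reason(Score(sampleReleases)))
}
```

The check only establishes that a signature file was published alongside the artifact; it does not verify the signature or the key, so a passing score says the project has a signing practice, not that a given download is authentic.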
asraa
730076fab1
🐛 fix dangerous workflow test and workflow parsing (#1283)
* fix dangerous workflow

Signed-off-by: Asra Ali <asraa@google.com>

* check if removing label comment fixes

Signed-off-by: Asra Ali <asraa@google.com>

Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-11-20 00:16:02 +00:00
Azeem Shaikh
10ee2c069f
Use pull_request_target + protected env for e2e (#1308)
Co-authored-by: Azeem Shaikh <azeems@google.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2021-11-19 15:48:31 -08:00
naveen
6e7e13ede4 🌱 Fix vulnerabilities in dependencies 2021-11-19 16:49:56 -06:00
Azeem Shaikh
5025299eb6
Fix issues with CII client (#1309)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-11-19 18:24:43 +00:00
Azeem Shaikh
08a78762da
Run Dangerous-Workflow in release tests (#1301)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-11-18 21:46:32 +00:00
Azeem Shaikh
89b316c64d
Use blob-based CII client in cron job (#1284)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-11-19 08:02:06 +11:00
Azeem Shaikh
9878c4e61e
Randomize the repos tested during release test (#1299)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-11-18 17:04:07 +00:00
Azeem Shaikh
e15e7b1ca5
More nilptr issues (#1296)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-11-18 05:27:06 +00:00
Evgeny Vereshchagin
b4e32052fe
ci: drop trailing whitespaces (#1292)
This should help to prevent various linters from complaining about
trailing whitespaces when the file is copy-pasted to other repositories:
```
.github/workflows/scorecard-analysis.yml:2: trailing whitespace.
+on:
.github/workflows/scorecard-analysis.yml:18: trailing whitespace.
+
.github/workflows/scorecard-analysis.yml:40: trailing whitespace.
+
```
2021-11-17 20:40:53 +00:00
Azeem Shaikh
8fae5b10bd
Fix more nil-ptr dereferences (#1295)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-11-17 20:00:40 +00:00
Naveen
0339eeadc2
🌱 Fix integration test runs (#1286) 2021-11-17 03:36:39 +00:00
Azeem Shaikh
2375ae2812
Add a OssFuzzRepoClient (#1280)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-11-17 03:04:37 +00:00
Azeem Shaikh
0b32cc3138
Fix broken e2e tests (#1291)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-11-17 02:41:25 +00:00
Evgeny Vereshchagin
0bd575641d
Binary-Artifacts: no longer complain about ".bin" files (#1288)
Those files most likely contain binary data used by tests, for
example. It should be safe to remove this because executables
disguised as ".bin" files will still be caught and flagged by scorecard
before it even has a chance to look at extensions.

It should address https://github.com/ossf/scorecard/issues/1256
2021-11-17 01:08:25 +00:00
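An added example, not the project's code, of the content-first ordering the commit message above relies on: a file is classified by its leading magic bytes before its extension is consulted, so an ELF or PE binary renamed to `.bin` is still reported while opaque test data with that extension is not. The magic numbers are the standard ones for ELF, PE and Mach-O; the extension list, the sample files and the names (`Classify`, `Scan`) are assumptions constructed for this page.

```go
package main

import (
	"bytes"
	"fmt"
	"path/filepath"
	"strings"
)

// executableMagics are the leading bytes of common native executable formats.
var executableMagics = []struct {
	Format string
	Magic  []byte
}{
	{"ELF", []byte{0x7f, 'E', 'L', 'F'}},
	{"PE (MZ)", []byte{'M', 'Z'}},
	{"Mach-O 32-bit", []byte{0xfe, 0xed, 0xfa, 0xce}},
	{"Mach-O 64-bit", []byte{0xfe, 0xed, 0xfa, 0xcf}},
	{"Mach-O 64-bit (little-endian)", []byte{0xcf, 0xfa, 0xed, 0xfe}},
	{"Mach-O universal or Java class", []byte{0xca, 0xfe, 0xba, 0xbe}},
}

// DetectExecutable returns the format whose magic number opens data, or "".
// The file name is deliberately not consulted here.
func DetectExecutable(data []byte) string {
	for _, m := range executableMagics {
		if bytes.HasPrefix(data, m.Magic) {
			return m.Format
		}
	}
	return ""
}

// flaggedExtensions are still reported by name alone (an assumed list for this
// example). ".bin" is intentionally absent, matching the commit above: opaque test
// data keeps that extension, and a real executable renamed to .bin is caught by
// DetectExecutable before the extension is ever looked at.
var flaggedExtensions = map[string]bool{
	".exe": true, ".dll": true, ".so": true, ".dylib": true,
	".class": true, ".jar": true, ".pyc": true, ".wasm": true,
}

// File is a constructed path-plus-content pair standing in for a repository file.
type File struct {
	Path string
	Data []byte
}

// Finding names a file reported as a binary artifact and why.
type Finding struct {
	Path   string
	Reason string
}

// Classify sniffs content first, then falls back to the extension list.
func Classify(f File) (Finding, bool) {
	if format := DetectExecutable(f.Data); format != "" {
		return Finding{f.Path, "content: " + format + " header"}, true
	}
	if ext := strings.ToLower(filepath.Ext(f.Path)); flaggedExtensions[ext] {
		return Finding{f.Path, "extension: " + ext}, true
	}
	return Finding{}, false
}

// Scan returns the findings for a slice of files, in input order.
func Scan(files []File) []Finding {
	var out []Finding
	for _, f := range files {
		if fd, ok := Classify(f); ok {
			out = append(out, fd)
		}
	}
	return out
}

// sampleFiles are constructed for this example; the headers are truncated stubs.
var sampleFiles = []File{
	{"tests/fixtures/elf.bin", []byte{0x7f, 'E', 'L', 'F', 0x02, 0x01, 0x01, 0x00}},
	{"tests/fixtures/noise.bin", []byte{0x00, 0x01, 0x02, 0x03, 0xff, 0xfe}},
	{"tools/helper.exe", []byte("MZ\x90\x00\x03\x00")},
	{"vendor/libfoo.so", []byte("placeholder, not a real shared object")},
	{"README.md", []byte("# project\n")},
}

func main() {
	for _, fd := range Scan(sampleFiles) {
		fmt.Printf("%s: binary artifact (%s)\n", fd.Path, fd.Reason)
	}
}
```

The two `.bin` fixtures show the point of the commit: the one that begins with an ELF header is reported from its content, the one holding arbitrary bytes is left alone, and neither outcome depends on the extension.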