raghavkaul
4c7066e3b6
🌱 attestor: module -> subpackage ( #2464 )
...
* Enable cilint checking on attestor and fix cilint errors
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Make attestor a subpackage of scorecard
* Move e2e test
* Use scorecard logger
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
2022-11-30 10:22:00 -08:00
Latortuga
f9f910d437
✨ Commit depth feature ( #2407 )
...
* 🌱 Bump actions/dependency-review-action from 2.4.1 to 2.5.1
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action ) from 2.4.1 to 2.5.1.
- [Release notes](https://github.com/actions/dependency-review-action/releases )
- [Commits](9c96258789...0efb1d1d84🌱 Bump github.com/spf13/cobra from 1.6.0 to 1.6.1 (#2397 )
Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra ) from 1.6.0 to 1.6.1.
- [Release notes](https://github.com/spf13/cobra/releases )
- [Commits](https://github.com/spf13/cobra/compare/v1.6.0...v1.6.1 )
---
updated-dependencies:
- dependency-name: github.com/spf13/cobra
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.6 to 2.4.0
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo ) from 2.1.6 to 2.4.0.
- [Release notes](https://github.com/onsi/ginkgo/releases )
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md )
- [Commits](https://github.com/onsi/ginkgo/compare/v2.1.6...v2.4.0 )
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* 🌱 Bump cloud.google.com/go/pubsub from 1.25.1 to 1.26.0
Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go ) from 1.25.1 to 1.26.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases )
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md )
- [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.25.1...pubsub/v1.26.0 )
---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* 🌱 Bump github.com/xanzy/go-gitlab from 0.73.1 to 0.74.0
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab ) from 0.73.1 to 0.74.0.
- [Release notes](https://github.com/xanzy/go-gitlab/releases )
- [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go )
- [Commits](https://github.com/xanzy/go-gitlab/compare/v0.73.1...v0.74.0 )
---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* 🌱 Bump github.com/onsi/gomega from 1.20.2 to 1.23.0 (#2409 )
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega ) from 1.20.2 to 1.23.0.
- [Release notes](https://github.com/onsi/gomega/releases )
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md )
- [Commits](https://github.com/onsi/gomega/compare/v1.20.2...v1.23.0 )
---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.6 to 2.4.0 in /tools
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo ) from 2.1.6 to 2.4.0.
- [Release notes](https://github.com/onsi/ginkgo/releases )
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md )
- [Commits](https://github.com/onsi/ginkgo/compare/v2.1.6...v2.4.0 )
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* 🌱 Bump github.com/golangci/golangci-lint in /tools
Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint ) from 1.50.0 to 1.50.1.
- [Release notes](https://github.com/golangci/golangci-lint/releases )
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md )
- [Commits](https://github.com/golangci/golangci-lint/compare/v1.50.0...v1.50.1 )
---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* 🌱 Bump goreleaser/goreleaser-action from 2.9.1 to 3.2.0 (#2363 )
Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action ) from 2.9.1 to 3.2.0.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases )
- [Commits](b953231f81...b508e2e3ef🌱 Bump github.com/goreleaser/goreleaser in /tools (#2373 )
Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser ) from 1.11.5 to 1.12.3.
- [Release notes](https://github.com/goreleaser/goreleaser/releases )
- [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml )
- [Commits](https://github.com/goreleaser/goreleaser/compare/v1.11.5...v1.12.3 )
---
updated-dependencies:
- dependency-name: github.com/goreleaser/goreleaser
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* ✨ CLI for scorecard-attestor (#2309 )
* Reorganize
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Working commit
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Compile with local scorecard; go mod tidy
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add signing code
Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Update deps
* Naming
* Makefile
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Edit license, add lint.yml
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* checks: go mod tidy, license
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Address PR comments
* Split into checker/signer files
* Naming convention
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* License, remove golangci.yml
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Address PR comments
* Use cobra
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add tests for root command
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Filter out checks that aren't needed for policy evaluation
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add `make` targets for attestor; submit coverage stats
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Improvements
* Use sclog instead of glog
* Remove unneeded subcommands
* Formatting
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Flags: Make note-name constant and fix messaging
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Remove SupportedRequestTypes
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* go mod tidy
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* go mod tidy, makefile
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Fix GH actions run
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* fix workflow (#2417 )
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* Bump scorecard-action (#2416 )
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* Fail unit-test job if codecov upload fails (#2415 )
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* 🌱 Enable comparison for alternative isText implementation (#2414 )
* use more performant IsText
Signed-off-by: Spencer Schrock <sschrock@google.com>
* AB test isText implementations
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Add comparison env var to release test.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* go mod tidy for attestor
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* 🐛 modify alternative isText to accept carriage returns (#2421 )
* modify IsText from golang.org/x/tools/godoc/util to accept carriage returns.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add TODO reminder to cleanup after release tests
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* 🌱 Bump github.com/onsi/gomega from 1.23.0 to 1.24.0
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega ) from 1.23.0 to 1.24.0.
- [Release notes](https://github.com/onsi/gomega/releases )
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md )
- [Commits](https://github.com/onsi/gomega/compare/v1.23.0...v1.24.0 )
---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* 🌱 Bump github/codeql-action from 2.1.29 to 2.1.30
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.1.29 to 2.1.30.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](ec3cf9c605...18fe527fa8#2422 )
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* ✨ Improved Security Policy Check (#2195 )
* ✨ Improved Security Policy Check (#2137 )
* Examines and awards points for linked content (URLs / Emails)
* Examines and awards points for hints of disclosure and vulnerability practices
* Examines and awards points for hints of elaboration of timelines
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Repaired Security Policy to correctly use linked content length for evaluation
Signed-off-by: Scott Hissam <shissam@gmail.com>
* gofmt'ed changes
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Repaired the case in the evaluation which was too sensitive to content length over the length of the linked content for urls and emails
Signed-off-by: Scott Hissam <shissam@gmail.com>
* added unit test cases for the new content-based Security Policy checks
Signed-off-by: Scott Hissam <shissam@gmail.com>
* reverted the direct (mistaken) change to checks.md and updated the checks.yaml for generate-docs
Signed-off-by: Scott Hissam <shissam@gmail.com>
* ✨ Improved Security Policy Check (#2137 ) (revisted based on comments)
* replaced reason strings with log.Info & log.Warn (as seen in --show-details)
* internal assertion check for nil (*pinfo) and empty pfile
* internal switched to FileTypeText over FileTypeSource
* internal implement type SecurityPolicyInformationType/SecurityPolicyInformation revised SecurityPolicyData to support only one file
* revised expected unit-test results and revised unit-test to reflect the new SecurityPolicyData type
Signed-off-by: Scott Hissam <shissam@gmail.com>
* revised the score value based on observation of one *or more* url(s) or one email(s) found; unit tests update accordingly
Signed-off-by: Scott Hissam <shissam@gmail.com>
* revised the score value based on observation of one *or more* url(s) or one email(s) found; unit tests update accordingly
Signed-off-by: Scott Hissam <shissam@gmail.com>
* revised the score value based on observation of one *or more* url(s) or one email(s) found; e2e tests update accordingly
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Addressed PR comments; added telemetry for policy hits in security policy file to track hits by line number
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Resolved merge conflict with checks.yaml
Signed-off-by: Scott Hissam <shissam@gmail.com>
* updated raw results to emit all the raw information for the new security policy check
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Resolved merge conflicts and lint errors with json_raw_results.go
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Addressed review comments to reorganize security policy data struct to support the potential for multiple security policy files.
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Added logic to the security policy to process multiple security policy files only after future improvements to aggregating scoring across such files are designed. For now the security policy behaves as originally designed to stop once one of the expected policy files are found in the repo
Signed-off-by: Scott Hissam <shissam@gmail.com>
* added comments regarding the capacity to support multiple policy files and removed unneeded break statements in the code
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Addressed review comments to remove the dependency on the path in the filename from the code and introduced FileSize to checker.File type and removed the SecurityContentLength which was used to hold that information for the new security policy assessment
Signed-off-by: Scott Hissam <shissam@gmail.com>
* restored reporting full security policy path and filename for policies found in the org level repos
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Resolved conflicts in checks.yaml for documentation
Signed-off-by: Scott Hissam <shissam@gmail.com>
* ✨ CLI for scorecard-attestor (#2309 )
* Reorganize
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Working commit
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Compile with local scorecard; go mod tidy
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add signing code
Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Update deps
* Naming
* Makefile
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Edit license, add lint.yml
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* checks: go mod tidy, license
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Address PR comments
* Split into checker/signer files
* Naming convention
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* License, remove golangci.yml
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Address PR comments
* Use cobra
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add tests for root command
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Filter out checks that aren't needed for policy evaluation
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add `make` targets for attestor; submit coverage stats
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Improvements
* Use sclog instead of glog
* Remove unneeded subcommands
* Formatting
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Flags: Make note-name constant and fix messaging
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Remove SupportedRequestTypes
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* go mod tidy
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* go mod tidy, makefile
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Fix GH actions run
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Scott Hissam <shissam@gmail.com>
* removed whitespace before stanza for Run attestor e2e
Signed-off-by: Scott Hissam <shissam@gmail.com>
* resolved code review and doc review comments
Signed-off-by: Scott Hissam <shissam@gmail.com>
* repaired the link for the maintainer's guide for supporting the coordinated vulnerability disclosure guidelines
Signed-off-by: Scott Hissam <shissam@gmail.com>
Signed-off-by: Scott Hissam <shissam@gmail.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* 🌱 Bump github/codeql-action from 2.1.30 to 2.1.31 (#2431 )
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.1.30 to 2.1.31.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](18fe527fa8...c3b6fce4ee#2433 )
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* modified tests,InitRepo Function, Added GetCommitDepth Function to Client Interface
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* removed getcommitdepth function
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* added TODO
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* 🌱 Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.0 in /tools (#2436 )
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo ) from 2.4.0 to 2.5.0.
- [Release notes](https://github.com/onsi/ginkgo/releases )
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md )
- [Commits](https://github.com/onsi/ginkgo/compare/v2.4.0...v2.5.0 )
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* 🌱 Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.0
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo ) from 2.4.0 to 2.5.0.
- [Release notes](https://github.com/onsi/ginkgo/releases )
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md )
- [Commits](https://github.com/onsi/ginkgo/compare/v2.4.0...v2.5.0 )
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* 🌱 Code Review: treat merging a PR as code review (#2413 )
* Merges on Github count as a code review by the maintainer
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Update Raw Results
* More detailed information for Changesets
* If there's no Revision ID, use the Commit SHA instead
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Check that pull request had atleast one reviewer that wasn't its author
* Add field for Pull Request Merged-By to Github and Gitlab
* Note, this check can be bypassed if an author opens a PR with other
people's commits
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* Trivial: Fix typo (exepted -> expected) (#2440 )
Signed-off-by: Michael Scovetta <michael.scovetta@microsoft.com>
Signed-off-by: Michael Scovetta <michael.scovetta@microsoft.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* 🌱 Bump step-security/harden-runner from 1.5.0 to 2.0.0 (#2443 )
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 1.5.0 to 2.0.0.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](2e205a28d0...ebacdc22ef🌱 cron: support reading prefix from file for controller input files (7/n) (#2445 )
* add prefix marker file to config
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Read the new config values, if they exist.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Add function to fetch prefix file config value.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Read prefix file if prefix not set.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Add tests to verify how List works with various prefixes
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Add tests for getPrefix
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Remove panics from iterator helper functions
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* Detect SECURITY.markdown in addition to SECURITY.md (#2447 )
GitHub probably supports many more file extensions for Markdown
files, but at the very least, `.md` and `.markdown` have been
standardized in RFC 7763.
Signed-off-by: favonia <favonia@gmail.com>
Signed-off-by: favonia <favonia@gmail.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* Add Pinned-Dependency, Vulnerability, and Code-Review checks to attestor (#2430 )
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* 🌱 cron: expose the stackdriver prefix as a config variable so it can be changed. (#2446 )
* Expose the stackdriver prefix as a config variable so it can be changed.
Signed-off-by: Caleb Brown <calebbrown@google.com>
* fix linter warning
Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: Caleb Brown <calebbrown@google.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* Only write to the rawBucket if the value exists. (#2451 )
Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* 🌱 Bump golang.org/x/tools from 0.2.0 to 0.3.0 (#2448 )
* 🌱 Bump golang.org/x/tools from 0.2.0 to 0.3.0
Bumps [golang.org/x/tools](https://github.com/golang/tools ) from 0.2.0 to 0.3.0.
- [Release notes](https://github.com/golang/tools/releases )
- [Commits](https://github.com/golang/tools/compare/v0.2.0...v0.3.0 )
---
updated-dependencies:
- dependency-name: golang.org/x/tools
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* bump attestor modules
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* Move cron monitoring to a non-internal location. (#2453 )
This allows external workers (e.g. criticality_score) to use the same
monitoring code.
Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* 🌱 Bump actions/dependency-review-action from 2.5.1 to 3.0.0 (#2455 )
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action ) from 2.5.1 to 3.0.0.
- [Release notes](https://github.com/actions/dependency-review-action/releases )
- [Commits](0efb1d1d84...30d5821115🌱 [cron] generalize some of the transfer logic so it is easy to build new transfer agents (#2454 )
* Generalize the transfer logic so it is easy to build new transfer agents
This change moves code that reads shards and produces summaries into the
data package so that it can be reused to create new transfer agents,
similar to the BigQuery transfer agent in cron/internal/bq.
Signed-off-by: Caleb Brown <calebbrown@google.com>
* Lint fix and commentary.
Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* 🌱 Bump github.com/google/addlicense in /tools (#2459 )
Bumps [github.com/google/addlicense](https://github.com/google/addlicense ) from 1.0.0 to 1.1.0.
- [Release notes](https://github.com/google/addlicense/releases )
- [Changelog](https://github.com/google/addlicense/blob/master/.goreleaser.yaml )
- [Commits](https://github.com/google/addlicense/compare/v1.0.0...v1.1.0 )
---
updated-dependencies:
- dependency-name: github.com/google/addlicense
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* 🌱 Bump github.com/google/go-containerregistry
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry ) from 0.12.0 to 0.12.1.
- [Release notes](https://github.com/google/go-containerregistry/releases )
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml )
- [Commits](https://github.com/google/go-containerregistry/compare/v0.12.0...v0.12.1 )
---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* go mod tidy
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* Added <= instead of == incase negative int is passed
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* missed test fix
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Scott Hissam <shissam@gmail.com>
Signed-off-by: Michael Scovetta <michael.scovetta@microsoft.com>
Signed-off-by: favonia <favonia@gmail.com>
Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: Latortuga <42878263+latortuga71@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: scott hissam <shissam@users.noreply.github.com>
Co-authored-by: Michael Scovetta <michael.scovetta@microsoft.com>
Co-authored-by: favonia <favonia@gmail.com>
Co-authored-by: Caleb Brown <calebbrown@google.com>
2022-11-22 16:11:36 +00:00
raghavkaul
272cae527c
🌱 attestor: Dockerize + small improvements for Cloud Build usage ( #2456 )
...
* Dockerize
* Add cloudbuild.yaml
* Improve logging
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add README.md
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Address PR comments
* debian10 -> 11
* CLI
* Remove logging statements
* Dockerfile
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
2022-11-17 16:49:06 -08:00
raghavkaul
a8f98be924
✨ CLI for scorecard-attestor ( #2309 )
...
* Reorganize
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Working commit
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Compile with local scorecard; go mod tidy
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add signing code
Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Update deps
* Naming
* Makefile
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Edit license, add lint.yml
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* checks: go mod tidy, license
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Address PR comments
* Split into checker/signer files
* Naming convention
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* License, remove golangci.yml
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Address PR comments
* Use cobra
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add tests for root command
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Filter out checks that aren't needed for policy evaluation
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add `make` targets for attestor; submit coverage stats
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Improvements
* Use sclog instead of glog
* Remove unneeded subcommands
* Formatting
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Flags: Make note-name constant and fix messaging
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Remove SupportedRequestTypes
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* go mod tidy
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* go mod tidy, makefile
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Fix GH actions run
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
2022-11-01 18:30:17 +00:00
Dave Banerjee
d7c23c9433
📖 Patch fix: updated makefile to include unit-test and unit-test-attestor and cont… ( #2366 )
...
* updated makefile to include unit-test and unit-test-attestor and contributing doc to include e2e-pat
Signed-off-by: Dave Banerjee <dave.banerjee@ibm.com>
* updated docs
Signed-off-by: Dave Banerjee <dave.banerjee@ibm.com>
Signed-off-by: Dave Banerjee <dave.banerjee@ibm.com>
Co-authored-by: Dave Banerjee <Dave.Banerjee@ibm.com>
2022-10-20 22:28:55 +00:00
Spencer Schrock
f979097a1f
🌱 cron: generalize and expose worker (6/n) ( #2317 )
...
* WIP
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Appease linter.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Update Makefile for worker
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Extract already completed request sanity check.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Add worker test.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* remove logger from worker interface
Signed-off-by: Spencer Schrock <sschrock@google.com>
* move cron data and worker out of cron/internal
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Move config out of internal.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Document worker interface.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Fix typo which prevented metadata from going to cron job.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Address feedback.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Revert "Fix typo which prevented metadata from going to cron job."
This reverts commit 876acb062e
2022-10-19 21:01:42 +00:00
Naveen
d4b44e52eb
🌱 Remove check-osv ( #2303 )
...
- Remove Check OSV as it is integrated into GitHub now.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-09-27 14:18:16 +00:00
Spencer Schrock
c3a7921f71
fix arg typo ( #2304 )
...
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
2022-09-26 19:02:01 -05:00
Azeem Shaikh
7cd6406aef
Reduce build target radius ( #2293 )
...
Signed-off-by: Azeem Shaikh <azeemshaikh38@gmail.com>
Signed-off-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2022-09-24 19:58:50 +00:00
Azeem Shaikh
08c2ee5f42
Modify tool installation ( #2288 )
...
Signed-off-by: Azeem Shaikh <azeemshaikh38@gmail.com>
Signed-off-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2022-09-22 10:58:10 -05:00
raghavkaul
482a59ec9b
🌱 Tests: Fix data race failures ( #2262 )
...
* Fix data race failures in tests
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Keep coverprofiles for the attestor separate
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
2022-09-19 11:26:13 -04:00
raghavkaul
9e269b8e3c
🌱 Feature: Add scorecard attestation policy module ( #2240 )
...
* Add ability to parse policy.yaml
Temporary commit
Temporary commit
Temporary commit
Temporary commit
Temporary commit
Temporary commit
* Remove hidden options
* Fix cilint problems
* Add tests
* Add tests
* Address PR comments
* Refactor to standalone module
* Don't depend on evaluation package
* Remove everything but the Binary-Artifact
* Fix test failures
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Address PR comments
* Use glob for binary artifact ignores
* Makefile
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
2022-09-12 16:33:52 -04:00
raghavkaul
90ed090448
🌱 Build/test fixes: Install protoc and protoc-gen-go ( #2038 )
...
* Install protoc in validate-projects step
The `validate-projects` Makefile target depends on compilation of all go
binaries, including the protobuf generated go binaries
* Makefile: Cron build relies on `make install` for tools deps
* Add an explicit dependency to the build-proto steps
* Remove sleep
2022-07-11 20:02:22 +00:00
Azeem Shaikh
d1714a289a
Move the cron job to internal package ( #1960 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-05-25 15:37:22 -07:00
naveensrinivasan
6ed6c9b70e
🌱 Publish images with ko
...
- Publish images with ko
https://github.com/ossf/scorecard/issues/744
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-04-18 10:40:05 -05:00
laurentsimon
2873c0d58d
e2e for GITHUB_TOKEN
2022-04-12 10:54:38 -05:00
dependabot[bot]
66b3d8ce5c
🌱 Bump github.com/golangci/golangci-lint from 1.44.2 to 1.45.0 in /tools ( #1757 )
...
* 🌱 Bump github.com/golangci/golangci-lint in /tools
Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint ) from 1.44.2 to 1.45.0.
- [Release notes](https://github.com/golangci/golangci-lint/releases )
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md )
- [Commits](https://github.com/golangci/golangci-lint/compare/v1.44.2...v1.45.0 )
---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* golangci-lint: Surface and fix as many lint warnings automatically
Signed-off-by: Stephen Augustus <foo@auggie.dev>
* generated: Run golangci-lint with `fix: true`
Signed-off-by: Stephen Augustus <foo@auggie.dev>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Stephen Augustus <foo@auggie.dev>
2022-03-23 02:23:39 +00:00
naveensrinivasan
7d1795384c
Fixed the path of the generated mock files.
...
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-03-11 09:55:24 -06:00
naveensrinivasan
1995bc3b9c
🌱 Refactor to make it testable
...
- Related to https://github.com/ossf/scorecard/issues/1568
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-03-11 09:55:24 -06:00
Batuhan Apaydın
53bae3ee1a
feat: upgrade to ko v0.10.0
...
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
2022-02-19 05:24:27 -06:00
naveen
bba55d4257
🌱 Parallelize builds
...
- parallelize builds
2022-02-17 15:23:21 -06:00
naveen
db1d568499
🌱 Remove building ko to speed up builds
...
- Remove building ko as we aren't using `ko` yet.
- Every build of `ko` slows down the build time.
- When we enable `ko` which will replace `docker` then we can enable `ko` builds
2022-02-16 10:49:27 -06:00
Azeem Shaikh
cda7a1b1d4
Add tests for graphQL costs ( #1643 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-15 23:38:23 +00:00
Azeem Shaikh
de5224bbc5
Update e2e tests ( #1641 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-15 19:27:45 +00:00
naveen
35511342c8
🌱 Parallelize the builds
...
- Created a workflow with multiple jobs for each of the docker builds
- Created a workflow with multiple jobs for each of the ko builds
- Removed the reference to dockerbuild and kobuild in the build-targets
make target
- This should reduce the time required to finish the CI builds as it
makes it parallel.
2022-02-15 11:51:54 -06:00
naveen
05cedd7cf7
🌱 Categorize the Makefile
...
Categorize the makefile into sections for better readability.
Examples :- Development, Build and Tests
2022-02-02 11:17:23 -06:00
naveen
2dcdbcd32b
🌱 Track code coverage
...
Track code coverage
https://github.com/ossf/scorecard/issues/986
Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
2022-01-19 16:29:31 -06:00
Azeem Shaikh
f2c57d2590
✨ Migrate to v4
2022-01-12 14:12:09 -06:00
naveen
de39061cc5
🌱 Refactor vulnerabilities client
2022-01-04 13:55:58 -06:00
Jason Hall
cef72f0f7d
🐛 Fix ko build workflows in Makefile ( #1392 )
...
* Use ko to build everything in cloudbuild.yaml
* --push=false and undo cloudbuild.yaml changes for now
2021-12-15 10:35:07 -06:00
Azeem Shaikh
aa558ff2f4
Add parallelism to improve build times ( #1342 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-12-02 12:20:27 -08:00
Azeem Shaikh
de0cfbec9a
Add a validation step for goreleaser
2021-11-23 13:08:26 -06:00
Azeem Shaikh
9878c4e61e
Randomize the repos tested during release test ( #1299 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-11-18 17:04:07 +00:00
Azeem Shaikh
71e8698617
Add a cron job to copy CII badges data ( #1278 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-11-16 04:23:00 +00:00
Azeem Shaikh
6223b6620a
Add CIIClient interface ( #1262 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-11-15 02:46:41 +00:00
Chris McGehee
16cd53de44
make install was not installing to GOPATH
2021-11-14 11:57:18 -06:00
Azeem Shaikh
51de6b6e5d
Check for issue activity in Maintained ( #1251 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-11-12 22:16:22 +00:00
Azeem Shaikh
c8d2a51375
Ignore nil values in Branch-Protection check ( #1243 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-11-12 19:11:06 +00:00
laurentsimon
ae271b4513
🐛 Validate doc on pre-submit ( #1235 )
...
* validate doc on pre-submit
* typo
2021-11-10 16:56:44 +00:00
Naveen
4ee366eb0f
🌱 Move docker build checks to ko ( #1214 )
...
Move the docker builds checks to ko
2021-11-08 15:55:58 +00:00
Azeem Shaikh
83649a799e
Remove repos package ( #1191 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-10-29 16:07:46 +00:00
Azeem Shaikh
c73c5628ea
Fix GitHub workflows failing ( #1172 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2021-10-28 18:42:55 +00:00
Batuhan Apaydın
6f1a43a0b6
🌱 add google/ko support for building/pusing container image ( #1127 )
...
* feat: add google/ko support for building/pusing container image
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
* feat: updates according to reviews
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
2021-10-26 17:22:22 +00:00
naveen
311d2e2e42
🌱 Reproducible builds with static binary
...
Changes to goreleaser to have static binaries and reproducible builds.
2021-10-25 15:58:47 -05:00
laurentsimon
950e0e3d2d
✨ Add support for file-based repo URIs ( #1113 )
...
* draft
* draft
* docker file
* error
* fix
* fix
* fixa
* bug
* comments
* missing merge
* fix
* fix rebase
* merge issue
* fix
* validate format early
* fix
* fix2
* comments
* fix
2021-10-21 20:08:56 +00:00
Azeem Shaikh
66f864022c
Add GitHub token server ( #1132 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-10-15 03:03:51 +00:00
naveen
7ca5061efc
🌱 Remove OSV ignores
...
The checks for OSV ignored a few OSV. These have been fixed and removing
them from the ignore list.
2021-10-04 16:19:14 -05:00
Naveen
6c537537ab
🌱 Reproducible go builds ( #1083 )
2021-09-28 22:02:58 +00:00
Azeem Shaikh
3cbe7b26f7
Consistent -ldflags across go build ( #1070 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-09-27 14:42:39 -05:00
Naveen
91eb41e235
🌱 Check for OSV for a go.mod changes ( #1053 )
...
At present we don't have a way to identify any new dependencies to go.mod that have osv/cve.
With this it will query the osv.dev for any vulnerabilities and report if it found any.
It also has an option to ignore any vulnerabilities if we chose to ignore.
This is ignoring 3 osv that are in our dependencies.
2021-09-22 20:41:56 +00:00
