ossf/scorecard
1
1
Fork 0
mirror of https://github.com/ossf/scorecard.git synced 2024-09-17 11:57:12 +03:00
Code Issues Actions 6 Packages Projects Releases Wiki Activity
1,382 Commits 36 Branches 42 Tags 436 MiB
3b7c46f779
Commit Graph

47 Commits

Author SHA1 Message Date
laurentsimon
4bd3391a36
Raw results for Pinned-Dependencies (#1932) 
* backup

* update

* update

* draft

* updates

* updates

* updates

* updates

* fix

* linter

* updates

* updates

* updates

* updates

* updates

* updates

* updates

* linter

* comments

* linter

* linter

* tests

* updates

* updates

* tests
 2022-06-06 14:31:22 -07:00
Romain Dauby
804127f46a Upgrade to buildkit 0.10.3 2022-05-10 10:55:48 -05:00
laurentsimon
8c97d46a36
Add custom remediation for workflow permissions/pinned dependencies (#1885) 
* draft

* update

* updates

* updates

* updates

* updates

* updates

* updates
 2022-05-06 12:52:30 -07:00
laurentsimon
875b6f694e
🐛 Ignore shell parsing errors when reporting results (#1878) 
* ignore parsing errors

* updates
 2022-05-02 10:11:50 -07:00
dependabot[bot]
66b3d8ce5c
🌱 Bump github.com/golangci/golangci-lint from 1.44.2 to 1.45.0 in /tools (#1757) 
* 🌱 Bump github.com/golangci/golangci-lint in /tools

Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.44.2 to 1.45.0.
- [Release notes](https://github.com/golangci/golangci-lint/releases)
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
- [Commits](https://github.com/golangci/golangci-lint/compare/v1.44.2...v1.45.0)

---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* golangci-lint: Surface and fix as many lint warnings automatically

Signed-off-by: Stephen Augustus <foo@auggie.dev>

* generated: Run golangci-lint with `fix: true`

Signed-off-by: Stephen Augustus <foo@auggie.dev>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Stephen Augustus <foo@auggie.dev>
 2022-03-23 02:23:39 +00:00
Azeem Shaikh
e41f8595cb
Generalize CheckFileContent functions (#1670) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2022-02-22 17:40:34 -06:00
Azeem Shaikh
2b206dc365
Remove Version field from LogMessage (#1640) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2022-02-15 18:26:06 +00:00
Azeem Shaikh
2e3e505a8c
Simplify DetailLogger interface (#1628) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2022-02-11 15:48:58 -08:00
Azeem Shaikh
6930c3ab3b
Add support for commit-based Scorecard (#1613) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2022-02-07 19:03:36 -08:00
Azeem Shaikh
1c95237e4a
Only run allowed checks in different modes (#1579) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2022-02-07 16:49:49 -08:00
laurentsimon
86d8281031
Do not parse non-dockerfile (#1583) 
* draft

* checks/pinned_dependencies.go: added isDockerfiler()
checks/pinned_dependencies_test.go: added TestDockerfileInvalidFiles

* undo CodeQL

Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
 2022-02-01 23:50:15 +00:00
naveen
70afae8b8f 🌱 Remove dead code 
Remove dead code which isn't being used.
 2022-01-28 14:05:29 -06:00
naveen
f7b329e830 Unit test for all_checks 
Addresses https://github.com/ossf/scorecard/issues/435

Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
 2022-01-12 17:24:38 -06:00
Azeem Shaikh
696553be2d
Fix linter issues (#1472) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2022-01-12 20:34:16 +00:00
Azeem Shaikh
f2c57d2590 Migrate to v4 2022-01-12 14:12:09 -06:00
laurentsimon
7a91384f8d
Add line numbers for insecure downloads (#1413) 
* add lines for docker files

* support for other constructs

* other insecure patterns

* fixes

* fixes

* comments
 2022-01-06 00:13:53 +00:00
laurentsimon
46e94eb925
[DRAFT: RAW]: Security policy support (#1372) 
* raw sec policy

* missing file

* fix validation of check.yml

* updates

* comments

* dea code

* comments
 2021-12-14 23:51:42 +00:00
laurentsimon
1aac7aa39c
update log msg for non-pinned actions (#1370) 2021-12-06 19:33:27 -06:00
laurentsimon
023eab671e
Ignore local actions that are not pinned (#1357) 
* ignore local actions

* missing files
 2021-12-06 16:36:42 +00:00
Chris McGehee
38b5199e9e
🐛 Adding line numbers to token-permissions and a couple other places (#1363) 
* Adding line numbers to token-permissions and a couple other places

* Fix deadlink for security policy

Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Co-authored-by: Furkan Türkal <furkan.turkal@trendyol.com>

* Updating formatting

Co-authored-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Co-authored-by: Furkan Türkal <furkan.turkal@trendyol.com>
 2021-12-06 10:05:52 -06:00
laurentsimon
afe55a83c1
🐛 Disable pinning lock file search in repo (#1315) 
* fix

* linter

* linter

* linter

* comment
 2021-12-04 00:44:09 +00:00
Chris McGehee
9b600bdc69
Skip pinned dependencies check for template Dockerfiles (#1324) 
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
 2021-11-22 16:16:03 +00:00
Azeem Shaikh
e15e7b1ca5
More nilptr issues (#1296) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2021-11-18 05:27:06 +00:00
Azeem Shaikh
8fae5b10bd
Fix more nil-ptr dereferences (#1295) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2021-11-17 20:00:40 +00:00
laurentsimon
cc4949465b
[Check split]: Binary-Artifacts (#1244) 
* split binary artifact check

* fix

* missing file

* comments

* linter

* fix

* comments

* linter
 2021-11-16 19:57:14 +00:00
Chris McGehee
4bd24b8291
Including line number: Dockerfile FROM not pinned (#1258) 
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
 2021-11-16 18:28:51 +00:00
Azeem Shaikh
ab2bb205d4
Fix nil-ptr access bug (#1248) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2021-11-12 16:51:41 +00:00
Chris McGehee
3dc507b9e1 Using library to parse github workflows 2021-11-08 17:00:40 -06:00
Chris McGehee
f319aca82d Moving github worflow parsing to its own file 2021-11-08 17:00:40 -06:00
Azeem Shaikh
c73c5628ea
Fix GitHub workflows failing (#1172) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
 2021-10-28 18:42:55 +00:00
Azeem Shaikh
0ba864e9c2
Avoid panic in code (#1171) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2021-10-27 12:24:02 -07:00
Chris McGehee
faab6969d6 Improve formatting, readability 2021-10-25 17:36:37 -05:00
Chris McGehee
c13783a040 🐛 Fixing parsing for Github workflow when matrix is an expression 2021-10-25 17:36:37 -05:00
Chris McGehee
cf9399aad4
🐛 Fixing parsing errors for github workflows (#1131) 2021-10-14 08:16:22 -07:00
Naveen
6c1c789dc5
🌱 v3 upgrade changes (#1118) 
v3 go.mod changes
 2021-10-07 18:16:01 -05:00
laurentsimon
7e73875acb
update msg (#1086) 2021-09-29 00:39:04 +00:00
Nanik
0590b03338
change message to make it more easier for user (#1003) 
to understand.

* reword the message

* add test for testing the mssage
 2021-09-13 07:33:40 -07:00
Azeem Shaikh
e730e911e6
sce.Create -> sce.WithMessage for wrapcheck (#995) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2021-09-10 15:50:33 +00:00
Nanik
1da121da29
Give low importance to github-owned actions (#802) (#906) 
* Different calculation between github and non-github actions

* Add test case for different kind of github and non-github action

* Modify existing test as score calculation has changed
 2021-09-09 12:16:31 -07:00
Chris McGehee
1c7ba79435
🐛 Github workflow steps run on Windows should default to pwsh as its shell (#877) 
* Github workflow steps run on Windows should default to pwsh as its shell

* Style change from PR feedback

* Fixing linter error

* MR feedback: simplifying code

* Moving consts to top of file

Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
 2021-09-07 09:09:20 -07:00
neil465
5476b878bd
Removed unnecessary linters (#969) 
* gomnd
* prealloc
* dupl
 2021-09-07 10:45:12 -04:00
Chris McGehee
29b7bd3885 Parsing GitHub Workflows should only happen on yaml files 2021-09-06 10:51:33 -05:00
Chris McGehee
dbb23450e5
Add line number to unpinned dependency: GitHub workflow "uses" field (#821) 
* Display line number for github workflow "uses" field

* Adding test for line numbers

* Updating comment

* Updating this log message to use SARIF format

Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
 2021-08-30 17:03:45 +00:00
Chris McGehee
c54d77b0d7
🐛 Only validate shell scripts supported by our parser (#862) 
* Only validate shell scripts supported by our parser

* Updating tests, code quality

Co-authored-by: Abhishek Arya <inferno@chromium.org>
 2021-08-19 08:18:45 -07:00
laurentsimon
e4f3ede843
fix/enhance pinned-dependencies (#806) 
* commit

* e2e tests

* typo
 2021-08-03 23:32:34 +00:00
laurentsimon
29594d4294
change signature of FileIfExist and FileContent (#787) 
* draft

* add pinning

* remove functions

* typo

* commment

* name
 2021-07-30 15:09:52 +00:00
laurentsimon
9edfe2a292
rename Frozen-Deps to Pinned-Dependencies (#765) 
* fix

* more tests

* e2e

* comments

* change name

* linnter

* rename

* lint
 2021-07-27 16:32:24 -07:00