ossf/scorecard
1
1
Fork 0
mirror of https://github.com/ossf/scorecard.git synced 2024-09-11 00:45:36 +03:00
Code Issues Actions 6 Packages Projects Releases Wiki Activity
1,382 Commits 34 Branches 42 Tags 435 MiB
3b7c46f779
Commit Graph

1382 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Naveen
0275a94a3f
:warn: Remove the old Details field from CheckResult (#1906) 
https://github.com/ossf/scorecard/issues/1393

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
 2022-05-12 12:58:12 -07:00
naveensrinivasan
b9f333bc2a ⚠️ Remove the pass from the CheckResult 
- Remove Pass field from CheckResult

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
 2022-05-12 14:03:19 -05:00
dependabot[bot]
f0481647dd 🌱 Bump github.com/caarlos0/env/v6 from 6.9.1 to 6.9.2 
Bumps [github.com/caarlos0/env/v6](https://github.com/caarlos0/env) from 6.9.1 to 6.9.2.
- [Release notes](https://github.com/caarlos0/env/releases)
- [Changelog](https://github.com/caarlos0/env/blob/main/.goreleaser.yml)
- [Commits](https://github.com/caarlos0/env/compare/v6.9.1...v6.9.2)

---
updated-dependencies:
- dependency-name: github.com/caarlos0/env/v6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-05-12 17:13:16 +00:00
dependabot[bot]
74f521fcf2 🌱 Bump mvdan.cc/sh/v3 from 3.4.3 to 3.5.0 
Bumps [mvdan.cc/sh/v3](https://github.com/mvdan/sh) from 3.4.3 to 3.5.0.
- [Release notes](https://github.com/mvdan/sh/releases)
- [Changelog](https://github.com/mvdan/sh/blob/master/CHANGELOG.md)
- [Commits](https://github.com/mvdan/sh/compare/v3.4.3...v3.5.0)

---
updated-dependencies:
- dependency-name: mvdan.cc/sh/v3
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-05-12 14:43:48 +00:00
dependabot[bot]
2b35afc5bb 🌱 Bump github.com/golangci/golangci-lint in /tools 
Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.45.2 to 1.46.0.
- [Release notes](https://github.com/golangci/golangci-lint/releases)
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
- [Commits](https://github.com/golangci/golangci-lint/compare/v1.45.2...v1.46.0)

---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-05-12 02:04:06 +00:00
laurentsimon
0f30f4eec7
Make permission check aware of GH Pages Action (#1902) 
* update

* update

* update
 2022-05-11 20:41:37 -05:00
dependabot[bot]
2fc6fbb196 🌱 Bump cloud.google.com/go/bigquery from 1.31.0 to 1.32.0 
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.31.0 to 1.32.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/spanner/v1.31.0...spanner/v1.32.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-05-11 08:47:39 -05:00
Romain Dauby
804127f46a Upgrade to buildkit 0.10.3 2022-05-10 10:55:48 -05:00
06kellyjac
c5d787a598 pkg: refactor out scorecard_version 2022-05-10 09:51:55 -05:00
laurentsimon
62e3de5f48
🐛 Remove Options that belong to the Action (#1898) 
* updates

* tests
 2022-05-09 19:40:15 +00:00
Naveen
7ff4b7e050
⚠️ Removing the confidence field from CheckResult struct (#1896) 
- Removing the confidence field from `CheckResult` struct
- https://github.com/ossf/scorecard/issues/1393

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
 2022-05-09 17:46:24 +00:00
Arnaud J Le Hors
6d79817e3b
📖 Fix command Usage (#1814) 
This changes the cmd Usage text to accurately represents the
supported syntax:

Usage:
  ./scorecard (--repo=<repo> | --local=<folder> | --{npm,pypi,rubygems}=<package_name>)
	 [--checks=check1,...] [--show-details] [flags]
...
      --repo string        repository to check (valid inputs: "owner/repo", "github.com/owner/repo", "https://github.com/owner/repo")
...

Signed-off-by: Arnaud J Le Hors <lehors@us.ibm.com>
 2022-05-09 10:23:13 -04:00
Arnaud J Le Hors
815de1819f
📖 Remove erroneous ref to CSV output (#1813) 2022-05-09 12:15:14 +00:00
Azeem Shaikh
5758364c82
Fix bug in Scorecard tag Docker image creation (#1890) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2022-05-06 20:38:19 +00:00
laurentsimon
8c97d46a36
Add custom remediation for workflow permissions/pinned dependencies (#1885) 
* draft

* update

* updates

* updates

* updates

* updates

* updates

* updates
 2022-05-06 12:52:30 -07:00
Azeem Shaikh
22694dcd41
Support commits reviewed through Piper (#1889) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2022-05-06 18:41:44 +00:00
Parth Kanakiya
9a7d030902
Added additional github repositories in projects.csv (#1886) 
* Added additional repositories

* Added more repos

* Cleaned the repos
 2022-05-06 16:13:50 +00:00
Vihang Mehta
72086c9d4c
Add support for Phabricator as a code review system (#1884) 
*  Add support for Phabricator as a code review system

Signed-off-by: Vihang Mehta <vihang@pixielabs.ai>

* Also look for Differential Revision: to ensure that this repo uses Phabricator

Signed-off-by: Vihang Mehta <vihang@pixielabs.ai>

* Add some unit tests to cover Phabricator Review detection

Signed-off-by: Vihang Mehta <vihang@pixielabs.ai>
 2022-05-05 21:48:04 +00:00
dependabot[bot]
f779fb8761 🌱 Bump cloud.google.com/go/pubsub from 1.21.0 to 1.21.1 
Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.21.0 to 1.21.1.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.21.0...pubsub/v1.21.1)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-05-05 08:09:14 -05:00
laurentsimon
74ea0f4266
🐛 Fix .lib false positives in binary artifacts (#1879) 
* ignore printable files

* updates

* e2e tests

* e2e fix

* comments
 2022-05-03 13:31:51 -07:00
naveensrinivasan
2cb654102d ⚠️ Removing the pass field from result (#1853) 
- Removing the pass field from result
    - https://github.com/ossf/scorecard/issues/1393

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
 2022-05-03 11:17:47 -05:00
laurentsimon
875b6f694e
🐛 Ignore shell parsing errors when reporting results (#1878) 
* ignore parsing errors

* updates
 2022-05-02 10:11:50 -07:00
dependabot[bot]
e97bf30ef6 🌱 Bump step-security/harden-runner from 1.4.2 to 1.4.3 
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 1.4.2 to 1.4.3.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](34cbc43f0b...248ae51c2e)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-05-02 08:45:02 -05:00
laurentsimon
815de5c351
Propagate error in log (#1875) 2022-04-27 17:41:23 +00:00
dependabot[bot]
2b68f38d16 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.3 to 2.1.4 
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.3 to 2.1.4.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.1.3...v2.1.4)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-04-27 15:44:39 +00:00
dependabot[bot]
3a9f011398 🌱 Bump github.com/google/go-cmp from 0.5.7 to 0.5.8 
Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.7 to 0.5.8.
- [Release notes](https://github.com/google/go-cmp/releases)
- [Commits](https://github.com/google/go-cmp/compare/v0.5.7...v0.5.8)

---
updated-dependencies:
- dependency-name: github.com/google/go-cmp
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-04-27 15:20:00 +00:00
dependabot[bot]
a598b2ae78 🌱 Bump cloud.google.com/go/pubsub from 1.20.0 to 1.21.0 
Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.20.0 to 1.21.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.20.0...pubsub/v1.21.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-04-27 14:39:07 +00:00
dependabot[bot]
ac14ce72c1 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.3 to 2.1.4 in /tools 
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.3 to 2.1.4.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.1.3...v2.1.4)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-04-27 13:56:27 +00:00
laurentsimon
05d8c01b1c
🐛 Don't look for secrets in pull_request (#1864) 
* Remove pull_request

* updates

* updates

* linter and e2e
 2022-04-26 18:27:29 -07:00
laurentsimon
b304306451
Add token needed for checks in README (#1854) 
* check perm doc

* updates
 2022-04-26 16:02:02 +00:00
laurentsimon
ac88460c75
Raw results for best practices badge (#1795) 
* Raw results for best practices badge

* updates

* updates

* tests

* comment
 2022-04-25 17:04:21 +00:00
Alan Jowett
fe6e0917ac
Support for detecting choco installer without required hash (#1810) 
* Initial support for choco installer

https://github.com/ossf/scorecard/issues/1807

Signed-off-by: Alan Jowett <alanjo@microsoft.com>

* PR feedback

Signed-off-by: Alan Jowett <alanjo@microsoft.com>

* Simplify if statement

Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
 2022-04-25 09:40:35 -07:00
dependabot[bot]
5d8a277d76 🌱 Bump crazy-max/ghaction-import-gpg from 4.3.0 to 4.4.0 
Bumps [crazy-max/ghaction-import-gpg](https://github.com/crazy-max/ghaction-import-gpg) from 4.3.0 to 4.4.0.
- [Release notes](https://github.com/crazy-max/ghaction-import-gpg/releases)
- [Changelog](https://github.com/crazy-max/ghaction-import-gpg/blob/master/CHANGELOG.md)
- [Commits](4d58d49bfe...e00cb83a68)

---
updated-dependencies:
- dependency-name: crazy-max/ghaction-import-gpg
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-04-25 10:28:45 -05:00
dependabot[bot]
dbaba8a536 🌱 Bump step-security/harden-runner from 1.4.1 to 1.4.2 
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 1.4.1 to 1.4.2.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](https://github.com/step-security/harden-runner/compare/v1.4.1...34cbc43f0b10c9dda284e663cf43c2ebaf83e956)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-04-25 09:29:45 -05:00
Naveen
44ad5f53ad
⚠️ Removing the error field from result (#1853) 
- Removing the error field from result
- https://github.com/ossf/scorecard/issues/1393

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
 2022-04-22 23:22:43 +00:00
laurentsimon
1f3861b4cc
Update env variables in cron (#1858) 2022-04-22 20:21:08 +00:00
dependabot[bot]
ee1086efd7 🌱 Bump codecov/codecov-action from 3.0.0 to 3.1.0 
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.0.0 to 3.1.0.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/master/CHANGELOG.md)
- [Commits](e3c560433a...81cd2dc814)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-04-22 07:25:53 -05:00
dependabot[bot]
64bf903f36 🌱 Bump actions/checkout from 3.0.1 to 3.0.2 
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.0.1 to 3.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](dcd71f6466...2541b1294d)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-04-22 07:02:44 -05:00
laurentsimon
4622952c85
Raw results for dangerous workflow (#1849) 
* draft

* update

* update

* updates

* comments

* comments

* comments
 2022-04-21 22:02:18 +00:00
dependabot[bot]
72e248694d 🌱 Bump contrib.go.opencensus.io/exporter/stackdriver 
Bumps [contrib.go.opencensus.io/exporter/stackdriver](https://github.com/census-ecosystem/opencensus-go-exporter-stackdriver) from 0.13.11 to 0.13.12.
- [Release notes](https://github.com/census-ecosystem/opencensus-go-exporter-stackdriver/releases)
- [Commits](https://github.com/census-ecosystem/opencensus-go-exporter-stackdriver/compare/v0.13.11...v0.13.12)

---
updated-dependencies:
- dependency-name: contrib.go.opencensus.io/exporter/stackdriver
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-04-20 09:01:35 -05:00
naveensrinivasan
6ed6c9b70e 🌱 Publish images with ko 
- Publish images with ko

https://github.com/ossf/scorecard/issues/744

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
 2022-04-18 10:40:05 -05:00
laurentsimon
f99e1a1552
Schema for BQ table for raw results (#1762) 
* Fix schemas

* updates

* updates

* Schema for BQ table of raw result

* update

* updates

* create utility function only

* update

* updates

* updates

* manifest
 2022-04-15 16:35:01 +00:00
dependabot[bot]
9532e55ee9 🌱 Bump github.com/rhysd/actionlint from 1.6.11 to 1.6.12 
Bumps [github.com/rhysd/actionlint](https://github.com/rhysd/actionlint) from 1.6.11 to 1.6.12.
- [Release notes](https://github.com/rhysd/actionlint/releases)
- [Changelog](https://github.com/rhysd/actionlint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rhysd/actionlint/compare/v1.6.11...v1.6.12)

---
updated-dependencies:
- dependency-name: github.com/rhysd/actionlint
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-04-15 09:13:27 -05:00
dependabot[bot]
6c59ff9bfe 🌱 Bump actions/checkout from 3.0.0 to 3.0.1 
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.0.0 to 3.0.1.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](a12a3943b4...dcd71f6466)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-04-15 05:34:31 -05:00
dependabot[bot]
ebf0d10c33 🌱 Bump cloud.google.com/go/bigquery from 1.30.2 to 1.31.0 
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.30.2 to 1.31.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/bigquery/v1.30.2...spanner/v1.31.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-04-14 09:00:34 -05:00
laurentsimon
4d1c531690
Raw results for license (#1790) 
* Raw results for license

* tests

* tests

* e2e fix

* comment

* fix

* linter
 2022-04-13 18:20:05 -07:00
laurentsimon
c0e41f3a54
Update branches_e2e_test.go (#1838) 2022-04-13 16:45:07 -07:00
laurentsimon
410a145db2
fix (#1837) 2022-04-13 16:00:19 -07:00
Caleb Brown
b00b31646a Split NewLogger into two so we can use a custom logrus instance. 2022-04-13 11:31:06 -05:00
laurentsimon
91202855fd
Fix e2e branch (#1835) 2022-04-13 09:16:38 -07:00