ossf/scorecard
1
1
Fork 0
mirror of https://github.com/ossf/scorecard.git synced 2024-11-04 03:52:31 +03:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
1,319 Commits 36 Branches 42 Tags 438 MiB
5758364c82
Commit Graph

1319 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Azeem Shaikh
5758364c82
Fix bug in Scorecard tag Docker image creation (#1890) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2022-05-06 20:38:19 +00:00
laurentsimon
8c97d46a36
Add custom remediation for workflow permissions/pinned dependencies (#1885) 
* draft

* update

* updates

* updates

* updates

* updates

* updates

* updates
 2022-05-06 12:52:30 -07:00
Azeem Shaikh
22694dcd41
Support commits reviewed through Piper (#1889) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2022-05-06 18:41:44 +00:00
Parth Kanakiya
9a7d030902
Added additional github repositories in projects.csv (#1886) 
* Added additional repositories

* Added more repos

* Cleaned the repos
 2022-05-06 16:13:50 +00:00
Vihang Mehta
72086c9d4c
Add support for Phabricator as a code review system (#1884) 
*  Add support for Phabricator as a code review system

Signed-off-by: Vihang Mehta <vihang@pixielabs.ai>

* Also look for Differential Revision: to ensure that this repo uses Phabricator

Signed-off-by: Vihang Mehta <vihang@pixielabs.ai>

* Add some unit tests to cover Phabricator Review detection

Signed-off-by: Vihang Mehta <vihang@pixielabs.ai>
 2022-05-05 21:48:04 +00:00
dependabot[bot]
f779fb8761 🌱 Bump cloud.google.com/go/pubsub from 1.21.0 to 1.21.1 
Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.21.0 to 1.21.1.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.21.0...pubsub/v1.21.1)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-05-05 08:09:14 -05:00
laurentsimon
74ea0f4266
🐛 Fix .lib false positives in binary artifacts (#1879) 
* ignore printable files

* updates

* e2e tests

* e2e fix

* comments
 2022-05-03 13:31:51 -07:00
naveensrinivasan
2cb654102d ⚠️ Removing the pass field from result (#1853) 
- Removing the pass field from result
    - https://github.com/ossf/scorecard/issues/1393

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
 2022-05-03 11:17:47 -05:00
laurentsimon
875b6f694e
🐛 Ignore shell parsing errors when reporting results (#1878) 
* ignore parsing errors

* updates
 2022-05-02 10:11:50 -07:00
dependabot[bot]
e97bf30ef6 🌱 Bump step-security/harden-runner from 1.4.2 to 1.4.3 
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 1.4.2 to 1.4.3.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](34cbc43f0b...248ae51c2e)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-05-02 08:45:02 -05:00
laurentsimon
815de5c351
Propagate error in log (#1875) 2022-04-27 17:41:23 +00:00
dependabot[bot]
2b68f38d16 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.3 to 2.1.4 
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.3 to 2.1.4.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.1.3...v2.1.4)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-04-27 15:44:39 +00:00
dependabot[bot]
3a9f011398 🌱 Bump github.com/google/go-cmp from 0.5.7 to 0.5.8 
Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.7 to 0.5.8.
- [Release notes](https://github.com/google/go-cmp/releases)
- [Commits](https://github.com/google/go-cmp/compare/v0.5.7...v0.5.8)

---
updated-dependencies:
- dependency-name: github.com/google/go-cmp
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-04-27 15:20:00 +00:00
dependabot[bot]
a598b2ae78 🌱 Bump cloud.google.com/go/pubsub from 1.20.0 to 1.21.0 
Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.20.0 to 1.21.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.20.0...pubsub/v1.21.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-04-27 14:39:07 +00:00
dependabot[bot]
ac14ce72c1 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.3 to 2.1.4 in /tools 
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.3 to 2.1.4.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.1.3...v2.1.4)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-04-27 13:56:27 +00:00
laurentsimon
05d8c01b1c
🐛 Don't look for secrets in pull_request (#1864) 
* Remove pull_request

* updates

* updates

* linter and e2e
 2022-04-26 18:27:29 -07:00
laurentsimon
b304306451
Add token needed for checks in README (#1854) 
* check perm doc

* updates
 2022-04-26 16:02:02 +00:00
laurentsimon
ac88460c75
Raw results for best practices badge (#1795) 
* Raw results for best practices badge

* updates

* updates

* tests

* comment
 2022-04-25 17:04:21 +00:00
Alan Jowett
fe6e0917ac
Support for detecting choco installer without required hash (#1810) 
* Initial support for choco installer

https://github.com/ossf/scorecard/issues/1807

Signed-off-by: Alan Jowett <alanjo@microsoft.com>

* PR feedback

Signed-off-by: Alan Jowett <alanjo@microsoft.com>

* Simplify if statement

Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
 2022-04-25 09:40:35 -07:00
dependabot[bot]
5d8a277d76 🌱 Bump crazy-max/ghaction-import-gpg from 4.3.0 to 4.4.0 
Bumps [crazy-max/ghaction-import-gpg](https://github.com/crazy-max/ghaction-import-gpg) from 4.3.0 to 4.4.0.
- [Release notes](https://github.com/crazy-max/ghaction-import-gpg/releases)
- [Changelog](https://github.com/crazy-max/ghaction-import-gpg/blob/master/CHANGELOG.md)
- [Commits](4d58d49bfe...e00cb83a68)

---
updated-dependencies:
- dependency-name: crazy-max/ghaction-import-gpg
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-04-25 10:28:45 -05:00
dependabot[bot]
dbaba8a536 🌱 Bump step-security/harden-runner from 1.4.1 to 1.4.2 
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 1.4.1 to 1.4.2.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](https://github.com/step-security/harden-runner/compare/v1.4.1...34cbc43f0b10c9dda284e663cf43c2ebaf83e956)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-04-25 09:29:45 -05:00
Naveen
44ad5f53ad
⚠️ Removing the error field from result (#1853) 
- Removing the error field from result
- https://github.com/ossf/scorecard/issues/1393

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
 2022-04-22 23:22:43 +00:00
laurentsimon
1f3861b4cc
Update env variables in cron (#1858) 2022-04-22 20:21:08 +00:00
dependabot[bot]
ee1086efd7 🌱 Bump codecov/codecov-action from 3.0.0 to 3.1.0 
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.0.0 to 3.1.0.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/master/CHANGELOG.md)
- [Commits](e3c560433a...81cd2dc814)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-04-22 07:25:53 -05:00
dependabot[bot]
64bf903f36 🌱 Bump actions/checkout from 3.0.1 to 3.0.2 
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.0.1 to 3.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](dcd71f6466...2541b1294d)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-04-22 07:02:44 -05:00
laurentsimon
4622952c85
Raw results for dangerous workflow (#1849) 
* draft

* update

* update

* updates

* comments

* comments

* comments
 2022-04-21 22:02:18 +00:00
dependabot[bot]
72e248694d 🌱 Bump contrib.go.opencensus.io/exporter/stackdriver 
Bumps [contrib.go.opencensus.io/exporter/stackdriver](https://github.com/census-ecosystem/opencensus-go-exporter-stackdriver) from 0.13.11 to 0.13.12.
- [Release notes](https://github.com/census-ecosystem/opencensus-go-exporter-stackdriver/releases)
- [Commits](https://github.com/census-ecosystem/opencensus-go-exporter-stackdriver/compare/v0.13.11...v0.13.12)

---
updated-dependencies:
- dependency-name: contrib.go.opencensus.io/exporter/stackdriver
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-04-20 09:01:35 -05:00
naveensrinivasan
6ed6c9b70e 🌱 Publish images with ko 
- Publish images with ko

https://github.com/ossf/scorecard/issues/744

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
 2022-04-18 10:40:05 -05:00
laurentsimon
f99e1a1552
Schema for BQ table for raw results (#1762) 
* Fix schemas

* updates

* updates

* Schema for BQ table of raw result

* update

* updates

* create utility function only

* update

* updates

* updates

* manifest
 2022-04-15 16:35:01 +00:00
dependabot[bot]
9532e55ee9 🌱 Bump github.com/rhysd/actionlint from 1.6.11 to 1.6.12 
Bumps [github.com/rhysd/actionlint](https://github.com/rhysd/actionlint) from 1.6.11 to 1.6.12.
- [Release notes](https://github.com/rhysd/actionlint/releases)
- [Changelog](https://github.com/rhysd/actionlint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rhysd/actionlint/compare/v1.6.11...v1.6.12)

---
updated-dependencies:
- dependency-name: github.com/rhysd/actionlint
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-04-15 09:13:27 -05:00
dependabot[bot]
6c59ff9bfe 🌱 Bump actions/checkout from 3.0.0 to 3.0.1 
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.0.0 to 3.0.1.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](a12a3943b4...dcd71f6466)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-04-15 05:34:31 -05:00
dependabot[bot]
ebf0d10c33 🌱 Bump cloud.google.com/go/bigquery from 1.30.2 to 1.31.0 
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.30.2 to 1.31.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/bigquery/v1.30.2...spanner/v1.31.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-04-14 09:00:34 -05:00
laurentsimon
4d1c531690
Raw results for license (#1790) 
* Raw results for license

* tests

* tests

* e2e fix

* comment

* fix

* linter
 2022-04-13 18:20:05 -07:00
laurentsimon
c0e41f3a54
Update branches_e2e_test.go (#1838) 2022-04-13 16:45:07 -07:00
laurentsimon
410a145db2
fix (#1837) 2022-04-13 16:00:19 -07:00
Caleb Brown
b00b31646a Split NewLogger into two so we can use a custom logrus instance. 2022-04-13 11:31:06 -05:00
laurentsimon
91202855fd
Fix e2e branch (#1835) 2022-04-13 09:16:38 -07:00
laurentsimon
eedd16d5be linter 2022-04-12 10:54:38 -05:00
laurentsimon
6a48f174ce fix 2022-04-12 10:54:38 -05:00
laurentsimon
4b2c677185 fix 2022-04-12 10:54:38 -05:00
laurentsimon
2873c0d58d e2e for GITHUB_TOKEN 2022-04-12 10:54:38 -05:00
dependabot[bot]
a46313ca8a 🌱 Bump cloud.google.com/go/pubsub from 1.19.0 to 1.20.0 
Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.19.0 to 1.20.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.19.0...pubsub/v1.20.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-04-12 08:50:47 -05:00
dependabot[bot]
fb0c0e1527 🌱 Bump actions/cache from 3.0.1 to 3.0.2 
Bumps [actions/cache](https://github.com/actions/cache) from 3.0.1 to 3.0.2.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](136d96b4ae...48af2dc4a9)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-04-11 07:36:08 -05:00
naveensrinivasan
f9c2f9d79f 🌱 Dependency review action 
Included the https://github.com/actions/dependency-review-action

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
 2022-04-09 14:09:42 -05:00
Azeem Shaikh
333618d0d2
Security-Policy should not run on --local (#1825) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2022-04-07 14:12:22 -05:00
dependabot[bot]
4df16f3350 🌱 Bump codecov/codecov-action from 2.1.0 to 3 
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 2.1.0 to 3.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/master/CHANGELOG.md)
- [Commits](f32b3a3741...e3c560433a)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-04-07 14:55:05 +00:00
dependabot[bot]
b6575a2731 🌱 Bump github.com/rhysd/actionlint from 1.6.10 to 1.6.11 
Bumps [github.com/rhysd/actionlint](https://github.com/rhysd/actionlint) from 1.6.10 to 1.6.11.
- [Release notes](https://github.com/rhysd/actionlint/releases)
- [Changelog](https://github.com/rhysd/actionlint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rhysd/actionlint/compare/v1.6.10...v1.6.11)

---
updated-dependencies:
- dependency-name: github.com/rhysd/actionlint
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-04-07 14:38:43 +00:00
dependabot[bot]
8bc0fe5e83 🌱 Bump contrib.go.opencensus.io/exporter/stackdriver 
Bumps [contrib.go.opencensus.io/exporter/stackdriver](https://github.com/census-ecosystem/opencensus-go-exporter-stackdriver) from 0.13.10 to 0.13.11.
- [Release notes](https://github.com/census-ecosystem/opencensus-go-exporter-stackdriver/releases)
- [Commits](https://github.com/census-ecosystem/opencensus-go-exporter-stackdriver/compare/v0.13.10...v0.13.11)

---
updated-dependencies:
- dependency-name: contrib.go.opencensus.io/exporter/stackdriver
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-04-07 13:45:47 +00:00
Azeem Shaikh
a1e908b6f0
Support Security-Policy with --local (#1822) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2022-04-06 18:39:19 -07:00
noamd
5860896619 detect workflow_run as a dangerous trigger 2022-04-06 07:22:54 -05:00