raghavkaul
621449f367
✨ Add CODEOWNERS branch protection check ( #2057 )
* Add CODEOWNERS branch protection check
* Add docs
* Make CODEOWNERS branch protection part of the 'real' score instead of extra-credit
* Fix GitHub checks
* Fix lint issues for `range` operator
* Fix e2e test failure
* Incorporate CODEOWNERS check as part of Code Review checks Level 4
* Fix lint (hopefully?)
* Address PR comments - docs
2022-08-29 12:57:47 -05:00
Spencer Schrock
2f253e83c4
🐛 Add scorecard-action to the security-events allowlist in Token Permissions check ( #2153 )
* fails tests
* update tests to reflect number of expected debug msgs (one fewer per workflow)
* Replace strings.Cut usage with strings.Split since we don't use go1.18 yet
* fix number of debug messages in e2e tests. also a result of deduplication of messages in sarif allowlist
2022-08-16 21:05:06 +00:00
laurentsimon
777298477c
✨ Favor SLSA provenance over plain signature in Signed-Release ( #2144 )
* update
* update
2022-08-12 11:49:32 -07:00
Aiden Wang
8c04788f38
✨ Enhancement: Dependency-diff API optimization - changing the input param changeType from a map to an array ( #2111 )
* save
* save
* save
* save
* save
* save
* save
2022-08-03 15:54:26 -07:00
Aiden Wang
1e0e44a0e8
🐛 Bug fixing: recurring results of the scorecard fuzzing check for go built-in fuzzers ( #2101 )
* save
* save
* save
* save
* save
2022-07-28 18:26:23 +00:00
Aiden Wang
30e3f646e3
✨ Feature: Dependency-diff API optimize: var re-naming, removing unused JSON tags ( #2090 )
* save
* save
* Update dependencydiff_result.go
* save
* save
* save
2022-07-22 18:05:14 -07:00
Aiden Wang
10681dad95
✨ Feature DependencyDiff (Version 0 Part 2) ( #2046 )
* temp
* Update dependencies.go
* Update errors.go
* Update scorecard_results.go
* Update vulnerabilities.go
* save
* temp
* temp
* temp
* temp
* temp
* temp
* temp
* temp
* temp
* temp
* temp
* temp
* temp
* temp
* temp
* temp
* temp
* temp0713-1
* temp0713-2
* temp0713-3
* temp0713-4
* temp0713-4
* temp0713-5
* temp0713-6
* temp0713-7
* temp0713-8
* temp0713-9
* temp0713-10
* temp0713-11
* temp0713-12
* 1
* temp
* temp
* temp
* temp
* temp
* temp
* temp
* temp
* save
* save
* save
* final_commit_before_merge
2022-07-18 19:54:53 +00:00
laurentsimon
838f62f65a
✨ Add raw results for Token-Permissions ( #1912 )
* draft
* update
* update
* draft
* updates
* update
* update
* update
* update
* update
* update
* update
* update
* e2e test for empty repo
* update
* rename structure
* update
2022-07-15 21:48:50 +00:00
laurentsimon
3957460c2b
update ( #2011 )
2022-06-29 10:10:15 -07:00
Aiden Wang
64cd05310b
✨ Support user-defined fuzz functions (GoLang) in fuzzing check ( #1979 )
* temp save 05262022
* finished golang fuzz func check, getLang interface to be done next week
* temp save 05/31/2022
* temp save 06/01/2022
* temp save-2 06/01/2022
* temp save-1 06032022
* temp save-2 06022022
* temp save
* temp save 06032022
* temp save 06032022 (2)
* update err def
* temp save 3
* update docs for fuzzing
* update docs for fuzzing
* update checks.yaml to gen docs
* temp save 0606
* temp save-2 0606
* temp save-3 0606
* temp save-4 0606
* fix linter errors
* fix linter errs-2
* fix e2e errors
* 0608
* 0608-2
Co-authored-by: Aiden Wang <aidenwang@google.com>
2022-06-08 19:17:51 -07:00
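The commit above adds detection of user-defined Go fuzz targets to the Fuzzing check. As an added example, not code from the Scorecard project, here is one way to find such targets with the standard library's go/parser: a file is a candidate only if it is a _test.go file, and a top-level function counts only if it is named Fuzz... (with the same capitalisation rule `go test` applies), has no receiver, and takes a single *testing.F parameter. The FindFuzzFuncs and isFuzzName helpers, the file name and the sample source are all constructed for illustration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
	"unicode"
	"unicode/utf8"
)

// FuzzFunc describes a Go native fuzz target found in a source file.
type FuzzFunc struct {
	File string
	Name string
	Line int
}

// isFuzzName mirrors the naming rule `go test` applies to Test/Fuzz functions:
// the name starts with "Fuzz" and the next character is not lower-case
// (so "Fuzzy" is not a target, while "Fuzz", "FuzzParse" and "Fuzz_x" are).
func isFuzzName(name string) bool {
	if !strings.HasPrefix(name, "Fuzz") {
		return false
	}
	rest := name[len("Fuzz"):]
	if rest == "" {
		return true
	}
	r, _ := utf8.DecodeRuneInString(rest)
	return !unicode.IsLower(r)
}

// isTestingF reports whether expr is the type expression *testing.F.
func isTestingF(expr ast.Expr) bool {
	star, ok := expr.(*ast.StarExpr)
	if !ok {
		return false
	}
	sel, ok := star.X.(*ast.SelectorExpr)
	if !ok {
		return false
	}
	pkg, ok := sel.X.(*ast.Ident)
	return ok && pkg.Name == "testing" && sel.Sel.Name == "F"
}

// FindFuzzFuncs parses one Go file given as text and returns the top-level
// functions that follow the native fuzzing convention: a _test.go file, a
// Fuzz... name, no receiver, and exactly one parameter of type *testing.F.
func FindFuzzFuncs(filename, src string) ([]FuzzFunc, error) {
	if !strings.HasSuffix(filename, "_test.go") {
		return nil, nil
	}
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var found []FuzzFunc
	for _, decl := range file.Decls {
		fn, ok := decl.(*ast.FuncDecl)
		if !ok || fn.Recv != nil || !isFuzzName(fn.Name.Name) {
			continue
		}
		params := fn.Type.Params.List
		// One field with more than one name means more than one parameter.
		if len(params) != 1 || len(params[0].Names) > 1 || !isTestingF(params[0].Type) {
			continue
		}
		found = append(found, FuzzFunc{
			File: filename,
			Name: fn.Name.Name,
			Line: fset.Position(fn.Pos()).Line,
		})
	}
	return found, nil
}

// sampleTestFile is constructed input: one real target plus three look-alikes.
const sampleTestFile = `package parse

import "testing"

func TestParse(t *testing.T) {}

func FuzzParse(f *testing.F) {
	f.Add([]byte("x"))
	f.Fuzz(func(t *testing.T, data []byte) { _ = data })
}

func Fuzzy(f *testing.F) {}

func FuzzHelper(t *testing.T) {}

type suite struct{}

func (suite) FuzzMethod(f *testing.F) {}
`

func main() {
	found, err := FindFuzzFuncs("parse_test.go", sampleTestFile)
	if err != nil {
		panic(err)
	}
	for _, f := range found {
		fmt.Printf("%s:%d %s\n", f.File, f.Line, f.Name)
	}
}
```

Only FuzzParse is reported: Fuzzy fails the name rule, FuzzHelper takes a *testing.T, and FuzzMethod has a receiver. Running the same source under a non-test file name returns nothing, which is the edge case a repository full of Fuzz-named production helpers would otherwise trip.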
laurentsimon
4bd3391a36
✨ Raw results for Pinned-Dependencies ( #1932 )
* backup
* update
* update
* draft
* updates
* updates
* updates
* updates
* fix
* linter
* updates
* updates
* updates
* updates
* updates
* updates
* updates
* linter
* comments
* linter
* linter
* tests
* updates
* updates
* tests
2022-06-06 14:31:22 -07:00
laurentsimon
608da94aaf
✨ Raw results for Packaging check ( #1913 )
* update
* update
* update
* update
* update
* update
* update
* updates
* update
* update
* update
* update
* update
* update
* comments
2022-06-01 16:41:20 +00:00
laurentsimon
0f30f4eec7
✨ Make permission check aware of GH Pages Action ( #1902 )
* update
* update
* update
2022-05-11 20:41:37 -05:00
laurentsimon
74ea0f4266
🐛 Fix .lib false positives in binary artifacts ( #1879 )
* ignore printable files
* updates
* e2e tests
* e2e fix
* comments
2022-05-03 13:31:51 -07:00
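The fix above stops the Binary-Artifacts check from flagging files that merely carry a suspicious extension such as .lib by ignoring printable files. The following is an added example of that heuristic, not Scorecard's own implementation: a file is treated as text when it has no NUL byte, is valid UTF-8, and contains almost no control characters apart from whitespace. The extension list, the 5% control-character threshold, the IsPrintable/IsBinaryArtifact names and the sample contents are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"path/filepath"
	"strings"
	"unicode"
	"unicode/utf8"
)

// binaryExtensions lists extensions that normally hold compiled artifacts.
// ".lib" is ambiguous: MSVC import libraries use it, but so do plain-text
// formats such as Liberty timing libraries, which is where false positives
// came from. Illustrative list, not Scorecard's.
var binaryExtensions = map[string]bool{
	".a": true, ".dll": true, ".exe": true, ".jar": true,
	".lib": true, ".o": true, ".so": true, ".wasm": true,
}

// IsPrintable reports whether content looks like text: no NUL bytes, valid
// UTF-8, and at most 5% control characters other than common whitespace.
func IsPrintable(content []byte) bool {
	if len(content) == 0 {
		return true
	}
	if bytes.IndexByte(content, 0) >= 0 || !utf8.Valid(content) {
		return false
	}
	control, total := 0, 0
	for _, r := range string(content) {
		total++
		switch r {
		case '\t', '\n', '\r', '\f', '\v':
			continue
		}
		if unicode.IsControl(r) {
			control++
		}
	}
	return control*100 <= total*5 // assumed threshold: 5% stray control runes
}

// IsBinaryArtifact flags path only when its extension is on the list and the
// content is not printable text, so a text .lib is no longer reported.
func IsBinaryArtifact(path string, content []byte) bool {
	ext := strings.ToLower(filepath.Ext(path))
	if !binaryExtensions[ext] {
		return false
	}
	return !IsPrintable(content)
}

// Constructed sample contents.
var (
	// A text .lib: a short snippet in the Liberty timing-library syntax.
	textLib = []byte("library(sample) {\n  cell(INV) {\n    area : 1.0;\n  }\n}\n")
	// The first bytes of a PE/COFF-style file: "MZ" followed by NULs and 0xff.
	peBlob = []byte("MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00")
)

type sample struct {
	path    string
	content []byte
}

func main() {
	for _, s := range []sample{
		{"timing/sample.lib", textLib},
		{"build/sample.lib", peBlob},
		{"README.txt", peBlob},
	} {
		fmt.Printf("%-20s binary artifact: %v\n", s.path, IsBinaryArtifact(s.path, s.content))
	}
}
```

The extension check runs first and the content check second, so the cost of reading file contents is only paid for the few files whose extension is on the list; the text .lib is cleared, the PE-style blob with the same extension is still flagged, and README.txt is never considered.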
naveensrinivasan
2cb654102d
⚠️ Removing the pass field from result ( #1853 )
- Removing the pass field from result
- https://github.com/ossf/scorecard/issues/1393
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-05-03 11:17:47 -05:00
laurentsimon
05d8c01b1c
🐛 Don't look for secrets in pull_request ( #1864 )
* Remove pull_request
* updates
* updates
* linter and e2e
2022-04-26 18:27:29 -07:00
Naveen
44ad5f53ad
⚠️ Removing the error field from result ( #1853 )
- Removing the error field from result
- https://github.com/ossf/scorecard/issues/1393
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-04-22 23:22:43 +00:00
laurentsimon
4d1c531690
✨ Raw results for license ( #1790 )
* Raw results for license
* tests
* tests
* e2e fix
* comment
* fix
* linter
2022-04-13 18:20:05 -07:00
laurentsimon
410a145db2
fix ( #1837 )
2022-04-13 16:00:19 -07:00
laurentsimon
eedd16d5be
linter
2022-04-12 10:54:38 -05:00
laurentsimon
4b2c677185
fix
2022-04-12 10:54:38 -05:00
laurentsimon
2873c0d58d
e2e for GITHUB_TOKEN
2022-04-12 10:54:38 -05:00
naveensrinivasan
81133363f0
🌱 e2e for pinned_dependencies for localrepoclient
- e2e for pinned_dependencies for localrepoclient
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-04-05 16:15:17 -05:00
naveensrinivasan
b6b5592629
🌱 e2e for dangerous_workflow local repo
- e2e for dangerous_workflow for localrepoclient.
2022-04-05 15:21:52 -05:00
naveensrinivasan
e8c633a41b
🌱 e2e tests for security policy localrepo
- Included e2e tests for security policy for localrepo client
https://github.com/ossf/scorecard/issues/1353
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-03-31 16:20:16 -05:00
naveensrinivasan
e5f5deb64e
🌱 e2e tests for local repoclient for permissions
- Included e2e tests for local repoclient for permissions.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-03-31 14:52:16 -05:00
naveensrinivasan
0644b18898
🌱 e2e for local repoclient license check
- e2e for local repoclient for license check.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-03-29 14:38:24 -05:00
naveensrinivasan
cacc3e486d
🌱 e2e tests binary artifacts localrepo
- e2e tests for binary artifacts check for localrepo
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-03-29 14:03:12 -05:00
laurentsimon
037a3f3516
✨ Raw result for Maintained check ( #1780 )
* draft
* draft
* raw results for Maintained check
* updates
* updates
* missing files
* updates
* unit tests
* e2e tests
* tests
* linter
* updates
2022-03-29 16:35:42 +00:00
Azeem Shaikh
241b0f4b4d
Mark License, Security-Policy as commit-based ( #1711 )
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-03-04 11:24:06 -06:00
Azeem Shaikh
cda7a1b1d4
Add tests for graphQL costs ( #1643 )
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-15 23:38:23 +00:00
Azeem Shaikh
de5224bbc5
Update e2e tests ( #1641 )
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-15 19:27:45 +00:00
laurentsimon
e7fd58d9a3
✨ Check for secrets in pull_request_target ( #1634 )
* checks/dangerous_workflow.go: add pull_request_target support for secrets
* missing files
* linter
2022-02-15 16:04:57 +00:00
Azeem Shaikh
1e488a804f
Fix for repos which do not squash PR commits ( #1637 )
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-14 23:33:15 +00:00
Azeem Shaikh
f3332ce129
Add validation for commit-based APIs ( #1635 )
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-14 22:24:35 +00:00
Azeem Shaikh
6930c3ab3b
Add support for commit-based Scorecard ( #1613 )
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-07 19:03:36 -08:00
laurentsimon
9037444513
✨ Raw data for code review check ( #1505 )
* separate code review's eval and check
* missing file
* add comments
* fix
* fix
* linter
* fixes
* fix
* linter
* linter
* linter
* draft
* fixes
* fixes
* simplify
* update date
* rem comments
* typo
* linter
* typo
* linter
2022-02-02 19:51:38 +00:00
laurentsimon
5f9fff3b20
✨ Separate check from policies for the Vulnerabilities check ( #1532 )
* raw vulnerabilities separation
* update year
* missing files
* tests
2022-01-26 15:45:39 -05:00
Stephen Augustus (he/him)
41adfe7f34
⚠️ log: Initial logr/logrusr implementation ( #1516 )
* log: Initial logr/logrusr implementation
Signed-off-by: Stephen Augustus <foo@auggie.dev>
* log: Update references to `log.Logger`
Signed-off-by: Stephen Augustus <foo@auggie.dev>
* go.mod: Minor reorganization of `replace`s
...to prevent automatic updates from getting added to the smaller section.
Signed-off-by: Stephen Augustus <foo@auggie.dev>
2022-01-25 11:17:46 -06:00
Stephen Augustus (he/him)
13b78ab010
⚠️ Create a dedicated logging package to encapsulate calls to zap ( #1502 )
* log: Init log package
Creates a wrapper around existing `zap.Logger` to make it easier
to replace/extend with scorecard logging.
Signed-off-by: Stephen Augustus <foo@auggie.dev>
* log: Replace instances of `zap.Logger` with `log.Logger`
Signed-off-by: Stephen Augustus <foo@auggie.dev>
* log: Add logic to parse `zapcore.Level`s as strings
Signed-off-by: Stephen Augustus <foo@auggie.dev>
* log: Express log levels
Signed-off-by: Stephen Augustus <foo@auggie.dev>
* log: Replace instances of `zapcore.Level` with `log.Level`
Signed-off-by: Stephen Augustus <foo@auggie.dev>
* log: Fixup comments for exported functions
Signed-off-by: Stephen Augustus <foo@auggie.dev>
2022-01-20 15:57:39 -08:00
Azeem Shaikh
f2c57d2590
✨ Migrate to v4
2022-01-12 14:12:09 -06:00
laurentsimon
7a91384f8d
✨ Add line numbers for insecure downloads ( #1413 )
* add lines for docker files
* support for other constructs
* other insecure patterns
* fixes
* fixes
* comments
2022-01-06 00:13:53 +00:00
naveen
de39061cc5
🌱 Refactor vulnerabilities client
2022-01-04 13:55:58 -06:00
naveen
c8f15a495e
🌱 Refactor the osv check into a interface
Refactor the osv check into an interface so that it can be tested.
2022-01-04 13:55:58 -06:00
laurentsimon
70fa923907
info to debug ( #1416 )
2021-12-23 17:27:40 -06:00
laurentsimon
6f21258131
reduce score by 1 ( #1404 )
2021-12-21 17:28:31 +00:00
laurentsimon
f2cee41ca9
✨ [RAW]: dependency update tool ( #1391 )
* dependency update tool
* rename
* missing files
* add fields
* rm field
2021-12-15 17:02:31 +00:00
laurentsimon
b323cded04
🐛 checks.yml not sync'ed with checks.md ( #1360 )
* update docs
* update
* remove file
* remove improper commit
* fix
2021-12-04 08:56:50 -06:00
laurentsimon
afe55a83c1
🐛 Disable pinning lock file search in repo ( #1315 )
* fix
* linter
* linter
* linter
* comment
2021-12-04 00:44:09 +00:00
laurentsimon
aed511670f
✨ Cleanup Branch Protection and add e2e tests ( #1344 )
* BP cleanup
* linter
* e2e fix
* linter
* linter
Co-authored-by: asraa <asraa@google.com>
2021-12-03 21:53:18 +00:00