Commit Graph

117 Commits

Author SHA1 Message Date
Azeem Shaikh
241b0f4b4d
Mark License, Security-Policy as commit-based (#1711)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-03-04 11:24:06 -06:00
Azeem Shaikh
cda7a1b1d4
Add tests for graphQL costs (#1643)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-15 23:38:23 +00:00
Azeem Shaikh
de5224bbc5
Update e2e tests (#1641)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-15 19:27:45 +00:00
laurentsimon
e7fd58d9a3
Check for secrets in pull_request_target (#1634)
* checks/dangerous_workflow.go: add pull_request_target support for secrets

* missing files

* linter
2022-02-15 16:04:57 +00:00
Azeem Shaikh
1e488a804f
Fix for repos which do not squash PR commits (#1637)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-14 23:33:15 +00:00
Azeem Shaikh
f3332ce129
Add validation for commit-based APIs (#1635)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-14 22:24:35 +00:00
Azeem Shaikh
6930c3ab3b
Add support for commit-based Scorecard (#1613)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-07 19:03:36 -08:00
laurentsimon
9037444513
Raw data for code review check (#1505)
* separate code review's eval and check

* missing file

* add comments

* fix

* fix

* linter

* fixes

* fix

* linter

* linter

* linter

* draft

* fixes

* fixes

* simplify

* update date

* rem comments

* typo

* linter

* typo

* linter
2022-02-02 19:51:38 +00:00
laurentsimon
5f9fff3b20
Separate check from policies for the Vulnerabilities check (#1532)
* raw vulnerabilities seperation
* update year
* missing files
* tests
2022-01-26 15:45:39 -05:00
Stephen Augustus (he/him)
41adfe7f34
⚠️ log: Initial logr/logrusr implementation (#1516)
* log: Initial logr/logrusr implementation

Signed-off-by: Stephen Augustus <foo@auggie.dev>

* log: Update references to `log.Logger`

Signed-off-by: Stephen Augustus <foo@auggie.dev>

* go.mod: Minor reorganization of `replace`s

...to prevent automatic updates from getting added to the smaller
section.

Signed-off-by: Stephen Augustus <foo@auggie.dev>
2022-01-25 11:17:46 -06:00
Stephen Augustus (he/him)
13b78ab010
⚠️ Create a dedicated logging package to encapsulate calls to zap (#1502)
* log: Init log package

Creates a wrapper around existing `zap.Logger` to make it easier
to replace/extend with scorecard logging.

Signed-off-by: Stephen Augustus <foo@auggie.dev>

* log: Replace instances of `zap.Logger` with `log.Logger`

Signed-off-by: Stephen Augustus <foo@auggie.dev>

* log: Add logic to parse `zapcore.Level`s as strings

Signed-off-by: Stephen Augustus <foo@auggie.dev>

* log: Express log levels

Signed-off-by: Stephen Augustus <foo@auggie.dev>

* log: Replace instances of `zapcore.Level` with `log.Level`

Signed-off-by: Stephen Augustus <foo@auggie.dev>

* log: Fixup comments for exported functions

Signed-off-by: Stephen Augustus <foo@auggie.dev>
2022-01-20 15:57:39 -08:00
Azeem Shaikh
f2c57d2590 Migrate to v4 2022-01-12 14:12:09 -06:00
laurentsimon
7a91384f8d
Add line numbers for insecure downloads (#1413)
* add lines for docker files

* support for other constructs

* other insecure patterns

* fixes

* fixes

* comments
2022-01-06 00:13:53 +00:00
naveen
de39061cc5 🌱 Refactor vulnerabilities client 2022-01-04 13:55:58 -06:00
naveen
c8f15a495e 🌱 Refactor the osv check into a interface
Refactor the osv check into a interface for that it can be tested.
2022-01-04 13:55:58 -06:00
laurentsimon
70fa923907
info to debug (#1416) 2021-12-23 17:27:40 -06:00
laurentsimon
6f21258131
reduce score by 1 (#1404) 2021-12-21 17:28:31 +00:00
laurentsimon
f2cee41ca9
[RAW]: dependency update tool (#1391)
* dependency update tool

* rename

* missing files

* add fields

* rm field
2021-12-15 17:02:31 +00:00
laurentsimon
b323cded04
🐛 checks.yml not sync'ed with checks.md (#1360)
* update docs

* update

* remove file

* remove  improper commit

* fix
2021-12-04 08:56:50 -06:00
laurentsimon
afe55a83c1
🐛 Disable pinning lock file search in repo (#1315)
* fix

* linter

* linter

* linter

* comment
2021-12-04 00:44:09 +00:00
laurentsimon
aed511670f
Cleanup Branch Protection and add e2e tests (#1344)
* BP cleanup

* linnter

* e2e fix

* linter

* linter

Co-authored-by: asraa <asraa@google.com>
2021-12-03 21:53:18 +00:00
Nanik
45b5a35020
Add new checking for license file availability (#1178)
* Add checking logic inside license_check.go
    * Add test case license_check_test.go
    * Add check information inside checks.yaml
2021-12-03 09:28:27 -08:00
laurentsimon
8cb4804c28
Update action names (#1346)
* update action

* add schedule

* comments

* e2e fix
2021-12-03 02:17:00 +00:00
laurentsimon
938c637ee0
rem audio files (#1300)
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-12-03 00:54:06 +00:00
laurentsimon
23b0ddb8aa
fix (#1316) 2021-11-20 05:51:11 +00:00
laurentsimon
fd8731481f
Update score for branch protection with levels (#1287)
* draft

* draft2

* fix

* fix

* fix

* test

* linter

* comments

* comment

* update doc

* comments
2021-11-20 01:42:21 +00:00
Azeem Shaikh
2375ae2812
Add a OssFuzzRepoClient (#1280)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-11-17 03:04:37 +00:00
Azeem Shaikh
0b32cc3138
Fix broken e2e tests (#1291)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-11-17 02:41:25 +00:00
laurentsimon
86835fcfd6
🐛 Fix branch protection results (#1252)
* fix

* fix

* doc

* fix

* comment

* update tests

* fix

* fixes

* fix

* disable tests temp

* score change

* fix

* comments

* docs
2021-11-16 17:27:27 +00:00
Azeem Shaikh
71e8698617
Add a cron job to copy CII badges data (#1278)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-11-16 04:23:00 +00:00
asraa
1050b1cd60
Add dangerous workflow check with untrusted code checkout pattern (#1168)
* add dangerous workflow check with untrusted code checkout pattern

Signed-off-by: Asra Ali <asraa@google.com>

* update

Signed-off-by: Asra Ali <asraa@google.com>

* add env var

Signed-off-by: Asra Ali <asraa@google.com>

* fix comment

Signed-off-by: Asra Ali <asraa@google.com>

* add repos git checks.yaml

Signed-off-by: Asra Ali <asraa@google.com>

* update checks.md

Signed-off-by: Asra Ali <asraa@google.com>

* address comments

Signed-off-by: Asra Ali <asraa@google.com>

* fix merge

Signed-off-by: Asra Ali <asraa@google.com>

* add delete

Signed-off-by: Asra Ali <asraa@google.com>

* update docs

Signed-off-by: Asra Ali <asraa@google.com>

Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
2021-11-15 20:18:10 +00:00
Azeem Shaikh
72e20a076c
Add repoClient.Close for all e2e tests (#1265)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-11-15 14:53:01 +11:00
Azeem Shaikh
6223b6620a
Add CIIClient interface (#1262)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-11-15 02:46:41 +00:00
Azeem Shaikh
51de6b6e5d
Check for issue activity in Maintained (#1251)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-11-12 22:16:22 +00:00
Eng Zer Jun
177502552a
🌱 Move from io/ioutil to io and os packages (#1250)
The io/ioutil package has been deprecated as of Go 1.16, see
https://golang.org/doc/go1.16#ioutil. This commit replaces the existing
io/ioutil functions with their new definitions in io and os packages.

Signed-off-by: Eng Zer Jun <zerjun@eta-hd.com>

Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2021-11-12 19:34:46 +00:00
naveen
257d99e1c6 🌱 Fixed the failing tests
The failing tests couldn't be fixed before because the code wasn't up to
date in the last PR.
2021-11-02 12:03:30 -05:00
Oliver Chang
d3796f29b1
Add ClusterFuzzLite to Fuzzing check. (#1166)
* Add ClusterFuzzLite to Fuzzing check.

Check for the existence of ".clusterfuzzlite/Dockerfile".

Fixes #1148.

* comment

Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
2021-10-29 22:33:17 -07:00
naveen
a53245a9fc 🐛 Fix broken e2e tests for Binary Artifacts
Fixed the broken e2e tests for Binary artifacts.
2021-10-29 17:39:37 -05:00
naveen
aa634bd251 🌱 Fixes the broken e2e
Fixes for broken e2e
2021-10-26 20:11:21 -05:00
Naveen
6c1c789dc5
🌱 v3 upgrade changes (#1118)
v3 go.mod changes
2021-10-07 18:16:01 -05:00
Azeem Shaikh
bc37c74b28
Remove Owner/Repo strings from CheckRequest (#997)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-09-10 10:13:14 -07:00
neil465
5476b878bd
Removed unnecessary linters (#969)
* gomnd
* prealloc
* dupl
2021-09-07 10:45:12 -04:00
Azeem Shaikh
afe5b40567
Make RepoClient as default interface for Scorecard (#951)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-09-02 02:32:26 +00:00
Azeem Shaikh
9a1978a051
Use RefUpdateRule in BranchProtection check (#936)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-30 23:14:42 +00:00
Azeem Shaikh
d9f5209803
Update test utils (#933)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-30 14:12:57 -07:00
laurentsimon
9eb7929ebc
🐛 Address friction logs' comments (#899)
* fixes

* fix

* fix

* fixes

* doc

* missing file

* fixes

* comments

* typo
2021-08-25 21:02:23 +00:00
Azeem Shaikh
42ee430332
Use RepoClient API for Fuzzing (#855)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-14 00:34:40 +00:00
Azeem Shaikh
4c585f2e5f
Fix nil pointer bug (#856)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-13 23:42:03 +00:00
Azeem Shaikh
8baaaa4cf8
Use RepoClient API for Contributors check (#854)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-13 18:13:43 +00:00
Azeem Shaikh
b7ddc9ac93
Update go-github version for consistency (#852)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-13 00:43:22 +00:00