Commit Graph

414 Commits

Author SHA1 Message Date
Azeem Shaikh
70d045b9ef
Only pull required branch names (#1965)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-05-27 22:25:24 +00:00
Aiden Wang
3e2c0fa1f8
Update message for org-level security policy files (#1939)
* modified checks/evaluation/security_policy.go (issue #1908)

* issue #1908 fixing temp save 05202022

* issue #1908 bug fixes

* debug comments deletion

* minor modifications

* temp save 0524-1

* temp save 0524-2

* bug fix #1908

* bug fix #1908 (2)

* bug fix #1908 (3)

* #1908

* merge from upstream/main & minor changes

* minor changes -2

* Update security_policy.go

* Update security_policy.go

* Update security_policy.go (linter error fix)

Co-authored-by: Aiden Wang <aidenwang@google.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2022-05-26 15:22:30 +00:00
Azeem Shaikh
25c7e1c7f2
Replace checker.Commit with clients.Commit (#1950)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-05-24 23:11:37 +00:00
Azeem Shaikh
96fac8a941
Replace checker.Vuln with clients.Vuln (#1955)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-05-24 20:15:37 +00:00
Azeem Shaikh
edd371cf7d
Replace checker.BP with clients.BP (#1953)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-05-24 12:34:07 -07:00
Azeem Shaikh
4b655b45ce
Replace checker.Webhook with clients.Webhook (#1948)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-05-24 02:47:12 +00:00
Azeem Shaikh
9a2a4f16bd
Replace checker.Release with clients.Release (#1946)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-05-24 02:05:02 +00:00
Azeem Shaikh
33e3106320
Replace checker.Issue with clients.Issue (#1944)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-05-24 01:07:25 +00:00
laurentsimon
720a049464
updates (#1947)
2022-05-23 21:24:39 +00:00
Azeem Shaikh
1a2f08827f
Replace checker.CIIBadge with clients.CIIBadge (#1945)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-05-23 20:30:56 +00:00
Vihang Mehta
7ac81a334f
🐛Fix debug log for Piper (#1937)
Signed-off-by: Vihang Mehta <vihang@pixielabs.ai>
2022-05-22 23:41:45 +00:00
laurentsimon
2fc48e3b38
Use Tool for raw fuzzing results (#1935)
* updates

* updates
2022-05-21 01:43:09 +00:00
laurentsimon
8d8bcf2f69
Raw results for Fuzzing check (#1917)
* update

* update

* update

* update

* linter

* comments

* comments
2022-05-20 00:55:49 +00:00
laurentsimon
b4700ab5df
Raw results for Contributors check (#1919)
* update

* update

* linter

* linter
2022-05-18 18:13:10 +00:00
Azeem Shaikh
236b296403
Do not fail on empty repositories (#1914)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-05-16 00:41:17 +00:00
laurentsimon
b1ab7eb9bb
Update raw format for Dangerous workflows (#1865)
* updates

* e2e fix

* comments
2022-05-13 19:10:57 -07:00
laurentsimon
0f30f4eec7
Make permission check aware of GH Pages Action (#1902)
* update

* update

* update
2022-05-11 20:41:37 -05:00
Romain Dauby
804127f46a
Upgrade to buildkit 0.10.3
2022-05-10 10:55:48 -05:00
laurentsimon
8c97d46a36
Add custom remediation for workflow permissions/pinned dependencies (#1885)
* draft

* update

* updates

* updates

* updates

* updates

* updates

* updates
2022-05-06 12:52:30 -07:00
Azeem Shaikh
22694dcd41
Support commits reviewed through Piper (#1889)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-05-06 18:41:44 +00:00
Vihang Mehta
72086c9d4c
Add support for Phabricator as a code review system (#1884)
* Add support for Phabricator as a code review system

Signed-off-by: Vihang Mehta <vihang@pixielabs.ai>

* Also look for Differential Revision: to ensure that this repo uses Phabricator

Signed-off-by: Vihang Mehta <vihang@pixielabs.ai>

* Add some unit tests to cover Phabricator Review detection

Signed-off-by: Vihang Mehta <vihang@pixielabs.ai>
2022-05-05 21:48:04 +00:00
laurentsimon
74ea0f4266
🐛 Fix .lib false positives in binary artifacts (#1879)
* ignore printable files

* updates

* e2e tests

* e2e fix

* comments
2022-05-03 13:31:51 -07:00
naveensrinivasan
2cb654102d
⚠️ Removing the pass field from result (#1853)
- Removing the pass field from result
- https://github.com/ossf/scorecard/issues/1393

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-05-03 11:17:47 -05:00
laurentsimon
875b6f694e
🐛 Ignore shell parsing errors when reporting results (#1878)
* ignore parsing errors

* updates
2022-05-02 10:11:50 -07:00
laurentsimon
05d8c01b1c
🐛 Don't look for secrets in pull_request (#1864)
* Remove pull_request

* updates

* updates

* linter and e2e
2022-04-26 18:27:29 -07:00
laurentsimon
ac88460c75
Raw results for best practices badge (#1795)
* Raw results for best practices badge

* updates

* updates

* tests

* comment
2022-04-25 17:04:21 +00:00
Alan Jowett
fe6e0917ac
Support for detecting choco installer without required hash (#1810)
* Initial support for choco installer

https://github.com/ossf/scorecard/issues/1807

Signed-off-by: Alan Jowett <alanjo@microsoft.com>

* PR feedback

Signed-off-by: Alan Jowett <alanjo@microsoft.com>

* Simplify if statement

Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2022-04-25 09:40:35 -07:00
Naveen
44ad5f53ad
⚠️ Removing the error field from result (#1853)
- Removing the error field from result
- https://github.com/ossf/scorecard/issues/1393

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-04-22 23:22:43 +00:00
laurentsimon
4622952c85
Raw results for dangerous workflow (#1849)
* draft

* update

* update

* updates

* comments

* comments

* comments
2022-04-21 22:02:18 +00:00
laurentsimon
f99e1a1552
Schema for BQ table for raw results (#1762)
* Fix schemas

* updates

* updates

* Schema for BQ table of raw result

* update

* updates

* create utility function only

* update

* updates

* updates

* manifest
2022-04-15 16:35:01 +00:00
laurentsimon
4d1c531690
Raw results for license (#1790)
* Raw results for license

* tests

* tests

* e2e fix

* comment

* fix

* linter
2022-04-13 18:20:05 -07:00
Azeem Shaikh
333618d0d2
Security-Policy should not run on --local (#1825)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-04-07 14:12:22 -05:00
Azeem Shaikh
a1e908b6f0
Support Security-Policy with --local (#1822)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-04-06 18:39:19 -07:00
noamd
5860896619
detect workflow_run as a dangerous trigger
2022-04-06 07:22:54 -05:00
laurentsimon
27dbf9c7e5
Raw results for Signed-Release check (#1789)
* Raw results for Signed-Releases

* updates

* linter
2022-04-01 23:13:58 +00:00
Carlos Tadeu Panato Junior
7dcb3cb3e2
checks: add GitHub Webhook check (#1675)
* checks: add GitHub Webhook check

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

* update per feedback

Signed-off-by: cpanato <ctadeu@gmail.com>

* add evaluation code

Signed-off-by: cpanato <ctadeu@gmail.com>

* add feature gate check

Signed-off-by: cpanato <ctadeu@gmail.com>

* fix lint

Signed-off-by: cpanato <ctadeu@gmail.com>
2022-03-31 07:29:59 -07:00
laurentsimon
037a3f3516
Raw result for Maintained check (#1780)
* draft

* draft

* raw results for Maintained check

* updates

* updates

* missing files

* updates

* unit tests

* e2e tests

* tests

* linter

* updates
2022-03-29 16:35:42 +00:00
laurentsimon
363d1bd858
Add comment to update action policy file (#1751)
Add comment to update action policy file if the passing score value is updated
no breaking changes
```release-notes
Add comment to update action policy file if the passing score value is updated
```
2022-03-25 00:42:14 +00:00
laurentsimon
2bbbce75b3
🐛 Discard GitHub token in dangerous workflow check (#1772)
* Discard GitHub token in dangerous workflow check

* missing files
2022-03-23 23:37:23 +00:00
dependabot[bot]
66b3d8ce5c
🌱 Bump github.com/golangci/golangci-lint from 1.44.2 to 1.45.0 in /tools (#1757)
* 🌱 Bump github.com/golangci/golangci-lint in /tools

Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.44.2 to 1.45.0.
- [Release notes](https://github.com/golangci/golangci-lint/releases)
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
- [Commits](https://github.com/golangci/golangci-lint/compare/v1.44.2...v1.45.0)

---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* golangci-lint: Surface and fix as many lint warnings automatically

Signed-off-by: Stephen Augustus <foo@auggie.dev>

* generated: Run golangci-lint with `fix: true`

Signed-off-by: Stephen Augustus <foo@auggie.dev>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Stephen Augustus <foo@auggie.dev>
2022-03-23 02:23:39 +00:00
laurentsimon
b1ab16e80f
Add raw results to cron scans (#1741)
* draft

* updates

* updates

* updates

* updates

* updates

* comments

* comments

* comments

* comments

* comments

* comments
2022-03-18 19:05:14 -07:00
naveensrinivasan
35d31562a0
🌱 Unit tests for pinned_dependencies
- Additional tests for pinned_dependencies
https://github.com/ossf/scorecard/issues/986
2022-03-09 09:53:21 -06:00
Azeem Shaikh
241b0f4b4d
Mark License, Security-Policy as commit-based (#1711)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-03-04 11:24:06 -06:00
naveensrinivasan
4904b317ac
🌱 additional tests for github_workflow
- Additional tests for github_workflow
2022-03-02 20:36:34 -06:00
naveensrinivasan
5e5abdcd09
🌱 Unit tests for github workflow
- Unit tests for github workflow.
https://github.com/ossf/scorecard/issues/986
2022-02-28 20:02:50 -06:00
Stephen Augustus (he/him)
7956ff4fe7
Miscellaneous refactors to ease downstream consumption (#1645)
* checker: Add `NewLogger` constructor for `DetailLogger` impl
* checker: Add `NewRunner` constructor for `Runner`
* cmd: Update to use refactored packages
* cmd: Move command flags and validation into an `options` package
* cmd: Move client accessors to `githubrepo` package
* cmd: Move policy and enabled checks to `policy` package
* cmd: Move results formatting to `format` package
* checker: Prefer `Set` prefixes for setters
* checker: Use `DetailLogger` return value for `NewLogger()`
* checker: Add `GetClients` accessor
* Move `FormatResults` to `pkg/`
* checks: Add getter for all checks

Signed-off-by: Stephen Augustus <foo@auggie.dev>
2022-02-27 02:09:21 +00:00
Chris McGehee
76105194da
📖 Adding missing documentation for Token-Permissions (#1656)
* Adding missing documentation for Token-Permissions

* Make documentation for `actions` more accurate

Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2022-02-25 22:47:11 +00:00
Chris McGehee
808941a4c2
Token-Permissions, Allow contents: write permission only for jobs that are releasing (#1663)
* Token-Permissions, distinguish contents/package

Allowing `contents: write` permission only for jobs that are releasing
jobs, not just packaging jobs.
2022-02-23 00:23:07 +00:00
Azeem Shaikh
e41f8595cb
Generalize CheckFileContent functions (#1670)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-22 17:40:34 -06:00
Azeem Shaikh
f616278a8b
Generalize CheckIfFileExists fn (#1668)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-22 18:50:01 +00:00