Commit Graph

1352 Commits

Author SHA1 Message Date
Vihang Mehta
7ac81a334f
🐛Fix debug log for Piper (#1937)
Signed-off-by: Vihang Mehta <vihang@pixielabs.ai>
2022-05-22 23:41:45 +00:00
dependabot[bot]
61f24c053e
🌱 Bump github.com/golangci/golangci-lint in /tools (#1924)
Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.46.0 to 1.46.2.
- [Release notes](https://github.com/golangci/golangci-lint/releases)
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
- [Commits](https://github.com/golangci/golangci-lint/compare/v1.46.0...v1.46.2)

---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-05-22 14:53:42 +00:00
dependabot[bot]
2d72623a6c 🌱 Bump github.com/rhysd/actionlint from 1.6.12 to 1.6.13
Bumps [github.com/rhysd/actionlint](https://github.com/rhysd/actionlint) from 1.6.12 to 1.6.13.
- [Release notes](https://github.com/rhysd/actionlint/releases)
- [Changelog](https://github.com/rhysd/actionlint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rhysd/actionlint/compare/v1.6.12...v1.6.13)

---
updated-dependencies:
- dependency-name: github.com/rhysd/actionlint
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-22 13:49:42 +00:00
dependabot[bot]
7e4cd514fc
🌱 Bump distroless/base in /cron/controller (#1929)
Bumps distroless/base from `764b74b` to `d65ac1a`.

---
updated-dependencies:
- dependency-name: distroless/base
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-05-22 12:55:12 +00:00
laurentsimon
2fc48e3b38
Use Tool for raw fuzzing results (#1935)
* updates

* updates
2022-05-21 01:43:09 +00:00
laurentsimon
af7f865b9d
update (#1926) 2022-05-20 15:59:53 +00:00
dependabot[bot]
399d9974e4 🌱 Bump distroless/base from 764b74b to d65ac1a
Bumps distroless/base from `764b74b` to `d65ac1a`.

---
updated-dependencies:
- dependency-name: distroless/base
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-20 01:41:04 +00:00
laurentsimon
8d8bcf2f69
Raw results for Fuzzing check (#1917)
* update

* update

* update

* update

* linter

* comments

* comments
2022-05-20 00:55:49 +00:00
dependabot[bot]
fb45cd7e9d 🌱 Bump distroless/base in /cron/webhook
Bumps distroless/base from `764b74b` to `d65ac1a`.

---
updated-dependencies:
- dependency-name: distroless/base
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-19 16:45:34 +00:00
dependabot[bot]
c0178f953c 🌱 Bump github.com/google/go-containerregistry
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.8.0 to 0.9.0.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.8.0...v0.9.0)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-19 13:30:10 +00:00
dependabot[bot]
5843c148db 🌱 Bump distroless/base in /cron/worker
Bumps distroless/base from `764b74b` to `d65ac1a`.

---
updated-dependencies:
- dependency-name: distroless/base
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-19 12:54:38 +00:00
laurentsimon
b4700ab5df
Raw results for Contributors check (#1919)
* update

* update

* linter

* linter
2022-05-18 18:13:10 +00:00
Azeem Shaikh
8fdb0e767e
Cron cleanup (#1925)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-05-18 09:48:40 -07:00
dependabot[bot]
fc7157e38a
🌱 Bump actions/dependency-review-action from 1.0.0 to 1.0.1 (#1923)
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 1.0.0 to 1.0.1.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](3f943b86c9...39e692fa32)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-05-18 07:10:22 -05:00
Naveen
bbaf072dd5
⚠️ Remove the oldjson format from cron (#1920)
- removed the old json format from cron
fix https://github.com/ossf/scorecard/pull/1487

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-05-17 17:31:25 -07:00
Appu
e7ef60d7fe
📖 Add information for pinning manfest lists (#1918)
* Add information for pinning manfest lists

Signed-off-by: Appu Goundan <appu@google.com>

* Update checks.md
2022-05-17 10:36:57 -07:00
dependabot[bot]
6406cfd4e3 🌱 Bump actions/setup-go from 3.0.0 to 3.1.0
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3.0.0 to 3.1.0.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](f6164bd8c8...fcdc43634a)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-16 16:52:04 +00:00
Azeem Shaikh
236b296403
Do not fail on empty repositories (#1914)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-05-16 00:41:17 +00:00
laurentsimon
b1ab7eb9bb
Update raw format for Dangerous workflows (#1865)
* updates

* e2e fix

* comments
2022-05-13 19:10:57 -07:00
Scott Ford
cd0470403b
📖 Fixes description for webhook check (#1882)
Signed-off-by: Scott Ford <scott@scottford.io>
2022-05-12 21:14:43 +00:00
Naveen
0275a94a3f
:warn: Remove the old Details field from CheckResult (#1906)
https://github.com/ossf/scorecard/issues/1393

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-05-12 12:58:12 -07:00
naveensrinivasan
b9f333bc2a ⚠️ Remove the pass from the CheckResult
- Remove Pass field from CheckResult

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-05-12 14:03:19 -05:00
dependabot[bot]
f0481647dd 🌱 Bump github.com/caarlos0/env/v6 from 6.9.1 to 6.9.2
Bumps [github.com/caarlos0/env/v6](https://github.com/caarlos0/env) from 6.9.1 to 6.9.2.
- [Release notes](https://github.com/caarlos0/env/releases)
- [Changelog](https://github.com/caarlos0/env/blob/main/.goreleaser.yml)
- [Commits](https://github.com/caarlos0/env/compare/v6.9.1...v6.9.2)

---
updated-dependencies:
- dependency-name: github.com/caarlos0/env/v6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-12 17:13:16 +00:00
dependabot[bot]
74f521fcf2 🌱 Bump mvdan.cc/sh/v3 from 3.4.3 to 3.5.0
Bumps [mvdan.cc/sh/v3](https://github.com/mvdan/sh) from 3.4.3 to 3.5.0.
- [Release notes](https://github.com/mvdan/sh/releases)
- [Changelog](https://github.com/mvdan/sh/blob/master/CHANGELOG.md)
- [Commits](https://github.com/mvdan/sh/compare/v3.4.3...v3.5.0)

---
updated-dependencies:
- dependency-name: mvdan.cc/sh/v3
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-12 14:43:48 +00:00
dependabot[bot]
2b35afc5bb 🌱 Bump github.com/golangci/golangci-lint in /tools
Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.45.2 to 1.46.0.
- [Release notes](https://github.com/golangci/golangci-lint/releases)
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
- [Commits](https://github.com/golangci/golangci-lint/compare/v1.45.2...v1.46.0)

---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-12 02:04:06 +00:00
laurentsimon
0f30f4eec7
Make permission check aware of GH Pages Action (#1902)
* update

* update

* update
2022-05-11 20:41:37 -05:00
dependabot[bot]
2fc6fbb196 🌱 Bump cloud.google.com/go/bigquery from 1.31.0 to 1.32.0
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.31.0 to 1.32.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/spanner/v1.31.0...spanner/v1.32.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-11 08:47:39 -05:00
Romain Dauby
804127f46a Upgrade to buildkit 0.10.3 2022-05-10 10:55:48 -05:00
06kellyjac
c5d787a598 pkg: refactor out scorecard_version 2022-05-10 09:51:55 -05:00
laurentsimon
62e3de5f48
🐛 Remove Options that belong to the Action (#1898)
* updates

* tests
2022-05-09 19:40:15 +00:00
Naveen
7ff4b7e050
⚠️ Removing the confidence field from CheckResult struct (#1896)
- Removing the confidence field from `CheckResult` struct
- https://github.com/ossf/scorecard/issues/1393

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-05-09 17:46:24 +00:00
Arnaud J Le Hors
6d79817e3b
📖 Fix command Usage (#1814)
This changes the cmd Usage text to accurately represents the
supported syntax:

Usage:
  ./scorecard (--repo=<repo> | --local=<folder> | --{npm,pypi,rubygems}=<package_name>)
	 [--checks=check1,...] [--show-details] [flags]
...
      --repo string        repository to check (valid inputs: "owner/repo", "github.com/owner/repo", "https://github.com/owner/repo")
...

Signed-off-by: Arnaud J Le Hors <lehors@us.ibm.com>
2022-05-09 10:23:13 -04:00
Arnaud J Le Hors
815de1819f
📖 Remove erroneous ref to CSV output (#1813) 2022-05-09 12:15:14 +00:00
Azeem Shaikh
5758364c82
Fix bug in Scorecard tag Docker image creation (#1890)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-05-06 20:38:19 +00:00
laurentsimon
8c97d46a36
Add custom remediation for workflow permissions/pinned dependencies (#1885)
* draft

* update

* updates

* updates

* updates

* updates

* updates

* updates
2022-05-06 12:52:30 -07:00
Azeem Shaikh
22694dcd41
Support commits reviewed through Piper (#1889)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-05-06 18:41:44 +00:00
Parth Kanakiya
9a7d030902
Added additional github repositories in projects.csv (#1886)
* Added additional repositories

* Added more repos

* Cleaned the repos
2022-05-06 16:13:50 +00:00
Vihang Mehta
72086c9d4c
Add support for Phabricator as a code review system (#1884)
*  Add support for Phabricator as a code review system

Signed-off-by: Vihang Mehta <vihang@pixielabs.ai>

* Also look for Differential Revision: to ensure that this repo uses Phabricator

Signed-off-by: Vihang Mehta <vihang@pixielabs.ai>

* Add some unit tests to cover Phabricator Review detection

Signed-off-by: Vihang Mehta <vihang@pixielabs.ai>
2022-05-05 21:48:04 +00:00
dependabot[bot]
f779fb8761 🌱 Bump cloud.google.com/go/pubsub from 1.21.0 to 1.21.1
Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.21.0 to 1.21.1.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.21.0...pubsub/v1.21.1)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-05 08:09:14 -05:00
laurentsimon
74ea0f4266
🐛 Fix .lib false positives in binary artifacts (#1879)
* ignore printable files

* updates

* e2e tests

* e2e fix

* comments
2022-05-03 13:31:51 -07:00
naveensrinivasan
2cb654102d ⚠️ Removing the pass field from result (#1853)
- Removing the pass field from result
    - https://github.com/ossf/scorecard/issues/1393

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-05-03 11:17:47 -05:00
laurentsimon
875b6f694e
🐛 Ignore shell parsing errors when reporting results (#1878)
* ignore parsing errors

* updates
2022-05-02 10:11:50 -07:00
dependabot[bot]
e97bf30ef6 🌱 Bump step-security/harden-runner from 1.4.2 to 1.4.3
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 1.4.2 to 1.4.3.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](34cbc43f0b...248ae51c2e)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-02 08:45:02 -05:00
laurentsimon
815de5c351
Propagate error in log (#1875) 2022-04-27 17:41:23 +00:00
dependabot[bot]
2b68f38d16 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.3 to 2.1.4
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.3 to 2.1.4.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.1.3...v2.1.4)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-27 15:44:39 +00:00
dependabot[bot]
3a9f011398 🌱 Bump github.com/google/go-cmp from 0.5.7 to 0.5.8
Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.7 to 0.5.8.
- [Release notes](https://github.com/google/go-cmp/releases)
- [Commits](https://github.com/google/go-cmp/compare/v0.5.7...v0.5.8)

---
updated-dependencies:
- dependency-name: github.com/google/go-cmp
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-27 15:20:00 +00:00
dependabot[bot]
a598b2ae78 🌱 Bump cloud.google.com/go/pubsub from 1.20.0 to 1.21.0
Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.20.0 to 1.21.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.20.0...pubsub/v1.21.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-27 14:39:07 +00:00
dependabot[bot]
ac14ce72c1 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.3 to 2.1.4 in /tools
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.3 to 2.1.4.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.1.3...v2.1.4)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-27 13:56:27 +00:00
laurentsimon
05d8c01b1c
🐛 Don't look for secrets in pull_request (#1864)
* Remove pull_request

* updates

* updates

* linter and e2e
2022-04-26 18:27:29 -07:00
laurentsimon
b304306451
Add token needed for checks in README (#1854)
* check perm doc

* updates
2022-04-26 16:02:02 +00:00