Commit Graph

40 Commits

Author SHA1 Message Date
laurentsimon
838f62f65a
Add raw results for Token-Permissions (#1912)
* draft

* update

* update

* draft

* updates

* update

* update

* update

* update

* update

* update

* update

* update

* e2e test for empty repo

* update

* rename structure

* update
2022-07-15 21:48:50 +00:00
laurentsimon
3957460c2b
update (#2011) 2022-06-29 10:10:15 -07:00
laurentsimon
608da94aaf
Raw results for Packaging check (#1913)
* update

* update

* update

* update

* update

* update

* update

* updates

* update

* update

* update

* update

* update

* update

* comments
2022-06-01 16:41:20 +00:00
laurentsimon
0f30f4eec7
Make permission check aware of GH Pages Action (#1902)
* update

* update

* update
2022-05-11 20:41:37 -05:00
laurentsimon
8c97d46a36
Add custom remediation for workflow permissions/pinned dependencies (#1885)
* draft

* update

* updates

* updates

* updates

* updates

* updates

* updates
2022-05-06 12:52:30 -07:00
dependabot[bot]
66b3d8ce5c
🌱 Bump github.com/golangci/golangci-lint from 1.44.2 to 1.45.0 in /tools (#1757)
* 🌱 Bump github.com/golangci/golangci-lint in /tools

Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.44.2 to 1.45.0.
- [Release notes](https://github.com/golangci/golangci-lint/releases)
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
- [Commits](https://github.com/golangci/golangci-lint/compare/v1.44.2...v1.45.0)

---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* golangci-lint: Surface and fix as many lint warnings automatically

Signed-off-by: Stephen Augustus <foo@auggie.dev>

* generated: Run golangci-lint with `fix: true`

Signed-off-by: Stephen Augustus <foo@auggie.dev>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Stephen Augustus <foo@auggie.dev>
2022-03-23 02:23:39 +00:00
Chris McGehee
76105194da
📖 Adding missing documentation for Token-Permissions (#1656)
* Adding missing documentation for Token-Permissions

* Make documentation for `actions` more accurate

Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2022-02-25 22:47:11 +00:00
Chris McGehee
808941a4c2
Token-Permissions, Allow contents: write permission only for jobs that are releasing (#1663)
* Token-Permissions, distinguish contents/package

Allowing `contents: write` permission only for jobs that are releasing
jobs, not just packaging jobs.
2022-02-23 00:23:07 +00:00
Azeem Shaikh
e41f8595cb
Generalize CheckFileContent functions (#1670)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-22 17:40:34 -06:00
Azeem Shaikh
2b206dc365
Remove Version field from LogMessage (#1640)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-15 18:26:06 +00:00
Azeem Shaikh
2e3e505a8c
Simplify DetailLogger interface (#1628)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-11 15:48:58 -08:00
Azeem Shaikh
6930c3ab3b
Add support for commit-based Scorecard (#1613)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-07 19:03:36 -08:00
Azeem Shaikh
1c95237e4a
Only run allowed checks in different modes (#1579)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-07 16:49:49 -08:00
naveen
f7b329e830 Unit test for all_checks
Addresses https://github.com/ossf/scorecard/issues/435

Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
2022-01-12 17:24:38 -06:00
Azeem Shaikh
f2c57d2590 Migrate to v4 2022-01-12 14:12:09 -06:00
laurentsimon
993e9c1010
update msg (#1457) 2022-01-10 22:22:39 +00:00
laurentsimon
df3d50df76
🐛 Fix score calculation for multiple files (#1401)
* multi file support

* fix multi-files permissions

* change name

* add tests

* use struct for files

* comments

* comment
2021-12-16 23:16:02 +00:00
Chris McGehee
f991fee32d
Adding line numbers for rest of Token-Permessions (and by extension, (#1381)
Packaging)
2021-12-14 04:14:35 +00:00
laurentsimon
6e013cf67d
Token-Permission: Allow top level permissions not defined if all run level permissions are (#1356)
* doc

* allow non defined top level

* fix

* e2e fix

* linter
2021-12-08 01:18:28 +00:00
Chris McGehee
38b5199e9e
🐛 Adding line numbers to token-permissions and a couple other places (#1363)
* Adding line numbers to token-permissions and a couple other places

* Fix deadlink for security policy

Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Co-authored-by: Furkan Türkal <furkan.turkal@trendyol.com>

* Updating formatting

Co-authored-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Co-authored-by: Furkan Türkal <furkan.turkal@trendyol.com>
2021-12-06 10:05:52 -06:00
laurentsimon
cc4949465b
[Check split]: Binary-Artifacts (#1244)
* split binary artifact check

* fix

* missing file

* comments

* linter

* fix

* comments

* linter
2021-11-16 19:57:14 +00:00
laurentsimon
4502dfb557
Reduce false positives in Token-Permissions for contents permission (#1253)
* fix

* tests
2021-11-16 03:03:54 +00:00
Chris McGehee
3dc507b9e1 Using library to parse github workflows 2021-11-08 17:00:40 -06:00
Chris McGehee
f319aca82d Moving github worflow parsing to its own file 2021-11-08 17:00:40 -06:00
Chris McGehee
2006be1819 🐛 Token permission check was failing on non-yaml files 2021-11-04 06:19:10 -05:00
Naveen
6c1c789dc5
🌱 v3 upgrade changes (#1118)
v3 go.mod changes
2021-10-07 18:16:01 -05:00
Azeem Shaikh
e730e911e6
sce.Create -> sce.WithMessage for wrapcheck (#995)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-09-10 15:50:33 +00:00
laurentsimon
6403eb1382
Transition Packaging, SAST, Security-policy, Signed-releases check to the new structured detail format (#887)
* move checks to new format

* fix

* comments

* fix

* comments
2021-08-24 01:44:06 +00:00
laurentsimon
b731f450b9
Transition Vulnerabilities, Permissions, CI-Tests, Dependency-Update-Tool, Code-Reviews to structured details (#889)
* move other checks togit add -u

* more checks

* fixes
2021-08-24 00:54:22 +00:00
laurentsimon
d821ea27ec
improve token permission (#811)
* sarif action

* update
2021-08-05 17:10:34 +00:00
laurentsimon
b2b37161f3
Improve token permission check (#800)
* draft

* draft 2

* draft3

* fix e2e

* comment

* comment

* check codeql

* missing files

* comments

* nit

* update msg

* msg

* nit

* nit

* msg

* e2e

* update doc
2021-08-03 00:56:45 +00:00
Azeem Shaikh
83e9f52501
Enable revive linters which are used in google3 (#793)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-07-31 22:31:34 +00:00
laurentsimon
29594d4294
change signature of FileIfExist and FileContent (#787)
* draft

* add pinning

* remove functions

* typo

* commment

* name
2021-07-30 15:09:52 +00:00
laurentsimon
c48fe4f9ed
Make Token-Permission check more granular (#773)
* draft

* add tests

* add e2e2 tests

* typos

* typo

* fixes

* linter

* use named value

* comments

* comment
2021-07-30 00:13:01 +00:00
Naveen
4d7fb5d748
🌱 Fix the go.mod with v2 upgrade (#716)
The go.mod and the related files weren't t updated with the v2 upgrade.

https://github.com/ossf/scorecard/issues/711

This fix will address the issue.
2021-07-26 13:01:25 -05:00
Azeem Shaikh
9bf1cdc9ce
Update ListFiles API to return error (#746)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-07-25 17:47:36 -07:00
laurentsimon
c741335683
[migration to score] 3: branch protection, frozen-deps, token permissions (#719)
* details-1

* nits

* typo

* commments

* dependabot and binary artifacts checks

* typo

* linter

* missing errors.go

* linter

* merge fix

* branch protection, frozen-deps, token permissions

* linter

* linter
2021-07-21 09:21:43 -07:00
laurentsimon
2c9a05c721
cleanup for token doc and code (#552)
* cleanup

* comment
2021-06-07 18:01:18 +00:00
laurentsimon
d528b6e626
Cleanup code for github tokens #534 (#539)
* missed comments

* comments
2021-06-04 00:12:56 +00:00
laurentsimon
37d979f79b
check for read-only permissions of github token (#534)
* check for read-only permissions of github token

* linter

* linter

* doc

* comments

* commments

* fix

* generate checks.mg

* update license

* linter

* comments

* license

* linter

* missing file

* linter

* license

* cleanup
2021-06-03 16:30:37 -07:00