laurentsimon
86fd966dc4
✨ Don't use the policy filename in SARIF results ( #1373 )
* don't display a policy file
* fix utests
* update msg
* update test
2021-12-10 17:07:32 -08:00
asraa
cfa1593e1c
✨ Add Script Injection to Dangerous-Workflow ( #1368 )
* add dangerous workflow pattern script injection
Signed-off-by: Asra Ali <asraa@google.com>
* add more tests
Signed-off-by: Asra Ali <asraa@google.com>
* update laurent comments
Signed-off-by: Asra Ali <asraa@google.com>
2021-12-09 13:53:55 -08:00
Jamie Magee
777713901e
docs: add installation instructions for mac and linux
2021-12-08 18:27:41 -06:00
Evgeny Vereshchagin
75bcc333de
CI-Tests: look for test-related strings in target urls as well ( #1374 )
Apparently some projects like systemd and bcc put links (containing
the word "Jenkins") to their Jenkins instances in target urls.
https://buildbot.iovisor.org/jenkins/job/bcc-pr/1157/
https://jenkins-systemd.apps.ocp.ci.centos.org/job/upstream-vagrant-archlinux-sanitizers/8288/
It's a follow-up to https://github.com/ossf/scorecard/pull/1293#issuecomment-976384882
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2021-12-08 17:34:28 +00:00
Evgeny Vereshchagin
01ebb0dcf3
Pinned-Dependencies: show where exactly parsing fails ( #1297 )
Looks like due to https://github.com/mvdan/sh/issues/636
scorecard can't parse comments quoted with backticks like
```
cmd -a \
-b `# without backticks -c below would be a separate command` \
-c
```
and fails with something like
```
error parsing shell code: 82:26: reached EOF without closing quote `
```
This PR turns that message into
```
error parsing shell code: vagrant/bootstrap_scripts/arch-sanitizers-clang.sh: 82:26: reached EOF without closing quote `
```
which is a bit more useful.
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2021-12-08 01:52:08 +00:00
laurentsimon
6e013cf67d
✨ Token-Permission: Allow top level permissions not defined if all run level permissions are ( #1356 )
* doc
* allow non defined top level
* fix
* e2e fix
* linter
2021-12-08 01:18:28 +00:00
Evgeny Vereshchagin
2e391503e4
Code-Review: show PRs merged without code review ( #1375 )
to make it easier to figure out whether those PRs are really merged
without code review or whether there is a bug in scorecard like
https://github.com/ossf/scorecard/issues/1260 that prevents it
from finding reviewed PRs. Other than that, the "CI-Tests" check
already shows "untested" PRs so it seems the "Code-Review" check
should follow suit.
2021-12-07 16:47:29 -08:00
Chen
be9a6234b5
Update the Risk of dangerous-workflow ( #1361 )
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-12-07 18:00:36 +00:00
Evgeny Vereshchagin
5043cbcc7c
CI-Tests: no longer fail if there are no check suites ( #1335 )
In PRs like https://github.com/iovisor/bcc/pull/3626 no check suites
are triggered:
```
$ curl --silent -H "Accept: application/vnd.github.v3+json" 3fcf0f1b58/check-runs
{
"total_count": 0,
"check_runs": [
]
}
```
```
curl --silent -H "Accept: application/vnd.github.v3+json" 3fcf0f1b58/check-suites
{
"total_count": 0,
"check_suites": [
]
}
```
The check should just keep going because "statuses" still can be
triggered so it should use them instead:
Closes https://github.com/ossf/scorecard/issues/1285
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-12-07 03:27:59 +00:00
laurentsimon
1aac7aa39c
✨ update log msg for non-pinned actions ( #1370 )
2021-12-06 19:33:27 -06:00
laurentsimon
063d384b6d
move dir ( #1367 )
2021-12-06 17:57:02 +00:00
laurentsimon
023eab671e
✨ Ignore local actions that are not pinned ( #1357 )
* ignore local actions
* missing files
2021-12-06 16:36:42 +00:00
Chris McGehee
38b5199e9e
🐛 Adding line numbers to token-permissions and a couple other places ( #1363 )
* Adding line numbers to token-permissions and a couple other places
* Fix deadlink for security policy
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Co-authored-by: Furkan Türkal <furkan.turkal@trendyol.com>
* Updating formatting
Co-authored-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Co-authored-by: Furkan Türkal <furkan.turkal@trendyol.com>
2021-12-06 10:05:52 -06:00
Batuhan Apaydın
1eb4d0e73e
Fix deadlink for security policy
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Co-authored-by: Furkan Türkal <furkan.turkal@trendyol.com>
2021-12-05 11:26:29 -06:00
laurentsimon
b323cded04
🐛 checks.yml not sync'ed with checks.md ( #1360 )
* update docs
* update
* remove file
* remove improper commit
* fix
2021-12-04 08:56:50 -06:00
laurentsimon
afe55a83c1
🐛 Disable pinning lock file search in repo ( #1315 )
* fix
* linter
* linter
* linter
* comment
2021-12-04 00:44:09 +00:00
Evgeny Vereshchagin
9f7e682fe6
CI-Check: add SemaphoreCI and Packit-as-a-Service ( #1293 )
to make it more likely for some projects to pass the check
https://semaphoreci.com/
https://github.com/marketplace/packit-as-a-service
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2021-12-03 23:33:01 +00:00
Azeem Shaikh
84d169bf23
Use updated clients for local ( #1355 )
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-12-03 15:09:04 -08:00
laurentsimon
aed511670f
✨ Cleanup Branch Protection and add e2e tests ( #1344 )
* BP cleanup
* linter
* e2e fix
* linter
* linter
Co-authored-by: asraa <asraa@google.com>
2021-12-03 21:53:18 +00:00
laurentsimon
3eb2e5aec8
license ( #1350 )
2021-12-03 21:01:38 +00:00
laurentsimon
b8d7a6b722
make critical ( #1348 )
2021-12-03 17:55:54 +00:00
Nanik
45b5a35020
✨ Add new checking for license file availability ( #1178 )
* Add checking logic inside license_check.go
* Add test case license_check_test.go
* Add check information inside checks.yaml
2021-12-03 09:28:27 -08:00
laurentsimon
8cb4804c28
✨ Update action names ( #1346 )
* update action
* add schedule
* comments
* e2e fix
2021-12-03 02:17:00 +00:00
laurentsimon
c3c017bf6f
npm ci only ( #1314 )
2021-12-03 01:37:18 +00:00
laurentsimon
938c637ee0
rem audio files ( #1300 )
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-12-03 00:54:06 +00:00
Varun Sharma
9ab2b20b07
Update verify.yml ( #1325 )
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-12-02 22:11:00 +00:00
Azeem Shaikh
aa558ff2f4
Add parallelism to improve build times ( #1342 )
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-12-02 12:20:27 -08:00
Azeem Shaikh
4d6f2b606b
Relax releasetest constraints ( #1330 )
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-12-01 18:30:14 +00:00
Evgeny Vereshchagin
3cf8b2bfdb
docs: be more specific about what Dependabot brings with it ( #1336 )
It would have helped me to decide whether I needed it or not
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-12-01 17:56:28 +00:00
naveen
ce0802571a
🌱 Fixed the opencontainer image-spec vuln
2021-12-01 11:23:15 -06:00
Arnaud J Le Hors
83ea9bf653
Fix faulty shell file handling ( #1312 )
Parsing errors are meant to be discarded but aren't. This patch
changes the code so that the error is indeed discarded and checking
continues as intended and adds a unit test for it.
Signed-off-by: Arnaud J Le Hors <lehors@us.ibm.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-12-01 16:46:00 +00:00
laurentsimon
2d6bf97dd8
fix ( #1331 )
2021-12-01 14:43:25 +00:00
laurentsimon
fb3d483c7d
✨ Only run license check and not everything ( #1333 )
* remove make all
* pin
* fix
2021-12-01 14:10:42 +00:00
dota17
6a7e314c37
1. Add the check Dangerous-Workflow
2. Fix the typo of rubygems
2021-12-01 07:44:28 -06:00
Varun Sharma
f9b9773e2f
🌱 Secure workflow stale.yml ( #1326 )
* Update stale.yml
* Update stale.yml
* Update stale.yml
* Update stale.yml
2021-11-23 23:33:49 +00:00
Azeem Shaikh
de0cfbec9a
Add a validation step for goreleaser
2021-11-23 13:08:26 -06:00
laurentsimon
a500ba9e83
fix doc ( #1332 )
2021-11-23 00:43:13 +00:00
laurentsimon
736f2e2922
✨ Allow pip install with --require-hashes only ( #1313 )
* allow --require-hashes only
* comment
* rem log
* comment
* att test
* Update checks/shell_download_validate.go
Co-authored-by: Dustin Ingram <di@users.noreply.github.com>
* Update checks/shell_download_validate.go
Co-authored-by: Dustin Ingram <di@users.noreply.github.com>
* Update checks/shell_download_validate.go
Co-authored-by: Oliver Chang <oliverchang@users.noreply.github.com>
* Update checks/shell_download_validate.go
Co-authored-by: Dustin Ingram <di@users.noreply.github.com>
* Update checks/shell_download_validate.go
Co-authored-by: Dustin Ingram <di@users.noreply.github.com>
* Update checks/shell_download_validate.go
Co-authored-by: Dustin Ingram <di@users.noreply.github.com>
* comments
Co-authored-by: Dustin Ingram <di@users.noreply.github.com>
Co-authored-by: Oliver Chang <oliverchang@users.noreply.github.com>
2021-11-23 00:02:56 +00:00
asraa
fd67ddf1c4
🌱 update dangerous workflow to use actionlint ( #1328 )
* update dangerous workflow to use actionlint
Signed-off-by: Asra Ali <asraa@google.com>
* fix nilptr
Signed-off-by: Asra Ali <asraa@google.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-11-22 18:32:27 +00:00
Chris McGehee
9b600bdc69
Skip pinned dependencies check for template Dockerfiles ( #1324 )
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-11-22 16:16:03 +00:00
Chris McGehee
2d8ec84be4
Get OSes from matrix.include if present ( #1323 )
2021-11-22 15:40:17 +00:00
laurentsimon
23b0ddb8aa
fix ( #1316 )
2021-11-20 05:51:11 +00:00
laurentsimon
67c5e933d0
fix ( #1318 )
2021-11-19 21:27:14 -08:00
laurentsimon
fd8731481f
✨ Update score for branch protection with levels ( #1287 )
* draft
* draft2
* fix
* fix
* fix
* test
* linter
* comments
* comment
* update doc
* comments
2021-11-20 01:42:21 +00:00
Evgeny Vereshchagin
9d2976592f
Signed-Releases: really look for *.sign files ( #1298 )
With this patch applied, projects like dracut pass the check:
```
"checks": [
{
"details": [
"Debug: GitHub release found: 055",
"Info: signed release artifact: dracut-055.tar.sign: https://api.github.com/repos/dracutdevs/dracut/releases/assets/37635937 ",
"Debug: GitHub release found: 054",
"Info: signed release artifact: dracut-054.tar.sign: https://api.github.com/repos/dracutdevs/dracut/releases/assets/36958052 ",
"Debug: GitHub release found: 053",
"Info: signed release artifact: dracut-053.tar.sign: https://api.github.com/repos/dracutdevs/dracut/releases/assets/32484038 ",
"Debug: GitHub release found: 052",
"Info: signed release artifact: dracut-052.tar.sign: https://api.github.com/repos/dracutdevs/dracut/releases/assets/32130796 ",
"Debug: GitHub release found: 051",
"Info: signed release artifact: dracut-051.tar.sign: https://api.github.com/repos/dracutdevs/dracut/releases/assets/31933850 "
],
"score": 10,
"reason": "5 out of 5 artifacts are signed -- score normalized to 10",
"name": "Signed-Releases",
```
2021-11-20 00:55:08 +00:00
asraa
730076fab1
🐛 fix dangerous workflow test and workflow parsing ( #1283 )
* fix dangerous workflow
Signed-off-by: Asra Ali <asraa@google.com>
* check if removing label comment fixes
Signed-off-by: Asra Ali <asraa@google.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-11-20 00:16:02 +00:00
Azeem Shaikh
10ee2c069f
Use pull_request_target + protected env for e2e ( #1308 )
Co-authored-by: Azeem Shaikh <azeems@google.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2021-11-19 15:48:31 -08:00
naveen
6e7e13ede4
🌱 Fix vulnerabilities in dependencies
2021-11-19 16:49:56 -06:00
Azeem Shaikh
5025299eb6
Fix issues with CII client ( #1309 )
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-11-19 18:24:43 +00:00
Azeem Shaikh
08a78762da
Run Dangerous-Workflow in release tests ( #1301 )
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-11-18 21:46:32 +00:00