also removes the edited trigger. codecov posts 3 times on each PR,
which causes this action to trigger 3x. It is skipped though, so not a huge deal.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* wip
Signed-off-by: Spencer Schrock <sschrock@google.com>
* try to use jq without quotes
Signed-off-by: Spencer Schrock <sschrock@google.com>
* try to make file another way.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* try using homedir
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add github token to env
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add link to workflow run
Signed-off-by: Spencer Schrock <sschrock@google.com>
* make comment its own job
Signed-off-by: Spencer Schrock <sschrock@google.com>
* fix typo in job context
Signed-off-by: Spencer Schrock <sschrock@google.com>
* typo part 2
Signed-off-by: Spencer Schrock <sschrock@google.com>
* use github-script to get PR SHAs.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* need to go through one more type to get to API response.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* temporarily use monitor action to see the required permissions
Signed-off-by: Spencer Schrock <sschrock@google.com>
* spacing is hard
Signed-off-by: Spencer Schrock <sschrock@google.com>
* remove monitor and apply minimal permissions
the read-all at the top might be too broad, but the monitor doesnt support graphql so best we can do for now.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* try to set the checks
Signed-off-by: Spencer Schrock <sschrock@google.com>
* read the comment body
Signed-off-by: Spencer Schrock <sschrock@google.com>
* try to get around regex syntax error?
Signed-off-by: Spencer Schrock <sschrock@google.com>
* quote comment body
Signed-off-by: Spencer Schrock <sschrock@google.com>
* we want to pass an empty string to the args
Signed-off-by: Spencer Schrock <sschrock@google.com>
* fix the regex string
Signed-off-by: Spencer Schrock <sschrock@google.com>
* rest of repo has upgraded
Signed-off-by: Spencer Schrock <sschrock@google.com>
* seed 15 repos to analyze to start with
Signed-off-by: Spencer Schrock <sschrock@google.com>
* support gitlab repos in scdiff
Signed-off-by: Spencer Schrock <sschrock@google.com>
* rename pr step to config
we also need the checks to run, so update the name to reflect that
Signed-off-by: Spencer Schrock <sschrock@google.com>
* switch from default token to a PAT
By default, the GitHub Action token gets 1000 req/hour.
If running all checks, the before/after each take about 1100 of core quota
A PAT grants 5000/hr so the 2200 required should be fine if used infrequently.
Ideally, the caller will always pass the check they care about into the command
Signed-off-by: Spencer Schrock <sschrock@google.com>
* escape comment body with bash
Signed-off-by: Spencer Schrock <sschrock@google.com>
* setup go manually
Signed-off-by: Spencer Schrock <sschrock@google.com>
* don't need to run on comment delete
Signed-off-by: Spencer Schrock <sschrock@google.com>
* limit scdiff to individuals with repo access
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
14f864bfea not only fixed the --commit-depth option,
but also fixed the default commit depth for GitLab repos. Previously GitLab repos looked
back 20 commits because that was GitLab's default for the commits API. Now, GitLab repos
look back 30 commits, so the proportions of this e2e test changed.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* feat: Integrated paging to allow for querying based on the --commit-depth value provided
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* fix: rework git commits changes for readability
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* fix: add additional commit depth test
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
---------
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* upgrade go.mod to 1.21
Signed-off-by: Spencer Schrock <sschrock@google.com>
* use slices from stdlib
Signed-off-by: Spencer Schrock <sschrock@google.com>
* use max/min builtins
Signed-off-by: Spencer Schrock <sschrock@google.com>
* multierrors
possibly spin this off into its own PR
Signed-off-by: Spencer Schrock <sschrock@google.com>
* dont call rand.Seed
As of Go 1.20, the generator is seeded randomly at startup.
https://pkg.go.dev/math/rand#Seed
Signed-off-by: Spencer Schrock <sschrock@google.com>
* update minimum Go version in documentation
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
actions which influence the build/release process are excluded.
dependabot will send individual updates for those.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* switch ossfuzz test to smaller repo
tensorflow/tensorflow is huge, and this causes the test to take forever.
locally this reduces the test time from 17 to 2.4 seconds
Signed-off-by: Spencer Schrock <sschrock@google.com>
* reuse scorecard results for scorecard attestor policies
previously this test took 27 seconds locally, and now takes 8.
which is split across 3 subtests:
good repos: 1s
bad repos: 5s
code review policies: 2s
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Continue on error detecting OS
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Add tests for error detecting OS
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Add ElementError to identify elements that errored
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Add Incomplete field to PinningDependenciesData
Will store all errors handled during analysis, which may lead to incomplete results.
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Register job steps that errored out
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Add tests that incomplete steps are caught
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Add warnings to details about incomplete steps
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Add tests that incomplete steps generate warnings
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Register shell files skipped due to parser errors
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Add tests showing when parser errors affect analysis
Dockerfile pinning is not affected.
Everything in a 'broken' Dockerfile RUN block is ignored
Everything in a 'broken' shell script is ignored
testdata/script-invalid.sh modified to demonstrate the above
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Incomplete results logged as Info, not Warn
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Remove `Type` from logging of incomplete results
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Update tests after rebase
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Add Unwrap for ElementError, improve its docs
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Add ElementError case to evaluation unit test
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Move ElementError to checker/raw_result
checker/raw_result defines types used to describe analysis results.
ElementError is meant to describe potential flaws in the analysis
and is therefore a sort of analysis result itself.
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Use finding.Location for ElementError.Element
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Use an ElementError for script parser errors
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Replace .Incomplete []error with .ProcessingErrors []ElementError
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Adopt from reviewer comments
- Replace ElementError's `Element *finding.Location`
with `Location finding.Location`
- Rename ErrorJobOSParsing to ErrJobOSParsing to satisfy linter
- Fix unit test
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
---------
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
For now, this is just producing very long detail strings.
Probably negatively affecting cron results
Signed-off-by: Spencer Schrock <sschrock@google.com>
Individual maintainer assignments within CODEOWNERS mean that we
cannot take advantage of GitHub code review distribution schemes
for team review assignments.
In this commit, we switch to team assignments within CODEOWNERS.
A common complaint with this approach is that unless you are a part
of the GitHub organization, you will not be able to view a team's
membership/understand who the maintainers of a project are.
To provide visibility into the maintainer list, we've added a
MAINTAINERS.md here as well.
Signed-off-by: Stephen Augustus <foo@auggie.dev>
* 🌱 convert vulnerabilities check to probe
Signed-off-by: AdamKorcz <adam@adalogics.com>
* rename probe + nits
Signed-off-by: AdamKorcz <adam@adalogics.com>
* edit def.yml
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Add vuln ID dynamically to def.yml
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Elaborate the purpose of test data in unit test
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Move logging out of loop and change logic of negativeFindings()
Signed-off-by: AdamKorcz <adam@adalogics.com>
* preserve number of vulns found in output
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Preserve grouping of vulns
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix linter issues
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Add remediation data
Signed-off-by: AdamKorcz <adam@adalogics.com>
* use checker.LogFindings()
Signed-off-by: AdamKorcz <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
