Spencer Schrock
a8e9050ae0
✨ Optimize SAST check ( #2191 )
...
* Optimize SAST
* Address PR feedback
* split checkruns into separate graphql query
* Enable SAST check in the releasetest cron worker
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2022-08-26 19:53:48 +00:00
Spencer Schrock
11ff78e35c
Deduplicate projects by excluding URL fragments ( #2201 )
2022-08-26 15:35:08 -04:00
dependabot[bot]
b40efd221c
🌱 Bump cloud.google.com/go/bigquery from 1.38.0 to 1.39.0
...
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go ) from 1.38.0 to 1.39.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases )
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md )
- [Commits](https://github.com/googleapis/google-cloud-go/compare/bigquery/v1.38.0...bigquery/v1.39.0 )
---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-08-26 15:03:59 +00:00
Caleb Brown
946003048e
Make the Scalable Scorecards document public. ( #2199 )
2022-08-26 14:27:59 +00:00
dependabot[bot]
fb630a8042
🌱 Bump github/codeql-action from 2.1.20 to 2.1.21 ( #2200 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.1.20 to 2.1.21.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](7fee4ca032...c7f292ea4f
2022-08-26 06:40:40 -05:00
dependabot[bot]
64daafb9ee
🌱 Bump cloud.google.com/go/pubsub from 1.24.0 to 1.25.1 ( #2197 )
...
Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go ) from 1.24.0 to 1.25.1.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases )
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md )
- [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.24.0...pubsub/v1.25.1 )
---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-08-25 10:23:27 -05:00
dependabot[bot]
32d6ba2775
🌱 Bump actions/setup-go from 3.2.1 to 3.3.0 ( #2194 )
...
Bumps [actions/setup-go](https://github.com/actions/setup-go ) from 3.2.1 to 3.3.0.
- [Release notes](https://github.com/actions/setup-go/releases )
- [Commits](84cbf80943...268d8c0ca0
2022-08-24 07:53:48 -05:00
dependabot[bot]
8b3793ac51
🌱 Bump github/codeql-action from 2.1.19 to 2.1.20 ( #2187 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.1.19 to 2.1.20.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](f5d217be74...7fee4ca032
2022-08-23 09:08:36 -05:00
dependabot[bot]
86aa297dc3
🌱 Bump github.com/caarlos0/env/v6 from 6.9.3 to 6.10.0 ( #2188 )
2022-08-23 13:27:24 +00:00
dependabot[bot]
e2813b8e8d
🌱 Bump actions/cache from 3.0.7 to 3.0.8 ( #2184 )
...
Bumps [actions/cache](https://github.com/actions/cache ) from 3.0.7 to 3.0.8.
- [Release notes](https://github.com/actions/cache/releases )
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md )
- [Commits](a7c34adf76...fd5de65bc8
2022-08-22 10:18:23 -05:00
dependabot[bot]
a4d2c01c22
🌱 Bump distroless/base from 49d2923 to 533c15e ( #2185 )
...
Bumps distroless/base from `49d2923` to `533c15e`.
---
updated-dependencies:
- dependency-name: distroless/base
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-08-22 07:35:08 -05:00
dependabot[bot]
af2ee3d73f
🌱 Bump github/codeql-action from 1.0.0 to 2.1.19 ( #2178 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 1.0.0 to 2.1.19.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](https://github.com/github/codeql-action/compare/v1...f5d217be74900c6ac8fbbe53f3c10376ba4e64da )
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-08-20 14:58:53 +00:00
Bill Nottingham
77fa781d07
Check for security polices in RST format at toplevel and .github as well. ( #2180 )
2022-08-19 14:44:05 -07:00
Spencer Schrock
2920b32518
✨ Improved license check ( #2179 )
...
* Add GPL-2.0 to the license check. Restructure tests to avoid duplication
* expand GPL test to be version agnostic
2022-08-19 13:50:17 -07:00
dependabot[bot]
25fd14dfe2
🌱 Bump actions/dependency-review-action from 2.0.4 to 2.1.0 ( #2176 )
...
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action ) from 2.0.4 to 2.1.0.
- [Release notes](https://github.com/actions/dependency-review-action/releases )
- [Commits](94145f3150...23d1ffffb6
2022-08-19 08:45:15 -05:00
Ethan Davis
4a15760da7
Don't error on workflow parse failure in Binary-Artifacts ( #2170 )
2022-08-19 03:44:18 +00:00
laurentsimon
2cbf5afd54
Update .goreleaser.yml ( #2172 )
2022-08-18 16:58:35 -05:00
Azeem Shaikh
f7c0db7377
Update scorecard-action to v2:alpha ( #2171 )
2022-08-18 20:26:48 +00:00
Spencer Schrock
6dcfde9299
🐛 Fix remediation text when Scorecard is run multiple times within a program ( #2168 )
...
* quick fix for wrong info in remediation text
* add test for old, incorrect behavior
* Rename Setup to New
2022-08-17 16:10:49 -05:00
dependabot[bot]
c86a1aad96
🌱 Bump sigstore/cosign-installer from 2.5.0 to 2.5.1 ( #2167 )
...
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer ) from 2.5.0 to 2.5.1.
- [Release notes](https://github.com/sigstore/cosign-installer/releases )
- [Commits](09a077b27e...b3413d484c
2022-08-17 11:08:01 -05:00
Naveen
10b6052acf
🌱 Upgrade to go 1.18 ( #2143 )
...
* 🌱 Upgrade to go 1.18
- Upgrade to go 1.18
- Updated the deps to avoid critical CVE's
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Updated dockerfile.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed the linter issues.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed the CVE dependencies
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Rmoved the cache which is changing between 1.17 and 1.18
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Rmoved the cache which is changing between 1.17 and 1.18
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Updated ko to latest
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed linter issue.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed linter issue.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-08-16 20:55:48 -05:00
laurentsimon
887facf3ca
Use generic generator for SLSA ( #2146 )
...
* update
* update
* update
* update
* update
* update
* update
* update
* update
* update
2022-08-17 00:27:03 +00:00
Azeem Shaikh
60015719e3
Unflag the --commit option ( #2156 )
2022-08-16 23:35:29 +00:00
raghavkaul
ff9c0626ef
🐛 Detect recently created Github repositories ( #2151 )
...
* Bugfix: Detect recently created Github repositories
Adjust the unweighted score -3 points if they were created in the last
90 days
* Address PR comments
* Address PR comments
* Make log message more urgent
* Add to raw results
* Zero 'Maintained' score if the repo is too new to evaluate
* Update docs
* Update maintained_test.go
* Fix lint error
2022-08-16 16:09:46 -07:00
Azeem Shaikh
d2b3496beb
Remove duplicate projects with different casings ( #2155 )
2022-08-16 16:53:55 -05:00
Spencer Schrock
2f253e83c4
🐛 Add scorecard-action to the security-events allowlist in Token Permissions check ( #2153 )
...
* fails tests
* update tests to reflect number of exepected debug msgs (one fewer per workflow)
* Replace strings.Cut usage with strings.Split since we dont use go1.18 yet
* fix number of debug messages in e2e tests. also a result of deduplication of messages in sarif allowlist
2022-08-16 21:05:06 +00:00
dependabot[bot]
2fd81c0356
🌱 Bump cloud.google.com/go/bigquery from 1.37.0 to 1.38.0 ( #2149 )
...
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go ) from 1.37.0 to 1.38.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases )
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md )
- [Commits](https://github.com/googleapis/google-cloud-go/compare/bigquery/v1.37.0...bigquery/v1.38.0 )
---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-08-16 10:54:13 -05:00
Spencer Schrock
8de962e91d
✨ Scorecard returns a non-zero exit code if any check has a runtime error ( #2133 )
...
* return a non-zero exit code if any check has a runtime error
* Fix existing usage of runtime vs inconclusive errors
2022-08-15 20:48:00 +00:00
dependabot[bot]
6f4115d9f0
🌱 Bump step-security/harden-runner from 1.4.4 to 1.4.5 ( #2148 )
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 1.4.4 to 1.4.5.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](74b568e859...dd2c410b08
2022-08-15 06:41:14 -07:00
laurentsimon
777298477c
✨ Favor SLSA provenance over plain signature in Signed-Release ( #2144 )
...
* update
* update
2022-08-12 11:49:32 -07:00
dependabot[bot]
1e1bfabccf
🌱 Bump actions/cache from 3.0.6 to 3.0.7
...
Bumps [actions/cache](https://github.com/actions/cache ) from 3.0.6 to 3.0.7.
- [Release notes](https://github.com/actions/cache/releases )
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md )
- [Commits](f4278025ab...a7c34adf76
2022-08-12 16:59:50 +00:00
Varun Sharma
86d1c7c37a
🐛 Fix bug 2051 ( #2140 )
...
* Fix bug 2051
Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>
* Fix lint errors and add mock code
Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>
* Fix unit test
Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>
Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2022-08-12 16:23:07 +00:00
Avishay Balter
abcd4095bf
✨ Support OneFuzz in fuzzing checks ( #2141 )
...
* add onefuzz
* with link to onefuzz docs
* check.yaml
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2022-08-12 05:42:36 -10:00
Alvaro Frias
0d9b7a1fac
✨ Feature: Improve Dependabot detection through PRs ( #2125 )
...
* clients: Update client type to add SearchCommits function
Signed-off-by: Alvaro Frias Garay <alvaro.frias@eclypsium.com>
* checks/raw: Update Dependency Update Tool check to search for commits made by dependabot in default branch
Signed-off-by: Alvaro Frias Garay <alvaro.frias@eclypsium.com>
* clients/mockclients: Update mock for repoClient to add SearchCommits function mocks
Signed-off-by: Alvaro Frias Garay <alvaro.frias@eclypsium.com>
* checks: Update unit tests for Dependency Update tool with new feature of SearchCommits
Signed-off-by: Alvaro Frias Garay <alvaro.frias@eclypsium.com>
* clients/githubrepo: Update SearchCommitsHandler's buildQuery function & add tests
Add "author:" to the query.
Remove ReplaceAll unused for Author formatting.
Signed-off-by: Alvaro Frias Garay <alvaro.frias@eclypsium.com>
* clients: Add explanatory comment for SearchCommits
Signed-off-by: Alvaro Frias Garay <alvaro.frias@eclypsium.com>
* Clients: Update SearchCommits to return []Commit instead of SearchCommitsResponse
Signed-off-by: Alvaro Frias Garay <alvaro.frias@eclypsium.com>
* checks: Update dependency update tool check according to change by SearchCommits now returning []Commit
Signed-off-by: Alvaro Frias Garay <alvaro.frias@eclypsium.com>
* clients/githubrepo: Add license header
Signed-off-by: Alvaro Frias Garay <alvaro.frias@eclypsium.com>
* clients: Add exported comment & remove unused structs
Signed-off-by: Alvaro Frias Garay <alvaro.frias@eclypsium.com>
* checks/raw: Address rangeValCopy issue when iterating commits
Signed-off-by: Alvaro Frias Garay <alvaro.frias@eclypsium.com>
* clients: Address issue concerning field alignment in User struct
Signed-off-by: Alvaro Frias Garay <alvaro.frias@eclypsium.com>
* clients/githubrepo: Addres line length linter issue
Signed-off-by: Alvaro Frias Garay <alvaro.frias@eclypsium.com>
Signed-off-by: Alvaro Frias Garay <alvaro.frias@eclypsium.com>
Co-authored-by: Alvaro Frias Garay <alvaro.frias@eclypsium.com>
2022-08-11 15:09:21 +00:00
laurentsimon
4e37e796c2
✨ support for SLSA provenance in Signed-Release ( #2131 )
...
* update
* update
* update
* update
2022-08-11 04:30:54 +00:00
Spencer Schrock
2fa6bc2885
🌱 Limit access to registered checks ( #2134 )
...
* Limit access to registered checks except through GetAll() and GetAllForEnvironment()
* Switch names to GetAll and GetAllWithExperimental. Change webhook check to use SCORECARD_EXPERIMENTAL
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2022-08-10 20:11:18 +00:00
Carlos Tadeu Panato Junior
83c07bfd32
🌱 github actions cleanup and set to get the latest go available ( #2135 )
...
* update slsa generator to 1.2.0 and use git hash
Signed-off-by: cpanato <ctadeu@gmail.com>
* update go to get always the latest available and general cleanup
Signed-off-by: cpanato <ctadeu@gmail.com>
Signed-off-by: cpanato <ctadeu@gmail.com>
2022-08-10 08:44:33 -07:00
dependabot[bot]
0eb7cb2d74
🌱 Bump nick-invision/retry from 2.8.0 to 2.8.1 ( #2130 )
...
Bumps [nick-invision/retry](https://github.com/nick-invision/retry ) from 2.8.0 to 2.8.1.
- [Release notes](https://github.com/nick-invision/retry/releases )
- [Changelog](https://github.com/nick-fields/retry/blob/master/.releaserc.js )
- [Commits](616fa81820...b4fa57557d
2022-08-08 06:37:24 -10:00
dependabot[bot]
81b3c5a104
🌱 Bump cloud.google.com/go/bigquery from 1.36.0 to 1.37.0
...
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go ) from 1.36.0 to 1.37.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases )
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md )
- [Commits](https://github.com/googleapis/google-cloud-go/compare/spanner/v1.36.0...bigquery/v1.37.0 )
---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-08-06 14:04:48 +00:00
dependabot[bot]
596a2e1ba4
🌱 Bump actions/cache from 3.0.5 to 3.0.6 ( #2127 )
...
Bumps [actions/cache](https://github.com/actions/cache ) from 3.0.5 to 3.0.6.
- [Release notes](https://github.com/actions/cache/releases )
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md )
- [Commits](0865c47f36...f4278025ab
2022-08-06 08:25:05 -05:00
Spencer Schrock
7f0258ecba
Include an example query for the public BigQuery dataset ( #2123 )
2022-08-04 14:04:52 -05:00
dependabot[bot]
86eff21160
🌱 Bump nick-invision/retry from 2.6.0 to 2.8.0
...
Bumps [nick-invision/retry](https://github.com/nick-invision/retry ) from 2.6.0 to 2.8.0.
- [Release notes](https://github.com/nick-invision/retry/releases )
- [Changelog](https://github.com/nick-fields/retry/blob/master/.releaserc.js )
- [Commits](7f8f3d9f0f...616fa81820
2022-08-04 14:39:28 +00:00
dependabot[bot]
29076cc776
🌱 Bump gocloud.dev from 0.25.0 to 0.26.0 ( #2121 )
...
Bumps [gocloud.dev](https://github.com/google/go-cloud ) from 0.25.0 to 0.26.0.
- [Release notes](https://github.com/google/go-cloud/releases )
- [Commits](https://github.com/google/go-cloud/compare/v0.25.0...v0.26.0 )
---
updated-dependencies:
- dependency-name: gocloud.dev
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-08-04 09:10:15 -05:00
Aiden Wang
8c04788f38
✨ Enhancement: Dependency-diff API optimization - changing the input param changeType from a map to an array ( #2111 )
...
* save
* save
* save
* save
* save
* save
* save
2022-08-03 15:54:26 -07:00
laurentsimon
ae4d09cdd2
feat: Add pom.xml support for sonarype SAST ( #2114 )
...
* update
* update
* comments
2022-08-03 19:57:59 +00:00
Aiden Wang
7de97139f6
✨ Enhancement: adding new entries for GH actions & Pub as ecosystems, typo fixes ( #2109 )
...
* save
* save
* Update mapping.go
* save
* save
* save
2022-08-01 17:58:46 +00:00
Azeem Shaikh
69eb1ccf1d
Fix a bug in cron API data exporting ( #2112 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-07-31 06:59:56 -05:00
dependabot[bot]
89163cc4d4
🌱 Bump google.golang.org/protobuf from 1.28.0 to 1.28.1
...
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go ) from 1.28.0 to 1.28.1.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases )
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash )
- [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.28.0...v1.28.1 )
---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-07-29 16:11:07 +00:00
dependabot[bot]
6813ed1981
🌱 Bump google.golang.org/protobuf in /tools ( #2110 )
...
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go ) from 1.28.0 to 1.28.1.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases )
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash )
- [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.28.0...v1.28.1 )
---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-07-29 10:27:52 -05:00
Aiden Wang
1e0e44a0e8
🐛 Bug fixing: recurring results of the scorecard fuzzing check for go built-in fuzzers ( #2101 )
...
* save
* save
* save
* save
* save
2022-07-28 18:26:23 +00:00
