Naveen
af24ed4d7f
🌱 Included codeql check for GitHub Actions ( #988 )
...
Included codeql check for GitHub actions https://github.com/ossf/scorecard/issues/987
2021-09-09 23:02:11 +00:00
laurentsimon
870db56814
Cleanup documentation code ( #981 )
...
* draft 1
* unit tests
* fix
* fixes
* fix
* mod
* comments
* fixes
* rename
* fix
* linter
2021-09-09 22:09:39 +00:00
Nanik
1da121da29
✨ Give low importance to github-owned actions ( #802 ) ( #906 )
...
* Different calculation between github and non-github actions
* Add test case for different kind of github and non-github action
* Modify existing test as score calculation has changed
2021-09-09 12:16:31 -07:00
naveen
576447a45b
🌱 Fix the jwt finding
...
* This fixes the JWT finding CVE-2020-26160
2021-09-08 11:17:40 -05:00
olivekl
924d4d5da9
📖 Update README.md ( #976 )
...
* Update README.md
Minor fixes for clarity.
* Update README.md
* Update README.md
Reinstating "Understanding Scorecard Results" paragraph after accidental deletion.
* Update README.md
Delete test phrase ("DELETE THIS")
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-09-08 08:22:25 -07:00
naveen
2b15b1353b
🌱 Moving tools dependencies to separate go.mod
...
* Moving the tools dependencies to a separate go.mod to reduce the
dependencies on scorecard.
* This also increases the security posture by having fewer dependencies
on the main go.mod
2021-09-07 18:23:41 -05:00
Chris McGehee
1c7ba79435
🐛 Github workflow steps run on Windows should default to pwsh as its shell ( #877 )
...
* Github workflow steps run on Windows should default to pwsh as its shell
* Style change from PR feedback
* Fixing linter error
* MR feedback: simplifying code
* Moving consts to top of file
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
2021-09-07 09:09:20 -07:00
Naveen
a3d63bf324
🌱 Updated actions permission for codeql ( #964 )
...
* Updated the actions permissions for codeql from write to specific
settings. https://github.com/ossf/scorecard/issues/942
2021-09-07 08:52:14 -07:00
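As an added illustration of the change this commit describes (this is example configuration, not the scorecard repository's own workflow file), here is a CodeQL workflow's `permissions` block in its weak form beside a least-privilege form. The specific scopes are an assumption taken from the codeql-action documentation (`security-events: write` to upload SARIF results, `actions: read` and `contents: read` for checkout and workflow metadata); verify them against the action's current README before copying.

```yaml
# Added example, not the scorecard repository's workflow.
# Weak form: every job in the workflow receives a GITHUB_TOKEN that can push
# code, edit releases, modify issues and so on, although CodeQL only needs to
# read the repository and upload its findings.
name: codeql
on: [push, pull_request]
permissions: write-all
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: github/codeql-action/init@v1
      - uses: github/codeql-action/analyze@v1
---
# Least-privilege form: the token is read-only for the whole workflow and is
# elevated only in the one job that uploads results, and only for the scopes
# that job needs (scopes assumed from the codeql-action documentation).
# In production the `uses:` references should additionally be pinned to a
# full commit SHA rather than a mutable tag.
name: codeql
on: [push, pull_request]
permissions: read-all
jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v2
      - uses: github/codeql-action/init@v1
      - uses: github/codeql-action/analyze@v1
```

Keeping the top-level block at `read-all` and granting `security-events: write` at the job level means a compromised or malicious step in any other job still cannot rewrite code-scanning results or touch repository contents.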
dependabot[bot]
942c4cfc25
🌱 Bump crazy-max/ghaction-import-gpg from 3.2.0 to 4 ( #971 )
...
Bumps [crazy-max/ghaction-import-gpg](https://github.com/crazy-max/ghaction-import-gpg ) from 3.2.0 to 4.
- [Release notes](https://github.com/crazy-max/ghaction-import-gpg/releases )
- [Changelog](https://github.com/crazy-max/ghaction-import-gpg/blob/master/CHANGELOG.md )
- [Commits](1c6a9e9d35...8c43807e82)
---
updated-dependencies:
- dependency-name: crazy-max/ghaction-import-gpg
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-09-07 15:24:51 +00:00
dependabot[bot]
0aa4305c61
🌱 Bump github.com/golangci/golangci-lint from 1.42.0 to 1.42.1 ( #973 )
...
Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint ) from 1.42.0 to 1.42.1.
- [Release notes](https://github.com/golangci/golangci-lint/releases )
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md )
- [Commits](https://github.com/golangci/golangci-lint/compare/v1.42.0...v1.42.1 )
---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
2021-09-07 14:59:22 +00:00
neil465
5476b878bd
✨ Removed unnecessary linters ( #969 )
...
* gomnd
* prealloc
* dupl
2021-09-07 10:45:12 -04:00
dependabot[bot]
f2209240a7
🌱 Bump distroless/base in /cron/worker
...
Bumps distroless/base from `19d927c` to `a74f307`.
---
updated-dependencies:
- dependency-name: distroless/base
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
2021-09-06 12:28:54 -05:00
Chris McGehee
29b7bd3885
Parsing GitHub Workflows should only happen on yaml files
2021-09-06 10:51:33 -05:00
Naveen
2ae8910579
📖 Fixed the dead link to the documentation ( #963 )
...
Fixed the dead link to the documentation
2021-09-04 19:21:31 +00:00
neil465
fda87a45bb
Fixed typo reepo to repo
2021-09-04 10:53:19 -05:00
dependabot[bot]
f55b86d662
🌱 Bump peter-evans/slash-command-dispatch from 2.2.1 to 2.3.0 ( #955 )
...
Bumps [peter-evans/slash-command-dispatch](https://github.com/peter-evans/slash-command-dispatch ) from 2.2.1 to 2.3.0.
- [Release notes](https://github.com/peter-evans/slash-command-dispatch/releases )
- [Commits](fc430081ad...40877f718d)
---
updated-dependencies:
- dependency-name: peter-evans/slash-command-dispatch
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-09-03 16:39:23 +00:00
dependabot[bot]
e30d9e5bbc
🌱 Bump gocloud.dev from 0.23.0 to 0.24.0 ( #956 )
...
Bumps [gocloud.dev](https://github.com/google/go-cloud ) from 0.23.0 to 0.24.0.
- [Release notes](https://github.com/google/go-cloud/releases )
- [Commits](https://github.com/google/go-cloud/compare/v0.23.0...v0.24.0 )
---
updated-dependencies:
- dependency-name: gocloud.dev
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-09-03 15:46:28 +00:00
dependabot[bot]
b847d54c66
🌱 Bump distroless/base in /cron/controller ( #961 )
...
Bumps distroless/base from `19d927c` to `a74f307`.
---
updated-dependencies:
- dependency-name: distroless/base
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-09-03 15:27:17 +00:00
nathan-415
062075823c
Updated go get to go install ( #953 )
...
Based on recommendations from the `go` tool.
```
go get: installing executables with 'go get' in module mode is deprecated.
Use 'go install pkg@version' instead.
For more information, see https://golang.org/doc/go-get-install-deprecation
or run 'go help get' or 'go help install'.
```
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
2021-09-03 15:09:32 +00:00
Azeem Shaikh
7b912e8903
Return DefaultBranch as part of ListBranches ( #960 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-09-03 14:40:32 +00:00
Azeem Shaikh
830c4f57db
100k cron job repos ( #958 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-09-02 19:31:55 +00:00
Azeem Shaikh
afe5b40567
Make RepoClient as default interface for Scorecard ( #951 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-09-02 02:32:26 +00:00
flying-cow
1434977ac0
:sparkling: Upgraded to go 1.17
2021-09-01 18:31:44 -04:00
Azeem Shaikh
eceb577b84
Add and use RepoClient API for ListStatuses ( #949 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-09-01 18:34:58 +00:00
Azeem Shaikh
eb2b3b2185
Add RepoClient API for ListCheckRunsForRef ( #948 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-09-01 17:43:53 +00:00
laurentsimon
8f5e742e20
✨ Improve JSON format ( #934 )
...
* support for version
* fix
* fix
* linter
* typo
* fix
2021-09-01 17:29:40 +00:00
dependabot[bot]
b5e4c7797b
🌱 Bump distroless/base from 19d927c to a74f307 ( #945 )
...
Bumps distroless/base from `19d927c` to `a74f307`.
---
updated-dependencies:
- dependency-name: distroless/base
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-09-01 10:15:03 -07:00
dependabot[bot]
992775e641
🌱 Bump distroless/base in /cron/webhook ( #946 )
...
Bumps distroless/base from `19d927c` to `a74f307`.
---
updated-dependencies:
- dependency-name: distroless/base
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-09-01 16:26:27 +00:00
dependabot[bot]
dcbf7528a7
🌱 Bump cloud.google.com/go/bigquery from 1.21.0 to 1.22.0 ( #939 )
...
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go ) from 1.21.0 to 1.22.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases )
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/master/CHANGES.md )
- [Commits](https://github.com/googleapis/google-cloud-go/compare/spanner/v1.21.0...spanner/v1.22.0 )
---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-09-01 16:14:12 +00:00
Azeem Shaikh
dcbfb3ccd2
Fix syntax bug in CloudBuild YAML ( #947 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-09-01 14:35:25 +00:00
Azeem Shaikh
df2acb47e2
Add COMMIT_SHA to Scorecard docker image ( #944 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-09-01 13:28:07 +10:00
Azeem Shaikh
d6b601298c
Specify fractions instead of percentage ( #943 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-09-01 01:23:07 +00:00
Azeem Shaikh
99b9c91570
Use RepoClient API for Packaging check ( #940 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-09-01 01:05:34 +00:00
laurentsimon
bb6e010dc1
✨ Decouple scorecard json from cron json ( #941 )
...
* decouple
* linter
2021-08-31 15:27:29 -07:00
dependabot[bot]
001ba670bb
🌱 Bump github.com/jszwec/csvutil from 1.5.0 to 1.5.1
...
Bumps [github.com/jszwec/csvutil](https://github.com/jszwec/csvutil ) from 1.5.0 to 1.5.1.
- [Release notes](https://github.com/jszwec/csvutil/releases )
- [Commits](https://github.com/jszwec/csvutil/compare/v1.5.0...v1.5.1 )
---
updated-dependencies:
- dependency-name: github.com/jszwec/csvutil
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2021-08-31 08:06:06 -04:00
Azeem Shaikh
d6ba2cd6ac
Fix #890 ( #938 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-30 20:26:11 -07:00
Azeem Shaikh
e305a94e4f
Use ListReleases API for BranchProtection check ( #937 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-30 17:52:08 -07:00
Azeem Shaikh
9a1978a051
Use RefUpdateRule in BranchProtection check ( #936 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-30 23:14:42 +00:00
Azeem Shaikh
d9f5209803
Update test utils ( #933 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-30 14:12:57 -07:00
Chris McGehee
dbb23450e5
✨ Add line number to unpinned dependency: GitHub workflow "uses" field ( #821 )
...
* Display line number for github workflow "uses" field
* Adding test for line numbers
* Updating comment
* Updating this log message to use SARIF format
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2021-08-30 17:03:45 +00:00
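Three commits on this page touch the same workflow-scanning logic: reporting the line number of an unpinned `uses:` reference (this commit, #821), giving GitHub-owned actions lower weight in the score (#802/#906), and treating `pwsh` as the default shell for steps on Windows runners (#877). The following is an added example written for this page, not scorecard's own code, that shows those three behaviours together over a constructed workflow. It is a line-oriented scan rather than a YAML parser (so it keeps line numbers trivially but ignores job-level `defaults.run.shell`), the owner list (`actions`, `github`) and the score weights (5 units for a third-party action, 1 for a GitHub-owned one) are assumptions chosen for illustration, and the 40-hex SHA in the sample is a placeholder.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample workflow (not from any real repository). The SHA below is
// a placeholder, not a real commit. Line numbers are referenced in the output.
const sampleWorkflow = `name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567
      - name: third party
        uses: some-org/some-action@v1
      - run: make build
  win:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v2
      - run: ./build.ps1
      - run: make
        shell: bash
`

// Finding is one `uses:` reference and the facts the checks care about.
type Finding struct {
	Line        int
	Uses        string
	GitHubOwned bool // owner is actions/ or github/ (assumed owner list)
	Pinned      bool // ref is a full 40-hex commit SHA
}

// RunStep is a `run:` step with the shell GitHub will execute it under.
type RunStep struct {
	Line  int
	Shell string // explicit `shell:` if present, otherwise the runner default
}

type Report struct {
	Uses []Finding
	Runs []RunStep
}

var (
	usesRe   = regexp.MustCompile(`^\s*-?\s*uses:\s*["']?([^\s"'#]+)`)
	runsOnRe = regexp.MustCompile(`^\s*runs-on:\s*["']?([^\s"'#]+)`)
	shellRe  = regexp.MustCompile(`^\s*shell:\s*["']?([^\s"'#]+)`)
	runRe    = regexp.MustCompile(`^\s*-?\s*run:\s*\S`)
	sha1Re   = regexp.MustCompile(`^[0-9a-f]{40}$`)
)

// DefaultShell mirrors GitHub's documented defaults: pwsh on Windows runners,
// bash on Linux and macOS runners.
func DefaultShell(runsOn string) string {
	if strings.HasPrefix(strings.ToLower(runsOn), "windows") {
		return "pwsh"
	}
	return "bash"
}

func isGitHubOwned(uses string) bool {
	owner := strings.ToLower(strings.SplitN(uses, "/", 2)[0])
	return owner == "actions" || owner == "github"
}

func isPinned(uses string) bool {
	at := strings.LastIndex(uses, "@")
	return at >= 0 && sha1Re.MatchString(uses[at+1:])
}

// ScanWorkflow walks the YAML line by line so every finding carries the line it
// came from. A pending run step is finalised when the next list item or the
// next job's runs-on appears, which lets a trailing `shell:` override apply.
func ScanWorkflow(yaml string) Report {
	var r Report
	runsOn := ""
	var pending *RunStep
	flush := func() {
		if pending == nil {
			return
		}
		if pending.Shell == "" {
			pending.Shell = DefaultShell(runsOn)
		}
		r.Runs = append(r.Runs, *pending)
		pending = nil
	}
	sc := bufio.NewScanner(strings.NewReader(yaml))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if strings.HasPrefix(strings.TrimSpace(line), "- ") || runsOnRe.MatchString(line) {
			flush() // flush before runsOn changes so the step keeps its own job's runner
		}
		switch {
		case runsOnRe.MatchString(line):
			runsOn = runsOnRe.FindStringSubmatch(line)[1]
		case usesRe.MatchString(line):
			u := usesRe.FindStringSubmatch(line)[1]
			r.Uses = append(r.Uses, Finding{Line: n, Uses: u, GitHubOwned: isGitHubOwned(u), Pinned: isPinned(u)})
		case runRe.MatchString(line):
			pending = &RunStep{Line: n}
		case pending != nil && shellRe.MatchString(line):
			pending.Shell = shellRe.FindStringSubmatch(line)[1]
		}
	}
	flush()
	return r
}

// Score returns a 0-10 pinning score. The weights are an assumption for this
// example and do not reproduce scorecard's real formula: an unpinned
// third-party action costs 5 units, an unpinned GitHub-owned action 1 unit.
func Score(r Report) float64 {
	total, pinned := 0, 0
	for _, f := range r.Uses {
		w := 5
		if f.GitHubOwned {
			w = 1
		}
		total += w
		if f.Pinned {
			pinned += w
		}
	}
	if total == 0 {
		return 10
	}
	return 10 * float64(pinned) / float64(total)
}

func main() {
	r := ScanWorkflow(sampleWorkflow)
	for _, f := range r.Uses {
		if !f.Pinned {
			fmt.Printf("line %d: unpinned %s (github-owned=%v)\n", f.Line, f.Uses, f.GitHubOwned)
		}
	}
	for _, s := range r.Runs {
		fmt.Printf("line %d: run step executes under %s\n", s.Line, s.Shell)
	}
	fmt.Printf("pinning score: %.2f/10\n", Score(r))
}
```

On the sample, the single third-party action dominates the score (1.25/10) even though three of the four references are unpinned, which is the intended effect of down-weighting GitHub-owned actions; the `make` step under the Windows job is reported as `bash` only because of its explicit `shell:` line, while `./build.ps1` falls back to `pwsh`.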
Azeem Shaikh
ee6acdd6a6
Syntax bug in k8s file ( #931 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-30 03:47:04 +00:00
dependabot[bot]
915bad8222
🌱 Bump distroless/base in /cron/worker
...
Bumps distroless/base from `bc84925` to `19d927c`.
---
updated-dependencies:
- dependency-name: distroless/base
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
2021-08-29 23:25:01 -04:00
dependabot[bot]
95c2df2faa
🌱 Bump distroless/base from bc84925 to 19d927c in /cron/bq ( #926 )
...
Bumps distroless/base from `bc84925` to `19d927c`.
---
updated-dependencies:
- dependency-name: distroless/base
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
2021-08-30 02:31:36 +00:00
dependabot[bot]
51016ea8ae
🌱 Bump cloud.google.com/go/pubsub from 1.15.0 to 1.16.0 ( #904 )
...
Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go ) from 1.15.0 to 1.16.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases )
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/master/CHANGES.md )
- [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.15.0...pubsub/v1.16.0 )
---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-08-30 02:00:18 +00:00
Azeem Shaikh
c1edcea194
Use a completion threshold for BQ transfers ( #930 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-29 18:45:22 -07:00
Naveen
f40fa63826
🌱 Included race flag to tests ( #921 )
...
Included the `-race` flag to tests to detect any race conditions.
Especially now that we are using the `sync` package.
2021-08-27 14:17:14 +00:00
dependabot[bot]
d9b4188d08
🌱 Bump distroless/base in /cron/webhook
...
Bumps distroless/base from `bc84925` to `19d927c`.
---
updated-dependencies:
- dependency-name: distroless/base
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
2021-08-27 08:43:15 -05:00
dependabot[bot]
5b74c04e73
🌱 Bump distroless/base in /cron/controller
...
Bumps distroless/base from `bc84925` to `19d927c`.
---
updated-dependencies:
- dependency-name: distroless/base
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
2021-08-26 17:27:54 -05:00
Azeem Shaikh
fe54c5131c
Only call GitHub APIs when needed ( #918 )
...
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-26 22:09:41 +00:00
olivekl
c9a617b236
📖 Expand "Motivation" section ( #924 )
...
* Expand "Motivation" section
Add description of the tool; introduce "checks" as a term used throughout documentation
* Update README.md
2021-08-26 20:53:40 +00:00