Commit Graph

745 Commits

Author SHA1 Message Date
Naveen
af24ed4d7f
🌱 Included codeql check for GitHub Actions (#988)
Included codeql check for GitHub actions https://github.com/ossf/scorecard/issues/987
2021-09-09 23:02:11 +00:00
laurentsimon
870db56814
Cleanup documentation code (#981)
* draft 1

* unit tests

* fix

* fixes

* fix

* mod

* comments

* fixes

* rename

* fix

* linter
2021-09-09 22:09:39 +00:00
Nanik
1da121da29
Give low importance to github-owned actions (#802) (#906)
* Different calculation between github and non-github actions

* Add test cases for different kinds of github and non-github actions

* Modify existing test as score calculation has changed
2021-09-09 12:16:31 -07:00
naveen
576447a45b
🌱 Fix the JWT finding
* This fixes the JWT finding CVE-2020-26160
2021-09-08 11:17:40 -05:00
olivekl
924d4d5da9
📖 Update README.md (#976)
* Update README.md

Minor fixes for clarity.

* Update README.md

* Update README.md

Reinstating "Understanding Scorecard Results" paragraph after accidental deletion.

* Update README.md

Delete test phrase ("DELETE THIS")

Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-09-08 08:22:25 -07:00
naveen
2b15b1353b
🌱 Moving tools dependencies to separate go.mod
* Moving the tools dependencies to a separate go.mod to reduce the
dependencies on scorecard.

* This also increases the security posture by having fewer dependencies
in the main go.mod
2021-09-07 18:23:41 -05:00
Chris McGehee
1c7ba79435
🐛 Github workflow steps run on Windows should default to pwsh as its shell (#877)
* Github workflow steps run on Windows should default to pwsh as its shell

* Style change from PR feedback

* Fixing linter error

* MR feedback: simplifying code

* Moving consts to top of file

Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
2021-09-07 09:09:20 -07:00
Naveen
a3d63bf324
🌱 Updated actions permission for codeql (#964)
* Updated the actions permissions for codeql from write to specific
  settings. https://github.com/ossf/scorecard/issues/942
2021-09-07 08:52:14 -07:00
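The permissions change above is the least-privilege pattern for a CodeQL workflow: drop the blanket write grant on the job token and name only the scopes the code-scanning upload needs. The workflow below is an added example written for this page, not the scorecard repository's own file; the trigger, job layout and action versions are assumptions, and the commented-out `write-all` line stands in for the broad setting the commit replaces.

```yaml
# Added example (not the scorecard repository's workflow): CodeQL with
# least-privilege token scopes.
name: CodeQL
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Weak setting to move away from: every scope of GITHUB_TOKEN granted write.
# permissions: write-all

# Specific scopes CodeQL needs and nothing more.
permissions:
  actions: read          # read workflow run metadata
  contents: read         # check out the repository
  security-events: write # upload SARIF results to code scanning

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: github/codeql-action/init@v1
        with:
          languages: go
      - uses: github/codeql-action/autobuild@v1
      - uses: github/codeql-action/analyze@v1
```

A top-level `permissions:` block applies to every job; a job that needs more (for example `contents: write` to push a release) should declare its own block rather than widening the default for all jobs. The `uses:` references here are version tags for readability; pinning them to full commit SHAs is what the scorecard Pinned-Dependencies check would ask for.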
dependabot[bot]
942c4cfc25
🌱 Bump crazy-max/ghaction-import-gpg from 3.2.0 to 4 (#971)
Bumps [crazy-max/ghaction-import-gpg](https://github.com/crazy-max/ghaction-import-gpg) from 3.2.0 to 4.
- [Release notes](https://github.com/crazy-max/ghaction-import-gpg/releases)
- [Changelog](https://github.com/crazy-max/ghaction-import-gpg/blob/master/CHANGELOG.md)
- [Commits](1c6a9e9d35...8c43807e82)

---
updated-dependencies:
- dependency-name: crazy-max/ghaction-import-gpg
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-09-07 15:24:51 +00:00
dependabot[bot]
0aa4305c61
🌱 Bump github.com/golangci/golangci-lint from 1.42.0 to 1.42.1 (#973)
Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.42.0 to 1.42.1.
- [Release notes](https://github.com/golangci/golangci-lint/releases)
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
- [Commits](https://github.com/golangci/golangci-lint/compare/v1.42.0...v1.42.1)

---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
2021-09-07 14:59:22 +00:00
neil465
5476b878bd
Removed unnecessary linters (#969)
* gomnd
* prealloc
* dupl
2021-09-07 10:45:12 -04:00
dependabot[bot]
f2209240a7
🌱 Bump distroless/base in /cron/worker
Bumps distroless/base from `19d927c` to `a74f307`.

---
updated-dependencies:
- dependency-name: distroless/base
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-09-06 12:28:54 -05:00
Chris McGehee
29b7bd3885
Parsing GitHub Workflows should only happen on yaml files
2021-09-06 10:51:33 -05:00
Naveen
2ae8910579
📖 Fixed the deadlink to the documentation (#963)
Fixed the deadlink to the documentation
2021-09-04 19:21:31 +00:00
neil465
fda87a45bb
Fixed typo reepo to repo
2021-09-04 10:53:19 -05:00
dependabot[bot]
f55b86d662
🌱 Bump peter-evans/slash-command-dispatch from 2.2.1 to 2.3.0 (#955)
Bumps [peter-evans/slash-command-dispatch](https://github.com/peter-evans/slash-command-dispatch) from 2.2.1 to 2.3.0.
- [Release notes](https://github.com/peter-evans/slash-command-dispatch/releases)
- [Commits](fc430081ad...40877f718d)

---
updated-dependencies:
- dependency-name: peter-evans/slash-command-dispatch
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-09-03 16:39:23 +00:00
dependabot[bot]
e30d9e5bbc
🌱 Bump gocloud.dev from 0.23.0 to 0.24.0 (#956)
Bumps [gocloud.dev](https://github.com/google/go-cloud) from 0.23.0 to 0.24.0.
- [Release notes](https://github.com/google/go-cloud/releases)
- [Commits](https://github.com/google/go-cloud/compare/v0.23.0...v0.24.0)

---
updated-dependencies:
- dependency-name: gocloud.dev
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-09-03 15:46:28 +00:00
dependabot[bot]
b847d54c66
🌱 Bump distroless/base in /cron/controller (#961)
Bumps distroless/base from `19d927c` to `a74f307`.

---
updated-dependencies:
- dependency-name: distroless/base
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-09-03 15:27:17 +00:00
nathan-415
062075823c
Updated go get to go install (#953)
Based on recommendations from the `go` tool.
```
go get: installing executables with 'go get' in module mode is deprecated.
	Use 'go install pkg@version' instead.
	For more information, see https://golang.org/doc/go-get-install-deprecation
	or run 'go help get' or 'go help install'.
```

Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
2021-09-03 15:09:32 +00:00
Azeem Shaikh
7b912e8903
Return DefaultBranch as part of ListBranches (#960)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-09-03 14:40:32 +00:00
Azeem Shaikh
830c4f57db
100k cron job repos (#958)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-09-02 19:31:55 +00:00
Azeem Shaikh
afe5b40567
Make RepoClient as default interface for Scorecard (#951)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-09-02 02:32:26 +00:00
flying-cow
1434977ac0
:sparkling: Upgraded to go 1.17
2021-09-01 18:31:44 -04:00
Azeem Shaikh
eceb577b84
Add and use RepoClient API for ListStatuses (#949)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-09-01 18:34:58 +00:00
Azeem Shaikh
eb2b3b2185
Add RepoClient API for ListCheckRunsForRef (#948)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-09-01 17:43:53 +00:00
laurentsimon
8f5e742e20
Improve JSON format (#934)
* support for version

* fix

* fix

* linter

* typo

* fix
2021-09-01 17:29:40 +00:00
dependabot[bot]
b5e4c7797b
🌱 Bump distroless/base from 19d927c to a74f307 (#945)
Bumps distroless/base from `19d927c` to `a74f307`.

---
updated-dependencies:
- dependency-name: distroless/base
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-09-01 10:15:03 -07:00
dependabot[bot]
992775e641
🌱 Bump distroless/base in /cron/webhook (#946)
Bumps distroless/base from `19d927c` to `a74f307`.

---
updated-dependencies:
- dependency-name: distroless/base
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-09-01 16:26:27 +00:00
dependabot[bot]
dcbf7528a7
🌱 Bump cloud.google.com/go/bigquery from 1.21.0 to 1.22.0 (#939)
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.21.0 to 1.22.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/master/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/spanner/v1.21.0...spanner/v1.22.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-09-01 16:14:12 +00:00
Azeem Shaikh
dcbfb3ccd2
Fix syntax bug in CloudBuild YAML (#947)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-09-01 14:35:25 +00:00
Azeem Shaikh
df2acb47e2
Add COMMIT_SHA to Scorecard docker image (#944)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-09-01 13:28:07 +10:00
Azeem Shaikh
d6b601298c
Specify fractions instead of percentage (#943)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-09-01 01:23:07 +00:00
Azeem Shaikh
99b9c91570
Use RepoClient API for Packaging check (#940)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-09-01 01:05:34 +00:00
laurentsimon
bb6e010dc1
Decouple scorecard json from cron json (#941)
* decouple

* linter
2021-08-31 15:27:29 -07:00
dependabot[bot]
001ba670bb
🌱 Bump github.com/jszwec/csvutil from 1.5.0 to 1.5.1
Bumps [github.com/jszwec/csvutil](https://github.com/jszwec/csvutil) from 1.5.0 to 1.5.1.
- [Release notes](https://github.com/jszwec/csvutil/releases)
- [Commits](https://github.com/jszwec/csvutil/compare/v1.5.0...v1.5.1)

---
updated-dependencies:
- dependency-name: github.com/jszwec/csvutil
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-08-31 08:06:06 -04:00
Azeem Shaikh
d6ba2cd6ac
Fix #890 (#938)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-30 20:26:11 -07:00
Azeem Shaikh
e305a94e4f
Use ListReleases API for BranchProtection check (#937)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-30 17:52:08 -07:00
Azeem Shaikh
9a1978a051
Use RefUpdateRule in BranchProtection check (#936)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-30 23:14:42 +00:00
Azeem Shaikh
d9f5209803
Update test utils (#933)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-30 14:12:57 -07:00
Chris McGehee
dbb23450e5
Add line number to unpinned dependency: GitHub workflow "uses" field (#821)
* Display line number for github workflow "uses" field

* Adding test for line numbers

* Updating comment

* Updating this log message to use SARIF format

Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2021-08-30 17:03:45 +00:00
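Three of the workflow-analysis commits on this page describe one kind of logic: reading a GitHub Actions workflow, recording the line number of each `uses:` reference (#821), treating an unpinned GitHub-owned action as less severe than an unpinned third-party one (#802/#906), and knowing that a `run:` step on a Windows runner defaults to `pwsh` (#877). The Go program below is an added example written for this page, not scorecard's implementation. Its assumptions: a line-oriented regular-expression scan stands in for a real YAML parser, "GitHub-owned" means the `actions` or `github` owner, the scoring weights in `Score` are illustrative and not scorecard's formula, and the embedded workflow is constructed sample input.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample workflow (not taken from any repository). Line numbers
// matter: the findings below report them.
const sampleWorkflow = `name: ci
on: [push]
jobs:
  build:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-go@5ed9d2d0a18d31d8b3f6d9c2a4d0d0a9c1b2c3d4
      - uses: docker/login-action@v1
      - uses: crazy-max/ghaction-import-gpg@8c43807e82fa4f0a2f3a7c2b6c1e9d5b3a1c0f9e
      - run: go build ./...
`

// ActionRef is one `uses:` reference found in a workflow file.
type ActionRef struct {
	Line        int    // 1-based line number, so a finding can point at the source
	Repo        string // owner/name[/path]
	Ref         string // whatever follows '@': tag, branch or commit SHA
	Pinned      bool   // true only when Ref is a full 40-hex-char commit SHA
	GitHubOwned bool   // assumption: owner is "actions" or "github"
}

var (
	// Matches "- uses: owner/name@ref" with optional quotes; local (./) and
	// docker:// references carry no '@' and are deliberately skipped.
	usesRe = regexp.MustCompile(`^\s*-?\s*uses:\s*["']?([^@"'\s]+)@([^"'\s]+)`)
	shaRe  = regexp.MustCompile(`^[0-9a-f]{40}$`)
)

// ScanUses walks the workflow text line by line, which is what makes the
// line number of each finding available for free.
func ScanUses(workflow string) []ActionRef {
	var refs []ActionRef
	for i, line := range strings.Split(workflow, "\n") {
		m := usesRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		repo, ref := m[1], m[2]
		owner := strings.SplitN(repo, "/", 2)[0]
		refs = append(refs, ActionRef{
			Line:        i + 1,
			Repo:        repo,
			Ref:         ref,
			Pinned:      shaRe.MatchString(ref),
			GitHubOwned: owner == "actions" || owner == "github",
		})
	}
	return refs
}

// Score shows the "lower importance for GitHub-owned actions" idea with
// hypothetical weights (not scorecard's actual formula): an unpinned
// third-party action costs 2 points out of 10, an unpinned GitHub-owned one
// costs 1, and the result never drops below 0.
func Score(refs []ActionRef) int {
	score := 10
	for _, r := range refs {
		switch {
		case r.Pinned:
		case r.GitHubOwned:
			score -= 1
		default:
			score -= 2
		}
	}
	if score < 0 {
		score = 0
	}
	return score
}

// DefaultShell returns the shell GitHub applies to a `run:` step that sets no
// `shell:` key: pwsh on Windows runners, bash everywhere else.
func DefaultShell(runsOn string) string {
	if strings.HasPrefix(strings.ToLower(runsOn), "windows") {
		return "pwsh"
	}
	return "bash"
}

func main() {
	refs := ScanUses(sampleWorkflow)
	for _, r := range refs {
		fmt.Printf("line %d: %s@%s pinned=%t github-owned=%t\n",
			r.Line, r.Repo, r.Ref, r.Pinned, r.GitHubOwned)
	}
	fmt.Println("score:", Score(refs), "default shell:", DefaultShell("windows-latest"))
}
```

On the sample input the scan reports four references on lines 7 to 10, flags `actions/checkout@v2` and `docker/login-action@v1` as unpinned, and scores 7: the GitHub-owned unpinned action costs one point, the third-party one two. A real check should parse the YAML rather than the raw lines (a `uses:` inside a comment or a multi-line string would fool this regex), which is also why the "only parse .yaml/.yml files" change on this page matters.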
Azeem Shaikh
ee6acdd6a6
Syntax bug in k8s file (#931)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-30 03:47:04 +00:00
dependabot[bot]
915bad8222
🌱 Bump distroless/base in /cron/worker
Bumps distroless/base from `bc84925` to `19d927c`.

---
updated-dependencies:
- dependency-name: distroless/base
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-08-29 23:25:01 -04:00
dependabot[bot]
95c2df2faa
🌱 Bump distroless/base from bc84925 to 19d927c in /cron/bq (#926)
Bumps distroless/base from `bc84925` to `19d927c`.

---
updated-dependencies:
- dependency-name: distroless/base
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
2021-08-30 02:31:36 +00:00
dependabot[bot]
51016ea8ae
🌱 Bump cloud.google.com/go/pubsub from 1.15.0 to 1.16.0 (#904)
Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.15.0 to 1.16.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/master/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.15.0...pubsub/v1.16.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-08-30 02:00:18 +00:00
Azeem Shaikh
c1edcea194
Use a completion threshold for BQ transfers (#930)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-29 18:45:22 -07:00
Naveen
f40fa63826
🌱 Included race flag to tests (#921)
Included the `-race` flag to tests to detect any race conditions,
especially now that we are using the `sync` package.
2021-08-27 14:17:14 +00:00
dependabot[bot]
d9b4188d08
🌱 Bump distroless/base in /cron/webhook
Bumps distroless/base from `bc84925` to `19d927c`.

---
updated-dependencies:
- dependency-name: distroless/base
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-08-27 08:43:15 -05:00
dependabot[bot]
5b74c04e73
🌱 Bump distroless/base in /cron/controller
Bumps distroless/base from `bc84925` to `19d927c`.

---
updated-dependencies:
- dependency-name: distroless/base
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-08-26 17:27:54 -05:00
Azeem Shaikh
fe54c5131c
Only call GitHub APIs when needed (#918)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-26 22:09:41 +00:00
olivekl
c9a617b236
📖 Expand "Motivation" section (#924)
* Expand "Motivation" section

Add description of the tool; introduce "checks" as a term used throughout documentation

* Update README.md
2021-08-26 20:53:40 +00:00