ossf/scorecard
1
1
Fork 0
mirror of https://github.com/ossf/scorecard.git synced 2024-09-19 04:57:14 +03:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
1,160 Commits 36 Branches 42 Tags 436 MiB
bba55d4257
Commit Graph

1160 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
laurentsimon
b8d7a6b722
make critical (#1348) 2021-12-03 17:55:54 +00:00
Nanik
45b5a35020
Add new checking for license file availability (#1178) 
* Add checking logic inside license_check.go
    * Add test case license_check_test.go
    * Add check information inside checks.yaml
 2021-12-03 09:28:27 -08:00
laurentsimon
8cb4804c28
Update action names (#1346) 
* update action

* add schedule

* comments

* e2e fix
 2021-12-03 02:17:00 +00:00
laurentsimon
c3c017bf6f
npm ci only (#1314) 2021-12-03 01:37:18 +00:00
laurentsimon
938c637ee0
rem audio files (#1300) 
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
 2021-12-03 00:54:06 +00:00
Varun Sharma
9ab2b20b07
Update verify.yml (#1325) 
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
 2021-12-02 22:11:00 +00:00
Azeem Shaikh
aa558ff2f4
Add parallelism to improve build times (#1342) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2021-12-02 12:20:27 -08:00
Azeem Shaikh
4d6f2b606b
Relax releasetest constraints (#1330) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2021-12-01 18:30:14 +00:00
Evgeny Vereshchagin
3cf8b2bfdb
docs: be more specific about what Dependabot brings with it (#1336) 
It would have helped me to decide whether I needed it or not

Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
 2021-12-01 17:56:28 +00:00
naveen
ce0802571a 🌱 Fixed the opencontainer image-spec vuln 2021-12-01 11:23:15 -06:00
Arnaud J Le Hors
83ea9bf653
Fix faulty shell file handling (#1312) 
Parsing errors are meant to be discarded but aren't. This patch
changes the code so that the error is indeed discarded and checking
continues as intended and adds a unit test for it.

Signed-off-by: Arnaud J Le Hors <lehors@us.ibm.com>

Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
 2021-12-01 16:46:00 +00:00
laurentsimon
2d6bf97dd8
fix (#1331) 2021-12-01 14:43:25 +00:00
laurentsimon
fb3d483c7d
Only run license check and not everything (#1333) 
* remove make all

* pin

* fix
 2021-12-01 14:10:42 +00:00
dota17
6a7e314c37 1.Add the check Dangerous-Workflow 
2.Fix the typo of rubygems
 2021-12-01 07:44:28 -06:00
Varun Sharma
f9b9773e2f
🌱 Secure workflow stale.yml (#1326) 
* Update stale.yml

* Update stale.yml

* Update stale.yml

* Update stale.yml
 2021-11-23 23:33:49 +00:00
Azeem Shaikh
de0cfbec9a Add a validation step for goreleaser 2021-11-23 13:08:26 -06:00
laurentsimon
a500ba9e83
fix doc (#1332) 2021-11-23 00:43:13 +00:00
laurentsimon
736f2e2922
Allow pip install with --require-hashes only (#1313) 
* allow --require-hashes only

* comment

* rem log

* comment

* att test

* Update checks/shell_download_validate.go

Co-authored-by: Dustin Ingram <di@users.noreply.github.com>

* Update checks/shell_download_validate.go

Co-authored-by: Dustin Ingram <di@users.noreply.github.com>

* Update checks/shell_download_validate.go

Co-authored-by: Oliver Chang <oliverchang@users.noreply.github.com>

* Update checks/shell_download_validate.go

Co-authored-by: Dustin Ingram <di@users.noreply.github.com>

* Update checks/shell_download_validate.go

Co-authored-by: Dustin Ingram <di@users.noreply.github.com>

* Update checks/shell_download_validate.go

Co-authored-by: Dustin Ingram <di@users.noreply.github.com>

* comments

Co-authored-by: Dustin Ingram <di@users.noreply.github.com>
Co-authored-by: Oliver Chang <oliverchang@users.noreply.github.com>
 2021-11-23 00:02:56 +00:00
asraa
fd67ddf1c4
🌱 update dangerous workflow to use actionlint (#1328) 
* update dangerous workflow to use actionlint

Signed-off-by: Asra Ali <asraa@google.com>

* fix nilptr

Signed-off-by: Asra Ali <asraa@google.com>

Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
 2021-11-22 18:32:27 +00:00
Chris McGehee
9b600bdc69
Skip pinned dependencies check for template Dockerfiles (#1324) 
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
 2021-11-22 16:16:03 +00:00
Chris McGehee
2d8ec84be4
Get OSes from matrix.include if present (#1323) 2021-11-22 15:40:17 +00:00
laurentsimon
23b0ddb8aa
fix (#1316) 2021-11-20 05:51:11 +00:00
laurentsimon
67c5e933d0
fix (#1318) 2021-11-19 21:27:14 -08:00
laurentsimon
fd8731481f
Update score for branch protection with levels (#1287) 
* draft

* draft2

* fix

* fix

* fix

* test

* linter

* comments

* comment

* update doc

* comments
 2021-11-20 01:42:21 +00:00
Evgeny Vereshchagin
9d2976592f
Signed-Releases: really look for *.sign files (#1298) 
With this patch applied projects like dracut pass the check:
```
  "checks": [
    {
      "details": [
        "Debug: GitHub release found: 055",
        "Info: signed release artifact: dracut-055.tar.sign: https://api.github.com/repos/dracutdevs/dracut/releases/assets/37635937",
        "Debug: GitHub release found: 054",
        "Info: signed release artifact: dracut-054.tar.sign: https://api.github.com/repos/dracutdevs/dracut/releases/assets/36958052",
        "Debug: GitHub release found: 053",
        "Info: signed release artifact: dracut-053.tar.sign: https://api.github.com/repos/dracutdevs/dracut/releases/assets/32484038",
        "Debug: GitHub release found: 052",
        "Info: signed release artifact: dracut-052.tar.sign: https://api.github.com/repos/dracutdevs/dracut/releases/assets/32130796",
        "Debug: GitHub release found: 051",
        "Info: signed release artifact: dracut-051.tar.sign: https://api.github.com/repos/dracutdevs/dracut/releases/assets/31933850"
      ],
      "score": 10,
      "reason": "5 out of 5 artifacts are signed -- score normalized to 10",
      "name": "Signed-Releases",
```
 2021-11-20 00:55:08 +00:00
asraa
730076fab1
🐛 fix dangerous workflow test and workflow parsing (#1283) 
* fix dangerous workflow

Signed-off-by: Asra Ali <asraa@google.com>

* check if removing label comment fixes

Signed-off-by: Asra Ali <asraa@google.com>

Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
 2021-11-20 00:16:02 +00:00
Azeem Shaikh
10ee2c069f
Use pull_request_target + protected env for e2e (#1308) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
 2021-11-19 15:48:31 -08:00
naveen
6e7e13ede4 🌱 Fix vulnerabilities in dependencies 2021-11-19 16:49:56 -06:00
Azeem Shaikh
5025299eb6
Fix issues with CII client (#1309) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2021-11-19 18:24:43 +00:00
Azeem Shaikh
08a78762da
Run Dangerous-Workflow in release tests (#1301) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2021-11-18 21:46:32 +00:00
Azeem Shaikh
89b316c64d
Use blob-based CII client in cron job (#1284) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2021-11-19 08:02:06 +11:00
Azeem Shaikh
9878c4e61e
Randomize the repos tested during release test (#1299) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2021-11-18 17:04:07 +00:00
Azeem Shaikh
e15e7b1ca5
More nilptr issues (#1296) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2021-11-18 05:27:06 +00:00
Evgeny Vereshchagin
b4e32052fe
ci: drop trailing whitespaces (#1292) 
This should help to prevent various linters from complaining about
trailing whitespaces when the file is copy-pasted to other repositories:
```
.github/workflows/scorecard-analysis.yml:2: trailing whitespace.
+on:
.github/workflows/scorecard-analysis.yml:18: trailing whitespace.
+
.github/workflows/scorecard-analysis.yml:40: trailing whitespace.
+
```
 2021-11-17 20:40:53 +00:00
Azeem Shaikh
8fae5b10bd
Fix more nil-ptr dereferences (#1295) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2021-11-17 20:00:40 +00:00
Naveen
0339eeadc2
🌱 Fix integration test runs (#1286) 2021-11-17 03:36:39 +00:00
Azeem Shaikh
2375ae2812
Add a OssFuzzRepoClient (#1280) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2021-11-17 03:04:37 +00:00
Azeem Shaikh
0b32cc3138
Fix broken e2e tests (#1291) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2021-11-17 02:41:25 +00:00
Evgeny Vereshchagin
0bd575641d
Binary-Artifacts: no longer complain about ".bin" files (#1288) 
Those files most likely contain binary data used by tests for
example. It should be safe to remove this because executables
disguised as ".bin" files will still be caught and flagged by scorecard
before it even have a chance to look at extensions.

It should address https://github.com/ossf/scorecard/issues/1256
 2021-11-17 01:08:25 +00:00
laurentsimon
cc4949465b
[Check split]: Binary-Artifacts (#1244) 
* split binary artifact check

* fix

* missing file

* comments

* linter

* fix

* comments

* linter
 2021-11-16 19:57:14 +00:00
Chris McGehee
4bd24b8291
Including line number: Dockerfile FROM not pinned (#1258) 
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
 2021-11-16 18:28:51 +00:00
laurentsimon
86835fcfd6
🐛 Fix branch protection results (#1252) 
* fix

* fix

* doc

* fix

* comment

* update tests

* fix

* fixes

* fix

* disable tests temp

* score change

* fix

* comments

* docs
 2021-11-16 17:27:27 +00:00
Naveen
a05ac54b67
🐛 Fix the reproducible builds (#1282) 
https://github.com/sigstore/cosign/pull/1053
 2021-11-16 08:41:23 -08:00
Azeem Shaikh
71e8698617
Add a cron job to copy CII badges data (#1278) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2021-11-16 04:23:00 +00:00
laurentsimon
4502dfb557
Reduce false positives in Token-Permissions for contents permission (#1253) 
* fix

* tests
 2021-11-16 03:03:54 +00:00
laurentsimon
63e3b92466
fix (#1277) 2021-11-15 21:42:25 +00:00
asraa
1050b1cd60
Add dangerous workflow check with untrusted code checkout pattern (#1168) 
* add dangerous workflow check with untrusted code checkout pattern

Signed-off-by: Asra Ali <asraa@google.com>

* update

Signed-off-by: Asra Ali <asraa@google.com>

* add env var

Signed-off-by: Asra Ali <asraa@google.com>

* fix comment

Signed-off-by: Asra Ali <asraa@google.com>

* add repos git checks.yaml

Signed-off-by: Asra Ali <asraa@google.com>

* update checks.md

Signed-off-by: Asra Ali <asraa@google.com>

* address comments

Signed-off-by: Asra Ali <asraa@google.com>

* fix merge

Signed-off-by: Asra Ali <asraa@google.com>

* add delete

Signed-off-by: Asra Ali <asraa@google.com>

* update docs

Signed-off-by: Asra Ali <asraa@google.com>

Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
 2021-11-15 20:18:10 +00:00
Azeem Shaikh
4dde356329
Fix nil-ptr dereference (#1269) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2021-11-15 17:54:27 +00:00
asraa
5950fdef67
🐛 fix special character in search query to fix fuzzing check (#1241) 
* fix fuzzing path separator

Signed-off-by: Asra Ali <asraa@google.com>

* add comment

Signed-off-by: Asra Ali <asraa@google.com>
 2021-11-15 16:50:03 +00:00
Azeem Shaikh
72e20a076c
Add repoClient.Close for all e2e tests (#1265) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2021-11-15 14:53:01 +11:00