Commit Graph

1221 Commits

Author SHA1 Message Date
dependabot[bot]
d5893c226f 🌱 Bump distroless/base from 02f6671 to 792dfe7
Bumps distroless/base from `02f6671` to `792dfe7`.

---
updated-dependencies:
- dependency-name: distroless/base
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-18 09:59:25 -05:00
dependabot[bot]
9e9e5a9392 🌱 Bump distroless/base in /cron/webhook
Bumps distroless/base from `02f6671` to `792dfe7`.

---
updated-dependencies:
- dependency-name: distroless/base
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-18 09:39:11 -05:00
dependabot[bot]
8f6df49de8 🌱 Bump github.com/go-logr/logr from 1.2.2 to 1.2.3
Bumps [github.com/go-logr/logr](https://github.com/go-logr/logr) from 1.2.2 to 1.2.3.
- [Release notes](https://github.com/go-logr/logr/releases)
- [Changelog](https://github.com/go-logr/logr/blob/master/CHANGELOG.md)
- [Commits](https://github.com/go-logr/logr/compare/v1.2.2...v1.2.3)

---
updated-dependencies:
- dependency-name: github.com/go-logr/logr
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-18 09:06:22 -05:00
dependabot[bot]
23921a6cc5 🌱 Bump distroless/base in /cron/worker
Bumps distroless/base from `02f6671` to `792dfe7`.

---
updated-dependencies:
- dependency-name: distroless/base
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-18 08:54:35 -05:00
dependabot[bot]
a496d8ca87 🌱 Bump cloud.google.com/go/bigquery from 1.29.0 to 1.30.0
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.29.0 to 1.30.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/spanner/v1.29.0...spanner/v1.30.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-17 12:01:45 -05:00
Azeem Shaikh
a3f4b05bbf Pass in specific commit-SHA in cron job (#1739)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-03-16 22:53:51 +00:00
naveensrinivasan
ba78d0aa59 Unit test for CLI options
- Initial tests for CLI options.
2022-03-16 16:33:31 -05:00
Azeem Shaikh
dc302bde4d Enable CI-Tests to run as commit-based check
2022-03-16 16:20:21 -05:00
Naveen
c8acf3645f 🌱 .github: Audit CodeQL egress with harden-runner (#1728)
2022-03-15 16:14:03 +00:00
dependabot[bot]
c8af71cf35 🌱 Bump crazy-max/ghaction-import-gpg from 4.2.0 to 4.3.0
Bumps [crazy-max/ghaction-import-gpg](https://github.com/crazy-max/ghaction-import-gpg) from 4.2.0 to 4.3.0.
- [Release notes](https://github.com/crazy-max/ghaction-import-gpg/releases)
- [Changelog](https://github.com/crazy-max/ghaction-import-gpg/blob/master/CHANGELOG.md)
- [Commits](b7c9a01276...4d58d49bfe)

---
updated-dependencies:
- dependency-name: crazy-max/ghaction-import-gpg
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-15 05:11:38 -05:00
dependabot[bot]
3f73d69acd 🌱 Bump github.com/rhysd/actionlint from 1.6.9 to 1.6.10
Bumps [github.com/rhysd/actionlint](https://github.com/rhysd/actionlint) from 1.6.9 to 1.6.10.
- [Release notes](https://github.com/rhysd/actionlint/releases)
- [Changelog](https://github.com/rhysd/actionlint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rhysd/actionlint/compare/v1.6.9...v1.6.10)

---
updated-dependencies:
- dependency-name: github.com/rhysd/actionlint
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-14 06:32:30 -05:00
dependabot[bot]
2df9d088f2 🌱 Bump github.com/goreleaser/goreleaser in /tools
Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.6.1 to 1.6.3.
- [Release notes](https://github.com/goreleaser/goreleaser/releases)
- [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml)
- [Commits](https://github.com/goreleaser/goreleaser/compare/v1.6.1...v1.6.3)

---
updated-dependencies:
- dependency-name: github.com/goreleaser/goreleaser
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-14 06:18:25 -05:00
naveensrinivasan
7d1795384c Fixed the path of the generated mock files.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-03-11 09:55:24 -06:00
naveensrinivasan
1995bc3b9c 🌱 Refactor to make it testable
- Related to https://github.com/ossf/scorecard/issues/1568

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-03-11 09:55:24 -06:00
dependabot[bot]
f2a132a430 🌱 Bump github.com/spf13/cobra from 1.3.0 to 1.4.0
Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.3.0 to 1.4.0.
- [Release notes](https://github.com/spf13/cobra/releases)
- [Changelog](https://github.com/spf13/cobra/blob/master/CHANGELOG.md)
- [Commits](https://github.com/spf13/cobra/compare/v1.3.0...v1.4.0)

---
updated-dependencies:
- dependency-name: github.com/spf13/cobra
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-11 09:29:05 -06:00
naveensrinivasan
e303a1b8fd 🌱 Ignore mock clients for code coverage
- Ignoring mock clients for code coverage tracking.
2022-03-09 14:21:20 -06:00
naveensrinivasan
35d31562a0 🌱 Unit tests for pinned_dependencies
- Additional tests for pinned_dependencies
https://github.com/ossf/scorecard/issues/986
2022-03-09 09:53:21 -06:00
stm9
c10a6ae0f0 Update README.md (#1716)
Updated instructions on how to access public BigQuery dataset in section [public-data](https://github.com/ossf/scorecard/edit/main/README.md#public-data)

Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2022-03-08 15:44:38 +00:00
dependabot[bot]
eb258163ea 🌱 Bump cloud.google.com/go/pubsub from 1.18.0 to 1.19.0
Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.18.0 to 1.19.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.18.0...pubsub/v1.19.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-08 06:02:44 -05:00
laurentsimon
e128c3de82 allow empty committer (#1714)
2022-03-07 21:25:54 +00:00
Chris McGehee
c1761a8936 Only download repo tarball when necessary
Previously, this was downloading the tarball for github.com/google/oss-fuzz every time scorecard was run
2022-03-07 11:52:20 -05:00
dependabot[bot]
0268747d6d 🌱 Bump github.com/goreleaser/goreleaser in /tools
Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.5.0 to 1.6.1.
- [Release notes](https://github.com/goreleaser/goreleaser/releases)
- [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml)
- [Commits](https://github.com/goreleaser/goreleaser/compare/v1.5.0...v1.6.1)

---
updated-dependencies:
- dependency-name: github.com/goreleaser/goreleaser
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-07 05:29:32 -05:00
naveensrinivasan
4b9f0389c6 🌱 Fix for CVE-2022-23648
- Fix for https://github.com/advisories/GHSA-crp2-qrr5-8pq7
2022-03-06 17:08:11 -05:00
Azeem Shaikh
241b0f4b4d Mark License, Security-Policy as commit-based (#1711)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-03-04 11:24:06 -06:00
laurentsimon
3c92dec81b 🐛 Add GitHub committer verification (#1695)
* Add GitHub committer verification and fix empty reviewers

* update comment

* linter

* comments
2022-03-03 18:04:05 +00:00
dependabot[bot]
57b4664c71 🌱 Bump cloud.google.com/go/bigquery from 1.28.0 to 1.29.0
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.28.0 to 1.29.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/spanner/v1.28.0...spanner/v1.29.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-03 07:10:50 -06:00
naveensrinivasan
4904b317ac 🌱 additional tests for github_workflow
- Additional tests for github_workflow
2022-03-02 20:36:34 -06:00
Stephen Augustus (he/him)
3070b3ca1b cmd: Allow new scorecard to be instantiated with options (#1703)
* cmd: Allow new scorecard commands to be instantiated with options
* options: Default flags to struct field values
* options: Use constants for flag names
* options: Simplify SARIF check

Signed-off-by: Stephen Augustus <foo@auggie.dev>
2022-03-03 01:38:34 +00:00
laurentsimon
d192c8e3ac Add score to SARIF for all results (#1694)
* add score

* fix unit tests
2022-03-02 17:06:47 -08:00
laurentsimon
3818dbe839 Update CODEOWNERS (#1701)
@inferno-chromium asked to be removed because he's not actively reviewing PRs anymore and his inbox is being bombarded :-)

cc @inferno-chromium
2022-03-02 16:21:38 +00:00
dependabot[bot]
189cdc5b9b 🌱 Bump actions/stale from 4.1.0 to 5
Bumps [actions/stale](https://github.com/actions/stale) from 4.1.0 to 5.
- [Release notes](https://github.com/actions/stale/releases)
- [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md)
- [Commits](7fb802b307...3cc1237663)

---
updated-dependencies:
- dependency-name: actions/stale
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-02 09:03:04 -06:00
dependabot[bot]
23819152f8 🌱 Bump crazy-max/ghaction-import-gpg from 4.1.0 to 4.2.0
Bumps [crazy-max/ghaction-import-gpg](https://github.com/crazy-max/ghaction-import-gpg) from 4.1.0 to 4.2.0.
- [Release notes](https://github.com/crazy-max/ghaction-import-gpg/releases)
- [Changelog](https://github.com/crazy-max/ghaction-import-gpg/blob/master/CHANGELOG.md)
- [Commits](cb4264d331...b7c9a01276)

---
updated-dependencies:
- dependency-name: crazy-max/ghaction-import-gpg
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-02 08:10:27 -06:00
dependabot[bot]
13b9cc5212 🌱 Bump actions/checkout from 2.4.0 to 3
Bumps [actions/checkout](https://github.com/actions/checkout) from 2.4.0 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](ec3a7ce113...a12a3943b4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-02 07:29:16 -06:00
Stephen Augustus (he/him)
84cdc8cbec cmd: Refactor to make importable (#1696)
* cmd: Refactor to make importable
* options: Add support for parsing via environment variables
* options: Support setting feature flags via option
* cmd: Replace `version` with sigs.k8s.io/release-utils/version
* cmd: Move option validation into pre-run function

Signed-off-by: Stephen Augustus <foo@auggie.dev>
2022-03-01 21:18:44 -08:00
Azeem Shaikh
738b246fe9 Fix cmd panic (#1692)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-03-01 20:17:24 +00:00
dependabot[bot]
837729418a 🌱 Bump goreleaser/goreleaser-action from 2.9.0 to 2.9.1
Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 2.9.0 to 2.9.1.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](c127c9be61...b953231f81)

---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-01 06:42:36 -06:00
dependabot[bot]
dd9ae7df99 🌱 Bump actions/setup-go from 2.2.0 to 3
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 2.2.0 to 3.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](bfdd3570ce...f6164bd8c8)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-01 06:33:03 -06:00
naveensrinivasan
5e5abdcd09 🌱 Unit tests for github workflow
- Unit tests for github workflow.
https://github.com/ossf/scorecard/issues/986
2022-02-28 20:02:50 -06:00
Naveen
ddb0fe3f31 Changed jsonScorecardResultV2 type Public (#1682)
* Changed jsonScorecardResultV2 type Public

- Fixes https://github.com/ossf/scorecard/issues/1673

* Update pkg/json.go

Co-authored-by: Stephen Augustus (he/him) <justaugustus@users.noreply.github.com>

* Fixed the govet warning by including nolint

Fixed the govet linter warning by including nolint.

Co-authored-by: Stephen Augustus (he/him) <justaugustus@users.noreply.github.com>
2022-02-28 15:20:07 -05:00
dependabot[bot]
4635570f7c 🌱 Bump goreleaser/goreleaser-action from 2.8.1 to 2.9.0
Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 2.8.1 to 2.9.0.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](79d4afbba1...c127c9be61)

---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-02-28 06:37:46 -06:00
Stephen Augustus (he/him)
d71866ca16 Update badges to correct package version and reference URLs
2022-02-27 09:29:49 -06:00
naveensrinivasan
c664364ccf 📖 Included reference to the GoDoc
2022-02-27 09:29:49 -06:00
Stephen Augustus (he/him)
7956ff4fe7 Miscellaneous refactors to ease downstream consumption (#1645)
* checker: Add `NewLogger` constructor for `DetailLogger` impl
* checker: Add `NewRunner` constructor for `Runner`
* cmd: Update to use refactored packages
* cmd: Move command flags and validation into an `options` package
* cmd: Move client accessors to `githubrepo` package
* cmd: Move policy and enabled checks to `policy` package
* cmd: Move results formatting to `format` package
* checker: Prefer `Set` prefixes for setters
* checker: Use `DetailLogger` return value for `NewLogger()`
* checker: Add `GetClients` accessor
* Move `FormatResults` to `pkg/`
* checks: Add getter for all checks

Signed-off-by: Stephen Augustus <foo@auggie.dev>
2022-02-27 02:09:21 +00:00
Chris McGehee
76105194da 📖 Adding missing documentation for Token-Permissions (#1656)
* Adding missing documentation for Token-Permissions

* Make documentation for `actions` more accurate

Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2022-02-25 22:47:11 +00:00
dependabot[bot]
4c82c29552 🌱 Bump github.com/rhysd/actionlint from 1.6.8 to 1.6.9
Bumps [github.com/rhysd/actionlint](https://github.com/rhysd/actionlint) from 1.6.8 to 1.6.9.
- [Release notes](https://github.com/rhysd/actionlint/releases)
- [Changelog](https://github.com/rhysd/actionlint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rhysd/actionlint/compare/v1.6.8...v1.6.9)

---
updated-dependencies:
- dependency-name: github.com/rhysd/actionlint
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-02-25 08:25:57 -06:00
Stephen Augustus (he/him)
692c682f22 Refine copy for PR template and add a release-note code fence (#1678)
Signed-off-by: Stephen Augustus <foo@auggie.dev>
2022-02-24 22:37:34 -05:00
Azeem Shaikh
504f134416 Update scorecard-analysis.yml (#1674)
2022-02-23 21:08:46 -08:00
Naveen
faeae4121e 🌱 Fixes the vulnerability GHSA-qq97-vm5h-rrhg (#1672)
- Fixed the vulnerability GHSA-qq97-vm5h-rrhg by using replace
  directives.
2022-02-23 07:41:05 -08:00
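The technique named in this commit and in the two containerd commits below it, forcing a vulnerable transitive module onto a patched release with a go.mod `replace` directive, as an added illustration; this is not ossf/scorecard's own go.mod. The module path `example.com/scanner`, the direct dependency `github.com/some/dep`, and the containerd versions are assumed for the example; substitute the fixed version the advisory names.

```gomod
// Added illustration, not the project's go.mod. Module path, the direct
// dependency and the versions below are assumed for the example.
module example.com/scanner

go 1.17

require (
	// Direct dependency that transitively pulls in the vulnerable module
	// (hypothetical path).
	github.com/some/dep v1.2.3
)

// Redirect every version of the vulnerable module that appears anywhere in
// the dependency graph to a release carrying the fix. Because the left-hand
// side carries no version, the rule applies to all requested versions.
replace github.com/containerd/containerd => github.com/containerd/containerd v1.5.10
```

Apply the rule with `go mod edit -replace github.com/containerd/containerd=github.com/containerd/containerd@v1.5.10` followed by `go mod tidy`, then confirm it took effect with `go list -m github.com/containerd/containerd`, which prints the `=>` target when a replacement is active. The caveat a practitioner should keep in mind: Go honours `replace` only in the main module's go.mod and ignores it in dependencies, so once this module is imported by another project (as the "Refactor to make importable" commit further down sets up), consumers resolve containerd through minimal version selection over `require` lines alone. To make the fix travel downstream, also raise the `require` entry to at least the patched version rather than relying on `replace` by itself.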
naveensrinivasan
5a1ab20fae 🌱 Fix containerd vulns
- Fixes the containerd vulnerability by replacing 1.58 to 1.59 which
  addresses the fix and dependabot will stop complaining about the
  issue.
2022-02-22 21:57:46 -06:00
Naveen
d94a87d974 🌱 Fix containerd Vulnerability (#1560)
Fixes the containerd vulns.

https://github.com/ossf/scorecard/issues/1537
Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: Stephen Augustus <foo@auggie.dev>
2022-02-23 00:41:56 +00:00