Commit Graph

22 Commits

Author SHA1 Message Date
Spencer Schrock
76a9b0470a
⚠️ Only include probes which ran for probe format (#3991)
* add findings to check results struct

these dont make it to the JSON output format as theyre
not copied to the jsonCheckResultV2 struct in AsJSON2()

Signed-off-by: Spencer Schrock <sschrock@google.com>

* populate CheckResult findings

It would be nice if the evaluation functions did this for us,
but would require changes to theCreate*ScoreResult functions.
It was simpler just to set it in one place at the check level.

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-04-04 14:43:30 -07:00
AdamKorcz
f422f692fe
🌱 Convert Dangerous Workflow check to probes (#3521)
* 🌱 Convert Dangerous Workflow check to probes

Signed-off-by: AdamKorcz <adam@adalogics.com>

* remove hasAnyWorkflows probe

Signed-off-by: AdamKorcz <adam@adalogics.com>

* combine two conditionals into one

Signed-off-by: AdamKorcz <adam@adalogics.com>

* preserve logging from original evaluation

Signed-off-by: AdamKorcz <adam@adalogics.com>

* rebase

Signed-off-by: AdamKorcz <adam@adalogics.com>

---------

Signed-off-by: AdamKorcz <adam@adalogics.com>
2023-11-06 21:43:03 +00:00
Arnaud J Le Hors
2169bc44c7
Use new project name in Copyright notices (#2505)
Signed-off-by: Arnaud J Le Hors <lehors@us.ibm.com>

Signed-off-by: Arnaud J Le Hors <lehors@us.ibm.com>
2022-12-01 15:08:48 -08:00
laurentsimon
4622952c85
Raw results for dangerous workflow (#1849)
* draft

* update

* update

* updates

* comments

* comments

* comments
2022-04-21 22:02:18 +00:00
noamd
5860896619 detect workflow_run as a dangerous trigger 2022-04-06 07:22:54 -05:00
laurentsimon
2bbbce75b3
🐛 Discard GitHub token in dangerous workflow check (#1772)
* Discard GitHub token in dangerous workflow check

* missing files
2022-03-23 23:37:23 +00:00
dependabot[bot]
66b3d8ce5c
🌱 Bump github.com/golangci/golangci-lint from 1.44.2 to 1.45.0 in /tools (#1757)
* 🌱 Bump github.com/golangci/golangci-lint in /tools

Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.44.2 to 1.45.0.
- [Release notes](https://github.com/golangci/golangci-lint/releases)
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
- [Commits](https://github.com/golangci/golangci-lint/compare/v1.44.2...v1.45.0)

---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* golangci-lint: Surface and fix as many lint warnings automatically

Signed-off-by: Stephen Augustus <foo@auggie.dev>

* generated: Run golangci-lint with `fix: true`

Signed-off-by: Stephen Augustus <foo@auggie.dev>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Stephen Augustus <foo@auggie.dev>
2022-03-23 02:23:39 +00:00
Azeem Shaikh
e41f8595cb
Generalize CheckFileContent functions (#1670)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-22 17:40:34 -06:00
Azeem Shaikh
2b206dc365
Remove Version field from LogMessage (#1640)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-15 18:26:06 +00:00
laurentsimon
e7fd58d9a3
Check for secrets in pull_request_target (#1634)
* checks/dangerous_workflow.go: add pull_request_target support for secrets

* missing files

* linter
2022-02-15 16:04:57 +00:00
Azeem Shaikh
2e3e505a8c
Simplify DetailLogger interface (#1628)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-11 15:48:58 -08:00
laurentsimon
7de151cf49
Check for secrets in workflows run on pull requests (#1615)
* updates

* missing files

* typo

* linter

* linter

* updates

* updates
2022-02-10 18:54:44 +00:00
Azeem Shaikh
6930c3ab3b
Add support for commit-based Scorecard (#1613)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-07 19:03:36 -08:00
Azeem Shaikh
1c95237e4a
Only run allowed checks in different modes (#1579)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-02-07 16:49:49 -08:00
naveen
f7b329e830 Unit test for all_checks
Addresses https://github.com/ossf/scorecard/issues/435

Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
2022-01-12 17:24:38 -06:00
Azeem Shaikh
f2c57d2590 Migrate to v4 2022-01-12 14:12:09 -06:00
laurentsimon
7a91384f8d
Add line numbers for insecure downloads (#1413)
* add lines for docker files

* support for other constructs

* other insecure patterns

* fixes

* fixes

* comments
2022-01-06 00:13:53 +00:00
asraa
cfa1593e1c
Add Script Injection to Dangerous-Workflow (#1368)
* add dangerous workflow pattern script injection

Signed-off-by: Asra Ali <asraa@google.com>

* add more tests

Signed-off-by: Asra Ali <asraa@google.com>

* update laurent comments

Signed-off-by: Asra Ali <asraa@google.com>
2021-12-09 13:53:55 -08:00
asraa
fd67ddf1c4
🌱 update dangerous workflow to use actionlint (#1328)
* update dangerous workflow to use actionlint

Signed-off-by: Asra Ali <asraa@google.com>

* fix nilptr

Signed-off-by: Asra Ali <asraa@google.com>

Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-11-22 18:32:27 +00:00
asraa
730076fab1
🐛 fix dangerous workflow test and workflow parsing (#1283)
* fix dangerous workflow

Signed-off-by: Asra Ali <asraa@google.com>

* check if removing label comment fixes

Signed-off-by: Asra Ali <asraa@google.com>

Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-11-20 00:16:02 +00:00
laurentsimon
cc4949465b
[Check split]: Binary-Artifacts (#1244)
* split binary artifact check

* fix

* missing file

* comments

* linter

* fix

* comments

* linter
2021-11-16 19:57:14 +00:00
asraa
1050b1cd60
Add dangerous workflow check with untrusted code checkout pattern (#1168)
* add dangerous workflow check with untrusted code checkout pattern

Signed-off-by: Asra Ali <asraa@google.com>

* update

Signed-off-by: Asra Ali <asraa@google.com>

* add env var

Signed-off-by: Asra Ali <asraa@google.com>

* fix comment

Signed-off-by: Asra Ali <asraa@google.com>

* add repos git checks.yaml

Signed-off-by: Asra Ali <asraa@google.com>

* update checks.md

Signed-off-by: Asra Ali <asraa@google.com>

* address comments

Signed-off-by: Asra Ali <asraa@google.com>

* fix merge

Signed-off-by: Asra Ali <asraa@google.com>

* add delete

Signed-off-by: Asra Ali <asraa@google.com>

* update docs

Signed-off-by: Asra Ali <asraa@google.com>

Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
2021-11-15 20:18:10 +00:00