Commit Graph

1339 Commits

Author SHA1 Message Date
dependabot[bot]
fc7157e38a
🌱 Bump actions/dependency-review-action from 1.0.0 to 1.0.1 (#1923)
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 1.0.0 to 1.0.1.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](3f943b86c9...39e692fa32)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-05-18 07:10:22 -05:00
Naveen
bbaf072dd5
⚠️ Remove the oldjson format from cron (#1920)
- removed the old json format from cron
fix https://github.com/ossf/scorecard/pull/1487

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-05-17 17:31:25 -07:00
Appu
e7ef60d7fe
📖 Add information for pinning manfest lists (#1918)
* Add information for pinning manfest lists

Signed-off-by: Appu Goundan <appu@google.com>

* Update checks.md
2022-05-17 10:36:57 -07:00
dependabot[bot]
6406cfd4e3 🌱 Bump actions/setup-go from 3.0.0 to 3.1.0
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3.0.0 to 3.1.0.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](f6164bd8c8...fcdc43634a)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-16 16:52:04 +00:00
Azeem Shaikh
236b296403
Do not fail on empty repositories (#1914)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-05-16 00:41:17 +00:00
laurentsimon
b1ab7eb9bb
Update raw format for Dangerous workflows (#1865)
* updates

* e2e fix

* comments
2022-05-13 19:10:57 -07:00
Scott Ford
cd0470403b
📖 Fixes description for webhook check (#1882)
Signed-off-by: Scott Ford <scott@scottford.io>
2022-05-12 21:14:43 +00:00
Naveen
0275a94a3f
:warn: Remove the old Details field from CheckResult (#1906)
https://github.com/ossf/scorecard/issues/1393

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-05-12 12:58:12 -07:00
naveensrinivasan
b9f333bc2a ⚠️ Remove the pass from the CheckResult
- Remove Pass field from CheckResult

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-05-12 14:03:19 -05:00
dependabot[bot]
f0481647dd 🌱 Bump github.com/caarlos0/env/v6 from 6.9.1 to 6.9.2
Bumps [github.com/caarlos0/env/v6](https://github.com/caarlos0/env) from 6.9.1 to 6.9.2.
- [Release notes](https://github.com/caarlos0/env/releases)
- [Changelog](https://github.com/caarlos0/env/blob/main/.goreleaser.yml)
- [Commits](https://github.com/caarlos0/env/compare/v6.9.1...v6.9.2)

---
updated-dependencies:
- dependency-name: github.com/caarlos0/env/v6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-12 17:13:16 +00:00
dependabot[bot]
74f521fcf2 🌱 Bump mvdan.cc/sh/v3 from 3.4.3 to 3.5.0
Bumps [mvdan.cc/sh/v3](https://github.com/mvdan/sh) from 3.4.3 to 3.5.0.
- [Release notes](https://github.com/mvdan/sh/releases)
- [Changelog](https://github.com/mvdan/sh/blob/master/CHANGELOG.md)
- [Commits](https://github.com/mvdan/sh/compare/v3.4.3...v3.5.0)

---
updated-dependencies:
- dependency-name: mvdan.cc/sh/v3
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-12 14:43:48 +00:00
dependabot[bot]
2b35afc5bb 🌱 Bump github.com/golangci/golangci-lint in /tools
Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.45.2 to 1.46.0.
- [Release notes](https://github.com/golangci/golangci-lint/releases)
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
- [Commits](https://github.com/golangci/golangci-lint/compare/v1.45.2...v1.46.0)

---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-12 02:04:06 +00:00
laurentsimon
0f30f4eec7
Make permission check aware of GH Pages Action (#1902)
* update

* update

* update
2022-05-11 20:41:37 -05:00
dependabot[bot]
2fc6fbb196 🌱 Bump cloud.google.com/go/bigquery from 1.31.0 to 1.32.0
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.31.0 to 1.32.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/spanner/v1.31.0...spanner/v1.32.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-11 08:47:39 -05:00
Romain Dauby
804127f46a Upgrade to buildkit 0.10.3 2022-05-10 10:55:48 -05:00
06kellyjac
c5d787a598 pkg: refactor out scorecard_version 2022-05-10 09:51:55 -05:00
laurentsimon
62e3de5f48
🐛 Remove Options that belong to the Action (#1898)
* updates

* tests
2022-05-09 19:40:15 +00:00
Naveen
7ff4b7e050
⚠️ Removing the confidence field from CheckResult struct (#1896)
- Removing the confidence field from `CheckResult` struct
- https://github.com/ossf/scorecard/issues/1393

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-05-09 17:46:24 +00:00
Arnaud J Le Hors
6d79817e3b
📖 Fix command Usage (#1814)
This changes the cmd Usage text to accurately represents the
supported syntax:

Usage:
  ./scorecard (--repo=<repo> | --local=<folder> | --{npm,pypi,rubygems}=<package_name>)
	 [--checks=check1,...] [--show-details] [flags]
...
      --repo string        repository to check (valid inputs: "owner/repo", "github.com/owner/repo", "https://github.com/owner/repo")
...

Signed-off-by: Arnaud J Le Hors <lehors@us.ibm.com>
2022-05-09 10:23:13 -04:00
Arnaud J Le Hors
815de1819f
📖 Remove erroneous ref to CSV output (#1813) 2022-05-09 12:15:14 +00:00
Azeem Shaikh
5758364c82
Fix bug in Scorecard tag Docker image creation (#1890)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-05-06 20:38:19 +00:00
laurentsimon
8c97d46a36
Add custom remediation for workflow permissions/pinned dependencies (#1885)
* draft

* update

* updates

* updates

* updates

* updates

* updates

* updates
2022-05-06 12:52:30 -07:00
Azeem Shaikh
22694dcd41
Support commits reviewed through Piper (#1889)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-05-06 18:41:44 +00:00
Parth Kanakiya
9a7d030902
Added additional github repositories in projects.csv (#1886)
* Added additional repositories

* Added more repos

* Cleaned the repos
2022-05-06 16:13:50 +00:00
Vihang Mehta
72086c9d4c
Add support for Phabricator as a code review system (#1884)
*  Add support for Phabricator as a code review system

Signed-off-by: Vihang Mehta <vihang@pixielabs.ai>

* Also look for Differential Revision: to ensure that this repo uses Phabricator

Signed-off-by: Vihang Mehta <vihang@pixielabs.ai>

* Add some unit tests to cover Phabricator Review detection

Signed-off-by: Vihang Mehta <vihang@pixielabs.ai>
2022-05-05 21:48:04 +00:00
dependabot[bot]
f779fb8761 🌱 Bump cloud.google.com/go/pubsub from 1.21.0 to 1.21.1
Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.21.0 to 1.21.1.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.21.0...pubsub/v1.21.1)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-05 08:09:14 -05:00
laurentsimon
74ea0f4266
🐛 Fix .lib false positives in binary artifacts (#1879)
* ignore printable files

* updates

* e2e tests

* e2e fix

* comments
2022-05-03 13:31:51 -07:00
naveensrinivasan
2cb654102d ⚠️ Removing the pass field from result (#1853)
- Removing the pass field from result
    - https://github.com/ossf/scorecard/issues/1393

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-05-03 11:17:47 -05:00
laurentsimon
875b6f694e
🐛 Ignore shell parsing errors when reporting results (#1878)
* ignore parsing errors

* updates
2022-05-02 10:11:50 -07:00
dependabot[bot]
e97bf30ef6 🌱 Bump step-security/harden-runner from 1.4.2 to 1.4.3
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 1.4.2 to 1.4.3.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](34cbc43f0b...248ae51c2e)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-02 08:45:02 -05:00
laurentsimon
815de5c351
Propagate error in log (#1875) 2022-04-27 17:41:23 +00:00
dependabot[bot]
2b68f38d16 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.3 to 2.1.4
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.3 to 2.1.4.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.1.3...v2.1.4)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-27 15:44:39 +00:00
dependabot[bot]
3a9f011398 🌱 Bump github.com/google/go-cmp from 0.5.7 to 0.5.8
Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.7 to 0.5.8.
- [Release notes](https://github.com/google/go-cmp/releases)
- [Commits](https://github.com/google/go-cmp/compare/v0.5.7...v0.5.8)

---
updated-dependencies:
- dependency-name: github.com/google/go-cmp
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-27 15:20:00 +00:00
dependabot[bot]
a598b2ae78 🌱 Bump cloud.google.com/go/pubsub from 1.20.0 to 1.21.0
Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.20.0 to 1.21.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.20.0...pubsub/v1.21.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-27 14:39:07 +00:00
dependabot[bot]
ac14ce72c1 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.3 to 2.1.4 in /tools
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.3 to 2.1.4.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.1.3...v2.1.4)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-27 13:56:27 +00:00
laurentsimon
05d8c01b1c
🐛 Don't look for secrets in pull_request (#1864)
* Remove pull_request

* updates

* updates

* linter and e2e
2022-04-26 18:27:29 -07:00
laurentsimon
b304306451
Add token needed for checks in README (#1854)
* check perm doc

* updates
2022-04-26 16:02:02 +00:00
laurentsimon
ac88460c75
Raw results for best practices badge (#1795)
* Raw results for best practices badge

* updates

* updates

* tests

* comment
2022-04-25 17:04:21 +00:00
Alan Jowett
fe6e0917ac
Support for detecting choco installer without required hash (#1810)
* Initial support for choco installer

https://github.com/ossf/scorecard/issues/1807

Signed-off-by: Alan Jowett <alanjo@microsoft.com>

* PR feedback

Signed-off-by: Alan Jowett <alanjo@microsoft.com>

* Simplify if statement

Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2022-04-25 09:40:35 -07:00
dependabot[bot]
5d8a277d76 🌱 Bump crazy-max/ghaction-import-gpg from 4.3.0 to 4.4.0
Bumps [crazy-max/ghaction-import-gpg](https://github.com/crazy-max/ghaction-import-gpg) from 4.3.0 to 4.4.0.
- [Release notes](https://github.com/crazy-max/ghaction-import-gpg/releases)
- [Changelog](https://github.com/crazy-max/ghaction-import-gpg/blob/master/CHANGELOG.md)
- [Commits](4d58d49bfe...e00cb83a68)

---
updated-dependencies:
- dependency-name: crazy-max/ghaction-import-gpg
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-25 10:28:45 -05:00
dependabot[bot]
dbaba8a536 🌱 Bump step-security/harden-runner from 1.4.1 to 1.4.2
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 1.4.1 to 1.4.2.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](https://github.com/step-security/harden-runner/compare/v1.4.1...34cbc43f0b10c9dda284e663cf43c2ebaf83e956)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-25 09:29:45 -05:00
Naveen
44ad5f53ad
⚠️ Removing the error field from result (#1853)
- Removing the error field from result
- https://github.com/ossf/scorecard/issues/1393

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-04-22 23:22:43 +00:00
laurentsimon
1f3861b4cc
Update env variables in cron (#1858) 2022-04-22 20:21:08 +00:00
dependabot[bot]
ee1086efd7 🌱 Bump codecov/codecov-action from 3.0.0 to 3.1.0
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.0.0 to 3.1.0.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/master/CHANGELOG.md)
- [Commits](e3c560433a...81cd2dc814)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-22 07:25:53 -05:00
dependabot[bot]
64bf903f36 🌱 Bump actions/checkout from 3.0.1 to 3.0.2
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.0.1 to 3.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](dcd71f6466...2541b1294d)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-22 07:02:44 -05:00
laurentsimon
4622952c85
Raw results for dangerous workflow (#1849)
* draft

* update

* update

* updates

* comments

* comments

* comments
2022-04-21 22:02:18 +00:00
dependabot[bot]
72e248694d 🌱 Bump contrib.go.opencensus.io/exporter/stackdriver
Bumps [contrib.go.opencensus.io/exporter/stackdriver](https://github.com/census-ecosystem/opencensus-go-exporter-stackdriver) from 0.13.11 to 0.13.12.
- [Release notes](https://github.com/census-ecosystem/opencensus-go-exporter-stackdriver/releases)
- [Commits](https://github.com/census-ecosystem/opencensus-go-exporter-stackdriver/compare/v0.13.11...v0.13.12)

---
updated-dependencies:
- dependency-name: contrib.go.opencensus.io/exporter/stackdriver
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-20 09:01:35 -05:00
naveensrinivasan
6ed6c9b70e 🌱 Publish images with ko
- Publish images with ko

https://github.com/ossf/scorecard/issues/744

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-04-18 10:40:05 -05:00
laurentsimon
f99e1a1552
Schema for BQ table for raw results (#1762)
* Fix schemas

* updates

* updates

* Schema for BQ table of raw result

* update

* updates

* create utility function only

* update

* updates

* updates

* manifest
2022-04-15 16:35:01 +00:00
dependabot[bot]
9532e55ee9 🌱 Bump github.com/rhysd/actionlint from 1.6.11 to 1.6.12
Bumps [github.com/rhysd/actionlint](https://github.com/rhysd/actionlint) from 1.6.11 to 1.6.12.
- [Release notes](https://github.com/rhysd/actionlint/releases)
- [Changelog](https://github.com/rhysd/actionlint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rhysd/actionlint/compare/v1.6.11...v1.6.12)

---
updated-dependencies:
- dependency-name: github.com/rhysd/actionlint
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-15 09:13:27 -05:00