Documentation
Overview
Package checks defines all Scorecard checks.
Index
- Constants
- Variables
- func BinaryArtifacts(c *checker.CheckRequest) checker.CheckResult
- func BranchProtection(c *checker.CheckRequest) checker.CheckResult
- func CIIBestPractices(c *checker.CheckRequest) checker.CheckResult
- func CITests(c *checker.CheckRequest) checker.CheckResult
- func CheckFileContainsCommands(content []byte, comment string) bool
- func CheckFilesContent(shellPathFnPattern string, caseSensitive bool, c *checker.CheckRequest, ...) error
- func CheckIfFileExists(checkName string, c *checker.CheckRequest, onFile FileCb, data FileCbData) error
- func Contributors(c *checker.CheckRequest) checker.CheckResult
- func DoesCodeReview(c *checker.CheckRequest) checker.CheckResult
- func FileGetCbDataAsBoolPointer(data FileCbData) *bool
- func Fuzzing(c *checker.CheckRequest) checker.CheckResult
- func HasUnfixedVulnerabilities(c *checker.CheckRequest) checker.CheckResult
- func IsMaintained(c *checker.CheckRequest) checker.CheckResult
- func Packaging(c *checker.CheckRequest) checker.CheckResult
- func PinnedDependencies(c *checker.CheckRequest) checker.CheckResult
- func SAST(c *checker.CheckRequest) checker.CheckResult
- func SecurityPolicy(c *checker.CheckRequest) checker.CheckResult
- func SignedReleases(c *checker.CheckRequest) checker.CheckResult
- func TokenPermissions(c *checker.CheckRequest) checker.CheckResult
- func UsesDependencyUpdateTool(c *checker.CheckRequest) checker.CheckResult
- type FileCb
- type FileCbData
- type FileContentCb
Constants
const CheckBinaryArtifacts string = "Binary-Artifacts"
CheckBinaryArtifacts is the exported name for the Binary-Artifacts check.
const (
// CheckBranchProtection is the exported name for the Branch-Protection check.
CheckBranchProtection = "Branch-Protection"
)
const CheckCIIBestPractices = "CII-Best-Practices"
CheckCIIBestPractices is the registered name for CIIBestPractices.
const (
// CheckCITests is the registered name for CITests.
CheckCITests = "CI-Tests"
)
const CheckCodeReview = "Code-Review"
CheckCodeReview is the registered name for DoesCodeReview.
const (
// CheckContributors is the registered name for Contributors.
CheckContributors = "Contributors"
)
const CheckDependencyUpdateTool = "Dependency-Update-Tool"
CheckDependencyUpdateTool is the exported name for Automatic-Dependency-Update.
const CheckFuzzing = "Fuzzing"
CheckFuzzing is the registered name for Fuzzing.
const (
// CheckMaintained is the exported check name for Maintained.
CheckMaintained = "Maintained"
)
const CheckPackaging = "Packaging"
CheckPackaging is the registered name for Packaging.
const CheckPinnedDependencies = "Pinned-Dependencies"
CheckPinnedDependencies is the registered name for FrozenDeps.
const CheckSAST = "SAST"
CheckSAST is the registered name for SAST.
const CheckSecurityPolicy = "Security-Policy"
CheckSecurityPolicy is the registered name for SecurityPolicy.
const (
// CheckSignedReleases is the registered name for SignedReleases.
CheckSignedReleases = "Signed-Releases"
)
const CheckTokenPermissions = "Token-Permissions"
CheckTokenPermissions is the exported name for the Token-Permissions check.
const (
// CheckVulnerabilities is the registered name for the OSV check.
CheckVulnerabilities = "Vulnerabilities"
)
Variables
var AllChecks = checker.CheckNameToFnMap{}
AllChecks is the list of all security checks that will be run.
Functions
func BinaryArtifacts
func BinaryArtifacts(c *checker.CheckRequest) checker.CheckResult
BinaryArtifacts checks whether the repository contains binary artifacts.
func BranchProtection
func BranchProtection(c *checker.CheckRequest) checker.CheckResult
BranchProtection runs the Branch-Protection check.
func CIIBestPractices
func CIIBestPractices(c *checker.CheckRequest) checker.CheckResult
CIIBestPractices runs the CII-Best-Practices check.
func CITests
func CITests(c *checker.CheckRequest) checker.CheckResult
CITests runs the CI-Tests check.
func CheckFileContainsCommands
func CheckFileContainsCommands(content []byte, comment string) bool
CheckFileContainsCommands checks whether the file content contains commands or not. `comment` is the string or character that introduces a comment: for Dockerfiles, for example, it would be `#`.
func CheckFilesContent
func CheckFilesContent(shellPathFnPattern string, caseSensitive bool, c *checker.CheckRequest, onFileContent FileContentCb, data FileCbData) error
CheckFilesContent downloads the tar of the repository and calls the onFileContent() function for each file. shellPathFnPattern is a pattern for https://golang.org/pkg/path/#Match. Warning: the pattern is used to match (1) the entire path AND (2) the filename alone. This means:
- To scope the search to a directory, use "./dirname/*". For example, for the root directory, use "./*".
- A pattern such as "*mypattern*" will match files containing mypattern in *any* directory.
func CheckIfFileExists
func CheckIfFileExists(checkName string, c *checker.CheckRequest, onFile FileCb, data FileCbData) error
CheckIfFileExists downloads the tar of the repository and calls onFile() for each file to check for the occurrence.
func Contributors
func Contributors(c *checker.CheckRequest) checker.CheckResult
Contributors runs the Contributors check.
func DoesCodeReview
func DoesCodeReview(c *checker.CheckRequest) checker.CheckResult
DoesCodeReview attempts to determine whether a project requires review before code gets merged. It uses a set of heuristics:
- Looking at the repo configuration to see if reviews are required.
- Checking if most of the recent merged PRs were "Approved".
- Looking for other well-known review labels.
func FileGetCbDataAsBoolPointer
func FileGetCbDataAsBoolPointer(data FileCbData) *bool
FileGetCbDataAsBoolPointer returns the callback data as a *bool.
func Fuzzing
func Fuzzing(c *checker.CheckRequest) checker.CheckResult
Fuzzing runs the Fuzzing check.
func HasUnfixedVulnerabilities
func HasUnfixedVulnerabilities(c *checker.CheckRequest) checker.CheckResult
HasUnfixedVulnerabilities runs the Vulnerabilities check.
func IsMaintained
func IsMaintained(c *checker.CheckRequest) checker.CheckResult
IsMaintained runs the Maintained check.
func Packaging
func Packaging(c *checker.CheckRequest) checker.CheckResult
Packaging runs the Packaging check.
func PinnedDependencies
func PinnedDependencies(c *checker.CheckRequest) checker.CheckResult
PinnedDependencies checks whether the repository contains frozen (pinned) dependencies.
func SecurityPolicy
func SecurityPolicy(c *checker.CheckRequest) checker.CheckResult
SecurityPolicy runs the Security-Policy check.
func SignedReleases
func SignedReleases(c *checker.CheckRequest) checker.CheckResult
SignedReleases runs the Signed-Releases check.
func TokenPermissions
func TokenPermissions(c *checker.CheckRequest) checker.CheckResult
TokenPermissions runs the Token-Permissions check.
func UsesDependencyUpdateTool
func UsesDependencyUpdateTool(c *checker.CheckRequest) checker.CheckResult
UsesDependencyUpdateTool checks whether the repository uses a dependency update tool.
Types
type FileCb
type FileCb func(path string, dl checker.DetailLogger, data FileCbData) (bool, error)
FileCb represents a callback function.
type FileCbData
type FileCbData interface{}
FileCbData is any data the caller can act upon to keep state.
type FileContentCb
type FileContentCb func(path string, content []byte, dl checker.DetailLogger, data FileCbData) (bool, error)
FileContentCb is the callback. The bool it returns indicates whether CheckFilesContent should continue iterating over files or not.
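As an added illustration of the CheckFilesContent pattern rule (full path AND bare filename, via path.Match) and of the FileContentCb stop semantics, here is a self-contained stand-in written for this page, not code from the Scorecard project: walkMatching iterates a constructed in-memory tree instead of a downloaded tarball, and the caller's state travels through the data argument. The file type, matchesPattern, walkMatching and sampleFiles are assumptions of this example, and the callback shape omits checker.DetailLogger.

```go
package main

import (
	"fmt"
	"path"
)

// FileContentCb mirrors the documented callback shape (DetailLogger omitted): returning false stops the walk.
type FileContentCb func(filePath string, content []byte, data interface{}) (bool, error)
type file struct{ path string; content []byte } // one entry of the constructed tree

// matchesPattern applies the documented rule: the pattern is tried against the whole path AND the bare filename.
func matchesPattern(pattern, filePath string) (bool, error) {
	full, err := path.Match(pattern, filePath)
	base, _ := path.Match(pattern, path.Base(filePath)) // same pattern, so a syntax error already surfaced in err
	return full || base, err
}

// walkMatching stands in for CheckFilesContent over an in-memory tree; it returns the matched paths handed to cb.
func walkMatching(pattern string, files []file, cb FileContentCb, data interface{}) ([]string, error) {
	var visited []string
	for _, f := range files {
		if ok, err := matchesPattern(pattern, f.path); err != nil {
			return visited, err // malformed pattern (path.ErrBadPattern)
		} else if !ok {
			continue
		}
		visited = append(visited, f.path)
		if cont, err := cb(f.path, f.content, data); err != nil || !cont {
			return visited, err // callback failed, or asked to stop by returning false
		}
	}
	return visited, nil
}

// sampleFiles is a constructed tree in tarball order; paths carry the "./" prefix the "./dirname/*" examples assume.
var sampleFiles = []file{
	{"./Dockerfile", []byte("FROM alpine:3.18\n")},
	{"./docker/Dockerfile", []byte("FROM golang:1.21\n")},
}

func main() {
	var first string // caller state, threaded through the data argument
	stop := func(p string, _ []byte, d interface{}) (bool, error) {
		*(d.(*string)) = p // record the first hit, then halt the walk
		return false, nil
	}
	v, err := walkMatching("*Dockerfile*", sampleFiles, stop, &first)
	fmt.Println(v, first, err) // [./Dockerfile] ./Dockerfile <nil>
}
```

Note that "*Dockerfile*" reaches ./docker/Dockerfile only through the bare-filename match, since `*` in path.Match never crosses a "/"; "./*" confines the walk to the root.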
Source Files
- all_checks.go
- binary_artifact.go
- branch_protection.go
- ci_tests.go
- cii_best_practices.go
- code_review.go
- contributors.go
- dependency_update_tool.go
- errors.go
- file_utils.go
- fuzzing.go
- maintained.go
- packaging.go
- permissions.go
- pinned_dependencies.go
- sast.go
- security_policy.go
- shell_download_validate.go
- signed_releases.go
- vulnerabilities.go