From 105346e21e34c346c44ae6cfe518668c3511902c Mon Sep 17 00:00:00 2001
From: Love Kumar Chauhan
Date: Mon, 23 Mar 2026 11:43:41 +0530
Subject: [PATCH 1/2] fix(checker): add committer fields to dangerous workflow checked contexts
Signed-off-by: Love Kumar Chauhan
---
 checks/raw/dangerous_workflow.go | 4 ++++
 checks/raw/dangerous_workflow_test.go | 20 ++++++++++++++++++++
 2 files changed, 24 insertions(+)
diff --git a/checks/raw/dangerous_workflow.go b/checks/raw/dangerous_workflow.go
index 1d8f5ca794f..6dfb232a68f 100644
--- a/checks/raw/dangerous_workflow.go
+++ b/checks/raw/dangerous_workflow.go
@@ -45,8 +45,12 @@ func containsUntrustedContextPattern(variable string) bool {
 `head_commit\.message|` +
 `head_commit\.author\.email|` +
 `head_commit\.author\.name|` +
+ `head_commit\.committer\.email|` +
+ `head_commit\.committer\.name|` +
 `commits.*\.author\.email|` +
 `commits.*\.author\.name|` +
+ `commits.*\.committer\.email|` +
+ `commits.*\.committer\.name|` +
 `blocked_user\.name|` +
 `blocked_user\.email|` +
 `pull_request\.head\.ref|` +
diff --git a/checks/raw/dangerous_workflow_test.go b/checks/raw/dangerous_workflow_test.go
index c6431b7b127..973f26a6ec7 100644
--- a/checks/raw/dangerous_workflow_test.go
+++ b/checks/raw/dangerous_workflow_test.go
@@ -85,6 +85,26 @@ func TestUntrustedContextVariables(t *testing.T) {
 variable: "github.event.commits[2].author.email",
 expected: true,
 },
+ {
+ name: "commits committer name",
+ variable: "github.event.commits[2].committer.name",
+ expected: true,
+ },
+ {
+ name: "commits committer email",
+ variable: "github.event.commits[2].committer.email",
+ expected: true,
+ },
+ {
+ name: "head_commit committer name",
+ variable: "github.event.head_commit.committer.name",
+ expected: true,
+ },
+ {
+ name: "head_commit committer email",
+ variable: "github.event.head_commit.committer.email",
+ expected: true,
+ },
 {
 name: "blocked_user name",
 variable: "github.event.pull_request.organization.blocked_user.name",
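Review bot: The four added alternatives in `containsUntrustedContextPattern` carry no explanation of why committer fields now sit beside the author fields, and a reader of this long list may assume the author pair was deliberately the complete set. A short comment above the first added line, `// committer name/email are taken from the pushed commit object, so they are as attacker-controlled as the author fields`, would make the intent durable. The new `commits.*\.committer\.email` form mirrors the existing `commits.*\.author\.email` lines (unescaped `.*` so indexed forms such as `commits[2]` still match), so no change is needed there. The regexp literal begins and ends outside this hunk.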
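Review bot: The four new table entries in `TestUntrustedContextVariables` only assert positive matches, so nothing shows that the widened pattern still rejects neighbouring commit fields. If the table (which starts before this hunk) has no such case, add one like `{name: "head_commit id", variable: "github.event.head_commit.id", expected: false}` next to the committer cases. This keeps a future edit of the alternation from silently over-matching.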
From 3eeea4330788e3887c961e761beeaeb1b0d3e2a3 Mon Sep 17 00:00:00 2001
From: Love Kumar Chauhan
Date: Wed, 25 Mar 2026 00:39:35 +0530
Subject: [PATCH 2/2] fix(github): handle 422 search errors in Dependency-Update-Tool
The GitHub Search API can return a 422 Validation Failed error for public repositories that are not yet indexed. This was causing an internal error in Scorecard's Dependency-Update-Tool check. This fix catches the 422 error and returns an empty list of commits, allowing the check to proceed without a hard failure.
Fixes #4352
Signed-off-by: Love Kumar Chauhan
---
 clients/githubrepo/searchCommits.go | 8 ++++-
 clients/githubrepo/searchCommits_test.go | 43 ++++++++++++++++++++++++
 2 files changed, 50 insertions(+), 1 deletion(-)
diff --git a/clients/githubrepo/searchCommits.go b/clients/githubrepo/searchCommits.go
index cdde327dcff..83162944d2b 100644
--- a/clients/githubrepo/searchCommits.go
+++ b/clients/githubrepo/searchCommits.go
@@ -16,7 +16,9 @@ package githubrepo
 import (
 "context"
+ "errors"
 "fmt"
+ "net/http"
 "strings"
 "github.com/google/go-github/v82/github"
@@ -49,7 +51,11 @@ func (handler *searchCommitsHandler) search(request clients.SearchCommitsOptions
 query, &github.SearchOptions{ListOptions: github.ListOptions{PerPage: 100}})
 if err != nil {
- return nil, fmt.Errorf("Search.Code: %w", err)
+ var gerr *github.ErrorResponse
+ if errors.As(err, &gerr) && gerr.Response.StatusCode == http.StatusUnprocessableEntity {
+ return nil, nil // Return empty list on 422
+ }
+ return nil, fmt.Errorf("Search.Commits: %w", err)
 }
 return searchCommitsResponseFrom(resp), nil
diff --git a/clients/githubrepo/searchCommits_test.go b/clients/githubrepo/searchCommits_test.go
index 3dd252c63c8..6be5750d69a 100644
--- a/clients/githubrepo/searchCommits_test.go
+++ b/clients/githubrepo/searchCommits_test.go
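Review bot: The new guard in `search` dereferences `gerr.Response` without a nil check; `github.ErrorResponse.Response` is a pointer, and although go-github's own response checking normally sets it, any `*ErrorResponse` built without one would panic here instead of falling through to the wrapped error, so write `if errors.As(err, &gerr) && gerr.Response != nil && gerr.Response.StatusCode == http.StatusUnprocessableEntity {`. The catch also turns every 422 — a malformed or over-long query as much as the "not yet indexed" case the commit message describes — into a silent empty result, which the Dependency-Update-Tool caller presumably reads as "no tooling commits" rather than as a failure; consider narrowing on `gerr.Message` if the indexing failure is distinguishable, or at least replace `// Return empty list on 422` with a comment stating that a 422 from the Search API is treated as "repository not indexed yet" and that the check then proceeds with no commits. The closing brace of `search` is not visible in this hunk.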
@@ -15,9 +15,15 @@
 package githubrepo
 import (
+ "context"
 "errors"
+ "io"
+ "net/http"
+ "strings"
 "testing"
+ "github.com/google/go-github/v82/github"
+ "github.com/ossf/scorecard/v5/clients"
 )
@@ -76,3 +82,40 @@ func TestSearchCommitsBuildQuery(t *testing.T) {
 })
 }
 }
+
+func TestSearchCommitsHandle422(t *testing.T) {
+ t.Parallel()
+ handler := searchCommitsHandler{
+ ghClient: github.NewClient(&http.Client{
+ Transport: &mockErrorTransport{
+ statusCode: http.StatusUnprocessableEntity,
+ },
+ }),
+ ctx: context.Background(),
+ repourl: &Repo{
+ commitSHA: clients.HeadSHA,
+ owner: "testowner",
+ repo: "testrepo",
+ },
+ }
+
+ commits, err := handler.search(clients.SearchCommitsOptions{Author: "testbot"})
+ if err != nil {
+ t.Fatalf("expected no error, got: %v", err)
+ }
+ if len(commits) != 0 {
+ t.Fatalf("expected 0 commits, got: %d", len(commits))
+ }
+}
+
+type mockErrorTransport struct {
+ statusCode int
+}
+
+func (m *mockErrorTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+ return &http.Response{
+ StatusCode: m.statusCode,
+ Body: io.NopCloser(strings.NewReader(`{"message": "Validation Failed"}`)),
+ Header: make(http.Header),
+ }, nil
+}
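Review bot: `TestSearchCommitsHandle422` only exercises the status that is swallowed; nothing pins that other client errors still propagate, so a later widening of the catch in `search` would pass the suite unnoticed. Add a second case that builds the same handler with `mockErrorTransport{statusCode: http.StatusInternalServerError}` and asserts `err != nil`, ideally also that the message contains `Search.Commits`. `mockErrorTransport` and its `RoundTrip` method also lack doc comments; a line such as `// mockErrorTransport answers every request with a fixed status code and a static JSON error body.` would explain why the request argument is ignored.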