diff --git a/README.md b/README.md index 3addb21b930..55b32c8c476 100644 --- a/README.md +++ b/README.md 
@@ -544,24 +544,24 @@ The following checks are all run against the target project by default: Name | Description | Risk Level | Token Required | GitLab Support | Note ----------- | ----------------------------------------- | ---------- | --------------- | -------------- | --- | [Binary-Artifacts](docs/checks.md#binary-artifacts) | Is the project free of checked-in binaries? | High | PAT, GITHUB_TOKEN | Supported | -[Branch-Protection](docs/checks.md#branch-protection) | Does the project use [Branch Protection](https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/about-protected-branches) ? | High | PAT (`repo` or `repo> public_repo`), GITHUB_TOKEN | Supported (see notes) | certain settings are only supported with a maintainer PAT -[CI-Tests](docs/checks.md#ci-tests) | Does the project run tests in CI, e.g. [GitHub Actions](https://docs.github.com/en/free-pro-team@latest/actions), [Prow](https://github.com/kubernetes/test-infra/tree/master/prow)? | Low | PAT, GITHUB_TOKEN | Supported -[CII-Best-Practices](docs/checks.md#cii-best-practices) | Has the project earned an [OpenSSF (formerly CII) Best Practices Badge](https://www.bestpractices.dev) at the passing, silver, or gold level? | Low | PAT, GITHUB_TOKEN | Validating | -[Code-Review](docs/checks.md#code-review) | Does the project practice code review before code is merged? | High | PAT, GITHUB_TOKEN | Validating | -[Contributors](docs/checks.md#contributors) | Does the project have contributors from at least two different organizations? | Low | PAT, GITHUB_TOKEN | Validating | -[Dangerous-Workflow](docs/checks.md#dangerous-workflow) | Does the project avoid dangerous coding patterns in GitHub Action workflows? | Critical | PAT, GITHUB_TOKEN | Unsupported | -[Dependency-Update-Tool](docs/checks.md#dependency-update-tool) | Does the project use tools to help update its dependencies? 
| High | PAT, GITHUB_TOKEN | Unsupported | -[Fuzzing](docs/checks.md#fuzzing) | Does the project use fuzzing tools, e.g. [OSS-Fuzz](https://github.com/google/oss-fuzz), [QuickCheck](https://hackage.haskell.org/package/QuickCheck) or [fast-check](https://fast-check.dev/)? | Medium | PAT, GITHUB_TOKEN | Validating -[License](docs/checks.md#license) | Does the project declare a license? | Low | PAT, GITHUB_TOKEN | Validating | -[Maintained](docs/checks.md#maintained) | Is the project at least 90 days old, and maintained? | High | PAT, GITHUB_TOKEN | Validating | -[Pinned-Dependencies](docs/checks.md#pinned-dependencies) | Does the project declare and pin [dependencies](https://docs.github.com/en/free-pro-team@latest/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#supported-package-ecosystems)? | Medium | PAT, GITHUB_TOKEN | Validating | -[Packaging](docs/checks.md#packaging) | Does the project build and publish official packages from CI/CD, e.g. [GitHub Publishing](https://docs.github.com/en/free-pro-team@latest/actions/guides/about-packaging-with-github-actions#workflows-for-publishing-packages) ? | Medium | PAT, GITHUB_TOKEN | Validating | -[SAST](docs/checks.md#sast) | Does the project use static code analysis tools, e.g. [CodeQL](https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository#enabling-code-scanning-using-actions), [LGTM (deprecated)](https://lgtm.com), [SonarCloud](https://sonarcloud.io)? | Medium | PAT, GITHUB_TOKEN | Unsupported | -[Security-Policy](docs/checks.md#security-policy) | Does the project contain a [security policy](https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository)? 
| Medium | PAT, GITHUB_TOKEN | Validating | -[Signed-Releases](docs/checks.md#signed-releases) | Does the project cryptographically [sign releases](https://wiki.debian.org/Creating%20signed%20GitHub%20releases)? | High | PAT, GITHUB_TOKEN | Validating | -[Token-Permissions](docs/checks.md#token-permissions) | Does the project declare GitHub workflow tokens as [read only](https://docs.github.com/en/actions/reference/authentication-in-a-workflow)? | High | PAT, GITHUB_TOKEN | Unsupported | -[Vulnerabilities](docs/checks.md#vulnerabilities) | Does the project have unfixed vulnerabilities? Uses the [OSV service](https://osv.dev). | High | PAT, GITHUB_TOKEN | Validating | -[Webhooks](docs/checks.md#webhooks) | Does the webhook defined in the repository have a token configured to authenticate the origins of requests? | Critical | maintainer PAT (`admin: repo_hook` or `admin> read:repo_hook` [doc](https://docs.github.com/en/rest/webhooks/repo-config#get-a-webhook-configuration-for-a-repository) | | EXPERIMENTAL +[Branch-Protection](docs/checks.md#branch-protection) | Does the project use [Branch Protection](https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/about-protected-branches) ? | High | PAT (`repo` or `repo> public_repo`), GITHUB_TOKEN | Supported (see notes) | certain settings are only supported with a maintainer PAT +[CI-Tests](docs/checks.md#ci-tests) | Does the project run tests in CI, e.g. [GitHub Actions](https://docs.github.com/en/free-pro-team@latest/actions), [Prow](https://github.com/kubernetes/test-infra/tree/master/prow)? | Low | PAT, GITHUB_TOKEN | Supported +[CII-Best-Practices](docs/checks.md#cii-best-practices) | Has the project earned an [OpenSSF (formerly CII) Best Practices Badge](https://www.bestpractices.dev) at the passing, silver, or gold level? | Low | PAT, GITHUB_TOKEN | Validating | +[Code-Review](docs/checks.md#code-review) | Does the project practice code review before code is merged? 
| High | PAT, GITHUB_TOKEN | Validating | +[Contributors](docs/checks.md#contributors) | Does the project have contributors from at least two different organizations? | Low | PAT, GITHUB_TOKEN | Validating | +[Dangerous-Workflow](docs/checks.md#dangerous-workflow) | Does the project avoid dangerous coding patterns in GitHub Action workflows? | Critical | PAT, GITHUB_TOKEN | Unsupported | +[Dependency-Update-Tool](docs/checks.md#dependency-update-tool) | Does the project use tools to help update its dependencies? | High | PAT, GITHUB_TOKEN | Unsupported | +[Fuzzing](docs/checks.md#fuzzing) | Does the project use fuzzing tools, e.g. [OSS-Fuzz](https://github.com/google/oss-fuzz), [QuickCheck](https://hackage.haskell.org/package/QuickCheck) or [fast-check](https://fast-check.dev/)? | Medium | PAT, GITHUB_TOKEN | Validating +[License](docs/checks.md#license) | Does the project declare a license? | Low | PAT, GITHUB_TOKEN | Validating | +[Maintained](docs/checks.md#maintained) | Is the project at least 90 days old, and maintained? | High | PAT, GITHUB_TOKEN | Validating | +[Pinned-Dependencies](docs/checks.md#pinned-dependencies) | Does the project declare and pin [dependencies](https://docs.github.com/en/free-pro-team@latest/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#supported-package-ecosystems)? | Medium | PAT, GITHUB_TOKEN | Validating | +[Packaging](docs/checks.md#packaging) | Does the project build and publish official packages from CI/CD, e.g. [GitHub Publishing](https://docs.github.com/en/free-pro-team@latest/actions/guides/about-packaging-with-github-actions#workflows-for-publishing-packages) ? | Medium | PAT, GITHUB_TOKEN | Validating | +[SAST](docs/checks.md#sast) | Does the project use static code analysis tools, e.g. 
[CodeQL](https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository#enabling-code-scanning-using-actions), [SonarCloud](https://sonarcloud.io)? | Medium | PAT, GITHUB_TOKEN | Unsupported | +[Security-Policy](docs/checks.md#security-policy) | Does the project contain a [security policy](https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository)? | Medium | PAT, GITHUB_TOKEN | Validating | +[Signed-Releases](docs/checks.md#signed-releases) | Does the project cryptographically [sign releases](https://wiki.debian.org/Creating%20signed%20GitHub%20releases)? | High | PAT, GITHUB_TOKEN | Validating | +[Token-Permissions](docs/checks.md#token-permissions) | Does the project declare GitHub workflow tokens as [read only](https://docs.github.com/en/actions/reference/authentication-in-a-workflow)? | High | PAT, GITHUB_TOKEN | Unsupported | +[Vulnerabilities](docs/checks.md#vulnerabilities) | Does the project have unfixed vulnerabilities? Uses the [OSV service](https://osv.dev). | High | PAT, GITHUB_TOKEN | Validating | +[Webhooks](docs/checks.md#webhooks) | Does the webhook defined in the repository have a token configured to authenticate the origins of requests? | Critical | maintainer PAT (`admin: repo_hook` or `admin> read:repo_hook` [doc](https://docs.github.com/en/rest/webhooks/repo-config#get-a-webhook-configuration-for-a-repository) | | EXPERIMENTAL ### Detailed Checks Documentation diff --git a/checks/raw/sast.go b/checks/raw/sast.go index 77f11e9e1ae..3c59817ba1d 100644 --- a/checks/raw/sast.go +++ b/checks/raw/sast.go @@ -40,7 +40,6 @@ var errInvalid = errors.New("invalid") var sastTools = map[string]bool{ "github-advanced-security": true, "github-code-scanning": true, - "lgtm-com": true, "sonarcloud": true, "sonarqubecloud": true, } 
diff --git a/checks/raw/sast_test.go b/checks/raw/sast_test.go index d93348558de..10b2c539538 100644 --- a/checks/raw/sast_test.go +++ b/checks/raw/sast_test.go @@ -167,14 +167,14 @@ func TestSAST(t *testing.T) { Status: "completed", Conclusion: "success", App: clients.CheckRunApp{ - Slug: "lgtm-com", + Slug: "github-code-scanning", }, }, { Status: "completed", Conclusion: "success", App: clients.CheckRunApp{ - Slug: "lgtm-com", + Slug: "github-code-scanning", }, }, }, diff --git a/checks/sast_test.go b/checks/sast_test.go index 990a8f3e017..01e1309530c 100644 --- a/checks/sast_test.go +++ b/checks/sast_test.go @@ -115,32 +115,6 @@ func Test_SAST(t *testing.T) { NumberOfDebug: 1, }, }, - { - name: "Successful SAST checker should return success status for lgtm", - commits: []clients.Commit{ - { - AssociatedMergeRequest: clients.PullRequest{ - MergedAt: time.Now().Add(time.Hour - 1), - }, - }, - }, - searchresult: clients.SearchResponse{}, - checkRuns: []clients.CheckRun{ - { - Status: "completed", - Conclusion: "success", - App: clients.CheckRunApp{ - Slug: "lgtm-com", - }, - }, - }, - path: "", - expected: scut.TestReturn{ - Score: checker.MaxResultScore, - NumberOfInfo: 1, - NumberOfDebug: 1, - }, - }, { name: "Successful SAST checker should return success status for sonarcloud", commits: []clients.Commit{ @@ -200,14 +174,14 @@ func Test_SAST(t *testing.T) { Status: "completed", Conclusion: "success", App: clients.CheckRunApp{ - Slug: "lgtm-com", + Slug: "github-code-scanning", }, }, { Status: "completed", Conclusion: "success", App: clients.CheckRunApp{ - Slug: "lgtm-com", + Slug: "github-code-scanning", }, }, }, @@ -235,14 +209,14 @@ func Test_SAST(t *testing.T) { Status: "completed", Conclusion: "wrongConclusionValue", App: clients.CheckRunApp{ - Slug: "lgtm-com", + Slug: "github-code-scanning", }, }, { Status: "completed", Conclusion: "success", App: clients.CheckRunApp{ - Slug: "lgtm-com", + Slug: "github-code-scanning", }, }, }, 
@@ -275,14 +249,14 @@ func Test_SAST(t *testing.T) { Status: "notCompletedForTestingOnly", Conclusion: "notSuccessForTestingOnly", App: clients.CheckRunApp{ - Slug: "lgtm-com", + Slug: "github-code-scanning", }, }, { Status: "notCompletedForTestingOnly", Conclusion: "notSuccessForTestingOnly", App: clients.CheckRunApp{ - Slug: "lgtm-com", + Slug: "github-code-scanning", }, }, }, diff --git a/docs/checks.md b/docs/checks.md index 3c9325711cb..9850ef3fa62 100644 --- a/docs/checks.md +++ b/docs/checks.md @@ -532,8 +532,7 @@ codebase. The checks currently looks for known GitHub apps such as [CodeQL](https://codeql.github.com/) (github-code-scanning) or [SonarCloud](https://sonarcloud.io/) in the recent (~30) merged PRs, or the use -of "github/codeql-action" in a GitHub workflow. It also checks for the deprecated -[LGTM](https://lgtm.com/) service until its forthcoming shutdown. +of "github/codeql-action" in a GitHub workflow. Note: A project that fulfills this criterion with other tools may still receive a low score on this test. There are many ways to implement SAST, and it is diff --git a/docs/checks/internal/checks.yaml b/docs/checks/internal/checks.yaml index bab6591a16f..37bf55fcd9d 100644 --- a/docs/checks/internal/checks.yaml +++ b/docs/checks/internal/checks.yaml @@ -549,8 +549,7 @@ checks: The checks currently looks for known GitHub apps such as [CodeQL](https://codeql.github.com/) (github-code-scanning) or [SonarCloud](https://sonarcloud.io/) in the recent (~30) merged PRs, or the use - of "github/codeql-action" in a GitHub workflow. It also checks for the deprecated - [LGTM](https://lgtm.com/) service until its forthcoming shutdown. + of "github/codeql-action" in a GitHub workflow. Note: A project that fulfills this criterion with other tools may still receive a low score on this test. There are many ways to implement SAST, and it is
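Review bot: In the README table hunk only the SAST row actually changes (the "[LGTM (deprecated)](https://lgtm.com)" example is dropped), yet every row from Branch-Protection through Webhooks is removed and re-added; if those rows differ only in trailing whitespace, trim the hunk to the SAST row so the change stays reviewable. While those rows are being touched anyway: the Webhooks row's "maintainer PAT (`admin: repo_hook` or `admin> read:repo_hook` [doc](...)" never closes its parenthesis, and the CI-Tests and Fuzzing rows lack the trailing "|" that every other row carries, so the table renders unevenly.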
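Review bot: Removing "lgtm-com" from the sastTools map in checks/raw/sast.go is a scoring change rather than cleanup: a repository whose only SAST evidence is lgtm-com check runs will score lower on the SAST check after this lands, so the change should be called out in the release notes or changelog ("LGTM is no longer recognised as a SAST tool") rather than landing silently with the doc edits. It is also worth grepping for any remaining "lgtm" references (comments, docs, sample configs) beyond the README, checks.md and checks.yaml hunks in this patch.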
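Review bot: The checks/sast_test.go hunk deletes the case "Successful SAST checker should return success status for lgtm" but adds no negative counterpart; add a case with a check run of Slug: "lgtm-com" that expects the score the checker gives when no recognised tool is found, so a future re-addition (or a typo'd slug in the map) is caught. The remaining cases in both test files simply swap "lgtm-com" for "github-code-scanning" in every check run, which keeps their intent, but note that after this change "github-code-scanning" appears in several cases whose names no longer say which tool they exercise; renaming them would help the next reader.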
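Review bot: The docs/checks.md and docs/checks/internal/checks.yaml hunks make the identical edit, and the matching wording suggests checks.md is generated from checks.yaml; if so, regenerate checks.md with the repository's doc generator rather than hand-editing both, otherwise the two will drift on the next change. The sentence these hunks leave in place, "The checks currently looks for known GitHub apps such as", has a subject-verb mismatch ("The check currently looks for"); since the paragraph is already being edited, fix it in checks.yaml in the same change.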