🌱 Add support for prow for CI and SAST checks #4897
Conversation
Signed-off-by: Adam Korczynski <adam@adalogics.com>
Codecov Report
❌ Patch coverage is
Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4897      +/-   ##
==========================================
+ Coverage   66.80%   67.49%   +0.68%
==========================================
  Files         230      252      +22
  Lines       16602    15968     -634
==========================================
- Hits        11091    10777     -314
+ Misses       4808     4325     -483
- Partials      703      866     +163
… logs Signed-off-by: Adam Korczynski <adam@adalogics.com>
Signed-off-by: Adam Korczynski <adam@adalogics.com>
Signed-off-by: Adam Korczynski <adam@adalogics.com>
I assume you mean Code-Review?
Do we need to worry about rate limiting? How widely used is Prow, is this limited to certain LF projects? Only K8s? I haven't looked at the implementation yet, but is there any chance of splitting these into their components? Or are the changes largely intertwined?

This pull request has been marked stale because it has been open for 10 days with no activity
What kind of change does this PR introduce?
This adds support for Prow for the Code review check and the SAST check. It allows Scorecard to consider approvals in the format that Prow users leave, as well as whether security SAST tools run in Prow. Scorecard already had limited support for this but does not extract the reviews to consider them in the CI check. This PR fixes that.

The CI fix is fairly simple. The SAST fix has a bit more to it; it allows Scorecard to parse Prow config files and look for SAST tools. A limitation in this is that most projects don't place their Prow config files in the same repository. As such, this won't work with a lot of projects; however, I think we should leave it since there may be projects with which it will work. In addition, it will be easy to add support for projects to specify where their Prow configuration file is.

The PR also adds support for reading Prow CI logs and looking for the invocation of security SAST tools. This requires Scorecard to first get the URL of the logs, download them and then scan them. The log scanning part could be optimized in the future, but it does a fair job for now. For example, when I run it on Kubernetes (see below), I only see that it runs golangci, which seems correct, judging from the logs, its workflows and this old comment indicating that Kubernetes does not run the popular gosec.

This can be tested on Kubernetes:
Before this PR:
After this PR:
What is the current behavior?
What is the new behavior (if this is a feature change)?
Which issue(s) this PR fixes
Special notes for your reviewer
Does this PR introduce a user-facing change?
For user-facing changes, please add a concise, human-readable release note to the release-note block. (In particular, describe what changes users might need to make in their application as a result of this pull request.)