✨ Update message for org-level security policy files #1939
Integration tests success for |
Codecov Report

```diff
@@            Coverage Diff             @@
##             main    #1939      +/-   ##
==========================================
+ Coverage   50.79%   53.85%   +3.06%
==========================================
  Files          83       83
  Lines        6719     6729      +10
==========================================
+ Hits         3413     3624     +211
+ Misses       3078     2870     -208
- Partials      228      235       +7
```
Some pre-submits are failing, PTAL https://github.com/ossf/scorecard/runs/6598997286?check_suite_focus=true . If you see errors like
this is a known problem. Let me know if all other pre-submits are failing and I'll merge in
**What kind of change does this PR introduce?**

Introduce a non-breaking feature.

**What is the current behavior?**

As described in #1908, the org-defined security policy file is reported as `SECURITY.md` instead of `github.com/org/.github/SECURITY.md`.

**What is the new behavior (if this is a feature change)?**

Scorecards can report more granular information/messages for an org-defined (global) security policy as `github.com/ORG_NAME/.github/SECURITY.md` in the detailed logger.

No new unit tests have been added for this specific bug fix since (1) the changes don't affect the original correct judgment logic of the security policy file; (2) the root cause for this bug is trivial: when an org-defined security policy is detected, it doesn't set the `file.Type` to `4` (a URL), and the `file.Path` is not filled with the client URI (instead, it is just a file path in the repo with `file.Type=1`).

Manual test cases like `go run . --repo=aidenwang9867/scorecard --format json --checks Security-Policy --show-details --verbosity debug | jq` (security policy in repo) and `go run . --repo=aidenwang9867/vld --format json --checks Security-Policy --show-details --verbosity debug | jq` (security policy in org) can be used to verify the correctness of my changes.

`checks/security_policy_test.go`)

**Which issue(s) this PR fixes**

#1908

**Special notes for your reviewer**

N/A

**Does this PR introduce a user-facing change?**

No.
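To make the reporting distinction in the description concrete, here is a small stand-alone Go example written for this page; it is not scorecard's own implementation and does not touch its API. The `FileType` constants (1 for an in-repo path, 4 for a URL), the accepted policy paths, the `host`/`owner` parameters and the `LocateSecurityPolicy`/`Describe` names are all assumptions for illustration. It goes slightly beyond the PR text by making the in-repo policy take precedence over the org-level one and by matching file names case-insensitively.

```go
package main

import (
	"fmt"
	"strings"
)

// FileType distinguishes a path inside the scanned repository from a
// location outside it. The numeric values mirror the ones quoted in the PR
// description (1 for an in-repo path, 4 for a URL) but are assumptions for
// this example, not scorecard's own constants.
type FileType int

const (
	FileTypeSource FileType = 1 // path relative to the repository root
	FileTypeURL    FileType = 4 // fully qualified location, e.g. the org's .github repo
)

// PolicyFile is what the detail logger would report for the located policy.
type PolicyFile struct {
	Type FileType
	Path string
}

// securityPolicyPaths are the in-repo locations this example accepts; the
// list is an assumption for the example, not the project's official set.
var securityPolicyPaths = []string{"SECURITY.md", ".github/SECURITY.md", "docs/SECURITY.md"}

// isSecurityPolicy matches a file path against the accepted policy names,
// case-insensitively, so "security.md" and "Security.MD" are both found.
func isSecurityPolicy(path string) bool {
	for _, candidate := range securityPolicyPaths {
		if strings.EqualFold(path, candidate) {
			return true
		}
	}
	return false
}

// LocateSecurityPolicy first looks for a policy in the repository itself and
// only then falls back to the organization-level ".github" repository.
// host and owner are the platform host (e.g. "github.com") and the repo owner;
// repoFiles and orgFiles are the file listings of the two repositories.
// An in-repo hit keeps the bare path (FileTypeSource); an org-level hit is
// rewritten to a URL-style path (FileTypeURL) so the report shows where the
// policy really lives instead of a bare "SECURITY.md".
func LocateSecurityPolicy(host, owner string, repoFiles, orgFiles []string) (PolicyFile, bool) {
	for _, f := range repoFiles {
		if isSecurityPolicy(f) {
			return PolicyFile{Type: FileTypeSource, Path: f}, true
		}
	}
	for _, f := range orgFiles {
		if isSecurityPolicy(f) {
			return PolicyFile{
				Type: FileTypeURL,
				Path: fmt.Sprintf("%s/%s/.github/%s", host, owner, f),
			}, true
		}
	}
	return PolicyFile{}, false
}

// Describe renders the detail message; the wording is this example's own.
func Describe(p PolicyFile, found bool) string {
	switch {
	case !found:
		return "security policy file not detected"
	case p.Type == FileTypeURL:
		return "security policy file found at organization level: " + p.Path
	default:
		return "security policy file found: " + p.Path
	}
}

func main() {
	// Constructed file listings standing in for the two repositories.
	repoWithPolicy := []string{"README.md", "SECURITY.md", "go.mod"}
	repoWithout := []string{"README.md", "go.mod"}
	orgDotGithub := []string{"CODEOWNERS", "SECURITY.md"}

	p, ok := LocateSecurityPolicy("github.com", "aidenwang9867", repoWithPolicy, orgDotGithub)
	fmt.Println(Describe(p, ok)) // in-repo policy wins over the org-level one

	p, ok = LocateSecurityPolicy("github.com", "aidenwang9867", repoWithout, orgDotGithub)
	fmt.Println(Describe(p, ok)) // org fallback, reported as a URL-style path

	p, ok = LocateSecurityPolicy("github.com", "aidenwang9867", repoWithout, nil)
	fmt.Println(Describe(p, ok)) // nothing found in either place
}
```

The point the PR makes is visible in the second call: the org-level result carries `FileTypeURL` and the full `host/owner/.github/...` path, whereas the bug described above would have left it as `FileTypeSource` with the bare file name, making an org-wide policy indistinguishable from one committed to the repository.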