Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

✨ Structured results for permissions #2584

Merged
merged 38 commits into from
Jan 31, 2023

Conversation

laurentsimon
Copy link
Contributor

@laurentsimon laurentsimon commented Jan 6, 2023

This PR is the first of a series to implement the structured results. It starts with the permission check.

This PR is very large because it includes not just the permission check's changes, but also all the needed changes to incorporate the structured results. Fortunately, the majority of files changes are small fixes to change package names.

The main changes to review:

  1. rule/ package. This takes a directory with a list of *.yml files. Each yml file contains the information for a rule.
  2. A check is composed of multiple rules
  3. finding is a finding. It uses the rule to create a finding, and additional information such as a location, snippet, etc. provided by a check.This is eventually displayed to users
  4. pkg is updated to use the structured results
  5. A new format extended-json for the --format option is used. The SCORECARD_EXPERIMENTAL=1 must be set to enable it.

An example result looks like the following:
SCORECARD_EXPERIMENTAL=1 go run . --repo=GoogleCloudPlatform/rad-lab --format extended-json --show-details --checks Token-Permissions | jq

{
  "date": "2023-01-06",
  "repo": {
    "name": "github.com/GoogleCloudPlatform/rad-lab",
    "commit": "4a94eb550a8fee9fd2e57a0ddaa70ded65903acb"
  },
  "scorecard": {
    "version": "(devel)",
    "commit": "unknown"
  },
  "score": 0,
  "checks": [
    {
      "risk": "High",
      "outcome": "Negative",
      "score": 0,
      "reason": "non read-only tokens detected in GitHub workflows",
      "name": "Token-Permissions",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions",
        "short": "Determines if the project's workflows follow the principle of least privilege."
      }
      "findings": [
        {
          "rule": "GitHubWorkflowPermissionsTopNoWrite",
          "outcome": "Negative",
          "risk": "High",
          "message": "topLevel 'contents' permission set to 'write'",
          "location": {
            "type": 1,
            "value": ".github/workflows/build-module-readme.yml",
            "lineStart": 28,
            "snippet": "write"
          },
          "remediation": {
            "text": "Update your workflow using https://app.stepsecurity.io/secureworkflow/GoogleCloudPlatform/rad-lab/build-module-readme.yml/main?enable=permissions",
            "markdown": "Update your workflow using [https://app.stepsecurity.io/secureworkflow](https://app.stepsecurity.io/secureworkflow/GoogleCloudPlatform/rad-lab/build-module-readme.yml/main?enable=permissions).",
            "effort": "Low"
          }
        },
        {
          "rule": "GitHubWorkflowPermissionsTopNoWrite",
          "outcome": "Positive",
          "risk": "High",
          "message": "topLevel 'contents' permission set to 'read'",
          "location": {
            "type": 1,
            "value": ".github/workflows/check-tf-plan.yml",
            "lineStart": 30
          }
        },
...
    

There are several TODOS in the code which I will create a tracking issue for once the review is complete.

Structured results for permissions

@spencerschrock
Copy link
Member

Still need to go through this, but WDUT about using the new extended-json format to implement #2577. Rules could also have numeric IDs?

A new results format would be a good time to add it since backwards compatibility isn't a concern.

@laurentsimon
Copy link
Contributor Author

laurentsimon commented Jan 6, 2023

Still need to go through this, but WDUT about using the new extended-json format to implement #2577. Rules could also have numeric IDs?

A new results format would be a good time to add it since backwards compatibility isn't a concern.

The rule names are essentially ruleID that are more explicit than numbers. I can definitely add a number, but we have to be sure we don't get collision, ie we need some proper pre-submit to verify this over time. (at least in the current implementation because rule files are stored in a folder named after the check, here permissions/*.yml). If we want to stored all files i a single folder, it becomes easier. I've kept the rules in different folders to simplify reviewing which rules are used in which check. I certainly need some feedback about this decision...

@joycebrum
Copy link
Contributor

Regarding the

...
"remediation": {
  "text": "Update your workflow using https://app.stepsecurity.io/secureworkflow/GoogleCloudPlatform/rad-lab/build-module-readme.yml/main?enable=permissions",
  "markdown": "Update your workflow using [https://app.stepsecurity.io/secureworkflow](https://app.stepsecurity.io/secureworkflow/GoogleCloudPlatform/rad-lab/build-module-readme.yml/main?enable=permissions).",
  "effort": "Low"
}
...

Is it possible to also suggest a direct remediation instruction? It has happened that a maintainer didn't like the tool and got confused about which options to enable to fix the check and though the remediation was also saying to enable Harden Runner which he didn't seem to want.

Maybe with a remediation like "Update your workflow by adding contents: read permission or using [...]", we would not rely fully on the step security tool and the maintainer can rather fix himself.

In this case, for example, the https://app.stepsecurity.io/secureworkflow/GoogleCloudPlatform/rad-lab/build-module-readme.yml/main?enable=permissions does not fix the contents: write permission to contents: read, so the maintainer could ended up confused on what the check would be expecting from him since the stepsecurity itself didn't change anything.

step security tool not changing the contents write option to read

In the print above I've selected the pin dependencies just to show that the changes should be applied.

@laurentsimon
Copy link
Contributor Author

Regarding the

...
"remediation": {
  "text": "Update your workflow using https://app.stepsecurity.io/secureworkflow/GoogleCloudPlatform/rad-lab/build-module-readme.yml/main?enable=permissions",
  "markdown": "Update your workflow using [https://app.stepsecurity.io/secureworkflow](https://app.stepsecurity.io/secureworkflow/GoogleCloudPlatform/rad-lab/build-module-readme.yml/main?enable=permissions).",
  "effort": "Low"
}
...

Is it possible to also suggest a direct remediation instruction? It has happened that a maintainer didn't like the tool and got confused about which options to enable to fix the check and though the remediation was also saying to enable Harden Runner which he didn't seem to want.

Maybe with a remediation like "Update your workflow by adding contents: read permission or using [...]", we would not rely fully on the step security tool and the maintainer can rather fix himself.

In this case, for example, the https://app.stepsecurity.io/secureworkflow/GoogleCloudPlatform/rad-lab/build-module-readme.yml/main?enable=permissions does not fix the contents: write permission to contents: read, so the maintainer could ended up confused on what the check would be expecting from him since the stepsecurity itself didn't change anything.

step security tool not changing the contents write option to read

In the print above I've selected the pin dependencies just to show that the changes should be applied.

Thanks for the feedback. One issue of asking users to fix the top-level themselves is that some of the steps may require write permissions, so their workflow would break after an update. If I update the remediation to explicitly ask to users to untick harden runner and pinned deps, would it be OK?

@laurentsimon
Copy link
Contributor Author

qq:

  1. do we want to keep the score for this format?
  2. do we want to "flatten" the results and remove the "checks": and instead only provide a list of findings: []finding? If so, we may still need to check field in the findings to indicate to users which check the result belongs to

@laurentsimon
Copy link
Contributor Author

Regarding the

...
"remediation": {
  "text": "Update your workflow using https://app.stepsecurity.io/secureworkflow/GoogleCloudPlatform/rad-lab/build-module-readme.yml/main?enable=permissions",
  "markdown": "Update your workflow using [https://app.stepsecurity.io/secureworkflow](https://app.stepsecurity.io/secureworkflow/GoogleCloudPlatform/rad-lab/build-module-readme.yml/main?enable=permissions).",
  "effort": "Low"
}
...

Is it possible to also suggest a direct remediation instruction? It has happened that a maintainer didn't like the tool and got confused about which options to enable to fix the check and though the remediation was also saying to enable Harden Runner which he didn't seem to want.
Maybe with a remediation like "Update your workflow by adding contents: read permission or using [...]", we would not rely fully on the step security tool and the maintainer can rather fix himself.
In this case, for example, the https://app.stepsecurity.io/secureworkflow/GoogleCloudPlatform/rad-lab/build-module-readme.yml/main?enable=permissions does not fix the contents: write permission to contents: read, so the maintainer could ended up confused on what the check would be expecting from him since the stepsecurity itself didn't change anything.
step security tool not changing the contents write option to read
In the print above I've selected the pin dependencies just to show that the changes should be applied.

Thanks for the feedback. One issue of asking users to fix the top-level themselves is that some of the steps may require write permissions, so their workflow would break after an update. If I update the remediation to explicitly ask to users to untick harden runner and pinned deps, would it be OK?

@varunsh-coder there seems to be a bug in the webpage: the contents: write is not removed? Is it because you don't know which permissions the Actions used in steps require?

@joycebrum
Copy link
Contributor

Thanks for the feedback. One issue of asking users to fix the top-level themselves is that some of the steps may require write permissions, so their workflow would break after an update. If I update the remediation to explicitly ask to users to untick harden runner and pinned deps, would it be OK?

I think it would still be fully dependent of the tool, but it would be much better because it will be clear to the user what he was supposed to use in the tool to fix the check. Something like

Update your workflow using the "Restrict permissions for GITHUB_TOKEN" at <link>

Or maybe adding the "fix it yourself as a turn around" with something like:

Update your workflow using <link> or set the permission default to read (`contents: read`) giving write permissions only to jobs

Both options I think would be great.

@laurentsimon
Copy link
Contributor Author

laurentsimon commented Jan 9, 2023

Thanks for the feedback. One issue of asking users to fix the top-level themselves is that some of the steps may require write permissions, so their workflow would break after an update. If I update the remediation to explicitly ask to users to untick harden runner and pinned deps, would it be OK?

I think it would still be fully dependent of the tool, but it would be much better because it will be clear to the user what he was supposed to use in the tool to fix the check. Something like

Update your workflow using the "Restrict permissions for GITHUB_TOKEN" at <link>

Or maybe adding the "fix it yourself as a turn around" with something like:

Update your workflow using <link> or set the permission default to read (`contents: read`) giving write permissions only to jobs

Both options I think would be great.

That's very helpful, thanks. I realize I did not explain well. Can you take a look at the changes I made? You can edit the PR yourself as well by using the branch on my repo, so feel free to make additional changes you think would be meaningful. Let me know once you've made the changes. Thanks!

@varunsh-coder
Copy link
Contributor

varunsh-coder commented Jan 9, 2023

Regarding the

...
"remediation": {
  "text": "Update your workflow using https://app.stepsecurity.io/secureworkflow/GoogleCloudPlatform/rad-lab/build-module-readme.yml/main?enable=permissions",
  "markdown": "Update your workflow using [https://app.stepsecurity.io/secureworkflow](https://app.stepsecurity.io/secureworkflow/GoogleCloudPlatform/rad-lab/build-module-readme.yml/main?enable=permissions).",
  "effort": "Low"
}
...

Is it possible to also suggest a direct remediation instruction? It has happened that a maintainer didn't like the tool and got confused about which options to enable to fix the check and though the remediation was also saying to enable Harden Runner which he didn't seem to want.
Maybe with a remediation like "Update your workflow by adding contents: read permission or using [...]", we would not rely fully on the step security tool and the maintainer can rather fix himself.
In this case, for example, the https://app.stepsecurity.io/secureworkflow/GoogleCloudPlatform/rad-lab/build-module-readme.yml/main?enable=permissions does not fix the contents: write permission to contents: read, so the maintainer could ended up confused on what the check would be expecting from him since the stepsecurity itself didn't change anything.
step security tool not changing the contents write option to read
In the print above I've selected the pin dependencies just to show that the changes should be applied.

Thanks for the feedback. One issue of asking users to fix the top-level themselves is that some of the steps may require write permissions, so their workflow would break after an update. If I update the remediation to explicitly ask to users to untick harden runner and pinned deps, would it be OK?

@varunsh-coder there seems to be a bug in the webpage: the contents: write is not removed? Is it because you don't know which permissions the Actions used in steps require?

@laurentsimon as of now, if a workflow already has permissions defined at the top level, we do not change it. We just give a message that it already has permissions. I can take an action item to re-evaluate the permissions if they are present and suggest better permissions, if possible.

Also, regarding checkboxes, we can come up with a way to only show the option as per the query string, e.g. for token permissions, only show that and not the other boxes. That might be better than adding documentation to not select other options. We have also added more remediations via pull-request, e.g. to add dependabot config and CodeQL. Should we discuss this remediation experience in one of the upcoming Scorecard community meetings?

Copy link
Contributor

@joycebrum joycebrum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some improvements/fixes to the steps write permission response.

Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: laurentsimon <laurentsimon@google.com>
@github-actions
Copy link

Integration tests success for
[3622896]
(https://github.com/ossf/scorecard/actions/runs/4047513898)

Signed-off-by: laurentsimon <laurentsimon@google.com>
@laurentsimon laurentsimon temporarily deployed to integration-test January 31, 2023 01:47 — with GitHub Actions Inactive
@github-actions
Copy link

Integration tests success for
[7fc0e6f]
(https://github.com/ossf/scorecard/actions/runs/4049926149)

@laurentsimon laurentsimon merged commit 2ea140a into ossf:main Jan 31, 2023
@laurentsimon laurentsimon added this to the Structured results milestone Feb 2, 2023
raghavkaul pushed a commit to raghavkaul/scorecard that referenced this pull request Feb 9, 2023
* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* Update checks/evaluation/permissions/GitHubWorkflowPermissionsTopNoWrite.yml

Co-authored-by: Joyce <joycebrumu.u@gmail.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* Update checks/evaluation/permissions/GitHubWorkflowPermissionsStepsNoWrite.yml

Co-authored-by: Joyce <joycebrumu.u@gmail.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>

* Update checks/evaluation/permissions/GitHubWorkflowPermissionsStepsNoWrite.yml

Co-authored-by: Joyce <joycebrumu.u@gmail.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>

* Update checks/evaluation/permissions/GitHubWorkflowPermissionsStepsNoWrite.yml

Co-authored-by: Joyce <joycebrumu.u@gmail.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

---------

Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Co-authored-by: Joyce <joycebrumu.u@gmail.com>
Shofiya2003 pushed a commit to Shofiya2003/scorecard that referenced this pull request Mar 10, 2023
* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* Update checks/evaluation/permissions/GitHubWorkflowPermissionsTopNoWrite.yml

Co-authored-by: Joyce <joycebrumu.u@gmail.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* Update checks/evaluation/permissions/GitHubWorkflowPermissionsStepsNoWrite.yml

Co-authored-by: Joyce <joycebrumu.u@gmail.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>

* Update checks/evaluation/permissions/GitHubWorkflowPermissionsStepsNoWrite.yml

Co-authored-by: Joyce <joycebrumu.u@gmail.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>

* Update checks/evaluation/permissions/GitHubWorkflowPermissionsStepsNoWrite.yml

Co-authored-by: Joyce <joycebrumu.u@gmail.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

---------

Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Co-authored-by: Joyce <joycebrumu.u@gmail.com>
Signed-off-by: Shofiya2003 <shofiyabootwala@gmail.com>
Shofiya2003 pushed a commit to Shofiya2003/scorecard that referenced this pull request Mar 10, 2023
* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* Update checks/evaluation/permissions/GitHubWorkflowPermissionsTopNoWrite.yml

Co-authored-by: Joyce <joycebrumu.u@gmail.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* Update checks/evaluation/permissions/GitHubWorkflowPermissionsStepsNoWrite.yml

Co-authored-by: Joyce <joycebrumu.u@gmail.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>

* Update checks/evaluation/permissions/GitHubWorkflowPermissionsStepsNoWrite.yml

Co-authored-by: Joyce <joycebrumu.u@gmail.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>

* Update checks/evaluation/permissions/GitHubWorkflowPermissionsStepsNoWrite.yml

Co-authored-by: Joyce <joycebrumu.u@gmail.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

---------

Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Co-authored-by: Joyce <joycebrumu.u@gmail.com>
Signed-off-by: Shofiya2003 <shofiyabootwala@gmail.com>
raghavkaul pushed a commit to raghavkaul/scorecard that referenced this pull request Apr 4, 2023
* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* Update checks/evaluation/permissions/GitHubWorkflowPermissionsTopNoWrite.yml

Co-authored-by: Joyce <joycebrumu.u@gmail.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* Update checks/evaluation/permissions/GitHubWorkflowPermissionsStepsNoWrite.yml

Co-authored-by: Joyce <joycebrumu.u@gmail.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>

* Update checks/evaluation/permissions/GitHubWorkflowPermissionsStepsNoWrite.yml

Co-authored-by: Joyce <joycebrumu.u@gmail.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>

* Update checks/evaluation/permissions/GitHubWorkflowPermissionsStepsNoWrite.yml

Co-authored-by: Joyce <joycebrumu.u@gmail.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

---------

Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Co-authored-by: Joyce <joycebrumu.u@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants