wip: fix for #802

ossf · Aug 25, 2021 · 05d3cc2 · 05d3cc2
1 parent 8cf95c4
commit 05d3cc2
Showing 1 changed file with 16 additions and 3 deletions.
diff --git a/checks/pinned_dependencies.go b/checks/pinned_dependencies.go
@@ -16,12 +16,11 @@ package checks
 
 import (
  "fmt"
+ "gopkg.in/yaml.v3"
  "regexp"
  "strings"
 
  "github.com/moby/buildkit/frontend/dockerfile/parser"
- "gopkg.in/yaml.v2"
-
  "github.com/ossf/scorecard/v2/checker"
  sce "github.com/ossf/scorecard/v2/errors"
 )
@@ -517,12 +516,26 @@ func validateGitHubActionWorkflow(pathfn string, content []byte,
 
  hashRegex := regexp.MustCompile(`^.*@[a-f\d]{40,}`)
  ret := true
+ gh := true
  for jobName, job := range workflow.Jobs {
  if len(job.Name) > 0 {
  jobName = job.Name
  }
  for _, step := range job.Steps {
  if len(step.Uses) > 0 {
+ // check whether we have github related action
+ // either action/ or github/
+ ghaction := regexp.MustCompile(`(actions/)`)
+ ghgithub := regexp.MustCompile(`(github/)`)
+
+ maction := ghaction.Match([]byte(step.Uses))
+ mgithub := ghgithub.Match([]byte(step.Uses))
+
+ if (!maction) && (!mgithub) {
+ fmt.Println("not matched either action/ or github/")
+ gh = false
+ }
+
  // Ensure a hash at least as large as SHA1 is used (40 hex characters).
  // Example: action-name@hash
  match := hashRegex.Match([]byte(step.Uses))
@@ -534,7 +547,7 @@ func validateGitHubActionWorkflow(pathfn string, content []byte,
  }
  }
 
- addPinnedResult(pdata, ret)
+ addPinnedResult(pdata, (ret && gh))
  return true, nil
 }