Coder Social home page Coder Social logo

stacklok / trusty-action Goto Github PK

View Code? Open in Web Editor NEW
0.0 16.0 0.0 590 KB

Trusty Dependency Analysis Action

Home Page: https://trustypkg.dev

License: Apache License 2.0

Dockerfile 0.41% Go 99.59%
devsecops security securiy-tools software supply-chain

trusty-action's Introduction

Trusty Dependency Analysis Action

Get a security and quality analysis of your dependencies with TrustyPkg!

alt text

Features

  • Check if the dependencies are malicious, deprecated or archived
  • Assess the quality and security of your dependencies using TrustyPkg activity hueristics
  • See if it contains a source of origin to a legitimate code repository using sigstore and Trusty's historical provenance algorithm
  • Understand if the package is a possible typo squatting attack
  • Get a list of recommended alternatives to the dependency

Overview

This action takes any added dependencies within a pull request and assesses their quality using the Trusty API. If any dependencies are found to be below a certain threshold (See details below), the action will fail.

If any dependencies are malicious, deprecated, or archived, the action will also fail.

Full Language Support (inline with Trusty):

  • Python
  • JavaScript
  • Java
  • Rust
  • Go

Usage

To use this action, you can add the following to your workflow:

name: TrustyPkg Dependency Check

on:
  pull_request:
    branches:
      - main

jobs:
  trusty_pkg_check:
    runs-on: ubuntu-latest
    name: Check Dependencies with TrustyPkg
    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: TrustyPkg Action
        uses: stacklok/[email protected]
        with:
          global_threshold: 5
          provenance_threshold: 5
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Inputs

Only one input is available for this action:

score_threshold: The minimum score required for a dependency to be considered high quality. Anything below this score will fail the action.

trusty-action's People

Contributors

yrobla avatar lukehinds avatar jaormx avatar stacklokbot avatar dependabot[bot] avatar

Watchers

avatar Jakub Hrozek avatar Brian Dussault avatar avatar Puerco avatar Gabe Diaz avatar Craig McLuckie avatar Don Browne avatar Giuseppe Scuglia avatar avatar Alejandro Ponce de Leon avatar Pankaj Telang avatar James Tenniswood avatar Radoslav Dimitrov avatar Dania Valladares avatar avatar

trusty-action's Issues

Full scan support

Allow the ability to perform a full trusty scan on pushes or a regular schedule.

Extend threshold

Currently we fail the action, based on the overall trusty score

Perhaps we could also have other thresholds to fail if:

  • typosquatting
  • provenance (historical / sigstore)

Add details about provenance

Surface the provenance data into the github comment.

Display sigstore provenance if it has it, if not render some useful information about historical provenance (details of tags etc

If sigstore provenance is in the payload, display the provenance data in a similar to trusty:

Source repo:
https://github.com/sigstore/sigstore-js
GitHub Action Workflow:
.github/workflows/release.yml
Issuer:
CN=sigstore-intermediate,O=sigstore.dev
Rekor Public Ledger:
https://search.sigstore.dev/?logIndex=83491949

If historical provenance is in the payload, display the data in a similar to trusty:

Summarize package reports

Currently the report is expanded all the time. It can be difficult to read if there are hundreds of dependencies. We can have an initial summary table with the failure/success, then expanded on demand.

Do not early return for score threshold

We can make the dep fail only if the global score is less than a threshold, but we still can show information about the dependency, malicious, deprecation, etc...

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.