stacklok / trusty-action
Trusty Dependency Risk Action
Home Page: https://trustypkg.dev/
License: Apache License 2.0

See lukehinds/demo-repo-go#3 (comment)
URLs are rendered as: https://www.trustypkg.dev/go/golang.org/x/sys
They should be: https://www.trustypkg.dev/go/golang.org%2Fx%2Fsys (or at least that is how the search function in trusty renders them).

Currently the report is expanded all the time. It can be difficult to read if there are hundreds of dependencies. We can have an initial summary table with the failure/success, then expanded on demand.
We can make the dep fail only if the global score is less than a threshold, but we still can show information about the dependency: malicious, deprecation, etc.

Surface the provenance data into the GitHub comment.
Display sigstore provenance if it has it; if not, render some useful information about historical provenance (details of tags etc.).
If sigstore provenance is in the payload, display the provenance data in a similar way to trusty:
Source repo:
https://github.com/sigstore/sigstore-js
GitHub Action Workflow:
.github/workflows/release.yml
Issuer:
CN=sigstore-intermediate,O=sigstore.dev
Rekor Public Ledger:
https://search.sigstore.dev/?logIndex=83491949
If historical provenance is in the payload, display the data in a similar way to trusty.
There is an archive flag we can use:
"archived": false,

requests=0.0.1 works.
requests fails, as it creates an empty array which is passed to the trusty API call.
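The two parsing problems reported above (a Go module path that must be percent-encoded into one URL path segment, and a bare package name with no version that ends up as an empty array) share one fix: parse each entry into a name plus optional version, and encode the name with encodeURIComponent when building the Trusty URL. The following TypeScript is an added example, not trusty-action's own code; the "name=version" entry format, the newline/comma separators, the ecosystem path segment and the www.trustypkg.dev base URL are assumptions taken from the issue text, not the action's real input contract.

```typescript
// Added example (not trusty-action's own code). Assumptions: entries look like
// "name=version" or "name", separated by newlines or commas, and the Trusty page
// URL is https://www.trustypkg.dev/<ecosystem>/<encoded package name>.

interface Dependency {
  name: string;
  version?: string; // undefined when the entry carries no version
}

// Parse one entry such as "requests=0.0.1" or "requests". A version-less entry
// must still yield a dependency (name only) rather than nothing at all.
function parseDependency(entry: string): Dependency | null {
  const trimmed = entry.trim();
  if (trimmed === '') return null;          // blank line: skip, do not emit junk
  const idx = trimmed.indexOf('=');
  if (idx === -1) return { name: trimmed }; // "requests" -> name only
  const name = trimmed.slice(0, idx).trim();
  const version = trimmed.slice(idx + 1).trim();
  if (name === '') return null;             // "=1.2.3" has no package name
  return version === '' ? { name } : { name, version };
}

// Parse a whole list; malformed or empty entries are dropped, never passed on
// as an empty array to the API call.
function parseDependencyList(input: string): Dependency[] {
  return input
    .split(/[\n,]/)
    .map(parseDependency)
    .filter((d): d is Dependency => d !== null);
}

// Build the Trusty page URL. The package name occupies a single path segment, so
// every "/" in a Go module path must become %2F (golang.org%2Fx%2Fsys);
// encodeURIComponent also turns the "@" of an npm scope into %40.
function trustyUrl(ecosystem: string, dep: Dependency): string {
  const base = 'https://www.trustypkg.dev'; // assumed base URL, as in the issue
  return `${base}/${encodeURIComponent(ecosystem)}/${encodeURIComponent(dep.name)}`;
}

// Constructed sample input covering the working case, the failing case and a
// Go module path that needs encoding.
const SAMPLE_INPUT = 'requests=0.0.1\nrequests\ngolang.org/x/sys=v0.17.0\n';

const parsed = parseDependencyList(SAMPLE_INPUT);
console.log(parsed);                      // three entries; the second has no version
console.log(trustyUrl('go', parsed[2]));  // .../go/golang.org%2Fx%2Fsys
```

The ecosystem segment is encoded too, for symmetry; for real input the version should be carried separately to the API rather than folded into the page URL, since the page URL shown in the issue contains no version.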

When a malicious package is found, it needs to be more obvious, as it is an important blocker.
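The report shape asked for in the issues above (an always-visible summary table, per-dependency details collapsed until needed, a pass/fail decision driven by a score threshold that still surfaces deprecation and archive flags, and a malicious finding that blocks regardless of score and is impossible to miss) can be put together as follows. This is an added TypeScript example, not trusty-action's own code; the result fields, the 0-10 score scale and the sample data are constructed assumptions, not the real Trusty API response.

```typescript
// Added example (not trusty-action's own code). The DepResult fields and the
// 0-10 score scale are assumptions; the sample data below is constructed and
// the package names in it are fictional.

interface DepResult {
  name: string;
  ecosystem: string;
  score: number;        // assumed overall score, 0-10
  malicious: boolean;
  deprecated: boolean;
  archived: boolean;    // the "archived" flag mentioned in the issue
  provenance?: string;  // one-line summary, e.g. "sigstore" or "historical"
}

interface Verdict {
  fail: boolean;
  blockers: string[];        // malicious packages: always fail, listed first
  belowThreshold: string[];  // non-malicious packages scoring under the threshold
}

// Fail on a malicious package no matter what it scores; otherwise fail only on
// the global score threshold. Everything else is informational.
function evaluate(results: DepResult[], threshold: number): Verdict {
  const blockers = results.filter(r => r.malicious).map(r => r.name);
  const belowThreshold = results
    .filter(r => !r.malicious && r.score < threshold)
    .map(r => r.name);
  return { fail: blockers.length > 0 || belowThreshold.length > 0, blockers, belowThreshold };
}

function escapeCell(s: string): string {
  return s.replace(/\|/g, '\\|'); // a "|" in a name must not break the table
}

function statusFor(r: DepResult, threshold: number): string {
  if (r.malicious) return ':rotating_light: MALICIOUS';
  if (r.score < threshold) return ':x: fail';
  return ':white_check_mark: pass';
}

// Render GitHub-flavoured Markdown: banner for blockers, compact summary table
// (worst first), then details behind <details> so large reports stay readable.
function renderReport(results: DepResult[], threshold: number): string {
  const verdict = evaluate(results, threshold);
  const sorted = [...results].sort((a, b) =>
    Number(b.malicious) - Number(a.malicious) || a.score - b.score);
  const lines: string[] = [];
  if (verdict.blockers.length > 0) {
    lines.push(`**:rotating_light: Malicious package(s) detected: ${verdict.blockers.join(', ')}. ` +
      'This blocks the merge regardless of score.**', '');
  }
  lines.push('| Dependency | Score | Status |', '|---|---|---|');
  for (const r of sorted) {
    lines.push(`| ${escapeCell(r.name)} | ${r.score.toFixed(1)} | ${statusFor(r, threshold)} |`);
  }
  lines.push('', '<details><summary>Per-dependency details</summary>', '');
  for (const r of sorted) {
    const flags = [
      r.malicious ? 'malicious' : null,
      r.deprecated ? 'deprecated' : null,
      r.archived ? 'source repo archived' : null,
    ].filter(Boolean);
    lines.push(`- **${escapeCell(r.name)}** (${r.ecosystem}) score ${r.score.toFixed(1)}` +
      (flags.length ? `; ${flags.join(', ')}` : '') +
      (r.provenance ? `; provenance: ${r.provenance}` : ''));
  }
  lines.push('', '</details>');
  return lines.join('\n');
}

// Constructed sample results; "evil-example-pkg" and "oldlib" are fictional.
const SAMPLE: DepResult[] = [
  { name: 'requests', ecosystem: 'pypi', score: 8.7, malicious: false, deprecated: false, archived: false, provenance: 'historical' },
  { name: 'golang.org/x/sys', ecosystem: 'go', score: 9.1, malicious: false, deprecated: false, archived: false, provenance: 'sigstore' },
  { name: 'evil-example-pkg', ecosystem: 'npm', score: 9.5, malicious: true, deprecated: false, archived: true },
  { name: 'oldlib', ecosystem: 'pypi', score: 3.2, malicious: false, deprecated: true, archived: true },
];

console.log(renderReport(SAMPLE, 5));
console.log(evaluate(SAMPLE, 5));
```

Note that the malicious package scores highest in the sample yet still fails and is sorted to the top; gating on the overall score alone would have let it through.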

Allow the ability to perform a full trusty scan on pushes or a regular schedule.
Also reformat the report for each of the dependencies to make it more compact.

Currently we fail the action based on the overall trusty score.
Perhaps we could also have other thresholds to fail if: