stacklok / trusty-action Goto Github PK

See lukehinds/demo-repo-go#3 (comment)

URLs are rendered as: https://www.trustypkg.dev/go/golang.org/x/sys

They should be: https://www.trustypkg.dev/go/golang.org%2Fx%2Fsys (or at least that is how the search function in trusty renders them).

Currently the report is expanded all the time. It can be difficult to read if there are hundreds of dependencies. We can have an initial summary table with the failure/success, then expanded on demand.

We can make the dep fail only if the global score is less than a threshold, but we still can show information about the dependency, malicious, deprecation, etc...

Surface the provenance data into the github comment.

Display sigstore provenance if it has it, if not render some useful information about historical provenance (details of tags etc

If sigstore provenance is in the payload, display the provenance data in a similar to trusty:

Source repo:
https://github.com/sigstore/sigstore-js
GitHub Action Workflow:
.github/workflows/release.yml
Issuer:
CN=sigstore-intermediate,O=sigstore.dev
Rekor Public Ledger:
https://search.sigstore.dev/?logIndex=83491949

If historical provenance is in the payload, display the data in a similar to trusty:

There is an archive flag we can use:

    "archived": false,

requests=0.0.1 works
requests fails as it creates an empty array which is passed to the trusty API call.

When a malicious package is found, it needs to be more obvious, as it is an important blocker

Allow the ability to perform a full trusty scan on pushes or a regular schedule.

Also reformat the report for each of the dependencies to make it more compact

Currently we fail the action, based on the overall trusty score

Perhaps we could also have other thresholds to fail if:

• typosquatting
• provenance (historical / sigstore)