diff --git a/.github/workflows/dev.yml b/.github/workflows/dev.yml index 133ddf0f..c98fd6fa 100644 --- a/.github/workflows/dev.yml +++ b/.github/workflows/dev.yml @@ -19,26 +19,6 @@ jobs: - name: __all__ run: nix-env -if . && m . __all__ - linux_calculatescorecard: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 - - uses: docker://docker.io/nixos/nix@sha256:c3db4c484f6b1ee6c9bb8ca90307cfbeca8ef88156840911356a677eeaff4845 - name: /calculateScorecard - env: - GITHUB_TOKEN: ${{ github.token }} - with: - args: sh -c "chown -R root:root /github/workspace && nix-env -if . && m . /calculateScorecard" - macos_calculatescorecard: - runs-on: macos-latest - steps: - - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 - - uses: cachix/install-nix-action@6ed004b9ccb68dbc28e7c85bee15fa93dbd214ac - - name: /calculateScorecard - env: - GITHUB_TOKEN: ${{ github.token }} - run: nix-env -if . && m . /calculateScorecard - linux_deployTerraform_module: runs-on: ubuntu-latest steps: diff --git a/.github/workflows/prod.yml b/.github/workflows/prod.yml index ed273769..e2156640 100644 --- a/.github/workflows/prod.yml +++ b/.github/workflows/prod.yml 
@@ -94,28 +94,6 @@ jobs: env: CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} - linux_calculatescorecard: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 - - uses: docker://docker.io/nixos/nix@sha256:c3db4c484f6b1ee6c9bb8ca90307cfbeca8ef88156840911356a677eeaff4845 - name: /calculateScorecard - env: - GITHUB_TOKEN: ${{ github.token }} - CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} - with: - args: sh -c "chown -R root:root /github/workspace && nix-env -if . && m . /calculateScorecard" - macos_calculatescorecard: - runs-on: macos-latest - steps: - - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 - - uses: cachix/install-nix-action@6ed004b9ccb68dbc28e7c85bee15fa93dbd214ac - - name: /calculateScorecard - env: - GITHUB_TOKEN: ${{ github.token }} - CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} - run: nix-env -if . && m . /calculateScorecard - linux_deployTerraform_module: runs-on: ubuntu-latest steps: diff --git a/docs/mkdocs.yaml b/docs/mkdocs.yaml index 12fca2df..723da5be 100644 --- a/docs/mkdocs.yaml +++ b/docs/mkdocs.yaml @@ -119,7 +119,6 @@ nav: - api/builtins/format.md - api/builtins/framework-configuration.md - api/builtins/lint.md - - api/builtins/monitoring.md - api/builtins/performance.md - api/builtins/secrets.md - api/builtins/security.md diff --git a/docs/src/api/builtins/monitoring.md b/docs/src/api/builtins/monitoring.md deleted file mode 100644 index 47d6ef7b..00000000 --- a/docs/src/api/builtins/monitoring.md +++ /dev/null 
@@ -1,97 +0,0 @@
-## calculateScorecard
-
-Calculate your remote repository [Scorecard](https://github.com/ossf/scorecard).
-This module is only
-available for [GitHub](https://github.com) projects at the moment.
-
-Pre-requisites:
-
-1. To run this module you need to set up a valid `GITHUB_AUTH_TOKEN` on your
- target repository. You can set this up in your CI or locally to run this
- check on your machine.
-
-Types:
-
-- checks (`listOf str`): Optional,
- defaults to all the checks available for Scorecard:
-
- ```nix
- [
- "Branch-Protection"
- "Fuzzing"
- "License"
- "SAST"
- "Binary-Artifacts"
- "Dependency-Update-Tool"
- "Pinned-Dependencies"
- "CI-Tests"
- "Code-Review"
- "Contributors"
- "Maintained"
- "Token-Permissions"
- "Security-Policy"
- "CII-Best-Practices"
- "Dangerous-Workflow"
- "Packaging"
- "Signed-Releases"
- "Vulnerabilities"
- ]
- ```
-
-- format (`str`): Optional, defaults to JSON. This is the format which
- the scorecard will be printed. Accepted values are: `"default"` which is an
- `ASCII Table` and JSON.
-- target (`str`): Mandatory, this is the repository url where you want to run
- scorecard.
-
-Example:
-
-=== "makes.nix"
-
- ```nix
- {
- calculateScorecard = {
- checks = [ "SAST" ];
- enable = true;
- format = "json"
- target = "github.com/fluidattacks/makes";
- };
- }
- ```
-
-=== "Invocation"
-
- ```bash
- m . /calculateScorecard
- ...
- [INFO] Calculating Scorecard
- {
- "date": "2022-02-28",
- "repo": {
- "name": "github.com/fluidattacks/makes",
- "commit": "739dcdc0513c29de67406e543e1392ea194b3452"
- },
- "scorecard": {
- "version": "4.0.1",
- "commit": "c60b66bbc8b85286416d6ab9ae9324a095e66c94"
- },
- "score": 5,
- "checks": [
- {
- "details": [
- "Warn: 16 commits out of 30 are checked with a SAST tool",
- "Warn: CodeQL tool not detected"
- ],
- "score": 5,
- "reason": "SAST tool is not run on all commits -- score normalized to 5",
- "name": "SAST",
- "documentation": {
- "url": "https://github.com/ossf/scorecard/blob/c60b66bbc8b85286416d6ab9ae9324a095e66c94/docs/checks.md#sast",
- "short": "Determines if the project uses static code analysis."
- }
- }
- ],
- "metadata": null
- }
- [INFO] Aggregate score: 5
- ```
diff --git a/makes.nix b/makes.nix
index bad13d30..c6bd88de 100644
--- a/makes.nix
+++ b/makes.nix
@@ -14,10 +14,6 @@
 };
 };
 };
- calculateScorecard = {
- enable = true;
- target = "github.com/fluidattacks/makes";
- };
 deployContainer = {
 makesAmd64 = {
 credentials = {
diff --git a/src/args/agnostic.nix b/src/args/agnostic.nix
index 47a59b28..77485c75 100644
--- a/src/args/agnostic.nix
+++ b/src/args/agnostic.nix
@@ -27,7 +27,6 @@ let
 attrsMerge = builtins.foldl' __nixpkgs__.lib.recursiveUpdate { };
 attrsOptional = __nixpkgs__.lib.optionalAttrs;
 calculateCvss3 = import ./calculate-cvss-3/default.nix self;
- calculateScorecard = import ./calculate-scorecard/default.nix self;
 chunks = import ./chunks/default.nix self;
 computeOnAwsBatch = import ./compute-on-aws-batch/default.nix self;
 deployContainer = import ./deploy-container/default.nix self;
diff --git a/src/args/calculate-scorecard/default.nix b/src/args/calculate-scorecard/default.nix
deleted file mode 100644
index 1d81d591..00000000
--- a/src/args/calculate-scorecard/default.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{ __nixpkgs__, makeScript, ... }:
-{ checks, format, target, ... }:
-makeScript {
- entrypoint = ./entrypoint.sh;
- name = "calculate-scorecard";
- replace = {
- __argChecks__ = checks;
- __argFormat__ = format;
- __argTarget__ = target;
- };
- searchPaths.bin = [
- __nixpkgs__.coreutils
- __nixpkgs__.gnugrep
- __nixpkgs__.jq
- __nixpkgs__.scorecard
- ];
-}
diff --git a/src/args/calculate-scorecard/entrypoint.sh b/src/args/calculate-scorecard/entrypoint.sh
deleted file mode 100644
index 29455fd7..00000000
--- a/src/args/calculate-scorecard/entrypoint.sh
+++ /dev/null
@@ -1,46 +0,0 @@
-# shellcheck shell=bash
-
-function main {
- local result
- local target=__argTarget__
- local format=__argFormat__
- local checks=__argChecks__
- local checks_len=("${checks}")
-
- info Calculating Scorecard \
- && temp="$(mktemp)" \
- && if test "${format}" == "json"; then
- if (("${#checks_len[@]}")); then
- scorecard --repo="${target}" --checks="${checks}" --format="${format}" --show-details > "${temp}" \
- && jq < "${temp}" \
- && result="$(jq '.score' < "${temp}")" \
- && info Aggregate score: "${result}"
- else
- scorecard --repo="${target}" --format="${format}" --show-details > "${temp}" \
- && result="$(jq '.score' < "${temp}")" \
- && info Aggregate score: "${result}"
- fi
- elif test "${format}" == "default"; then
- if (("${#checks_len[@]}")); then
- scorecard --repo="${target}" --checks="${checks}" --format="${format}" --show-details > "${temp}" \
- && cat "${temp}" \
- && result="$(grep -oP '(?<=Aggregate score: )[0-9]+([.][0-9]+)?' < "${temp}")" \
- && info Aggregate score: "${result}"
- else
- scorecard --repo="${target}" --format="${format}" --show-details > "${temp}" \
- && cat "${temp}" \
- && result="$(grep -oP '(?<=Aggregate score: )[0-9]+([.][0-9]+)?' < "${temp}")" \
- && info Aggregate score: "${result}"
- fi
- else
- critical invalid output format: "${format}" valid formats are: default, json
- fi \
- && if test "${result/.*/}" -lt 10; then
- error Scorecard check failed
- else
- return 0
- fi
-
-}
-
-main "${@}"
diff --git a/src/evaluator/modules/calculate-scorecard/default.nix b/src/evaluator/modules/calculate-scorecard/default.nix
deleted file mode 100644
index d3b83bc6..00000000
--- a/src/evaluator/modules/calculate-scorecard/default.nix
+++ /dev/null
@@ -1,36 +0,0 @@
-{ __nixpkgs__, calculateScorecard, ... }:
-{ config, lib, ... }: {
- options = {
- calculateScorecard = {
- checks = lib.mkOption {
- default = [ ];
- type = lib.types.listOf lib.types.str;
- };
- enable = lib.mkOption {
- default = false;
- type = lib.types.bool;
- };
- format = lib.mkOption {
- default = "json";
- type = lib.types.str;
- };
- target = lib.mkOption {
- default = "";
- type = lib.types.str;
- };
- };
- };
- config = {
- outputs = {
- "/calculateScorecard" = lib.mkIf config.calculateScorecard.enable
- (calculateScorecard {
- checks = if config.calculateScorecard.checks == [ ] then
- config.calculateScorecard.checks
- else
- builtins.concatStringsSep "," config.calculateScorecard.checks;
- inherit (config.calculateScorecard) format;
- inherit (config.calculateScorecard) target;
- });
- };
- };
-}
diff --git a/src/evaluator/modules/default.nix b/src/evaluator/modules/default.nix
index e2b0d630..e8d58530 100644
--- a/src/evaluator/modules/default.nix
+++ b/src/evaluator/modules/default.nix
@@ -2,7 +2,6 @@
 , toFileJson, ... }@args: {
 imports = [
 (import ./cache/default.nix args)
- (import ./calculate-scorecard/default.nix args)
 (import ./compute-on-aws-batch/default.nix args)
 (import ./dev/default.nix args)
 (import ./deploy-container/default.nix args)