
add probe for protected branches.
Signed-off-by: Adam Korczynski <adam@adalogics.com>
AdamKorcz committed Jan 9, 2024
1 parent ba40d03 commit b05d177
Showing 6 changed files with 550 additions and 304 deletions.
26 changes: 25 additions & 1 deletion checks/evaluation/branch_protection.go
Expand Up @@ -23,6 +23,7 @@ import (
"github.com/ossf/scorecard/v4/probes/blocksDeleteOnBranches"
"github.com/ossf/scorecard/v4/probes/blocksForcePushOnBranches"
"github.com/ossf/scorecard/v4/probes/branchProtectionAppliesToAdmins"
"github.com/ossf/scorecard/v4/probes/branchesAreProtected"
"github.com/ossf/scorecard/v4/probes/dismissesStaleReviews"
"github.com/ossf/scorecard/v4/probes/requiresApproversForPullRequests"
"github.com/ossf/scorecard/v4/probes/requiresCodeOwnersReview"
Expand Down Expand Up @@ -76,6 +77,7 @@ func BranchProtection(name string,
expectedProbes := []string{
blocksDeleteOnBranches.Probe,
blocksForcePushOnBranches.Probe,
branchesAreProtected.Probe,
branchProtectionAppliesToAdmins.Probe,
dismissesStaleReviews.Probe,
requiresApproversForPullRequests.Probe,
Expand Down Expand Up @@ -111,7 +113,12 @@ func BranchProtection(name string,
// Protected field only indates that the branch matches
// one `Branch protection rules`. All settings may be disabled,
// so it does not provide any guarantees.
protected := (f.Values["branchProtected"] == 1)
protected, err := isBranchProtected(findings, branchName)
if err != nil {
e := sce.WithMessage(sce.ErrScorecardInternal, err.Error())
return checker.CreateRuntimeErrorResult(name, e)
}

if !protected && !contains(warnedBranches, branchName) {
dl.Warn(&checker.LogMessage{
Text: fmt.Sprintf("branch protection not enabled for branch '%s'", branchName),

Expand Down Expand Up @@ -196,6 +203,23 @@ func BranchProtection(name string,
}
}

func isBranchProtected(findings []finding.Finding, branchName string) (bool, error) {
for i := range findings {
f := &findings[i]
if f.Probe != branchesAreProtected.Probe {
continue
}
fBranchName, err := getBranchName(f)
if err != nil {
return false, sce.WithMessage(sce.ErrScorecardInternal, "no branch name found")
}

if fBranchName == branchName {
return f.Outcome == finding.OutcomePositive, nil
}
}
return false, sce.WithMessage(sce.ErrScorecardInternal, "could not determine whether branch is protected")

}

func getBranchName(f *finding.Finding) (string, error) {
for k := range f.Values {
if k == "branchProtected" || k == "numberOfRequiredReviewers" || k == "codeownersFiles" {
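Review bot: isBranchProtected discards the underlying error when getBranchName fails (the branch right after `fBranchName, err := getBranchName(f)`): `err` is replaced by the fixed text "no branch name found", so the reason never reaches the runtime error the caller reports; `return false, sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("no branch name found: %v", err))` keeps it, and fmt is already used in this file. The caller in BranchProtection then wraps the result a second time with `e := sce.WithMessage(sce.ErrScorecardInternal, err.Error())`, flattening an error that isBranchProtected already built as an sce error; passing it straight through as `return checker.CreateRuntimeErrorResult(name, err)` looks sufficient, assuming that helper accepts the wrapped error as-is. The Codecov annotations show none of the new lines are covered, so a table test for isBranchProtected should at least exercise a matching finding with positive and with non-positive outcome, a finding set containing no branchesAreProtected probe (which now aborts the whole check with a runtime error instead of treating the branch as unprotected), and the getBranchName failure path. The body of getBranchName continues past the end of the hunk.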
