Merge pull request #195 from safedep/chore/vet-integrate-vet

ci: Add vet for vetting PR
2025-12-10 00:22:08 -06:00 · 2024-04-01 15:49:34 +05:30 · 2024-04-01 15:49:34 +05:30 · 948b411a6e
commit 948b411a6e
parent c4fcab47d1 ab3ee44b6d
3 changed files with 76 additions and 0 deletions
--- a/.github/vet/policy.yml
+++ b/.github/vet/policy.yml
@ -0,0 +1,42 @@
+name: SafeDep vet OSS suite
+description: |
+  Customized filter suite for vet vetting vet.
+tags:
+  - general
+  - safedep-vet
+filters:
+  - name: critical-or-high-vulns
+    check_type: CheckTypeVulnerability
+    summary: Critical or high risk vulnerabilities were found
+    value: |
+      vulns.critical.exists(p, true) || vulns.high.exists(p, true)
+  - name: low-popularity
+    check_type: CheckTypePopularity
+    summary: Component popularity is low by Github stars count
+    value: |
+      projects.exists(p, (p.type == "GITHUB") && (p.stars < 10))
+  - name: risky-oss-licenses
+    check_type: CheckTypeLicense
+    summary: Risky OSS license was detected
+    value: |
+      licenses.exists(p, p == "GPL-2.0") ||
+      licenses.exists(p, p == "GPL-2.0-only") ||
+      licenses.exists(p, p == "GPL-3.0") ||
+      licenses.exists(p, p == "GPL-3.0-only") ||
+      licenses.exists(p, p == "BSD-3-Clause OR GPL-2.0")
+  - name: ossf-unmaintained
+    check_type: CheckTypeMaintenance
+    summary: Component appears to be unmaintained
+    value: |
+      scorecard.scores["Maintained"] == 0
+  - name: osv-malware
+    check_type: CheckTypeMalware
+    summary: Malicious (malware) component detected
+    value: |
+      vulns.all.exists(v, v.id.startsWith("MAL-"))
+  - name: ossf-dangerous-workflow
+    check_type: CheckTypeSecurityScorecard
+    summary: Component release pipeline appear to use dangerous workflows
+    value: |
+      scorecard.scores["Dangerous-Workflow"] == 0
+
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -29,6 +29,10 @@ jobs:
        env:
          VET_E2E: true

+          # Used to avoid rate limiting issue while running
+          # test suites that use GitHub API
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
  run-e2e:
    timeout-minutes: 30
    runs-on: ubuntu-latest
--- a/.github/workflows/vet-ci.yml
+++ b/.github/workflows/vet-ci.yml
@ -0,0 +1,30 @@
+name: vet OSS Components
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+  issues: write
+  pull-requests: write
+  security-events: write
+
+jobs:
+  vet:
+    name: vet
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@v4
+
+      - name: Run vet
+        uses: safedep/vet-action@v1
+        with:
+          policy: .github/vet/policy.yml
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}