Skip to content

Commit 1e839d7

Browse files
committed
chore: bootstrap code-signal scanner
0 parents  commit 1e839d7

44 files changed

Lines changed: 8958 additions & 0 deletions

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.bestpractices.json

Lines changed: 171 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,171 @@
1+
{
2+
"$schema": "https://bestpractices.coreinfrastructure.org/projects.schema.json",
3+
"_comment": "OpenSSF Best Practices autofill metadata for RandomCodeSpace/code-signal. Project page: https://www.bestpractices.dev/projects/13445.",
4+
"project_id": 13445,
5+
"name": "code-signal",
6+
"description": "Built-in, offline code quality scanner that reports aggregate static-analysis signals for polyglot repositories without external analyzers or telemetry.",
7+
"homepage_url": "https://github.com/RandomCodeSpace/code-signal",
8+
"repo_url": "https://github.com/RandomCodeSpace/code-signal",
9+
"license": "MIT",
10+
"level": "passing",
11+
12+
"description_good_status": "Met",
13+
"description_good_justification": "README.md describes code-signal as a standalone offline scanner, explains the problem it solves, and lists the built-in aggregate signals it reports.",
14+
15+
"interact_status": "Met",
16+
"interact_justification": "README.md documents how to obtain, build, run, and configure the CLI. GitHub Issues and Pull Requests are used for feedback and changes.",
17+
18+
"contribution_status": "Met",
19+
"contribution_justification": "CONTRIBUTING.md documents the branch strategy, PR process, required checks, and test policy.",
20+
"contribution_url": "https://github.com/RandomCodeSpace/code-signal/blob/main/CONTRIBUTING.md",
21+
22+
"contribution_requirements_status": "Met",
23+
"contribution_requirements_justification": "CONTRIBUTING.md requires feature branches, pull requests, conventional commit subjects, Go tests, vet, scanner self-checks, and behavior tests for changes.",
24+
"contribution_requirements_url": "https://github.com/RandomCodeSpace/code-signal/blob/main/CONTRIBUTING.md",
25+
26+
"floss_license_status": "Met",
27+
"floss_license_justification": "The project is released under the MIT License, an OSI-approved FLOSS license.",
28+
"floss_license_osi_status": "Met",
29+
"floss_license_osi_justification": "MIT is OSI-approved.",
30+
"license_location_status": "Met",
31+
"license_location_justification": "The full MIT License text is in the top-level LICENSE file.",
32+
"license_location_url": "https://github.com/RandomCodeSpace/code-signal/blob/main/LICENSE",
33+
34+
"documentation_basics_status": "Met",
35+
"documentation_basics_justification": "README.md covers installation, build from source, quickstart commands, exit-code policy, configuration, supported languages, and privacy/security constraints.",
36+
"documentation_interface_status": "Met",
37+
"documentation_interface_justification": "README.md documents the external CLI interface: scan, diff, detect, doctor, JSON mode, timeout/config options, config schema, and report contract.",
38+
39+
"sites_https_status": "Met",
40+
"sites_https_justification": "The project website, repository, Best Practices page, and GitHub release/download URLs use HTTPS.",
41+
"discussion_status": "Met",
42+
"discussion_justification": "GitHub Issues and Pull Requests provide searchable, URL-addressable public discussion.",
43+
"english_status": "Met",
44+
"english_justification": "README.md, CONTRIBUTING.md, SECURITY.md, CHANGELOG.md, workflows, code comments, and public project communication are in English.",
45+
"maintained_status": "Met",
46+
"maintained_justification": "The repository is actively maintained on main, with CI/security checks and SECURITY.md response targets.",
47+
48+
"repo_public_status": "Met",
49+
"repo_public_justification": "Source is publicly readable on GitHub at https://github.com/RandomCodeSpace/code-signal.",
50+
"repo_track_status": "Met",
51+
"repo_track_justification": "Git records who changed what and when. Main is protected after bootstrap.",
52+
"repo_interim_status": "Met",
53+
"repo_interim_justification": "CONTRIBUTING.md requires feature branches and pull requests for review before merge to main.",
54+
"repo_distributed_status": "Met",
55+
"repo_distributed_justification": "The project uses Git, a distributed version control system.",
56+
57+
"version_unique_status": "Met",
58+
"version_unique_justification": "Releases use immutable SemVer git tags such as v0.1.0 and GitHub Releases generated by release-go.yml.",
59+
"version_semver_status": "Met",
60+
"version_semver_justification": "The release workflow is tag-triggered on vX.Y.Z SemVer tags.",
61+
"version_tags_status": "Met",
62+
"version_tags_justification": "release-go.yml is triggered by pushed SemVer tags and publishes artifacts for that tag.",
63+
"release_notes_status": "Met",
64+
"release_notes_justification": "GitHub Releases are used for human-readable release notes. CHANGELOG.md records unreleased changes.",
65+
"release_notes_url": "https://github.com/RandomCodeSpace/code-signal/releases",
66+
"release_notes_vulns_status": "Met",
67+
"release_notes_vulns_justification": "SECURITY.md requires confirmed security fixes to be documented through the security advisory and release process.",
68+
69+
"report_process_status": "Met",
70+
"report_process_justification": "GitHub Issues are used for non-security bugs. SECURITY.md documents private vulnerability reporting.",
71+
"report_process_url": "https://github.com/RandomCodeSpace/code-signal/issues",
72+
"report_tracker_status": "Met",
73+
"report_tracker_justification": "GitHub Issues tracks individual bug reports and enhancements.",
74+
"report_responses_status": "Met",
75+
"report_responses_justification": "SECURITY.md and CONTRIBUTING.md document response and triage expectations; there are no stale public reports at bootstrap.",
76+
"enhancement_responses_status": "Met",
77+
"enhancement_responses_justification": "Enhancements are tracked through GitHub Issues and Pull Requests; there are no stale enhancement requests at bootstrap.",
78+
"report_archive_status": "Met",
79+
"report_archive_justification": "GitHub Issues and Pull Requests remain publicly searchable and URL-addressable after closure.",
80+
"report_archive_url": "https://github.com/RandomCodeSpace/code-signal/issues",
81+
82+
"vulnerability_report_process_status": "Met",
83+
"vulnerability_report_process_justification": "SECURITY.md documents private vulnerability reporting through GitHub advisories or maintainer email.",
84+
"vulnerability_report_process_url": "https://github.com/RandomCodeSpace/code-signal/blob/main/SECURITY.md",
85+
"vulnerability_report_private_status": "Met",
86+
"vulnerability_report_private_justification": "SECURITY.md directs reporters to GitHub private vulnerability reporting and a private email fallback.",
87+
"vulnerability_report_response_status": "Met",
88+
"vulnerability_report_response_justification": "SECURITY.md targets acknowledgement within 72 hours and triage within 7 days.",
89+
90+
"build_status": "Met",
91+
"build_justification": "The project builds from source with the standard Go toolchain: go build ./cmd/scanner. CI and release-go.yml run the same build path.",
92+
"build_common_tools_status": "Met",
93+
"build_common_tools_justification": "The build uses Go modules and the Go toolchain, common FLOSS tools for Go projects.",
94+
"build_floss_tools_status": "Met",
95+
"build_floss_tools_justification": "Go, GitHub Actions, Goreleaser, Syft, Cosign, and the security scanners used by CI are FLOSS or free OSS tooling.",
96+
97+
"test_status": "Met",
98+
"test_justification": "The repository includes Go unit/integration tests and documents go test ./... in README.md and CONTRIBUTING.md.",
99+
"test_invocation_status": "Met",
100+
"test_invocation_justification": "The standard Go command go test ./... runs the test suite locally and in CI.",
101+
"test_most_status": "Met",
102+
"test_most_justification": "Tests cover CLI exit behavior, config parsing, language detection, aggregate reporting, duplicate detection, scoring, local git snapshots, offline guards, and performance guards.",
103+
"test_continuous_integration_status": "Met",
104+
"test_continuous_integration_justification": ".github/workflows/go-ci.yml runs tests on push and pull_request to main.",
105+
"test_policy_status": "Met",
106+
"test_policy_justification": "CONTRIBUTING.md requires tests for behavior changes and scanner rule changes.",
107+
"tests_are_added_status": "Met",
108+
"tests_are_added_justification": "Recent scanner behavior changes include corresponding Go tests for config rejection, exit codes, language detection, and built-in rule behavior.",
109+
"tests_documented_added_status": "Met",
110+
"tests_documented_added_justification": "CONTRIBUTING.md documents the test policy for new behavior.",
111+
112+
"warnings_status": "Met",
113+
"warnings_justification": "go-ci.yml runs go vet, staticcheck, gosec, and govulncheck.",
114+
"warnings_fixed_status": "Met",
115+
"warnings_fixed_justification": "CI gates require vet, tests, staticcheck, gosec, and govulncheck to pass before merge.",
116+
"warnings_strict_status": "Met",
117+
"warnings_strict_justification": "CI treats vet/staticcheck/gosec/govulncheck failures as job failures.",
118+
119+
"know_secure_design_status": "Met",
120+
"know_secure_design_justification": "SECURITY.md documents the local-only threat model, no-network/no-telemetry constraint, aggregate-only output contract, and vulnerability response process.",
121+
"know_common_errors_status": "Met",
122+
"know_common_errors_justification": "Security CI runs Semgrep OWASP/security-audit/golang rules, gosec, govulncheck, OSV-Scanner, Trivy, and Gitleaks.",
123+
124+
"crypto_published_status": "N/A",
125+
"crypto_published_justification": "code-signal does not implement cryptographic protocols or algorithms for application security.",
126+
"crypto_call_status": "N/A",
127+
"crypto_call_justification": "The project does not implement custom cryptography.",
128+
"crypto_floss_status": "N/A",
129+
"crypto_floss_justification": "No project-specific cryptographic functionality is shipped.",
130+
"crypto_keylength_status": "N/A",
131+
"crypto_keylength_justification": "The project does not configure cryptographic key lengths.",
132+
"crypto_working_status": "Met",
133+
"crypto_working_justification": "The scanner does not depend on broken cryptographic algorithms for security. It avoids runtime network transport entirely.",
134+
"crypto_weaknesses_status": "Met",
135+
"crypto_weaknesses_justification": "No weak cryptographic protocol is used by the scanner runtime.",
136+
"crypto_pfs_status": "N/A",
137+
"crypto_pfs_justification": "code-signal is a local CLI and does not terminate network sessions.",
138+
"crypto_password_storage_status": "N/A",
139+
"crypto_password_storage_justification": "code-signal does not authenticate users or store passwords.",
140+
"crypto_random_status": "N/A",
141+
"crypto_random_justification": "The scanner does not generate cryptographic keys or nonces.",
142+
143+
"delivery_mitm_status": "Met",
144+
"delivery_mitm_justification": "Source and release artifacts are distributed over HTTPS by GitHub. Release checksums are signed with Sigstore keyless signing in .goreleaser.yml.",
145+
"delivery_unsigned_status": "Met",
146+
"delivery_unsigned_justification": "Release checksums are signed by Cosign and release artifacts include SHA-256 checksums.",
147+
"vulnerabilities_fixed_60_days_status": "Met",
148+
"vulnerabilities_fixed_60_days_justification": "SECURITY.md requires confirmed high/critical vulnerabilities to be fixed before normal feature work; CI includes OSV, Trivy, Semgrep, gosec, govulncheck, and Gitleaks gates.",
149+
"vulnerabilities_critical_fixed_status": "Met",
150+
"vulnerabilities_critical_fixed_justification": "High/critical findings from CI security tools block merge and SECURITY.md prioritizes confirmed high/critical issues.",
151+
"no_leaked_credentials_status": "Met",
152+
"no_leaked_credentials_justification": "Gitleaks scans the full git history in security.yml, and .gitignore excludes common secret file patterns.",
153+
154+
"static_analysis_status": "Met",
155+
"static_analysis_justification": "go-ci.yml runs staticcheck, gosec, and govulncheck. security.yml runs Semgrep security-audit, OWASP Top 10, and Go rules. sonarcloud.yml analyzes project key RandomCodeSpace_code-signal when SONAR_TOKEN is configured.",
156+
"static_analysis_common_vulnerabilities_status": "Met",
157+
"static_analysis_common_vulnerabilities_justification": "SonarCloud, Semgrep OWASP/security-audit/golang, gosec, govulncheck, OSV-Scanner, and Trivy cover common vulnerability classes for Go and repository configuration.",
158+
"static_analysis_fixed_status": "Met",
159+
"static_analysis_fixed_justification": "Static-analysis jobs fail CI and must be fixed before protected-branch merge.",
160+
"static_analysis_often_status": "Met",
161+
"static_analysis_often_justification": "Static analysis runs on push, pull_request, and weekly scheduled security scans; SonarCloud runs on push and pull_request when SONAR_TOKEN is configured.",
162+
163+
"dynamic_analysis_status": "Unmet",
164+
"dynamic_analysis_justification": "No fuzzing or DAST pipeline is currently configured. The project is a local CLI with no public network service.",
165+
"dynamic_analysis_unsafe_status": "N/A",
166+
"dynamic_analysis_unsafe_justification": "The project is written in memory-safe Go and CGO is disabled for release builds.",
167+
"dynamic_analysis_enable_assertions_status": "N/A",
168+
"dynamic_analysis_enable_assertions_justification": "Go does not use assertion-enable runtime modes comparable to C/C++ or JVM assertion flags for this project.",
169+
"dynamic_analysis_fixed_status": "Met",
170+
"dynamic_analysis_fixed_justification": "Any future exploitable vulnerability found by dynamic analysis would be handled under SECURITY.md and branch-protection remediation gates."
171+
}

.github/dependabot.yml

Lines changed: 35 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,35 @@
1+
version: 2
2+
updates:
3+
- package-ecosystem: "gomod"
4+
directory: "/"
5+
schedule:
6+
interval: "weekly"
7+
day: "monday"
8+
time: "08:00"
9+
timezone: "Etc/UTC"
10+
open-pull-requests-limit: 10
11+
labels:
12+
- "type:dependencies"
13+
- "area:go"
14+
commit-message:
15+
prefix: "chore(deps)"
16+
include: "scope"
17+
18+
- package-ecosystem: "github-actions"
19+
directory: "/"
20+
schedule:
21+
interval: "weekly"
22+
day: "monday"
23+
time: "08:00"
24+
timezone: "Etc/UTC"
25+
open-pull-requests-limit: 5
26+
labels:
27+
- "type:dependencies"
28+
- "area:ci"
29+
commit-message:
30+
prefix: "chore(actions)"
31+
include: "scope"
32+
groups:
33+
actions:
34+
patterns:
35+
- "*"

.github/workflows/go-ci.yml

Lines changed: 43 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,43 @@
1+
name: go-ci
2+
3+
on:
4+
push:
5+
branches: [main]
6+
pull_request:
7+
branches: [main]
8+
# No paths filter: if branch protection marks this required, skipped
9+
# workflows leave PRs waiting for a status that never reports.
10+
11+
permissions:
12+
contents: read
13+
14+
jobs:
15+
go:
16+
name: vet / test / staticcheck / gosec / govulncheck
17+
runs-on: ubuntu-latest
18+
env:
19+
CGO_ENABLED: "0"
20+
steps:
21+
- name: Checkout
22+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
23+
- name: Setup Go
24+
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
25+
with:
26+
go-version: '1.26.2'
27+
cache: true
28+
- name: go vet
29+
run: go vet ./...
30+
- name: go test (race)
31+
run: go test ./... -race -count=1
32+
- name: staticcheck
33+
run: |
34+
go install honnef.co/go/tools/cmd/staticcheck@latest
35+
"$(go env GOPATH)/bin/staticcheck" ./...
36+
- name: gosec
37+
run: |
38+
go install github.com/securego/gosec/v2/cmd/gosec@latest
39+
"$(go env GOPATH)/bin/gosec" -quiet ./...
40+
- name: govulncheck
41+
run: |
42+
go install golang.org/x/vuln/cmd/govulncheck@latest
43+
"$(go env GOPATH)/bin/govulncheck" ./...

.github/workflows/perf-gate.yml

Lines changed: 47 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,47 @@
1+
name: perf-gate
2+
3+
on:
4+
push:
5+
branches: [main]
6+
pull_request:
7+
branches: [main]
8+
workflow_dispatch:
9+
10+
permissions:
11+
contents: read
12+
13+
jobs:
14+
bench:
15+
name: scanner self-check
16+
runs-on: ubuntu-latest
17+
env:
18+
CGO_ENABLED: "0"
19+
MAX_SCAN_SECONDS: "10"
20+
steps:
21+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
22+
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
23+
with:
24+
go-version: '1.26.2'
25+
cache: true
26+
- name: Build code-signal
27+
run: go build -trimpath -o /tmp/scanner ./cmd/scanner
28+
- name: Run scanner self-check
29+
run: |
30+
set -euo pipefail
31+
START=$(date +%s)
32+
/tmp/scanner scan . --json > /tmp/code-signal-scan.json
33+
END=$(date +%s)
34+
ELAPSED=$((END - START))
35+
test -s /tmp/code-signal-scan.json
36+
grep -q '"score"' /tmp/code-signal-scan.json
37+
{
38+
echo "## code-signal self-check"
39+
echo ""
40+
echo "| metric | value | budget |"
41+
echo "|---|---:|---:|"
42+
echo "| scan wall-clock (s) | ${ELAPSED} | <= ${MAX_SCAN_SECONDS} |"
43+
} >> "$GITHUB_STEP_SUMMARY"
44+
if [ "$ELAPSED" -gt "$MAX_SCAN_SECONDS" ]; then
45+
echo "::error::scan wall-clock ${ELAPSED}s exceeds budget ${MAX_SCAN_SECONDS}s"
46+
exit 1
47+
fi

.github/workflows/release-go.yml

Lines changed: 47 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,47 @@
1+
name: release-go
2+
3+
on:
4+
push:
5+
tags:
6+
- 'v*.*.*'
7+
workflow_dispatch:
8+
inputs:
9+
tag:
10+
description: 'Tag to release, e.g. v0.1.0. Must already exist.'
11+
required: true
12+
13+
permissions:
14+
contents: write
15+
id-token: write
16+
packages: write
17+
attestations: write
18+
19+
jobs:
20+
release:
21+
name: release
22+
runs-on: ubuntu-latest
23+
env:
24+
CGO_ENABLED: "0"
25+
steps:
26+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
27+
with:
28+
fetch-depth: 0
29+
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
30+
with:
31+
go-version: '1.26.2'
32+
cache: true
33+
- name: Install Syft
34+
uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
35+
- name: Install Cosign
36+
uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
37+
- uses: goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8 # v7.2.1
38+
with:
39+
distribution: goreleaser
40+
version: '~> v2'
41+
args: release --clean
42+
env:
43+
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
44+
- name: Attest release artifacts
45+
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
46+
with:
47+
subject-path: 'dist/code-signal_*.tar.gz'

.github/workflows/scorecard.yml

Lines changed: 45 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,45 @@
1+
name: Scorecard supply-chain security
2+
3+
on:
4+
push:
5+
branches: [main]
6+
schedule:
7+
- cron: "0 6 * * 1"
8+
workflow_dispatch:
9+
10+
permissions: read-all
11+
12+
jobs:
13+
analysis:
14+
name: Scorecard analysis
15+
runs-on: ubuntu-latest
16+
permissions:
17+
security-events: write
18+
id-token: write
19+
contents: read
20+
actions: read
21+
steps:
22+
- name: Harden runner egress
23+
uses: step-security/harden-runner@9ca718d3bf646d6534007c269a635b3e54cadf99 # v2.19.0
24+
with:
25+
egress-policy: audit
26+
- name: Checkout code
27+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
28+
with:
29+
persist-credentials: false
30+
- name: Run Scorecard analysis
31+
uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
32+
with:
33+
results_file: results.sarif
34+
results_format: sarif
35+
publish_results: true
36+
- name: Upload Scorecard SARIF artifact
37+
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4.6.2
38+
with:
39+
name: scorecard-sarif
40+
path: results.sarif
41+
retention-days: 5
42+
- name: Upload SARIF to GitHub code scanning
43+
uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v3.35.2
44+
with:
45+
sarif_file: results.sarif

0 commit comments

Comments
 (0)