-
Notifications
You must be signed in to change notification settings - Fork 42
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add back the trusty rule_type and an example to profile.yaml (#1488)
I'm pretty sure this must have been a bad rebase of commit 20dfa79 which seems to have removed the trusty rule_type. Oops. Also let's add an example to profile.yaml
- Loading branch information
Showing
2 changed files
with
58 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| --- | ||
| version: v1 | ||
| type: rule-type | ||
| name: pr_trusty_check | ||
| context: | ||
| provider: github | ||
| description: Verifies that pull requests do not add any dependencies with low Trusty scores | ||
| guidance: | | ||
| For every pull request submitted to a repository, this rule will check if the pull request | ||
| adds a new dependency with a low Trusty score. If a dependency with a low | ||
| score is added, the PR will commented on or even rejected, depending on the configuration. | ||
| def: | ||
| in_entity: pull_request | ||
| rule_schema: | ||
| type: object | ||
| properties: | ||
| action: | ||
| type: string | ||
| description: "The action to take if a package with a low score is found." | ||
| enum: | ||
| # the evaluator engine will merely pass on an error, marking the profile as failed if a packages with low scores is found | ||
| - profile_only | ||
| # the evaluator engine will add a single summary comment with a table listing the packages with low scores found | ||
| - summary | ||
| default: review | ||
| ecosystem_config: | ||
| type: array | ||
| description: "The configuration for the ecosystems to check." | ||
| items: | ||
| type: object | ||
| properties: | ||
| name: | ||
| type: string | ||
| description: "The name of the ecosystem to check. Currently only `npm` and `pypi` are supported." | ||
| pi_threshold: | ||
| type: number | ||
| description: "The minimum Trusty score for a dependency to be considered safe." | ||
| default: 5 | ||
| ingest: | ||
| type: diff | ||
| diff: | ||
| ecosystems: | ||
| - name: npm | ||
| depfile: package-lock.json | ||
| - name: pypi | ||
| depfile: requirements.txt | ||
| # Defines the configuration for evaluating data ingested against the given profile | ||
| eval: | ||
| type: trusty | ||
| trusty: {} |