v1.0 release (#138)

Release v1.0
DataDog · Feb 9, 2023 · f188e6a · f188e6a
2 parents 238fdd1 + e63c872
commit f188e6a
Show file tree

Hide file tree

Showing 87 changed files with 43,391 additions and 20,989 deletions.
diff --git a/.github/workflows/guarddog.yml b/.github/workflows/guarddog.yml
@@ -0,0 +1,43 @@
+name: GuardDog
+
+on:
+  push:
+    branches:
+      - main
+      - v*
+  pull_request:
+    branches:
+      - main
+      - v*
+
+permissions:
+  contents: read
+
+jobs:
+  guarddog:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+    name: Scan dependencies
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set up Python
+        uses: actions/setup-python@v3
+        with:
+          python-version: "3.10"
+
+      - name: Install GuardDog
+        run: pip install .
+
+      - run: guarddog pypi verify requirements.txt --output-format sarif --exclude-rules repository_integrity_mismatch > guarddog.sarif
+
+      - name: Upload SARIF file for GitHub Advanced Security Dashboard
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          category: guarddog-builtin
+          sarif_file: guarddog.sarif
+
+
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
@@ -2,9 +2,13 @@ name: Semgrep scan
 
 on:
   push:
-    branches: ["main"]
+    branches:
+      - main
+      - v*
   pull_request:
-    branches: [ "main" ]
+    branches:
+      - main
+      - v*
 
 permissions:
   contents: read

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -4,9 +4,11 @@ on:
   push:
     branches:
       - main
+      - v*
   pull_request:
     branches:
       - main
+      - v*
 
 permissions:
   contents: read
@@ -25,6 +27,7 @@ jobs:
         run: |
           python -m pip install --upgrade pip
           pip install -r requirements.txt
+          pip install -r requirements-dev.txt
       - name: Type check with mypy
         run: make type-check
 
@@ -40,6 +43,7 @@ jobs:
         run: |
           python -m pip install --upgrade pip
           pip install -r requirements.txt
+          pip install -r requirements-dev.txt
       - name: Lint with flake8
         run: make lint
 
@@ -56,12 +60,16 @@ jobs:
       run: |
         python -m pip install --upgrade pip
         pip install -r requirements.txt
+        pip install -r requirements-dev.txt
     - name: Semgrep rules unit tests
       run: make test-semgrep-rules
     - name: Python unit tests
       run: make test-metadata-rules
     - name: Core unit tests
       run: make test-core
+    - name: Report coverage
+      run: make coverage-report
+
 
   integration-tests:
     runs-on: ubuntu-latest
@@ -81,13 +89,17 @@ jobs:
           pip install .
 
       - name: Run GuardDog against a remote package
-        run: guarddog scan requests
+        run: guarddog pypi scan requests
+
+      - name: Run GuardDog against a remote package
+        run: guarddog npm scan express
 
       - name: Run GuardDog against a local requirements.txt file
         run: >
           echo -e "requests\npywin32" > requirements.txt
-          guarddog verify ./requirements.txt
-  
+          guarddog pypi verify ./requirements.txt
+          guarddog npm verify ./tests/core/resources/package.json
+
   docker-build:
     runs-on: ubuntu-latest
     permissions:

diff --git a/.gitignore b/.gitignore
@@ -11,3 +11,5 @@ dist/
 wheels/
 *.egg-info/
 build/
+.coverage*
+
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -9,4 +9,9 @@ repos:
   - id: typecheck
     name: Type check Python code
     language: system
-    entry: make type-check
+    entry: make type-check
+
+  - id: docs
+    name: Autogenerate rules documentation
+    language: system
+    entry: make docs
diff --git a/Dockerfile b/Dockerfile
@@ -1,9 +1,15 @@
-FROM python:3.10-alpine3.16
+FROM python:3.10.9-alpine3.17 AS builder
 LABEL org.opencontainers.image.source="https://github.com/DataDog/guarddog/"
 RUN mkdir /app
 # gcc and musl-dev needed for the pip install
-RUN apk add --update gcc musl-dev
+RUN apk add --update gcc musl-dev g++ libgit2-dev libffi-dev
 ADD . /app
 WORKDIR /app
-RUN pip install -r requirements.txt
-ENTRYPOINT ["python", "-m", "guarddog"]
+RUN pip install --no-cache-dir -r requirements.txt
+
+#FROM cgr.dev/chainguard/python:latest AS runner
+#COPY --from=builder /app /app
+#COPY --from=builder /usr/local/lib/python3.10/site-packages /app/site-packages
+#ENV PYTHONPATH=/app/site-packages
+WORKDIR /app
+ENTRYPOINT ["python", "-m", "guarddog"]
diff --git a/Makefile b/Makefile
@@ -1,6 +1,6 @@
-.PHONY: test test-semgrep-rules test-metadata-rules test-core
+.PHONY: test test-semgrep-rules test-metadata-rules test-core docs
 
-test: test-semgrep-rules test-metadata-rules test-core
+test: test-semgrep-rules test-metadata-rules test-core coverage-report
 
 type-check:
 	mypy --install-types --non-interactive guarddog
@@ -13,7 +13,14 @@ test-semgrep-rules:
 	semgrep --metrics off --quiet --test --config guarddog/analyzer/sourcecode tests/analyzer/sourcecode
 
 test-metadata-rules:
-	python -m pytest tests/analyzer/metadata
+	COVERAGE_FILE=.coverage_metadata coverage run -m pytest tests/analyzer/metadata
 
 test-core:
-	python -m pytest tests/core
+	COVERAGE_FILE=.coverage_core coverage run -m pytest tests/core
+
+coverage-report:
+	coverage combine .coverage_metadata .coverage_core
+	coverage report
+
+docs:
+	python scripts/generate-rules-docs.py README.md
-Original file line number
+Diff line change
@@ Expand Up / @@ -11,3 +11,5 @@ dist/ @@
     wheels/
     *.egg-info/
     build/
+    .coverage*